Here at Enterprise Efficiency, we've had plenty of blog posts, radio shows, and video blogs on the subject of security. It's a critical issue for enterprise IT, but our discussions have tended to stop at the real or virtual walls of the white-collar world. That's understandable but unfortunate, since there are very real security issues that can hit the control systems running our industrial processes.
Last year's attack on certain Siemens equipment (equipment that was, we're to believe by sheer coincidence, used in Iran's nuclear processing facility) shows that these systems are vulnerable. The question has been what's best to do about it. Now, a government standard has been introduced that may help companies provide an answer. Welcome to the Guide to Industrial Control Systems (ICS) Security.
The Guide is NIST's response to a requirement in the Federal Information Security Management Act (FISMA) that it develop standards and guidelines for federal information systems that aren't part of the military. While most enterprises don't fall within the scope of FISMA, the guidelines developed by NIST have frequently been used as starting points and justifications for companies developing their own security systems. Now, manufacturing companies have a rationalization for taking the security of their embedded control systems seriously, while also having a list of criteria and a logical framework to take to vendors when discussing security options.
According to the guidelines, there are five major objectives for an overall security plan for an industrial control system (ICS):
Restricting logical access to the ICS network and network activity
Restricting physical access to the ICS network and devices
Protecting individual ICS components from exploitation
Maintaining functionality during adverse conditions
Restoring systems after an incident.
The guidelines address each of these objectives after beginning with an overview of how ICS has evolved to be both more capable and more vulnerable, and the critical ways in which ICS and traditional IT systems differ. According to the guidelines:
To properly address security in an ICS, it is essential for a cross-functional cyber security team to share their varied domain knowledge and experience to evaluate and mitigate risk to the ICS. The cyber security team should consist of a member of the organization's IT staff, control engineer, control system operator, network and system security expert, a member of the management staff, and a member of the physical security department at a minimum.
There will still be serious questions that remain for those implementing security for manufacturing systems -- this is just a guide, after all. One of the more serious big-picture questions is the extent to which the security of manufacturing systems will be integrated into the larger enterprise security framework. There will, of course, be limits on just how extensively the systems can be integrated, given the differences in operating systems and other details -- but there are likely points at which unified reporting through a central security dashboard can make sense. That unified reporting could help dispel one of the more pernicious myths of control systems -- that security isn't an issue because the underlying operating system is inherently secure.
Let's be clear about this: If a system is open to communication from any system outside itself, it is not inherently secure. Some may be more easily compromised than others; some may be more commonly attacked than others. But give an expert a port into a system and that system can ultimately be successfully attacked. The fact that most manufacturing systems haven't yet been compromised says more about the desirability of the company that uses them than about the systems themselves, and that institutional desirability can change in an instant. In preparation for those changes, it pays to plan on securing the embedded systems.
The new NIST guidelines are an important step toward manufacturing system security. Depending on your industry, you might also want to look at NIST's Guidelines for Smart Grid Cyber Security, though if you really need to read that document, you're already aware of the fact. The greatest takeaway, though, is that it's time (past time, really) to start taking manufacturing systems security seriously. Read the NIST documents and open up discussions with your system vendor. The bad guys are out there, and the opportunities for them to get up to mischief are right there in your shop.
The bad guys are out there, and the opportunities for them to get up to mischief are right there in your shop.
@Curtis, I totally agree with you, bad guys are waiting to spread havoc. We all know how LulzSec caused "widespread mayhem" during the last three months. It's better to be prepared for such kinds of attacks, and I believe the Guide to Industrial Control Systems (ICS) Security is the step in the right direction.
@Gigi, the security equipment guidelines are generally addressed by FISMA. Once again, though, the only organizations that must pay attention are departments of the federal government. That doesn't mean that they aren't good ideas for a lot of companies...
@Sara, you have a point: The only organizations that must pay attention to these guidelines are federal agencies that aren't part of the defense department. I think that NIST has done a good job, though, so I hope that more groups will take the recommendations to heart.
Much of the attitude about the safety of control systems comes from mistaking lack of hacker interest for inherent security. It's a variety of the attitude that leads people to say, "I don't have to worry about malware because I use a Mac/Linux/Android/Chrome." If the target has enough value, people will try to get it, and the likelihood is they'll succeed. That's when good security and planning come into play.
Curtis, actually there should be some guidelines for security equipment also. Many companies are in the market with security equipment having different functionality and features. But I really doubt whether they are meeting the real security aspects in full, because nowhere are the guidelines or minimum specifications to meet defined. Equipment manufacturers are defining their own specifications based on usage and application, and moreover they may vary from manufacturer to manufacturer, even for the same application.
So I think this can help for standardization and maintaining uniformity among companies.
I'm delighted to hear that NIST has released these guidelines, but I fear that they'll be overlooked by some of the people who need them most. For reasons I STILL don't understand, a lot of security professionals see control systems security as a non-issue. I'm sure that attitude has shifted some over the course of this eventful year... but has it shifted enough?