Here at Enterprise Efficiency, we've had plenty of blog posts, radio shows, and video blogs on the subject of security. It's a critical issue for enterprise IT, but our discussions have tended to stop at the real or virtual walls of the white-collar world. That's understandable but unfortunate, since there are very real security issues that can hit the control systems running our industrial processes.
Last year's attack on certain Siemens equipment (equipment that was, we're to believe by sheer coincidence, used in Iran's nuclear processing facility) shows that these systems are vulnerable. The question has been what's best to do about it. Now, a government standard has been introduced that may help companies provide an answer. Welcome to the Guide to Industrial Control Systems (ICS) Security.
The Guide is NIST's response to a requirement in the Federal Information Security Management Act (FISMA) that they develop standards and guidelines for federal information systems that aren't part of the military. While most enterprises don't fall within the scope of FISMA, the guidelines developed by NIST have frequently been used as starting points and justifications for companies developing their own security systems. Now, manufacturing companies have a rationalization for taking the security of their embedded control systems seriously, while also having a list of criteria and a logical framework to take to vendors when discussing security options.
According to the guidelines, there are five major objectives for an overall security plan for an industrial control system (ICS):
The guidelines address each of these objectives after beginning with an overview of how ICS has evolved to be both more capable and more vulnerable, and the critical ways in which ICS and traditional IT systems differ. According to the guidelines:
- Restricting logical access to the ICS network and network activity
- Restricting physical access to the ICS network and devices
- Protecting individual ICS components from exploitation
- Maintaining functionality during adverse conditions
- Restoring systems after an incident.
To properly address security in an ICS, it is essential for a cross-functional cyber security team to share their varied domain knowledge and experience to evaluate and mitigate risk to the ICS. The cyber security team should consist of a member of the organization's IT staff, control engineer, control system operator, network and system security expert, a member of the management staff, and a member of the physical security department at a minimum.
There will still be serious questions that remain for those implementing security for manufacturing systems -- this is just a guide, after all. One of the more serious big-picture questions is the extent to which the security of manufacturing systems will be integrated into the larger enterprise security framework. There will, of course, be limits on just how extensively the systems can be integrated, given the differences in operating systems and other details -- but there are likely points at which unified reporting through a central security dashboard can make sense. That unified reporting could help dispel one of the more pernicious myths of control systems -- that security isn't an issue because the underlying operating system is inherently secure.
Let's be clear about this: If a system is open to communication from any system outside itself, it is not inherently secure. Some may be more easily compromised than others; some may be more commonly attacked than others. But give an expert a port into a system and that system can ultimately be successfully attacked. The fact that most manufacturing systems haven't yet been compromised says more about the desirability of the company that uses them than about the systems themselves, and that institutional desirability can change in an instant. In preparation for those changes, it pays to plan on securing the embedded systems.
The new NIST guidelines are an important step toward manufacturing system security. Depending on your industry, you might also want to look at NIST's Guidelines for Smart Grid Cyber Security, though if you really need to read that document, you're already aware of the fact. The greatest takeaway, though, is that it's time (past time, really) to start taking manufacturing systems security seriously. Read the NIST documents and open up discussions with your system vendor. The bad guys are out there, and the opportunities for them to get up to mischief are right there in your shop.