Guiding Control System Cybersecurity
Securing the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks that are used to run everything from chemical refineries to power grids is a daunting job. The systems are linked to the Internet and, thus, vulnerable to hacks.
But unlike traditional enterprise networks whose common software and system architectures make it possible to secure vulnerabilities worldwide with a single patch, the typical ICS or SCADA system is not easy to patch.
As in other areas of critical infrastructure protection, ICS and SCADA risk mitigation falls to private owner-operators, as do the costs. The Department of Homeland Security (DHS) can, however, impart knowledge, which it does through the ICS-Cyber Emergency Response Team (ICSCERT).
While the name evokes that of US-CERT, its partner in DHS that focuses on risks to the country’s IT networks, ICSCERT’s work on process management networks has much in common with one of its closest collaborators in DHS, the Office of Infrastructure Protection (OIP), which helps owner-operators mitigate overall risk and boost resilience through site-assistance visits and risk assessment products.
The crux of ICS-CERT’s work lies in threat and vulnerability analysis, both sector-wide and at the owner-operator level. At the company or plant level, ICS-CERT helps in forensic incident response and vulnerability assessment, explains Sean McGurk, director of DHS’s Control System Security Program (CSSP), which oversees ICS-CERT.
Day-to-day, ICS-CERT computer and process management engineers work with their partners at the Department of Energy’s Idaho National Laboratory. Together, the groups run tests on ICS software and equipment that are both in use and under development, McGurk says. Any findings from this research are distributed to users and manufacturers.
An actual incident response may result from a report of an attack from an owner-operator, but it may also be initiated by ICS-CERT if its own analysis uncovers a critical vulnerability in an operating system. In a typical response, a team of four to six engineers with expertise relevant to both the software and the sector is dispatched to an owner-operator site to collect data on the incident, which is then analyzed to determine what vulnerabilities and threats contributed.
Those findings are presented to the owner-operator and shared with relevant sector members and vendors in a report redacted to maintain the operator’s anonymity. None of the owner-operator’s data is retained by DHS, McGurk says.
ICS-CERT teams make at least 50 site assistance visits to owner-operators each year to conduct control system vulnerability assessments. For sites that do not get an in-person evaluation because they do not meet prioritization criteria, such as immediate consequences of failure and interdependence, the group also distributes its own free self-assessment tool, called the Cyber Security Evaluation Tool (CSET).
CSET incorporates any established standards covering critical infrastructure sectors, like the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards, the American Petroleum Institute’s API 1164, and the National Institute of Standards and Technology’s Special Publication 800-53, which addresses IT security. The tool helps the owner-operator identify the systems’ gaps relative to the specific standard that the owner-operator uses, McGurk says.
As with other DHS assessment tools, CSET aids in the identification of vulnerabilities and then recommends mitigation measures. Implementation decisions fall to the owner-operators without regulatory requirements.
While OIP had to limit in-person assessments based on certain factors because it did not have the resources to visit every site, McGurk is well aware of the dangers of that approach. He notes that not only are these resources all networked via the Internet, they are also interdependent in many cases. One of the “vectors for malicious activity is going to be through the least focused-on sector or link,” he explains. “So if I’m going to try to work my way into a facility, I may take the path of least awareness as opposed to the path of most awareness.”
McGurk offers the example of a chemical processing facility managed using an ICS. The operator may protect the system via its “front door,” namely, the ICS system’s connection to a control center or the company’s broader network. If, however, attackers hack the SCADA system that runs the area’s power grid, they can shut off power to the chemical facility’s ICS system and cause a catastrophe.
ICS-CERT also offers procurement guidance for operators building new facilities who want help selecting new security systems and upgrades.
Each year, the office conducts weeklong simulated red-team training sessions for system security professionals at a DHS facility near the national laboratory in Idaho Falls. The training sessions begin with a day-long primer on the basics of network attacks, followed by a day on the defense-in-depth approach to securing systems.
On the third day, students divide into a red team and a blue team and start gaming attacks. On the fourth day, the two teams engage in a “no holds barred” exercise using an ICS/SCADA simulator. On the session’s final day, ICS-CERT and laboratory experts review how each side performed and pick a winner.
The courses accommodate up to 320 students a year in eight different sessions. McGurk notes that the sessions offer attendees a rare hands-on training experience where they can get a taste of the real threat without any actual risk to their mission or assets.