As Eric Byres of the Trusted Computing Group warns, ‘If you can ping it, you can own it!’ Speaking on behalf of the Metadata Access Point standards body, a 100 member-strong organization that sets out to lock down network communications and certify products, Byres emphasized that, particularly in the post-Stuxnet era, network access control (NAC) is crucial for industrial control and SCADA systems. NAC is not magic; it implies a holistic approach to user authentication, identity management and endpoint health. At the heart of trusted computing is MAP, the metadata access point. MAP targets security coordination with an authenticated, asynchronous publish/subscribe mechanism supporting, inter alia, real-time data flows between sensors, flow controllers and other industrial equipment. MAP’s public key infrastructure provides lifecycle cryptographic identity management for SCADA and industrial control systems, which are otherwise exposed to certificate expiry, revocation and spoofing problems. Oil and gas companies testing the technology include ExxonMobil, Shell, GE, Honeywell, Siemens and Yokogawa. More from www.oilit.com/links/1101_2.
David Whitehead of Schweitzer Engineering Labs asked, ‘How do you know if your control system has been compromised?’ Control system complexity offers plenty of entry points to hackers and malware, making this a tricky question to answer. A multi-pronged approach is necessary to monitor SCADA systems, network appliances and intelligent electronic devices. This is done by constant surveillance of alarms, sequence of events recorders, event reports, and operating system and network logs. Secondary communications paths in the network should be established to notify users when a probe or attack is underway. Cryptographic best practices protect serial and Ethernet connections. Network segments are connected via firewalls and control networks are isolated with a DMZ. Patches need managing.
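Whitehead’s question (‘how do you know?’) is answered in practice by correlating the alarm, event-recorder, operating-system and network logs he lists. The script below is an added illustration, not code from the presentation or from Schweitzer Engineering Labs; the log format, the engineering-workstation allowlist, the control-network prefix and the three rules are all assumptions chosen for the example, and the log lines are constructed.

```python
"""Correlate control-system events from several log sources to flag likely compromise.

Added example; the line format, hosts, thresholds and rules are assumptions, not any vendor's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real device output). Format assumed for the example:
#   <ISO timestamp> <source> <event> key=value ...
SAMPLE_LOGS = """\
2011-01-10T08:00:05 plc-07 logic_download host=10.1.1.20 user=eng1
2011-01-10T08:01:10 winlog auth_fail host=10.1.1.44 user=administrator
2011-01-10T08:01:12 winlog auth_fail host=10.1.1.44 user=administrator
2011-01-10T08:01:15 winlog auth_fail host=10.1.1.44 user=administrator
2011-01-10T08:01:17 winlog auth_fail host=10.1.1.44 user=administrator
2011-01-10T08:03:00 fw deny src=10.1.1.44 dst=203.0.113.9 proto=tcp dport=443
2011-01-10T08:04:30 plc-07 config_write host=10.1.1.44 user=administrator
2011-01-10T08:05:00 soe alarm tag=PT-101 state=HI
"""

ENGINEERING_HOSTS = {"10.1.1.20"}   # assumed allowlist of workstations permitted to program controllers
CONTROL_NET = "10.1.1."             # assumed control-network prefix; anything else is "outside"
FAIL_THRESHOLD = 3                  # failed logons from one host within FAIL_WINDOW that raise an alert
FAIL_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, source, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def analyze(text):
    """Run the three correlation rules over the log text and return alerts in time order."""
    alerts = []
    fails = defaultdict(list)   # host -> timestamps of recent failed logons
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ev = rec["event"]
        # Rule 1: controller programming or configuration changes only from allowlisted engineering hosts
        if ev in ("logic_download", "config_write") and rec.get("host") not in ENGINEERING_HOSTS:
            alerts.append(("unauthorized_controller_change", rec["source"], rec.get("host", "?")))
        # Rule 2: burst of failed logons from one host within a sliding window (alert once per burst)
        if ev == "auth_fail":
            host = rec.get("host", "?")
            fails[host] = [t for t in fails[host] if rec["ts"] - t <= FAIL_WINDOW]
            fails[host].append(rec["ts"])
            if len(fails[host]) == FAIL_THRESHOLD:
                alerts.append(("auth_fail_burst", host, rec.get("user", "?")))
        # Rule 3: a control-network host trying to reach anything outside the control network
        src, dst = rec.get("src", ""), rec.get("dst", "")
        if ev == "deny" and src.startswith(CONTROL_NET) and not dst.startswith(CONTROL_NET):
            alerts.append(("control_host_egress_attempt", src, dst))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

On the constructed input the three rules fire in sequence: a burst of failed logons from one workstation, that workstation’s blocked attempt to leave the control network, and then a configuration write to the controller from the same, non-allowlisted host. Each rule alone is noisy; the value is in seeing them together against one host, which is the multi-pronged surveillance Whitehead describes.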
Industrial Defender’s Walt Sikora’s presentation, ‘How Stuxnet changed the world,’ noted that, ‘Your friends now know what you do for a living and that you no longer have to justify your cybersecurity budget.’ But the reality is that the world of control systems has not changed at all. There is much more interest in who perpetrated Stuxnet and why than in what we should be doing to prevent similar attacks on our systems. The proof that our control systems can be compromised has not hit home. More awareness is needed of control system peer-to-peer communications, shares or the ‘seven other ways it could move about.’ More information is also needed on the Microsoft ‘zero day’ vulnerabilities Stuxnet has exposed and on the way it seeks out and disables the anti-virus. For Sikora, asset owners are hiding their heads in the sand. ‘There are thousands of threats that could compromise a control system.’ These include ‘drones,’ APT-capable worms and botnets. In fact, ‘It is possible that your system is already compromised and owned by an adversary!’ Moreover, anti-virus software, compliance with industry standards and other current preventative measures would not have prevented Stuxnet. What might is, ‘A complete understanding of your automation system, a secure configuration and system baseline and locking-down and denying access to everything by default.’ More from www.industrialdefender.com.
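Sikora’s prescription, a secure configuration and system baseline with everything denied by default, comes down to recording what a known-good host looks like and treating any departure from that record as a finding. The script below is an added example written for this page, not Industrial Defender’s product or method; the file paths, listening ports and peer flows are constructed, and the three categories checked (file hashes, listeners, peer-to-peer flows) are an assumption about what a minimal baseline should cover.

```python
"""Compare a control-system host snapshot against a known-good baseline, deny-by-default style.

Added example; all paths, ports and hosts are constructed and the baseline scope is an assumption.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files, listeners, peers):
    """Build a baseline record.

    files:     {path: file bytes}            -> stored as SHA-256 digests
    listeners: iterable of "proto/port"      -> services allowed to listen on the host
    peers:     iterable of (src, dst, port)  -> peer-to-peer flows the host is allowed to take part in
    """
    return {
        "files": {path: sha256_hex(content) for path, content in files.items()},
        "listeners": sorted(set(listeners)),
        "peers": sorted(set(peers)),
    }


def compare(baseline, snapshot):
    """Return drift findings; anything not present in the baseline is reported (deny by default)."""
    findings = []
    base_files, cur_files = baseline["files"], snapshot["files"]
    for path, digest in cur_files.items():
        if path not in base_files:
            findings.append(("file_added", path))
        elif base_files[path] != digest:
            findings.append(("file_modified", path))
    for path in base_files:
        if path not in cur_files:
            findings.append(("file_missing", path))
    for svc in snapshot["listeners"]:
        if svc not in baseline["listeners"]:
            findings.append(("unexpected_listener", svc))
    for src, dst, port in snapshot["peers"]:
        if (src, dst, port) not in baseline["peers"]:
            findings.append(("unexpected_peer_flow", "%s->%s:%d" % (src, dst, port)))
    return findings


# Constructed known-good state of an engineering/HMI host (file contents stand in for real binaries).
BASELINE = build_baseline(
    files={
        "C:/Plant/Project/line1.prj": b"project file, constructed content",
        "C:/Plant/bin/hmi.exe": b"hmi build 4.2, constructed content",
    },
    listeners=["tcp/102", "tcp/3389"],
    peers=[("10.1.1.20", "10.1.1.7", 102)],
)

# Constructed later snapshot of the same host: one file changed, one added, a new listener, a new flow.
SNAPSHOT = build_baseline(
    files={
        "C:/Plant/Project/line1.prj": b"project file, constructed content",
        "C:/Plant/bin/hmi.exe": b"hmi build 4.2, constructed content, patched",
        "C:/Windows/Temp/svc.dll": b"constructed unknown library",
    },
    listeners=["tcp/102", "tcp/3389", "tcp/6000"],
    peers=[("10.1.1.20", "10.1.1.7", 102), ("10.1.1.7", "10.1.1.9", 445)],
)


def drift_report():
    """Findings for the constructed snapshot against the constructed baseline."""
    return compare(BASELINE, SNAPSHOT)


if __name__ == "__main__":
    # The baseline is plain JSON, so it can be kept (and signed) off the host it describes.
    print(json.dumps(BASELINE, indent=2))
    for finding in drift_report():
        print(finding)
```

Because `compare` reports every item absent from the baseline rather than looking for known-bad items, it does not depend on signatures for the specific threat, which is the point Sikora makes about anti-virus and Stuxnet. Keep the baseline record off the monitored host so that a compromised machine cannot rewrite the reference it is checked against.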
Notwithstanding Sikora’s skepticism, the standards movement continues its best efforts to assure plant cyber security. Andre Ristaino provided an update on the ISA Security Compliance Institute’s (ISCI) activity. ISCI has top-level support from ExxonMobil, Chevron, Rockwell, Honeywell, Yokogawa, Siemens and Invensys. The organization’s secure designation trademark provides ‘instant recognition of product security characteristics and capabilities’ similar to the ISO/IEC 61508 safety integrity level certification. Of particular interest to readers of Oil IT Journal are the emerging software development security assessment program and the related reference standards for secure software development. A stack of verification and validation protocols checks that software has been developed following appropriate engineering practices, is fit for purpose and incorporates a minimum set of security features needed to prevent common security threats. These standards are described in IEC 61508 and in Mike Howard’s book The Security Development Lifecycle. More from www.oilit.com/links/1101_3.
Presentations available on www.oilit.com/links/1101_1.
© Oil IT Journal - all rights reserved.