Some 200 attended the 2013 Dome Exhibitions’ oil and gas ICS cyber security forum held earlier this year in Abu Dhabi. For ADCO’s Riemer Brouwer, the secret to ICS security success is a risk-based approach. While this is generally recognized in IT, it is often overlooked in Scada systems. In one review it was found that ‘pantries are often better protected than control rooms!’ To IT, Scada systems are complex and can be hard to understand. But the reality is that they are relatively simple and only a few core components are security-critical. On the other hand, several commonly held beliefs regarding control systems are actually misconceptions that expose companies to unnecessary risks. For instance Scada systems are not separate from corporate IT, they are not necessarily well protected from unauthorized access and the knowledge required to effect an attack is not all that hard to obtain.
Brouwer recommends the ISO 27001/2 standards as a framework for security and risk management. While developed for corporate IT, the same principles can be applied to control systems. Implementing the standard also facilitates a fruitful dialog between IT and control system specialists.
Ayman Al Issa (ADMA-OPCO) tempered Brouwer’s optimism, warning that rendering industrial automation control systems secure has failed because of the diversity of control systems and the use of components of various vintages. Three years on from Stuxnet, we are aware of the problem but have made little or no progress, ‘We still don’t know what we want to do!’ Automation vendors cannot provide a defence in depth solutions. While cyber security vendors do better, they are not yet truly ‘on board.’ Securing existing systems is hampered by an over reliance on procedures and guidelines. Controls are weak and there is a risk of conflict between automation systems providers and cyber security solutions. While vendors may offer a solution, the big question is, how can it be implemented and supported throughout the plant’s life. This is a ‘gigantic problem.’ Al Issa advocates engaging a main cyber security contractor—à la main automation contractor—to deploy and support cyber security across the plant’s lifecycle. The new MCSC should be under the MAC’s responsibility and only deploy tested components and fixes.
David Alexander, who is with EADS unit Cassidian, told an industrial detective story involving control system forensics. Forensics can be done on databases, log files and mobile devices to detect and investigate intrusion. Objectives of such investigations allow for identifying the duration and mechanism of an intrusion and, most importantly, how to stop it from happening again. Investigations must comply with legal constraints to be admissible in court. Alexander outlined some basic investigative principles—data must not be altered, all electronic evidence needs an audit trail and all investigative personnel need formal certification. Cassidian has developed a methodology for collecting, analysing and presenting incident-related data in a compliant manner. Alexander presented the results of a real-time investigation into a hack on a Siemens traffic light controller. More from Dome.
© Oil IT Journal - all rights reserved.