by John Cusimano
The majority of process plants today are controlled and operated by automation systems built on Ethernet TCP/IP networks and legacy Microsoft operating systems. Control and safety systems often reside on the same process control network. That process control network often has other computers and monitors connected to it and will typically interface with the enterprise network. The enterprise network will often interface with the Internet.
What if a malicious actor or malicious code were able to enter and compromise the control system? This could result in a loss of both control and alarm layers. Values in both layers could be manipulated if they were to reside in the same system. An even worse scenario would be if the malicious code were also to compromise the safety instrumented system. In this scenario an attack could result in the loss of three layers of protection based on a single initiating event or attack. Such attacks have happened.
Unfortunately, traditional hazard and operability studies (HAZOPs) and layer of protection analyses (LOPAs) do not account for the cyber compromise of these layers of protection. Fortunately, there is help available now. Many standards and regulations have been developed over the last decade to address this known issue: our control systems are susceptible to cyber compromise.
ICS cybersecurity vulnerability assessment
An ICS cybersecurity vulnerability assessment is an evaluation of a control system’s design. We start with the control system as-built or as-found drawings. How is that control system constructed? What devices make up the system? How are they networked together? How do those networks communicate with one another? We need to understand how all these pieces go together. Unfortunately, in many facilities it is very difficult to find a drawing that shows the entire system architecture; these systems have often grown and evolved over decades.
We start with an analysis of network communications. We want to understand how these networks are constructed, how they are configured, and how data is moving throughout the system. This is done by recording actual network traffic and plotting it out so we can see the data flows. We can identify what devices are communicating with each other. What devices should be communicating with each other? What devices are communicating with each other that perhaps should not be, or were not expected to be? Are any devices communicating using protocols we did not expect to find? Are there control system devices that are trying to communicate out to the Internet? We plot the communications and look for anomalous behaviors.
A vulnerability assessment would then go on to analyze the actual servers and workstations that make up the system. Most of the operating systems controlling the bulk of industrial facilities today are legacy Microsoft platforms such as Windows XP and Windows Server 2003. We need to identify the vulnerabilities present on those platforms. We also need to look at the control devices themselves: the programmable logic controllers, the safety instrumented systems, the operator interfaces, the variable frequency drives, the analyzers, etc. Most of these devices now have Ethernet ports and are connected to the common networks that make up the control system network.
The next step in a vulnerability assessment would be to partition the system into zones and conduits. We do this so we can better analyze the system and better design protections to limit communications to only that which needs to go into and out of a zone.
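One way to turn the recorded data flows into findings, checked against a zones-and-conduits model, as an added example (not the author's own tooling): each flow summary is screened for external destinations, undocumented devices, zone pairs with no conduit, and unexpected protocols on a conduit. The inventory, zone assignments, conduit rules, addresses and flow records below are constructed assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory (assumed names/addresses/zones): address -> (name, zone)
INVENTORY = {
    "10.1.1.10": ("hmi-01", "supervisory"),
    "10.1.1.20": ("hist-01", "supervisory"),
    "10.1.1.50": ("eng-ws", "supervisory"),
    "10.1.2.10": ("plc-01", "control"),
    "10.1.2.11": ("plc-02", "control"),
    "10.1.3.10": ("sis-01", "safety"),
}
# Conduits: zone pairs expected to talk, and the protocols expected on each.
CONDUITS = {
    ("supervisory", "control"): {"modbus/tcp", "opc-ua"},
    ("supervisory", "safety"): {"modbus/tcp"},
}
PLANT_NETS = [ip_network("10.0.0.0/8")]  # plant address space (assumption)

def is_internal(addr):
    """True if addr lies inside the plant's own address space."""
    return any(ip_address(addr) in net for net in PLANT_NETS)

def classify_flow(src, dst, proto):
    """Return the findings for one observed flow; [] means it was expected."""
    if not is_internal(dst):
        return ["destination is outside the plant network (Internet-bound?)"]
    findings = [f"undocumented device {a}" for a in (src, dst) if a not in INVENTORY]
    if findings:
        return findings
    src_zone, dst_zone = INVENTORY[src][1], INVENTORY[dst][1]
    if src_zone == dst_zone:
        return []  # intra-zone traffic is reviewed with the zone itself
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return [f"no conduit defined from zone {src_zone} to {dst_zone}"]
    if proto not in allowed:
        return [f"unexpected protocol {proto} on conduit {src_zone}->{dst_zone}"]
    return []

def screen(flows):
    return {f: classify_flow(*f) for f in flows if classify_flow(*f)}

# Constructed flow summaries (src, dst, protocol), as if read off a capture.
FLOWS = [
    ("10.1.1.10", "10.1.2.10", "modbus/tcp"),  # HMI polling a PLC: expected
    ("10.1.1.20", "10.1.2.11", "opc-ua"),      # historian reading a PLC: expected
    ("10.1.1.50", "10.1.3.10", "ssh"),         # engineering workstation to the SIS
    ("10.1.2.10", "10.1.3.10", "modbus/tcp"),  # PLC talking directly to the SIS
    ("10.1.2.11", "203.0.113.7", "dns"),       # PLC resolving names outside the plant
    ("10.1.9.99", "10.1.2.10", "modbus/tcp"),  # device on no drawing polling a PLC
]
```

Running `screen(FLOWS)` keeps the four flows that raise a finding; the two expected flows drop out.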
A vulnerability assessment should also include a review of policies and procedures and include a gap analysis. How does the system stack up against industry standards and best practices? Finally, the assessment should list the vulnerabilities that have been discovered and the recommended mitigations to close the gaps.
Understanding vulnerability is only one part of the equation. Cyber risk is a combination of threats, vulnerabilities, and consequences. Most organizations want to understand what their true cyber risks are. A method has been developed to do so; it's called a cyber risk assessment or cyber PHA (process hazards analysis). It's a very systematic approach, similar in many ways to a PHA or HAZOP. The team will ultimately develop a risk register and risk profile, so we have a ranked set of risks and understand where those risks are in our system. Ultimately, we can then come up with a set of recommendations and a plan to mitigate those risks.