The world of industrial control systems, like many high-tech sectors, possesses its own lexicon to describe the nuances of its industry. Unfortunately, the terms used are also often interchanged and misunderstood. Industrial Control Systems are often referred to in the media as “SCADA,” for example, which is both inaccurate and misleading. An industrial network is most typically made up of several distinct areas, which are simplified here as a business network or enterprise, business operations, a supervisory network, and process and control networks (see Figure 2.1). SCADA, or Supervisory Control and Data Acquisition, is just one specific piece of an industrial network, separate from the control systems themselves, which should be referred to as Industrial Control Systems (ICS), Distributed Control Systems (DCS), or Process Control Systems (PCS). Each area has its own physical and logical security considerations, and each has its own policies and concerns.
The book title “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems” was chosen because this text discusses the security concerns of all the networks that make up an industrial network, including the supervisory and distributed control systems, primarily as they apply to critical infrastructure. The business Local Area Network (LAN), the process control network, and whatever supervisory demilitarized zone (DMZ) exists between them are all equally important. To be more specific, it discusses the cyber security of these networks. For the sake of clarity, it is assumed that a strong security policy, security awareness, personnel, and physical security practices are already in place, and these topics will not be addressed except where they might be used to strengthen specific areas of network security.
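The layout described above (business LAN, supervisory DMZ, supervisory network, process control network) is only useful if the boundaries between those areas are actually enforced. The following is an added example, not code from the book, that models the areas as zones and the permitted traffic between them as an explicit allowlist of conduits, then audits a set of flow records against it. The zone names, the conduit list (including the ports chosen for the historian, jump host, Modbus/TCP and DNP3 traffic) and the sample flow-log lines are all constructed assumptions for illustration; the point is the default-deny evaluation, in which business-LAN traffic reaches control devices only by way of the DMZ.

```python
"""Zone-and-conduit audit for a segmented industrial network.

Added example; not taken from the book. Zone names, the conduit allowlist
and the sample flow records are all constructed for illustration.
"""
from dataclasses import dataclass

# Zones, from the business side inward. The names are assumptions.
ENTERPRISE = "enterprise"      # business LAN
DMZ = "supervisory_dmz"        # historian replicas, jump hosts, patch relays
SUPERVISORY = "supervisory"    # SCADA servers, HMIs, engineering workstations
CONTROL = "control"            # PLCs, RTUs, DCS controllers

# Permitted conduits: (source zone, destination zone, protocol, destination port).
# Anything not listed is denied. Note there is no enterprise -> supervisory or
# enterprise -> control entry; the business side only ever reaches the DMZ.
ALLOWED_CONDUITS = {
    (ENTERPRISE, DMZ, "tcp", 443),         # business users read the DMZ historian over HTTPS
    (SUPERVISORY, DMZ, "tcp", 5432),       # SCADA servers push data to the historian (assumed port)
    (DMZ, SUPERVISORY, "tcp", 3389),       # jump host to HMI / engineering workstations
    (SUPERVISORY, CONTROL, "tcp", 502),    # Modbus/TCP polling of controllers
    (SUPERVISORY, CONTROL, "tcp", 20000),  # DNP3 over TCP
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


def is_permitted(flow: Flow) -> bool:
    """Default deny: a cross-zone flow is allowed only if its exact conduit is listed."""
    if flow.src_zone == flow.dst_zone:
        # Intra-zone traffic is governed by host-level controls, not the conduit policy.
        return True
    return (flow.src_zone, flow.dst_zone, flow.proto, flow.dst_port) in ALLOWED_CONDUITS


def violations(flows):
    """Return the flows that cross a zone boundary outside an approved conduit."""
    return [f for f in flows if not is_permitted(f)]


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src_zone dst_zone proto dst_port'."""
    src, dst, proto, port = line.split()
    return Flow(src, dst, proto.lower(), int(port))


# Constructed sample flow records (not captured from any real network).
SAMPLE_LOG = """\
enterprise supervisory_dmz tcp 443
supervisory control tcp 502
enterprise control tcp 502
enterprise supervisory tcp 3389
control supervisory_dmz tcp 443
control control tcp 502
"""


def audit(log_text: str):
    """Audit a block of flow-log lines and return the flows that violate the conduit policy."""
    return violations(parse_flow(line) for line in log_text.splitlines() if line.strip())


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"DENY {f.src_zone} -> {f.dst_zone} {f.proto}/{f.dst_port}")
```

Run against the constructed log, the audit flags three flows: the business LAN talking straight to a controller on Modbus/TCP, the business LAN opening RDP to a supervisory host without going through the jump host, and a controller initiating a connection outward into the DMZ, a direction the policy never approves. In practice the same allowlist would be expressed as the rule base of the firewalls that sit between the zones, and the audit would be run over those firewalls' connection logs.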
Critical Infrastructure
For the purposes of this book, the terms “Industrial Network” and “Critical Infrastructure” are used in somewhat limited contexts. “Industrial Network” refers to any network operating some sort of automated control system that communicates digitally over a network, and “Critical Infrastructure” refers to critical network infrastructure, including any network used in the direct operation of any system upon which one of the defined “critical infrastructures” depends. Confusing? It is, and this is perhaps one of the leading reasons that our critical infrastructures remain at risk today: many an ICS security seminar has digressed into an argument over semantics, at the expense of any real discussion of network security practices.
Luckily, the two terms are closely related in that the defined critical infrastructure, meaning those systems listed in the Homeland Security Presidential Directive Seven (HSPD-7), typically utilizes some sort of industrial control systems. In its own words, “HSPD-7 establishes a national policy for Federal departments and agencies to identify and prioritize [the] United States critical infrastructure and key resources and to protect them from terrorist attacks.” HSPD-7 includes public safety, bulk electric energy, nuclear energy, chemical manufacturing, agricultural and pharmaceutical manufacturing and distribution, and even aspects of banking and finance: basically, anything whose disruption could impact a nation. However, while some, such as global banking and finance, are considered a part of our critical infrastructure, they do not typically operate industrial control networks, and so are not addressed within this book (although many of the security recommendations will still apply, at least at a high level).
Utilities
Utilities—water, gas, oil, electricity, and communications—are critical infrastructures that rely heavily on industrial networks and automated control systems. Because the disruption of any of these systems could impact our society and our safety, they are listed as critical by HSPD-7; because they use automated and distributed process control systems, they are clear examples of industrial networks. Of the common utilities, electricity is often separated out as requiring more extensive security. In the United States and Canada, it is specifically regulated to standards of reliability and cyber security. Oil and gas refining and distribution should be treated both as chemical/hazardous material operations and as critical components of our infrastructure, and such facilities are often regulated as chemical facilities for exactly those reasons.
Nuclear Facilities
Nuclear facilities represent unique safety and security challenges due to the inherent danger of their fueling and operation, as well as the national security implications of the raw materials used. This makes nuclear facilities a prime target for cyber attack, and it makes the consequences of a successful attack more severe. As such, nuclear energy is heavily regulated in the United States by the Nuclear Regulatory Commission (NRC). The NRC was created as an independent agency by Congress in 1974 to ensure the safe operation of nuclear facilities and to protect people and the environment. This includes regulating the use of nuclear material, including by-product, source, and special nuclear materials, as well as nuclear power.
Bulk Electric
The ability to generate and distribute electricity in bulk is highly regulated. Electrical energy generation and distribution is defined as a critical infrastructure under HSPD-7, and is heavily regulated in North America by NERC, specifically via the NERC Critical Infrastructure Protection (CIP) reliability standards, which NERC develops and enforces as the electric reliability organization certified by the Federal Energy Regulatory Commission (FERC, an independent commission within the Department of Energy). The Department of Energy is in turn the sector-specific agency ultimately responsible for the security of the production, manufacture, refining, distribution, and storage of oil, gas, and non-nuclear power.
It’s important to note that energy generation and distribution are two distinct industrial network environments, each with its own nuances and special security requirements. Energy generation is primarily concerned with the safe manufacture of a product (electricity), while energy distribution is concerned with the safe and balanced distribution of that product. The two are also highly interconnected, obviously, as generation facilities directly feed the power grid that distributes that energy; bulk energy must be carefully measured and distributed upon production. For this same reason, the trading and transfer of power between power companies is an important facet of an electric utility’s operation.
The smart grid, an update to traditional electrical transmission and distribution systems to accommodate digital communications for metering and intelligent delivery of electricity, is a facet of industrial networks that is unique to the energy industry and that raises many new security questions and concerns.
Although energy generation and distribution are not the only industrial systems that need to be defended, they are often used as examples within this book. This is because the North American Electric Reliability Corporation (NERC) has created a reliability standard called “Critical Infrastructure Protection” and enforces it heavily throughout the United States and Canada. Likewise, the NRC requires and enforces the cyber security of nuclear power facilities. Ultimately, all other industries rely upon energy to operate, and so the security of the energy infrastructure (and the development of the smart grid) impacts everything else, so that talking about securing industrial networks without talking about energy is practically impossible.
Is bulk power more important than other industrial systems? That is a topic of heavy debate. Within the context of this book, we assume that all control systems are important, whether or not they generate or distribute energy, or whether they are defined that way by HSPD-7 or any other directive. A speaker at the 2010 Black Hat conference suggested that ICS security is overhyped, because these systems are more likely to impact the production of cookies than they are to impact our national infrastructure. However, even the production of a snack food can impact many lives: through the manipulation of its ingredients or through financial impact to the producer and its workers, for example.
Chemical Facilities
Chemical manufacture and distribution represent specific challenges to securing an industrial manufacturing network. Unlike the “utility” networks (electric, nuclear, water, gas), chemical facilities need to secure their intellectual property as much as they do their control systems and manufacturing operations. This is because the product itself has a tangible value, both financially and as a weapon. For example, the formula for a new pharmaceutical could be worth a large sum of money on the black market. The disruption of the production of that pharmaceutical could be used as a social attack against a country or nation, by impacting the ability to produce a specific vaccine or antibody. Likewise, the theft of hazardous chemicals can be used directly as weapons or to fuel illegal chemical weapons research or manufacture. For this reason, chemical facilities need to also focus on securing the storage and transportation of the end product.
Critical versus Noncritical Industrial Networks
The security practices recommended within this book aim for a very high standard, and in fact go above and beyond what is recommended by many government and regulatory groups. So which practices are really necessary, and which are excessive? It depends upon the nature of the industrial system being protected. What are the consequences of a cyber attack? The production of energy is much more important in modern society than the production of a Frisbee. The proper manufacture and distribution of electricity can directly impact our safety by providing heat in winter or by powering our irrigation pumps during a drought. The proper manufacture and distribution of chemicals can mean the difference between the availability of flu vaccines and pharmaceuticals and a direct health risk to the population. Regardless of how an ICS is classified, most industrial control systems are by their nature important, and any risk to their reliability holds industrial-scale consequences. And while not all manufacturing systems hold life-and-death consequences, that does not mean that they are not potential targets for a cyber attack. What are the chances that an extremely sophisticated, targeted attack will actually occur? The likelihood of an incident diminishes as the sophistication of the attack, and its consequences, grow, as shown in Figure 2.2. By implementing security practices that address these uncommon and unlikely attacks, there is a greater possibility of avoiding the devastating consequences that correspond to them.
Although the goal of this book is to secure any industrial network, it focuses on Critical Infrastructure and electric energy in particular, and will reference various standards, recommendations, and directives as appropriate. Regardless of the nature of the control system that needs to be secured, it is important to understand these directives, especially NERC CIP, the Chemical Facility Anti-Terrorism Standards (CFATS), the Federal Information Security Management Act (FISMA), and the control system security recommendations of the National Institute of Standards and Technology (NIST). Each has its own strengths and weaknesses, but all provide a good baseline of best practices for industrial network security (each is explored in more detail in Chapter 10, “Standards and Regulations”). Not surprisingly, the industrial networks that control critical infrastructures demand the strongest controls and regulations around security and reliability, and as such there are numerous organizations helping to achieve just that. The Critical Infrastructure Protection Act of 2001 and HSPD-7 define what the critical infrastructures are, while others, such as NERC CIP, CFATS, and various publications of NIST, help explain what to do.