Industrial Automation and Control System Security Principles

Notice

The information presented in this publication is for the general education of the reader. Because neither the author(s) nor the publisher has any control over the use of the information by the reader, both the author(s) and the publisher disclaim any and all liability of any kind arising out of such use. The reader is expected to exercise sound professional judgment in using any of the information presented in a particular application.

Additionally, neither the author(s) nor the publisher has investigated or considered the effect of any patents on the ability of the reader to use any of the information in a particular application. The reader is responsible for reviewing any possible patents that may affect any particular use of the information presented.

Any references to commercial products in the work are cited as examples only. Neither the author(s) nor the publisher endorses any referenced commercial product. Any trademarks or tradenames referenced belong to the respective owner of the mark or name. Neither the author(s) nor the publisher makes any representation regarding the availability of any referenced commercial product at any time. The manufacturer’s instructions on use of any commercial product must be followed at all times, even if in conflict with the information in this publication.

Copyright © 2013 International Society of Automation (ISA)

All rights reserved.

Printed in the United States of America.

10 9 8 7 6 5 4 3 2

ISBN: 978-1-937560-63-8

No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher.

ISA

67 Alexander Drive

P.O. Box 12277

Research Triangle Park, NC 27709

Library of Congress Cataloging-in-Publication Data in process

Dedication

To the Pirate Munchkins who have captured my heart:

Patrick, Ryan, Aaron, and Emma

Acknowledgment

I want to thank my wife, Hilda, for her encouragement and support during the writing of this book.

RLK

Contents

About the Author

Foreword

Preface – Industrial Automation and Control System Security: A Component of a Nation’s Critical Infrastructure

Chapter 1 – Industrial Automation and Control System Fundamental Concepts

Industrial Automation and Control Systems

Industrial Automation and Control System Protocol Summary

Issues in Industrial Automation and Control Systems Security

Summary

Review Questions for Chapter 1

References

Chapter 2 – Information System Security Technology

Information System Security Fundamentals

Types and Classes of Attack

Additional System Security Concepts

Policies, Standards, Guidelines, and Procedures

Malicious Code and Attacks

Firewalls

Cryptography

Attacks Against Cryptosystems

Virtual Private Network

Summary

Review Questions for Chapter 2

References

Chapter 3 – Industrial Automation and Control System Culture versus IT Paradigms

Differences in Culture, Philosophy, and Requirements

Considerations in Adapting IT Security Methods to Industrial Automation and Control Systems

IT and Industrial Automation and Control Systems Comparisons from a Standards Perspective

Summary

Review Questions for Chapter 3

References

Chapter 4 – The Continuing Technological Evolution Affecting the Industrial Automation and Control Systems

Important Technological Trends

The Smart Grid and Technological Trends

Mapping of Emerging Technology Issues onto an Example Automation System – The Smart Grid

Summary

Review Questions for Chapter 4

References

Chapter 5 – Risk Management for Industrial Automation and Control Systems

Risk Management

The Insider Threat

Threat Examples Worthy of Note

Summary

Review Questions for Chapter 5

References

Chapter 6 – Industrial Automation and Control Systems Security Methodologies and Approaches

Automation and Control System Security Standards and Guidelines

NIST Special Publication 800-82, Guide to Industrial Control Systems Security

ANSI/ISA-TR99.00.01-2007, Security Technologies for Industrial Automation and Control Systems

North American Electric Reliability Corporation, Critical Infrastructure Protection Cybersecurity Standards

NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems

Department of Homeland Security, Catalog of Control Systems Security: Recommendations for Standards Developers

AMI System Security Requirements

Department of Defense Instruction Number 8500.2, Information Assurance (IA) Implementation

Consolidation of Best Practices Controls for Industrial Automation and Control Systems

Summary

Review Questions for Chapter 6

References

Chapter 7 – Industrial Automation and Control System Security Training

Background

Training Sources and Approaches

Training Support Guidelines

Common Training Subjects

Summary

Review Questions for Chapter 7

References

Chapter 8 – Future Industrial Automation and Control System Approaches and Issues

Automation and Control System Trends

Formal Methods Used to Quantify and Standardize Important Concepts and Applications

Future Smart Grid Issues and Automation Security Issues

Summary

Review Questions for Chapter 8

References

Appendix A – Review Questions and Answers

Glossary and Acronyms

Bibliography

About the Author

RONALD L. KRUTZ, Ph.D., P.E., CISSP, ISSEP

Dr. Krutz is Chief Scientist for Security Risk Solutions, Inc. He has more than thirty years of experience in industrial automation and control systems, distributed computing systems, computer architectures, information assurance methodologies, and information security training. He has been a Senior Information Security Consultant at Lockheed Martin, BAE Systems, and REALTECH Systems Corporation, an Associate Director of the Carnegie Mellon Research Institute (CMRI), and a professor in the Carnegie Mellon University Department of Electrical and Computer Engineering. He was also a lead instructor for (ISC)² Inc. in its Certified Information Systems Security Professionals (CISSP) training seminars. Dr. Krutz founded the CMRI Cybersecurity Center and was founder and Director of the CMRI Computer, Automation and Robotics Group.

He coauthored the CISSP Prep Guide for John Wiley and Sons and is coauthor of the Wiley Advanced CISSP Prep Guide; the CISSP Prep Guide, Gold Edition; the Security + Certification Guide; the CISM Prep Guide; the CISSP Prep Guide, 2nd Edition: Mastering CISSP and ISSEP (Information Systems Security Engineering Professional); the Network Security Bible; the CISSP and CAP (Certification and Accreditation Professional) Prep Guide, Platinum Edition: Mastering CISSP and CAP; the Certified Ethical Hacker (CEH) Prep Guide; Cloud Computing Security; and Web Commerce Security. He is also the author of Securing SCADA Systems and of three textbooks in the areas of microcomputer system design, computer interfacing and computer architecture. Dr. Krutz has seven patents in the area of digital systems and has published more than 30 technical papers.

Dr. Krutz also serves as consulting editor for the John Wiley and Sons Information Security Certification Series and is a Senior Fellow of the International Cyber Center of George Mason University.

Dr. Krutz holds B.S., M.S., and Ph.D. degrees in Electrical and Computer Engineering and is a Registered Professional Engineer in Pennsylvania.

Foreword

Why should we care about the security of industrial automation and control systems? Surely these systems are isolated, segmented, and already well protected. After all, they control manufacturing plants, oil refineries, power plants, and other elements of our critical infrastructure. We know that we can’t just casually saunter through the main entrance of a pipeline control center or power plant without the proper credentials … but without adequate automation system security controls, the virtual back door may be wide open to uninvited visitors.

It’s easy to recognize the potential for harm if industrial automation and control systems were to be manipulated by adversaries, and there are real-world scenarios that both demonstrate such capability and make it clear that there are individuals or organizations with the motive. An obvious example is the Stuxnet family of worms, which have targeted control systems including those purportedly used by Iranian organizations for uranium enrichment.

Industrial automation and control systems are a hidden but integral part of our daily lives. Their components include programmable logic controllers (PLCs), programmable automation controllers (PACs), intelligent electronic devices (IEDs), SCADA servers, and remote terminal units (RTUs), which respond with specific output signals based on the commands they receive. A simple example is a PLC that receives an input signal or command from a sensor, such as a temperature sensor on a machine in an industrial production line. When an alarm condition is detected, the output signal might shut down the machine to avoid overheating and potential damage or fire. With the widespread proliferation of computing and network technologies (e.g., high bandwidth wireless technology and broad availability of the public Internet), a natural evolution has been the development of software systems to monitor, control, and manage critical infrastructure and manufacturing systems.

So how do we figure out what the next Stuxnet, Duqu, Flame or other malicious code that targets industrial control systems might be capable of? What other threats to industrial automation and control systems exist (or may exist in the future) that our critical infrastructure might be vulnerable to, and what can we do about them?

To help answer these questions, Dr. Krutz describes the conditions that expose our critical infrastructure to network-based threats, and presents a method for identifying, prioritizing and mitigating the associated risk. Dr. Krutz seamlessly fuses his deep knowledge of information security risk management techniques with his impressive engineering experience to articulate a readily actionable approach to improving the confidentiality, integrity and availability of industrial automation and control systems through effective risk management.

This book is a compelling eye-opener for organizational leaders and a must read for anyone involved in the management, engineering, or operation of any aspect of our critical infrastructure.

Johnathan Coleman

Principal, Security Risk Solutions Inc.

Preface

Industrial Automation and Control System Security: A Component of a Nation’s Critical Infrastructure

As defined by ANSI/ISA-99.00.01, industrial automation and control systems (IACS) include (but are not limited to) distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition (SCADA) systems, networked electronic sensing and control, and monitoring and diagnostic systems.

A SCADA system provides the ability to obtain information from remote installations and to send limited control commands to those installations. Industrial control systems (including DCSs, PLCs, and intelligent electronic devices) comprise real-time elements that control critical industrial processes in a wide variety of applications.

Before the advent of local area networking, computer-based industrial automation and control systems were generally isolated from the outside world and used their own proprietary communication protocols. Eventually, as networking technology improved, interconnectivity among plants and other corporate units emerged as a way of obtaining increased knowledge of plant operations and more efficient management of resources.

With the maturation of the Internet and browsers, the TCP/IP protocol and Ethernet LANs found their way into supervisory control and data acquisition systems as well as process and manufacturing plant control systems.

In addition, computing platforms such as PCs running Windows were adopted for reasons of lower cost and standardization. However, with these advantages came the disadvantages of vulnerabilities and exposure to threats that plague these platforms.

There is also an emerging trend in many organizations toward consolidating some overlapping activities in IACS and corporate IT systems. This trend is motivated by the cost savings achievable by avoiding the use of disparate platforms, networks, software, and maintenance tools and by an increased capability to run the total organization more efficiently and effectively.

An important issue associated with the merging of these two systems is that, in many cases, both IACS and corporate IT environments use the same security model. This overlap introduces the possibility of the corporate Internet connection exposing critical operations to additional threats and compromising the real-time, deterministic requirements of plant control systems. The emergence of the Stuxnet worm, aimed specifically at PLCs that transmit and receive real-time control bits, highlights the sophisticated threats that exist today and the critical need for IACS-optimized system security methods. Follow-up malware such as the Flame or Flamer virus that have appeared portend a trend of future attacks on these critical systems.

This book develops a novel approach to securing industrial automation and control systems by generating applicable, useful, protection principles through the merging and adaptation of the best industrial and governmental standards and practices.

Chapter 1

Industrial Automation and Control System Fundamental Concepts

The material in this chapter provides basic coverage of industrial automation and control system components and terminology, including supervisory control and data acquisition (SCADA) systems and distributed control systems (DCSs). However, because the focus of this book is the security of these systems, this chapter is not designed to be a comprehensive tutorial on industrial automation and control systems. The material assumes that the reader is familiar with these systems and communications terminology.

Note that the term DCS is also used to refer to digital control systems, but, unless otherwise stated, in this book DCS will denote a distributed control system.

Industrial Automation and Control Systems

Over the years, as industrial automation and control systems have evolved into distributed control systems and SCADA systems, the associated terminology has meant different things to different people. Control engineers, software engineers, plant personnel, and management have attached different meanings to commonly used terms such as distributed control systems, industrial control systems (ICSs), supervisory control systems, and SCADA systems.

This situation has been further complicated by the migration from relay logic, to programmable logic controllers (PLCs), to microcomputers, to the use of local area networks, Windows platforms, standard buses, and so on.

To establish a solid foundation for the material in this book, the definitions from ANSI/ISA-99.00.01-2007¹ and NIST Special Publication 800-82² will be used.

ANSI/ISA-99.00.01 defines industrial control systems, distributed control systems, PLCs, and SCADA systems as belonging to the class of industrial automation and control systems (IACSs). Specifically, ANSI/ISA-99.00.01 states that an industrial automation and control system is:

A collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process. These systems include, but are not limited to:

a. industrial control systems, including distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition (SCADA), networked electronic sensing and control, and monitoring and diagnostic systems. (In this context, process control systems include basic process control system and safety instrumented system [SIS] functions, whether they are physically separate or integrated.)

b. associated information systems, such as advanced or multivariable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant information management systems.

c. associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.

NIST SP 800-82 defines an industrial automation and control system as a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other control system configurations, such as skid-mounted programmable logic controllers (PLCs) often found in the industrial sectors and critical infrastructures.

In this text, the ANSI/ISA-99.00.01 terminology and definitions will take precedence over others where there are differences.

SCADA Systems

ANSI/ISA-99.00.01 defines a SCADA system as a type of loosely coupled distributed monitoring and control system commonly associated with electric power transmission and distribution systems, oil and gas pipelines, and water and sewage systems. NIST SP 800-82 describes SCADA systems as:

Highly distributed systems used to control geographically dispersed assets, often scattered over thousands of square kilometers, where centralized data acquisition and control are critical to system operation. They are used in distribution systems, such as water distribution and wastewater collection systems, oil and natural gas pipelines, electrical power grids, and railway transportation systems. A SCADA control center performs centralized monitoring and control for field sites over long-distance communications networks, including monitoring alarms and processing status data.

ANSI C37.1³ defines SCADA as a system operating with coded signals over communication channels to control remote terminal unit (RTU) equipment. The supervisory system may be combined with a data acquisition system by using coded signals over communication channels to acquire information about the status of RTU equipment for display or for recording functions.

A SCADA system comprises both hardware and software, and the classical SCADA system model includes the following components:

•Human-machine interface (HMI) – A program that provides the operator with an easy-to-read graphical and textual display of the SCADA system elements. The HMI displays warnings and alerts and supports the operator in analyzing system performance, spotting trends, and changing controls. Some commonly used HMI software packages are Wonderware, RSView, and iFIX. An HMI is typically resident in the master control center as well as on the plant floor.

•Master terminal unit (MTU) or SCADA server at a master control center – A SCADA element at the control center that provides two-way data communication and control of field devices, such as RTUs, PLCs, PACs, and IEDS. Two-way communications between the MTU and field devices are usually low bandwidth and can be implemented through a variety of technologies, including telephone, VHF/UHF radio, spread-spectrum radio, satellite, and microwave.

•Remote terminal unit (RTU) – In a typical application, the RTU serves as a data concentrator and is an interface between the MTU and field devices, such as PLCs, PACs, or IEDs. The RTU gathers information from the field devices and stores it until interrogated by the MTU. Conversely, the RTU receives commands for the field devices and passes these on to be executed. There are some PLCs or PACs that incorporate the functions of the RTU by communicating with the MTU and providing remote data acquisition and control of field devices, such as actuators and pumps.

•Programmable logic controller (PLC) – A PLC is defined as a solid-state control system that has a user-programmable memory for storing instructions for the purpose of implementing specific functions, such as I/O control, logic, timing, counting, three-mode (PID) control, communication, arithmetic, and data and file processing.³ A PLC uses a standard instruction set, such as IEC 61131-3, to implement control logic functions. IEC 61131-3 is a vendor-independent international standard for PLC programming languages for industrial automation. It includes standards for the following PLC programming languages:

–Function block diagram (FBD)

–Instruction list (IL)

–Ladder diagram (LD)

–Sequential function charts (SFC)

–Structured text (ST)

•Programmable automation controller (PAC) – A PAC is similar to a PLC, but has additional capabilities, such as more robust communications, higher-speed processors, integration with organizational databases, and a common development environment for integration of software and hardware components.

•Intelligent electronic device (IED) – IED is a general term for a device that can communicate directly with the MTU or through the RTU and provide direct connections for controlling and polling field equipment, such as actuators.

Classical SCADA systems provide a dependable means of collecting information from multiple RTUs. However, in many current applications, SCADA systems are used in production environments and perform calculations and data analysis in real time on a plant floor, with HMI capabilities. Thus, in many instances SCADA and HMI reside on the same system to perform operations at the equipment level in a real-time data-driven production environment. The discussions in this book are meant to encompass both classical and current SCADA environments.

The SCADA control center serves as the central location for monitoring and analyzing data acquired from the field devices and for sending control commands to these devices. Because of its criticality, in many instances there is a duplicate control center at a backup site connected to the main site by a wide area network (WAN). Additional important capabilities that reside in the control center are archiving historical data, providing operations information to business managers and accounting, and restoring lost data. This type of capability is usually provided by a data historian, a real-time relational database, and a yield accounting system.

The data historian acquires and stores data and provides for prompt recovery of that data, if required. It differs from a real-time database in that the historian only archives information and provides no outputs to other system devices. It offers additional capabilities, such as compressing data to store large amounts of data more efficiently and organizing the data into save-sets, which are histories of the system for specific time periods.

A real-time relational database supports interactive storage and retrieval of detailed contextual information when production processes are involved and can interface with business applications, other databases, forms, and XML files.

A yield accounting system interacts with the real-time relational database, processes plant production data, and generates production accounting information. Typical information provided by a yield accounting system includes:

•Inventory discrepancies

•Material balances in different areas of the plant and for the total plant

•Plant material movement

•Total amount of product made by a particular unit

•Total volume of a finished product shipped to a customer over a specified time interval

For planning and scheduling purposes, condensed versions of production data are transmitted from the yield accounting system to the enterprise resource planning (ERP) system for processing.

SCADA systems can be configured in a wide variety of architectures with various components, depending on the application and other plant and corporate requirements. Figure 1-1 is an example of a SCADA system client-server model that incorporates fundamental SCADA elements. The figure is presented to provide a conceptual view of a SCADA system and is not intended to represent all the various SCADA system architectures that are employed in the field.

Distributed Control Systems

A DCS includes a supervisory controller running on a control server and a number of distributed controllers. The supervisory controller transmits data set points to the remote controllers and acquires data from them. The distributed controllers control process elements by communicating with them over a field-bus-type network based on the information received from the supervisor.

Figure 1-1. A client-server SCADA architecture example

ANSI/ISA-99.00.01-2007⁵ classifies a distributed control system as:

A type of control system in which the system elements are dispersed but operated in a coupled manner.

NOTE: Distributed control systems may have shorter coupling time constants than those typically found in SCADA systems.

NOTE: Distributed control systems are commonly associated with continuous processes, such as electric power generation, oil and gas refining, and chemical, pharmaceutical, and paper manufacture, as well as discrete processes such as automobile and other goods manufacture, packaging, and warehousing.

NIST 800-82⁶ defines a distributed control system as control achieved by intelligence that is distributed about the process to be controlled, rather than by a centrally located single unit.

In a distributed control system, subsystems have their own controller elements to manage local processes and to communicate with an operator console for overall supervisory functions. The individual controllers are integrated and communicate through local area networks. Figure 1-2 illustrates a typical distributed control system. In the figure, the engineering workstation supports distributed system security functions, serves as a development facility, and is used to set alerts and alarm conditions. The operator workstation provides the operator interface and is used by the operator to monitor the distributed control system, sense alerts and critical situations, and conduct system diagnostics.

Safety Instrumented Systems

Safety instrumented systems (SISs) have been widely used in the process industry to maintain a process in a safe condition during a hazardous situation, for example, if critical set points are exceeded or safe operating conditions are breached. SISs are sometimes referred to as safety shutdown (SSD) systems or emergency shutdown (ESD) systems.

ANSI/ISA-84.00.01-2004, Part 1(IEC 61511-1 Mod)⁷ defines an SIS as an instrumented system used to implement one or more safety instrumented functions (SIFs). An SIS is composed of any combination of sensor(s), logic solver(s), and final element(s). The standard also defines an SIF as a safety function with a specified safety integrity level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function. Figure 1-3 illustrates the relationship between safety instrumented functions and other process functions.

Figure 1-2. Example of a distributed control system

An SIS is usually implemented in parallel with conventional control systems to reduce the risks associated with explosive or other dangerous environments.

Figure 1-3. Safety instrumented functions vs. other process functions

[Source: ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod)]

Thus, the proper application of an SIS should be preceded by a formal risk assessment to identify possible threats, vulnerabilities, and likelihoods of occurrence. An excellent guide to risk management is NIST SP 800-39⁸, which takes a global, multitiered approach to risk management, where system risk is one part of a hierarchy of risk management levels. The document is aimed toward IT applications, but many of the principles are applicable to industrial automation and control systems. The document describes the following three tiers of an organization-wide risk management paradigm:

1.Tier 1 – Organization: Establishes and implements governance structures consistent with the organizational mission and goals.

2.Tier 2 – Mission/Business Processes: Designs, develops, and implements mission/business processes to support the mission defined in Tier 1.

3.Tier 3 – Information Systems: Integrates risk management activities into the system development life cycle (SDLC) of organizational information systems and addresses the resilience of organizational information systems.

NIST 800-39 will be discussed in more detail in Chapter 5 of this book.

ANSI/ISA-84.00.01-2004 Part 1(IEC 61511-1 Mod) promotes two important concepts associated with an SIS, namely the safety life cycle and safety integrity levels, and defines these terms as follows:

•Safety life cycle – Necessary activities involved in the implementation of safety instrumented function(s) occurring during a period of time that starts at the concept phase of a project and finishes when all of the safety instrumented functions are no longer available for use.

•Safety integrity level (SIL) – Discrete level (one of four) for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented system. Safety integrity level 4 is the highest level of safety integrity; safety integrity level 1 is the lowest.

Figure 1-4 provides a flow diagram of the SIS life cycle phases and functional safety assessment steps. The clauses cited in the figure refer to clauses in the ANSI/ISA-84.00.01-2004 document.

Industrial Automation and Control System Protocol Summary

A protocol defines the rules for entities to use in communicating with each other. In order to better manage communications and compartmentalize the activities required to establish, maintain, use, and close communication links, high-level models are used. In particular, layered