Bolting on security can have significant unintentional consequences to control systems

Sept. 12, 2018
Bolting on/adding security to legacy control systems may be necessary but it requires a detailed understanding of potential control system interactions which may not be either an IT or OT expertise. Without appropriate understanding, the cure can be worse than the disease.

Control systems are systems of systems that are purpose-built, often with limited computing resources. Control systems were designed to meet safety and reliability criteria which require open, interoperable systems and design requirements addressed expected system interactions. Control systems were/are designed with safety, integrity, and availability (SAI) as key requirements with confidentiality (C) a minor consideration which is inconsistent with the security triad of CIA where C is most important. Often, control systems are designed with features such as hard-coded default passwords that, in hindsight, can introduce cyber vulnerabilities. Without addressing cyber security as part of the design process, such as Bedrock Automation has done, it is difficult to establish a root of trust which is needed for cyber secure systems. Bolting on cyber security tools as an after-thought can have unintended consequences. As an example, patch management is different for a control system than for IT systems where generic Microsoft patches can be applied. Because of this concern, ISA99 has been developing guidance for control system patch management – ISA-TR62443-2-3, Patch Management in the IACS Environment.

A short sampling of problems with bolting on/adding cyber security to the control system environment without adequate control system/system interaction considerations include:

 - multiple cases of manufacturing lines being shut down by using inappropriate (IT) patches

- cyber security tool shutting down a SCADA system

- loss of view and availability of a turbine from a bad patch

- chemical plant shutdown from changing a default password in a substation protective device

Bolting on/adding security to legacy systems may be necessary but it requires a detailed understanding of potential control system interactions which may not be either an IT or OT expertise. Without appropriate understanding, the cure can be worse than the disease.

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...