The Can of Worms Is Open-Now What?

By John Cusimano, Director, Exida Security Services Division
and
Eric Byres, CTO, Byres Security

The recent Stuxnet worm that targeted Siemens HMI and PLC systems (see Worst Fears Realized) highlights the fact that designing a good cyber defense for your SCADA or process control system is no longer an option. While the motivations of the worm's designers are still not clear, the undisputable fact is that this worm was designed to let an outsider gain unauthorized access to control systems using the most widely deployed brand of PLC and SCADA products in the world.

To their credit, Siemens and Microsoft responded rapidly to the Stuxnet threat, and provided a patch to address the vulnerability and a utility to detect and remove the virus. But everyone knows it's always better to prevent a threat than to react to one.

So, how can you protect yourself from the next Stuxnet?

The answer in a sense is relatively simple—develop and maintain a cyber security management program that employs a defense-in-depth strategy. Think of it this way: suppose you lived in a neighborhood that recently saw a large increase in the crime rate. Short of moving, what would you do to protect yourself , your family and your possessions?

The answer probably wouldn't be just one thing, such as patching the hole in the fence. You would probably implement a number of defenses, such as erecting a high fence around your property, installing a surveillance system, upgrading the locks on windows and doors, getting a watchdog, etc.

In addition, you might also implement some "policy" changes around the house: no more leaving the garage door open during the day, or the alarm must be armed whenever you leave the house, etc.

[pullquote]A cyber security program is the same thing. It's combines policies and procedures coupled with technical countermeasures and an ongoing program to monitor, maintain and adapt as necessary. Simply put, cyber security is a risk management issue, so the proper way to address it is with a risk management program. In the real world, there is no such thing as perfect security and no such thing as zero risk. However, a good risk management program will help you assess and mitigate the risk to levels you can live with, i.e. tolerable risk.

Fortunately, there is no shortage of guidance on how to do this. Over the last decade numerous organizations such as ACC, ANSI, API, AWWA, DHS, IEC, ISA, NERC, NIST and WIB, to name a few, have published a variety of standards and best practice documents addressing the subject of control system cyber security.

If you're going to read one standard, we recommend ISA99, specifically ANSI/ISA 99.02.01-2009. It is sector-independent, outlines most everything you need to know to establish a cyber security program at your facility and provides ample references to other sources of information. Of course, if you're in a regulated industry, such as power or chemical, you will also want to read the sector-specific regulatory standards, such as NERC CIP and DHS CFATS.

Security gap analysis

Figure 1. A good security gap analysis has three phases: pre-assessment, on-site data collection, and analysis and reporting.

After you've read the ISA standard (the normative part is only 45 pages long) and other relevant information, we recommend conducting a control system cyber security gap analysis to assess how your current control system and management policies and practices stack up to the standard and other best practices. Such an assessment will provide the organization with a good understanding of where you are, where you need to be, and how to get there. It can also be beneficial in providing necessary documentation to demonstrate to regulators, insurance companies and any other stakeholders that the company is addressing the issue proactively.

Control system security assessments can be performed internally, or by using third-party consultants or a combination of the two. The process itself is straightforward and can be broken down into three phases.

In Phase 1, or the pre-assessment phase, existing information is collected from those responsible for the system. Items such as network diagrams, lists of cyber assets, existing policies and procedures are compiled to provide the assessment team with a basic understanding of the system before they arrive on site.

A Cyber Security Gap Analysis

Phase I – Collect information

Network diagrams
Cyber assets
Existing policies and procedures

Phase II – On-site data gathering

Brief staff
Tour the system
Verify network architecture and traffic flows
Collect information on individual devices
Analyze configurations
- Access control
- Open ports, applications and services
- Status of patches
- Anti-virus tools

Phase III – Analyze data and report on gaps between current and best practices.

Phase 2 is performed on-site and is primarily focused on data-gathering. The assessment team will brief the staff on the process, and physically tour the system. They will verify the network architecture and traffic flows. Then the assessors will visit each networked device to collect basic information, such as make and model, but also to analyze the configuration of each device (access control measures, open ports, applications and services, status of patches, anti-virus tools, etc.) In most cases, phase 2 is performed on an operational production system, so the utmost care must be taken by the assessment team to perform the assessment in a non-intrusive manner.

It is important to note that a control system cyber security assessment is not the same as penetration testing. Pen testing has its place, but should never be performed on an operational control system. The assessment team will also interview key staff during the data-gathering process to better understand the actual procedures that are being followed. Before they leave the site, the assessment team will meet with management to provide a briefing on key observations and initial recommendations.

In Phase 3, the assessment team fully analyzes the data and formally document the results in an assessment report. The gaps between current practices and standards/best practices are documented, and recommendations are identified and prioritized.

When selecting an assessor, look for individuals or organizations with deep knowledge of control and safety systems, risk management, reliability engineering, industrial networking, IT security techniques, knowledge of relevant standards and experience in performing similar assessments. Avoiding companies who provide both consulting services and industrial security products, as they may have a bias towards selling you their solution.

So, whether you view Stuxnet as an unexpected wake-up call or the event you anticipated was coming, there is no doubt that now is the time to establish or review the status of your cyber security management programs and adjust them as necessary.