The latest blog on Digital Bond's website is hacking a Logitech Mouse server. It is a very interesting blog and I learned a lot. However, how does this help us prevent ICSs from going “boom in the night”?
This concern brings me to a new addition to the book (http://www.momentumpress.net/books/protecting-industrial-control-systems-electronic-threats). In the beginning of the book, I describe what constitutes typical plant distributed control systems (DCSs) as well as SCADA and other ICSs. To have the book go full circle, the appendix will include an archetype for a typical DCS upgrade specification, in this case for a large coal-fired power plant. It is based on, and representative of, actual DCS request for proposal (RFP) specifications. Generally, regulated utilities have historically developed (either by themselves or their consultants) very comprehensive DCS specifications ranging from 50-250 pages. These specifications typically address the entire upgrade, including how the DCS directly or indirectly affects all related plant equipment. I have deliberately included the entire specification to demonstrate the technical specificity involved for the non-security part of the upgrade. However, the reader will be able to see the lack of specificity for security. The sections that deal with security are primarily with the Windows-based interface and communication networks. There needs to be security requirements for the field equipment such as transmitters, drives, chemical analyzers, and continuous emission monitoring systems.
In this attachment, I provided comments on all sections I believed could be affected by cyber security considerations. The comments also address issues from actual control system cyber incidents that should be addressed. These were provided to the purchasers to be sent to the DCS suppliers. In cases where cyber security enhancements for the DCS upgrade were not included, end users have experienced actual ICS cyber incidents with varying degrees of impact. Additionally, the standard DCS system logging (forensics) features were unable to identify or record these cyber incidents.
It should be noted that DCS suppliers provide systems to various industries and many also have DCSs qualified for nuclear plant use.
Joe Weiss