Cybersecurity is becoming an increasingly thorny concern for those running automation and control networks. With the proliferation of plant networks matched by the growing Internet of Things and wireless everything, security has become a major issue. Plant employees routinely connect to the automation network with smartphones and tablets while they plug USB sticks into plant PCs. So far, security technology is stuck with authentication as its major wall against cyberbarbarians, who keep learning new ways to crack authentication.
The challenge for plant operators is to stay half a step ahead of the security threat - and that threat is learning all the time. "You have to stay ahead of the bad guys. It's a management discipline," Andrew Ginter, vice president of industrial security for Waterfall Security Solutions, told us. "You address the problem by hardening the parameter, the physical parameter, as well as the cyberperimeter." In other words, you have to know who's walking into your plant and who's connected to it.
Smartphones and tablets have become ubiquitous in our daily lives. People have become adept at these tools, and they want to use them when they're at work in the plant. Yet these devices are a chink in the armor of security. "The iPhone, the tablet, the bring-your-own-device is challenging," Ginter said. "One of the standard security measures is to cultivate suspicion of every piece of information coming into the system, from a tablet to a flash stick. You have to be suspicious and test it to make sure it's not corrupt."
Plant network engineers have conceded that wireless devices and USB sticks are going to connect to the network. There's no way to ban them. "Some industrial systems require that you use a flash sick, so you can't just outlaw flash sticks." The same goes for phones and tablets. Vendors have developed time-saving apps that plant personnel are eager to use. So security becomes a matter of trust.
The Stuxnet virus
One of the classic examples of trust gone wrong was the June 2010 cyberattack targeting Iran's radium program. The attack was targeted, presumably, by a government agency that wanted to halt the program. The virus was cleverly disguised on USB sticks used on a Siemens Step7 project. The virus came in a compressed zip folder that held a couple thousand files, all with cryptic names. The virus buried itself within these files using a similarly cryptic name. About 1,000 or 2,000 of Iran's centrifuges were destroyed as the worm spun plant processes out of control. Meanwhile, the HMI viewed by plant personnel showed everything was working normally.
Viruses don't always leave fingerprints, so the exact breach in trust at the Iranian plant remains a mystery. "They speculate that the integrator who was working on it carried one of these files to the site and installed it," Ginter said. "It was coming from a trusted provider. That's not an easy problem to solve. The solution is easy to say - trust those who enter your plant - but it's not easy to do. You're at the mercy of those you trust."
Someone walking in with a corrupted flash stick is just one of the many challenges network operators face. "One of the pushbacks we get from customers is remote access. The extreme example is to control a nuclear plant from your cellphone. The issue is you might trust the person using the system, but that doesn't mean you trust the data." The Iranians trusted the vendor, yet the data was corrupt.