Industrial Cybersecurity: How Much Is Enough?

This article is based on a paper presented at the 2016 AIChE Spring Meeting and 13th Global Congress on Process Safety, Houston, TX, April 2016.

To answer that question, first summarize potential attack scenarios in a matrix. Then identify which combinations of attacks, consequences, and risks require mitigation and which you are willing to accept.

Securing an industrial control system (ICS) is a never-ending process. It is always possible to deploy additional security measures — it’s just a matter of budget. So, where do we stop? How do we know when we have done enough regarding cybersecurity? The traditional answer generally relies on one or more of three factors:

• the assurances of expert service providers
• the belief that regulatory compliance ensures security
• the assumption that because our IT systems are secure, our comparably protected control systems must also be secure.

All of these reasons are misleading.

A real-world example illustrates how these factors can lead us down the wrong path. An industrial site recently retained a penetration tester to confirm that a control system was secure. The industrial network at the site was defended in the same way as the IT network, and the penetration test was started only after the IT security auditors for the business had reviewed the protections at the site and decided that all was in compliance with the relevant regulations. From a corporate workstation, with a few free downloaded tools, the tester was able to penetrate the process control network and demonstrate an ability to manipulate systems inside that trusted network after only five minutes of effort. This is a true story. It was a rude awakening, considering the physical consequences that could result from such manipulations.

So, what happened? IT programs include widely understood security measures, such as firewalls, passwords, encryption, antivirus systems, and security updates. The problem at the example site was that firewalls are designed to establish connectivity from one IT network to another IT network, which is not what process control networks need.

Firewalls are routers with filters trying to distinguish “bad” data packets from “good” ones. Filters are software — software has bugs, and filters can be fooled. Firewalls are hackable and are prone to manipulation and misconfiguration. Once inside the firewalled network perimeter, hunting season is on for the bad guys.

Defense-in-depth IT security programs aim to go beyond firewalls with intrusion detection, incident response, and recovery systems. Intrusion detection systems (IDSs) have a role to play, but they are costly. They need people to monitor them 24/7, and more people to investigate security alerts, both real alerts and false alarms. In addition, IDSs are not foolproof — well-established IDS-evasion techniques are common knowledge among attackers. Furthermore, intrusion detection takes time, and an alert sent after an intrusion has occurred is much too late. Experts debate about how long it takes to detect, respond to, and remediate intrusions on industrial networks, but they are debating the wrong question.

If a stranger walks into a control room, pushes the operator out of their chair, and starts moving the mouse at the operator’s workstation, how long would we let that stranger move the mouse? Ask a controls engineer or operator that question and they will say that it is entirely the wrong question to ask. The real question is not “how long do we give this intruder?,” but “how did this person get in here?” and “what do we need to change, right now, so something like this never happens?”

IT-style, detection-based, defense-in-depth may be the right answer for IT networks, but it is the wrong answer for control system networks. Human lives, lost production, and physically damaged equipment cannot be restored from backup the way IT systems are restored after an intrusion.

The traditional IT toolboxes are filled with defenses that can be bypassed by one offensive measure or another. In the end, nothing is totally secure. Rather, we must change our thinking; Security is a continuum, not an “on” or “off” value. We can always be more secure, and we can always be less secure. This means that no matter how secure a particular network is, there is always some kind of attack that can defeat our defenses. And so we ask again, how much is enough? How high should we set the security...