
Industrial Control Systems: A Primer for the Rest of Us

Abstract
In the current turbulent landscape of cybersecurity for industrial
control systems (ICS), system owners struggle to protect systems that
were never intended to be interconnected. This white paper presents
a balanced, informed primer for cybersecurity practitioners, C-level
executives and vendors. It scopes the threat environment, presents
similarities and discusses special considerations for ICS to provide an
overview of the concepts and issues related to these systems.

www.isaca.org/cyber

INTRODUCTION

The current landscape for cybersecurity of industrial control systems (ICS) is best described as turbulent, as system owners struggle to protect systems that were never intended to be interconnected. The systems have long existed in many industrial and manufacturing settings, but were traditionally isolated. Technological advances and convergence with traditional information and communications technology (ICT) necessitate unparalleled governmental involvement and an increase in information sharing. Despite high-profile incidents, barriers still exist today. These barriers hinder significant advances in ICS cybersecurity.

This white paper was researched and written to present a balanced, informed primer for cybersecurity practitioners, C-level executives and vendors alike. It scopes the threat environment, presents similarities and, where appropriate, discusses special considerations for ICS. Significant effort was made to limit use of the word “differences” when discussing cybersecurity considerations for an ICS vs. a traditional IT infrastructure. This decision not to focus on the dissimilar levels of maturity between the two arises from the recognition that it was not that long ago that modern-day IT networks were new themselves. It was not too long ago that businesses struggled to spend money just to introduce technology. Technology has undoubtedly positively affected business earnings, regardless of industry. Even modern IT networks that employ the most sophisticated of controls are compromised.

Stuxnet’s 2010 discovery by antivirus vendor VirusBlokAda1 revealed certain fallibilities surrounding ICS, and Stuxnet caught many off-guard and created a tremendous demand for engineering expertise.2 Cybersecurity incidents have become more frequent and attack vectors have expanded in the brief period since the first dot-com top-level domain was registered on 15 March 1985, a mere three decades ago.3 Is all the media attention afforded to breaches and vulnerabilities just hype? Doubtful. Headline stories such as those about Stuxnet, Duqu and Flame serve as constant reminders for vigilance about vulnerabilities and attack vectors, yet media coverage can excite emotions already known to influence consumer behavior.4 Similarly, many are getting rich in what could be described as an arms race to fight a losing battle. Thirty minutes of searching in one’s favorite browser makes it clear that disagreement between ICS and IT cybersecurity camps is as plentiful as malware traversing the Internet.

Cybersecurity professionals across the globe are in the daunting position of consistently having to play defense, especially in converged environments. Budgets are continually manipulated to accomplish more with less, yet in 2015 global cybersecurity spending is forecast to exceed US $79 billion.5 Is it enough? No. Research reveals massive quantities of educational material and discussion in the form of blogs, books, standards and publications—not unlike the mountain of knowledge surrounding IT. Many dedicated individuals selflessly contribute to tasks aimed at advancing the security posture of critical infrastructure.

1 Kaspersky, Eugene; “The Man Who Found Stuxnet—Sergey Ulasen in the Spotlight,” Nota Bene, 2 November 2011, http://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/
2 Roberts, Paul; “Security Firms Scramble for SCADA Talent after Stuxnet,” Threatpost, 8 October 2010, http://threatpost.com/security-firms-scramble-scada-talent-after-stuxnet-100710/74562
3 Abell, John C.; “March 15, 1985: Dot-com Revolution Starts With a Whimper,” Wired, 15 March 2010, www.wired.com/2010/03/0315-symbolics-first-dotcom/
4 Murray, Peter Noel; “How Emotions Influence What We Buy,” Psychology Today, 26 February 2013, www.psychologytoday.com/blog/inside-the-consumer-mind/201302/how-emotions-influence-what-we-buy
5 Kovacs, Eduard; “Global Cybersecurity Spending to Reach $76.9 Billion in 2015: Gartner,” SecurityWeek, 25 August 2014, www.securityweek.com/global-cybersecurity-spending-reach-769-billion-2015-gartner

© 2015 ISACA. All Rights Reserved.

Defining Industrial Control Systems

The term “industrial control system,” hereafter noted as ICS (the same acronym is traditionally used for the singular “system” and the plural “systems”), is understood to be those systems that reside in industrial and manufacturing environments. It was not until the early 21st century that attempts were made to standardize language and terms such as process control systems (PCS), distributed control systems (DCS), and supervisory control and data acquisition (SCADA) systems. Before that, the terms were used interchangeably. Occasionally, especially in older articles, one may find references to industrial automation or industrial automation and control systems (IACS).6 In 2008, the US National Institute of Standards and Technology (NIST) released Special Publication 800-82, which defined ICS as “a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as skid-mounted Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures.”7

The European Union Agency for Network and Information Security (ENISA) describes ICS as those systems “used to control industrial processes such as manufacturing, product handling, production, and distribution.”8

Comprehending the breadth of systems inferred by ICS requires looking past both definitions. Within the US, the term “industrial sector” encompasses manufacturing, construction, agriculture, mining and electricity.9 However, ICS encompass far more, especially building automation systems (BAS) that may otherwise be overlooked by those unfamiliar with types of DCS, especially by those who live or work outside the US or are unfamiliar with the subject matter. BAS “monitor and control the environment in commercial, industrial, and institutional facilities.”11

Dr. Michael Chipley’s definition may be more descriptive of the array of systems that can fall under the ICS title: “… physical equipment oriented technologies and systems that deal with the actual running of plants and equipment, include devices that ensure physical system integrity and meet technical constraints, and are event-driven and frequently real-time software applications or devices with embedded software.”10 This elaboration supports the proper characterization of ICS to include BAS. Definitions can unnecessarily constrain thinking, reinforcing the importance of embracing the categorization of ICS as an operational technology (OT), which Gartner defines as “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”12 Information technology (IT), on the other hand, is defined as “the hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form.”13 This high-level distinction may be core to the varying thoughts with regard to securing the two.

6 Macaulay, Tyson; Bryan L. Singer; Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS, CRC Press, USA, 2012
7 Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2011
8 Pauna, Adrian; Konstantinos Moulinos; Matina Lakka; John May; Dr. Theo Tryfonas; Can we learn from SCADA security incidents?, ENISA, 9 October 2013, www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems/can-we-learn-from-scada-security-incidents
9 TeachMeFinance.com, www.teachmefinance.com/Scientific_Terms/Industrial_sector.html
10 Chipley, Dr. Michael; “Cybersecurity,” Whole Building Design Guide, 23 October 2014, www.wbdg.org/resources/cybersecurity.php
11 “Understanding Building Automation and Control Systems,” KMC Controls, www.kmccontrols.com/products/Understanding_Building_Automation_and_Control_Systems.aspx
12 IT Glossary, Gartner, www.gartner.com/it-glossary/operational-technology-ot
13 Glossary, ISACA, www.isaca.org/glossary

Demystifying the ICS Architecture

An ICS contains multiple components that span two broad categories: control and network. Components may appear in multiple systems or may be unique to just one type. The major components in both categories are listed and defined in figure 1. These definitions are from NIST Special Publication 800-82, a source document that is broadly accepted within the industry.

FIGURE 1: ICS Components14

Control Components

Control server: The control server hosts the DCS or PLC supervisory control software that communicates with lower-level control devices. It accesses subordinate control modules over an ICS network.

SCADA server or master terminal unit (MTU): This is a device that acts as the master in a SCADA system. Remote terminal units and PLC devices (described below) located at remote field sites usually act as slaves.

Remote terminal unit (RTU): Also called a remote telemetry unit, an RTU is a special-purpose data acquisition and control unit designed to support SCADA remote stations. It is a field device often equipped with wireless radio interfaces to support remote situations where wire-based communications are unavailable. Sometimes PLCs are implemented as field devices to serve as RTUs; in this case, the PLC is often referred to as an RTU.

Programmable logic controller (PLC): PLCs are small industrial computers originally designed to perform the logic functions executed by electrical hardware (relays, switches and mechanical timer/counters). They have evolved into controllers with the capability of controlling complex processes and they are used substantially in SCADA and DCS systems. Other controllers used at the field level are process controllers and RTUs; they provide the same control as PLCs, but are designed for specific control applications. In SCADA environments, PLCs are often used as field devices because they are more economical, versatile, flexible and configurable than special-purpose RTUs.

14 Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2011

Intelligent electronic device (IED): An IED is a “smart” sensor/actuator containing the intelligence required to acquire data, communicate to other devices, and perform local processing and control. It could combine an analog input sensor, analog output, low-level control capabilities, a communication system, and program memory in one device. The use of IEDs in SCADA systems and DCS allows for automatic control at the local level.

Human-machine interface (HMI): An HMI is software and hardware that allow human operators to monitor the state of a process under control, modify control settings to change the control objective, and manually override automatic control operations in the event of an emergency. It also allows a control engineer or operator to configure set points or control algorithms and parameters in the controller. The HMI displays process status information, historical information, reports and other information to operators, administrators, managers, business partners and other authorized users. The location, platform and interface may vary a great deal. For example, an HMI could be a dedicated platform in the control center, a laptop on a wireless local area network (LAN) or a browser on any system connected to the Internet.

Data historian: Information stored in this database can be accessed to support various analyses, from statistical process control to enterprise level planning.

Input/output (IO) server: The IO server is a control component responsible for collecting, buffering and providing access to process information from control subcomponents such as PLCs, RTUs and IEDs. An IO server can reside on the control server or on a separate computer platform. IO servers are also used for interfacing third-party control components, such as an HMI and a control server.

Network Components

Fieldbus: The fieldbus network links sensors and other devices to a PLC or other controller. Use of fieldbus technologies eliminates the need for point-to-point wiring between the controller and each device. The devices communicate with the fieldbus controller using a variety of protocols. The messages sent between the sensors and the controller uniquely identify each of the sensors.

Control network: It connects the supervisory control level to lower-level control modules.

Communications router: A router is a communications device that transfers messages between two networks. Common uses for routers include connecting a LAN to a wide area network (WAN), and connecting MTUs and RTUs to a long-distance network medium for SCADA communication.

The following three network components are not included in figure 1, as their definitions are undoubtedly well known to readers of this publication. However, their use in ICS may not be quite so familiar, so examples follow:

• Firewalls are useful in managing ICS network and segregation strategies.

• Modems are often used in SCADA systems to enable long-distance serial communications between MTUs and remote field devices. They are also used in SCADA systems, DCS and PLCs for gaining remote access for operational and maintenance functions such as entering commands or modifying parameters, for diagnostic purposes.

• An example of the role of a remote access point is using a personal digital assistant (PDA) to access data over a LAN through a wireless access point, and using a laptop and modem connection to remotely access an ICS system.

Typical ICS implementations exist in the form of DCS or SCADA systems, but hybrids of both, depending on the specific implementation, are found. Simply stated, ICS perform monitoring and control functions. A typical system contains multiple control loops, HMIs, and remote diagnostics and maintenance tools that have been built using network protocols on layered network architectures. The control loops can be “interdependent,” in that variables determined in one loop can set off another, different loop. Supervisory-level loops and lower-level loops operate continuously over the duration of a process, whose cycle times can range from fractions of a second to minutes. The basic operation of an ICS containing these elements is illustrated in figure 2.

FIGURE 2: Basic Operation of ICS (diagram not reproduced; its elements are set points, control algorithms, parameter constraints and process data flowing into the controller; manipulated variables; controlled variables; process inputs; process outputs; and disturbances acting on the process). Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, US Department of Commerce, 2013, figure 2.1. Reprinted courtesy of the National Institute of Standards and Technology. Not copyrightable in the United States.

The key components of the operation of an ICS are defined in figure 3, again with thanks to NIST Special Publication 800-82.15

FIGURE 3: Key Components of Operation of ICS15

Control loop: The control loop consists of sensors for measurement, controller hardware such as PLCs, actuators such as control valves, breakers, switches and motors, and the communication of variables. Controlled variables are transmitted to the controller from the sensors. The controller interprets the signals and generates corresponding manipulated variables, based on set points, which it transmits to the actuators. Process changes from disturbances result in new sensor signals, identifying the state of the process, to again be transmitted to the controller.

Human-machine interface (HMI): Operators and engineers use HMIs to monitor and configure set points, control algorithms, and adjust and establish parameters in the controller. The HMI also displays process status information and historical information.

Remote diagnostics and maintenance utilities: Diagnostics and maintenance utilities are used to prevent, identify and recover from abnormal operation or failures.

15 Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2013

NIST Special Publication 800-82 is the source of these brief descriptions. No discussion of ICS would be complete without at least a basic understanding of the following ICS types and configurations.
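The loop in figures 2 and 3 (set points, controlled variables, manipulated variables, disturbances) is easier to grasp when run. The following is an added example written for this primer, not code from the white paper or from NIST Special Publication 800-82. It assumes a constructed toy process (liquid level in a tank drained at a constant rate), a proportional-integral control algorithm with gains chosen here (kp = 0.3, ki = 0.05), a set point of 5.0, and a step disturbance (extra drain) that begins at cycle 40; none of those values come from the page.

```python
"""Simulation of the basic ICS control loop: sensor -> controller -> actuator
-> process, with set points, disturbances, a controlled variable and a
manipulated variable. Constructed illustration, not NIST or ISACA code."""

from dataclasses import dataclass, field


@dataclass
class TankProcess:
    """Toy process under control (constructed): liquid level in a tank.
    The inlet valve is the manipulated variable (0.0 = closed, 1.0 = open);
    the level reported by the sensor is the controlled variable. A fixed
    outflow drains the tank, and a disturbance adds to or removes from it."""
    level: float = 2.0       # initial sensor reading
    max_inflow: float = 2.0  # inflow per cycle with the valve fully open
    outflow: float = 1.0     # drain per cycle

    def step(self, valve: float, disturbance: float = 0.0) -> float:
        """Advance one cycle: process input (valve) plus disturbance yield
        the next process output, which the sensor reports to the controller."""
        self.level += self.max_inflow * valve - self.outflow + disturbance
        self.level = max(self.level, 0.0)  # a tank cannot hold a negative level
        return self.level


@dataclass
class PIController:
    """Controller hardware (a PLC) running a proportional-integral algorithm.
    Set point and gains are the parameters an operator adjusts via the HMI."""
    set_point: float
    kp: float = 0.3
    ki: float = 0.05
    integral: float = field(default=0.0)

    def compute(self, measured: float) -> float:
        """Turn the controlled variable into a manipulated variable."""
        error = self.set_point - measured
        self.integral += error
        valve = self.kp * error + self.ki * self.integral
        return min(max(valve, 0.0), 1.0)  # actuator limit: valve travel is 0..1


def run_loop(cycles: int = 80, set_point: float = 5.0,
             disturbance_from: int = 40, disturbance: float = -0.3):
    """Run the loop for `cycles` cycles. From `disturbance_from` onward a
    step disturbance (here: extra drain) acts on the process. Returns a list
    of (measured level, valve position) per cycle."""
    process = TankProcess()
    controller = PIController(set_point=set_point)
    history = []
    measured = process.level
    for t in range(cycles):
        valve = controller.compute(measured)            # manipulated variable
        d = disturbance if t >= disturbance_from else 0.0
        measured = process.step(valve, d)               # controlled variable
        history.append((measured, valve))
    return history


def final_error(history, set_point: float = 5.0) -> float:
    """Absolute deviation of the last measured level from the set point."""
    return abs(set_point - history[-1][0])


if __name__ == "__main__":
    hist = run_loop()
    for t in (0, 5, 39, 40, 45, 79):
        level, valve = hist[t]
        print(f"cycle {t:2d}: level={level:5.2f}  valve={valve:4.2f}")
```

Running it shows the two halves of figure 2: the loop settles on the set point from the initial level, the disturbance at cycle 40 knocks the level down, and the controller recovers by holding the valve further open than before. Because the integral term carries the history of the error, the new steady-state valve position differs from the old one while the level returns to the same set point; that is the "state of the process" the sensors keep feeding back.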

Distributed Control Systems (DCS)

DCS control industrial processes within the same geographic location and are integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated subsystems that are responsible for controlling the details of a localized process. They distribute control components, unlike SCADA systems, which are centralized. DCS are used extensively in process-based industries. In many modern systems, the DCS are interfaced with the corporate network to give business operations a view of production. An example DCS implementation is shown in figure 4.

FIGURE 4: Example of DCS Implementation (diagram not reproduced). Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, US Department of Commerce, 2013, figure 2.7. Reprinted courtesy of the National Institute of Standards and Technology. Not copyrightable in the United States.

Supervisory Control and Data Acquisition (SCADA) Systems

SCADA systems consist of both hardware and software and are highly distributed systems used to control geographically dispersed assets where centralized data acquisition and control are critical to system operation. SCADA systems are designed to collect field information and transfer it to a central computer facility so that an operator can centrally monitor or control an entire system in real time. They integrate data acquisition systems with data transmission systems and HMI software to provide a centralized monitoring and control system for numerous process inputs and outputs. They are usually designed to be fault-tolerant systems with significant redundancy built into the system architecture. Control of any individual system, operation or task can be automatic or can be accomplished through operator commands, dependent on system sophistication and setup. A SCADA system general layout is depicted in figure 5.

FIGURE 5: SCADA System General Layout (diagram not reproduced). Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, US Department of Commerce, 2013, figure 2.2. Reprinted courtesy of the National Institute of Standards and Technology. Not copyrightable in the United States.

Programmable Logic Controllers (PLC)

PLCs are computer-based solid-state devices that control industrial equipment and processes. While PLCs are used throughout SCADA and DCS systems, they are often the primary components in smaller control system configurations used to provide operational control of discrete processes such as automobile assembly lines and power plant soot blower controls. PLCs are used extensively in almost all industrial processes. Figure 6 illustrates an example of a PLC control system implementation.

FIGURE 6: Example PLC Control System Implementation (diagram not reproduced). Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, US Department of Commerce, 2013, figure 2.8. Reprinted courtesy of the National Institute of Standards and Technology. Not copyrightable in the United States.

Are ICS really that dissimilar from IT?

The short answer is yes and no. It is true that performance requirements, network architecture and priorities of the cybersecurity triad (confidentiality, integrity, availability) do not align,16 and often components may or may not be difficult to access. On the other hand, there are other aspects that reveal more similarities than may be obvious at first glance. The linchpin may be a major cultural difference. Those who work with ICS are operational people; they understand the purpose and processes of the systems and know the systems down to the device level. They have to, because lives are often at stake. Generally speaking, many IT professionals have a focus that is system, network or task-specific. This compartmentalization is reinforced by many operating system (OS) and software certifications. The intention is not to discount any efforts to distinguish between the two disciplines, but rather to provide additional context where possible to explore similarities or explain distinctions. The following section takes a deeper look at, and sometimes challenges, some of the differences that have been defined between the two technologies.

• Availability—Little can be disputed about the importance of ICS availability. ICS are designed to monitor and respond to abnormal conditions. IT outages affect productivity and customer satisfaction, but, due to the unique roles that ICS often serve, unavailability may jeopardize life, safety, expensive equipment and/or processing plants.

• Change management—It is ironic that NIST’s comparison of the two systems17 made no mention of thoroughly testing changes prior to deployment on an IT system. The notion that only ICS outages must be planned well in advance and changes thoroughly tested is false. Outages to Facebook,18 Bing,19 eBay20 and Google21 reinforce the need for change management. (No reports of death from a system reboot were found in the research for this publication.) Alternatively, people have grown to accept lower IT system up time, likely in part because instabilities in non-*nix environments have led most to freely adopt the three-step troubleshooting technique: Refresh, reload, reboot.

• Access to components—Regardless of technology, authorized technicians are often needed to diagnose, repair and/or replace components. This is prevalent in SCADA systems and BAS. The same can be said for backhaul and even backbone trunks laid underground.

• Communication—Although protocols do vary, they are simply a means for devices to communicate. One way of thinking about this is to compare protocols to spoken languages. Ethernet is like English: Regardless where one is in the world, many can speak it. ICS protocols are proprietary and thus foreign to those outside of the industry.

16 Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2011, table 3.1
17 Ibid.
18 Kincaid, Jason; “Facebook Gives A Post-Mortem On Worse Downtime In Four Years,” Techcrunch, 23 September 2010, www.techcrunch.com/2010/09/23/facebook-downtime/
19 Albenesius, Chloe; “Configuration Change Takes Down Microsoft’s Bing on Friday,” PCMag, 7 December 2009, www.appscout.pcmag.com/security-spyware/271010-configuration-change-takes-down-microsoft-s-bing-on-friday
20 Balza, Melissa; “eBay blames outage on server maintenance,” Prestige Essence, 4 September 2014, www.wslifestyle.com/site/news/ebay-blames-outage-on-server-maintenance/
21 O’Reilly, Lara; “Google suffered a rare but major outage on Thursday,” Yahoo! Finance, 12 March 2015, www.finance.yahoo.com/news/google-appears-down-now-090900626.html;_ylt=A0LEV7kcPwJVIh0AVCQnnIlQ

When asked how long it takes to be proficient with SCADA protocols, most ICS practitioners will respond, “Years.” Yet many who are new to IT can become Network+ or Cisco Certified Networking Associate (CCNA)-certified in a month. As ICS and IT systems continue to converge, one of three things is likely to occur: (1) More Ethernet will be introduced to ICS networks, (2) the industry will embrace and teach this art to larger audiences or (3) a new protocol that achieves what current proprietary protocols do, yet can communicate with Ethernet, will be developed.

• Physical security—Cybersecurity is the protection of digital assets, including hardware and software media.22 The best security for any computer component is to leave it in the box, not connected to a network. Banks do not leave vaults open. Why? Because they are entrusted with safeguarding their customers’ money. The same should hold true for IT and ICS systems. IT systems safeguard intellectual property and a great deal of personally identifiable information (PII), whereas ICS monitor and control some of the world’s most lucrative manufacturing processes and production plants. Access to key architecture must be adequately protected, not only from outsiders, but also from insiders. Good policies, robust technical controls, deeper background checks for privileged users and audits are all necessary components for safeguarding both IT and ICS.

Threat Environment

Cybersecurity professionals across the globe have a daunting role in that they are constantly playing defense. Unlike traditional IT defense, ICS defense requires its security practitioners to face the overwhelming task of defending a critical infrastructure that is full of antiquated technology. According to the SCADA Asia Summit, these systems are typically 10 to 15 years behind the “security curve” of IT used in home and offices around the world.23 Unlike many IT environments, ICS are typically monitored every hour of every day of the year. Challenges are abundant regardless of industry sector. Threat agents and attack vectors do not differ between ICS and IT systems. ENISA and the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have identified and characterized threat agents, as illustrated in figures 7 and 8.

22 ISACA, Cybersecurity Fundamentals Study Guide, USA, 2015
23 Pain, Richard; “The 5 Most Critical SCADA Security Failures,” 7th Annual SCADA Asia Summit, 27-30 January 2015, www.scadasummit.com/redForms.aspx?eventid=1000535&id=389080&FormID=%2011&frmType=1&m=34731&FrmBypass=False&mLoc=F&SponsorOpt=False&utm_campaign=ISG_SIA&utm_medium=ISG_SIA&utm_source=ISG_SIA&utm_content=ISG_SIA&utm_term=ISG_SIA&MAC=ISG_SIA

FIGURE 7: Cybersecurity Threat Agents (figure not reproduced). Source: ENISA, “ENISA Threat Landscape 2014, Overview of current and emerging cyber-threats,” 2014, www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014

FIGURE 8: Incident Threat Actors (figure not reproduced). Source: Timpany, Bob; “ISC-CERT Update,” Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), February 2015

An actor’s motivations ultimately influence the designation of target. Up until now, ICS attacks have typically been attributed to nation-states.24 Multiple events have proven this to be untrue:

1. In 1982, long before ICS were connected to the Internet, a Trojan was inserted into a SCADA system responsible for the Siberian Pipeline, resulting in its explosion.
2. In 1992, a hacker gained unauthorized root level access to the Salt River Project via a modem.
3. Two years later, a malicious insider sabotaged the Chevron Emergency Alert System, which was not noticed until an emergency occurred, jeopardizing the lives of thousands of people.
4. Stuxnet and the data exfiltration of US Department of Defense systems, resulting in significant information disclosure, are modern-day examples.

It is important to note that convergence of ICS with corporate IT systems has significantly increased exposure, due to the tremendous opportunities that IT systems afford. Project SHINE was a 22-month study to see whether researchers could locate any Internet-connected critical control systems. The results were astonishing. Sampling 2.2 million devices, researchers identified 586,997 industrial systems, 13,475 HVAC and BAS, and 204,416 serial-to-Ethernet devices from a staggering 182 manufacturers.26 These interconnections—known and unknown—reveal that ICS are no longer susceptible only to direct attacks, but also are at tremendous risk for collateral effects.

For decades, many believed the air gap to be a viable security measure. Air gap traditionally refers to physically isolating sensitive/secure systems from nonsecure ones, but for this discussion it will be used to mean isolating control networks from the business network and, more specifically, the Internet. The use of air gaps was attractive for two reasons: Digital information cannot cross a physical gap and bad things never get into control systems. Vendor documentation is a great source of highlighting air gaps. Many air-gapped systems are actually connected directly to the Internet, and through corporate networks they were still at risk.25

Many air-gapped systems rely on the use of USB thumb drives. WikiLeaks27 and Snowden28 are powerful reminders of the damage these devices can do. Even if removable devices are not infected, people can extract and disseminate information that was never intended to be shared. Additionally, there are proof-of-concept attacks that demonstrate successful acoustical infections.29 Van Eck phreaking30 is one form of this; it relies on specialized equipment to monitor electromagnetic emanations. Telecommunications signals are susceptible to eavesdropping.

24 Miller, Bill; Dale C. Rowe; “A Survey of SCADA and Critical Infrastructure Incidents,” RIIT ’12, Proceedings of the First Annual Conference on Research in Information Technology, Association for Computing Machinery, 2012, http://dl.acm.org/citation.cfm?id=2380805
25 Byres, Eric; “Unicorns and Air Gaps—Do They Really Exist? Living with Reality in Critical Control Systems,” Automation World, 6 June 2013, www.automationworld.com/security/unicorns-air-gaps-do-they-really-exist
26 Rashid, Fahmida Y.; “Project SHINE Reveals Magnitude of Internet-connected Critical Control Systems,” SecurityWeek, 6 October 2014, www.securityweek.com/project-shine-reveals-magnitude-internet-connected-critical-control-systems
27 Khan, Obaiduzzaman; “US Military Bans Removable Media Again,” The Tech Journal, 13 December 2010, http://thetechjournal.com/tech-news/us-military-bans-removable-media-again.xhtml
28 Schwartz, Matthew J.; “Thumb Drive Security: Snowden 1, NSA 0,” InformationWeek Network Computing, 14 June 2013, www.networkcomputing.com/storage/thumb-drive-security-snowden-1-nsa-0/d/d-id/1110380?
29 TechTarget, acoustical infection, http://whatis.techtarget.com/definition/acoustical-infection
30 Rouse, Margaret; “van Eck phreaking,” TechTarget Search Security, http://searchsecurity.techtarget.com/definition/van-Eck-phreaking

Another threat vector lies in the supply chain. Within the IT industry it is common practice to ship devices with default usernames and passwords. Unlike most ICS, these passwords are user-configurable. Within ICS, user accounts (if they even exist) and backdoors are hard-coded, which prevents local hardening. Specifically, equipment manufacturers have a long history of installing backdoors for ease in troubleshooting remotely.31 Sophos predicts the gap between ICS and IT security will continue to broaden and far more serious flaws will be exposed.32 Figure 9 dissects, by vendor, the 398 ICS-CERT security issues, vulnerabilities and exploits experienced in the early months of 2015.

FIGURE 9: ICS-CERT Advisories Through 12 March 2015
Source: Adapted from Timpany, Bob; “ICS-CERT Update,” Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), February 2015

Additional information can be gleaned from the Open Source Vulnerability Database (OSVDB.org). Figure 10, adapted from the SCADAhacker.com site and built on OSVDB vulnerability trend statistics, is a good representation of the type of data tracked by OSVDB.

31 Zetter, Kim; “Equipment Maker Caught Installing Backdoor Account in Control System Code,” Wired, 25 April 2012, www.wired.com/2012/04/ruggedcom-backdoor/ and Goodin, Dan; “Intruders hack industrial heating system using backdoor posted online,” Ars Technica, 13 December 2012, http://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/
32 Sophos; “Our top 10 predictions for security threats in 2015 and beyond,” 12 November 2014, http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/

FIGURE 10: Vulnerability Trends Through 14 March 2015
Sources: Open Source Vulnerability Database, “Vulnerability Trend Data,” www.osvdb.org, 14 March 2015; SCADAhacker.com, https://scadahacker.com/resources.html#sansics

Cyberattacks against ICS are growing in sophistication. As if this were not enough, a security researcher discovered banking Trojans being packaged as legitimate ICS patches.33 In these instances, ICS are not believed to be targeted for system interruption, but rather to steal financial information.

Mitigation

Security simply cannot be bolted on with any expectation of success. Early attempts by vendors to produce ICS security products and appliances were rightfully met with resistance because the offerings highlighted a profound lack of understanding of the unique operating environment they were built to secure.

Vendors persistently release patches but, as in IT, they take time to develop and make available. (In this context, patch also includes hot fix, maintenance release, firmware updates and software upgrades.) A sampling of the vendors listed in figure 9 revealed a surprisingly high patch availability—greater than 90 percent. In some instances, vendors do include mitigation language encouraging administrators to limit exposure and verify firewall rules. When this language is not provided, ICS-CERT typically publishes similar guidance.

33 Higgins, Kelly Jackson; “Banking Trojans Disguised as ICS/SCADA Software Infecting Plants,” InformationWeek Dark Reading, 8 January 2015, www.darkreading.com/attacks-breaches/banking-trojans-disguised-as-ics-scada-software-infecting-plants/d/d-id/1318542?_mc=RSS_DR_EDT

Unfortunately, just because a patch is available does not mean it can or will be implemented. Then again, if operations can never be interrupted, the patch would likely not even be entertained. Some might argue it is reckless. In these situations, risk assessments are necessary to determine whether any particular patch is a necessary control and, if so, testing must be conducted to ensure it performs as expected and does not adversely affect other components or systems.

Regardless of prevailing opinion, defense in depth is not only good practice, but is paramount. Rarely will any two networks require identical cybersecurity strategies. Business objectives differ, which influences risk appetite. ICS implementations vary, as do risk assessments, so it goes without saying that defense-in-depth architecture strategies will differ. Defense in depth can be implemented using concentric rings, compartmentalization or overlapping redundancy, or any combination thereof.34 Architecture specificity is beyond the scope of this document.

Earl Perkins, Gartner consultant, noted this disconnect in a 2014 report: “As vulnerabilities in SCADA and industrial control system protocols become exposed, exploited and become incidents, CISOs will become responsible for Operational Technology (OT) patch and change management — and will become ultimately responsible for gaps in operational control systems that were never specifically designed with security in mind.”35 That scenario is playing out in many organizations when cross-discipline teams are not leveraged for development and execution of enterprise cybersecurity strategies.

ICS professionals are operationally-minded individuals, similar to the military, who understand the criticality of repeatable processes, preplanned responses and profound familiarity with the network they are charged with maintaining. Many belong to professional associations such as the International Society of Automation (ISA), which reports on its web site a membership in excess of 30,000. Organizations such as ISA (and ISACA) rely heavily on member contributions to support industry professionals with training and education. Research has revealed that a great deal of work has been accomplished to date by individuals who selflessly contribute to creating standards, offer training and hold conferences and help create relevant certifications. ISA’s recent notable achievements in this area include the creation of ISA99, “Industrial Automation and Control Systems Security,” which has become the global industrial cybersecurity standard, the IEC 62443 series from the Industrial Electrotechnical Commission, as well as the ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate, designed specifically for industrial control security and systems professionals.

Many IT departments could learn a great deal from the ICS camp about the importance of accurate inventories and network data flow. Both ICS and IT cybersecurity professionals bring valuable and unique perspectives to the table, and because of their experience in vulnerability management, IT risk and governance, there are tremendous advantages to creating and sustaining cross-functional teams.

Summary

Risk management and governance are paramount, regardless of whether one is charged with defending critical infrastructure, manufacturing plants, building automation or building the corporate network. ICS is no exception. Few can dispute that attempting to secure technology or devices about which one has no technical understanding is intimidating. Comprehensive education, conferences and certifications are not new concepts and should serve the ICS community well.

34 Op cit., ISACA
35 Perkins, Earl; “How to Organize IT/IOT Security for Success,” Gartner, 29 January 2014, www.bayshorenetworks.com/2014/07/bayshore-networks-announces-four-new-scada-firewalls/

ISACA®
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: www.isaca.org/industrial-control-systems
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center

About ISACA

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. The association has more than 200 chapters worldwide. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials.

Disclaimer

ISACA has designed and created Industrial Control Systems: A Primer for the Rest of Us (the “Work”) primarily as an educational resource for security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

ACKNOWLEDGMENTS

Expert Reviewers, ISACA Board of Directors, Knowledge Board and Cybersecurity Task Force:

Manuel Aceves; Rosemary M. Amato; Steven A. Babb; Sanjay Bahl; Neil Patrick Barlow; Garry J. Barnes; Charlie Blanchard; Sushil Chatterji; Robert A. Clyde; Brent Conran; Chase Cunningham; Ramses Gallego; Theresa Grafenstine; Gregory T. Grocholski; Derek Grocke; Tony Hayes; Monica Jain; Phil J. Lageschulte; Debbie A. Lew; Samuel Linares; Anthony P. Noble; Jamie Pasfield; Vittal R. Raj; Marc Sachs; Sidney Sakota; Ivan Sanchez Lopez; Cheryl Santor; Stephanie Schaeffer; Eddie Schwartz; Robert E Stroud; Frank K.M. Yam; Alexander Zapata Lenis.