New security standards to strengthen supervisory control and data acquisition systems

The security of critical-infrastructure processes, long festering as a thorny issue in securing everything from food and water to energy and transportation, will be getting a boost from proposed standards for industrial controls. 

The US National Institute of Standards and Technology (NIST) fostered the creation of the Process Control Security Requirements forum in 2001. The group issued the first draft of its system protection profile for industrial control systems (SPP ICS) in October. 

"It started out as a group of a dozen end-users," said Keith Stouffer, the forum's chairman and an engineer at NIST. "Now we have about 600 members. It includes everybody from the process control world," he said, such as users, academics, government officials, integrators and suppliers. 

The original group held about 10 meetings and "a bunch of conference calls" seeking input from the 13 critical-infrastructure groups designated by the US Department of Homeland Security, Stouffer said.

Those infrastructure groups include critical civil services such as transportation, food, water utilities, electric power, pharmaceuticals and energy, and typically are large users of process control or supervisory control and data acquisition (Scada) systems. 

"Scada systems were designed around reliability and safety, not security. Now Scada systems are becoming increasingly interconnected with IP networks and have become vulnerable to internet threats," Stouffer said. 

The group initially looked to model its security standards on the work done by the National Information Assurance Partnership, a partnership between the National Security Agency and NIST that administers the common criteria evaluation and validation scheme for trusted systems. 

"There are no other formal languages for specifying security requirements," Stouffer said, adding that the SPP "says what needs to be done, not how you have to address it". 

The SPP requirements address system life-cycle security and were developed by consensus, he said. They will be periodically updated with marketplace feedback.

"It is not a NIST specification. It comes from industry. We are trying to get people to think about security from the get-go when architecting a system," Stouffer said.

The SPP ICS includes security concepts such as defence in depth, or layered security, extending from industrial process sensors and programmable logic controllers (PLC) up through the factory control and enterprise business hierarchy to the internet. 

The process control security issues addressed in the draft SPP ICS mirror security baselines found elsewhere. According to Stouffer they are: 

  • Spoofing countermeasures: To prevent masquerading attacks and to maintain confidentiality and data integrity for PLC and sensor data. 
  • Identification and authorisation: For both users and data, "to make sure the data is authentic" between devices, sensors, PLCs, controllers and up the manufacturing hierarchy, including human users. 
  • Logging and auditing: To provide forensic capabilities if something goes wrong, with time and date stamps. 
  • Encryption: Voluntary encryption for sensitive or private information, where necessary. 
  • Default security: Products need to come secure from the supplier "out of the box" with security turned on by default. 
  • Physical security: To maintain the integrity of the system. 
  • Policies and procedures: To provide for secure management practices.
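To make the first three baselines concrete, here is an added example (not from the article, NIST or the SPP ICS draft) showing how a controller can check that a sensor or PLC reading is authentic before acting on it, and keep a timestamped audit trail of every decision. The shared key, sensor name `flow-01`, sequence numbers and the `ControllerReceiver` class are all constructed for the illustration; the draft does not prescribe any particular mechanism.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key shared by the sensor and the controller. In a real
# deployment it would be provisioned per device and kept in protected storage.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def sign_reading(key: bytes, sensor_id: str, seq: int, ts: float, value: float) -> dict:
    """Sensor side: canonical JSON payload plus an HMAC-SHA256 tag over it."""
    payload = json.dumps(
        {"sensor": sensor_id, "seq": seq, "ts": ts, "value": value}, sort_keys=True
    )
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class ControllerReceiver:
    """Controller side: verify the tag, reject replays and stale readings, audit everything."""

    def __init__(self, key: bytes, max_skew_seconds: float = 5.0):
        self.key = key
        self.max_skew = max_skew_seconds
        self.last_seq: dict[str, int] = {}  # highest sequence number seen per sensor
        self.audit_log: list[str] = []      # timestamped entries for forensics

    def _log(self, now: float, outcome: str, detail: str) -> None:
        stamp = datetime.fromtimestamp(now, tz=timezone.utc).isoformat()
        self.audit_log.append(f"{stamp} {outcome} {detail}")

    def accept(self, msg: dict, now: float) -> tuple[bool, str]:
        # Spoofing countermeasure: a reading without a valid tag is not trusted.
        expected = hmac.new(self.key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            self._log(now, "REJECT", "bad tag (tampered or spoofed)")
            return False, "bad tag"
        reading = json.loads(msg["payload"])
        sensor, seq, ts = reading["sensor"], reading["seq"], reading["ts"]
        # Freshness: a valid but old reading is not accepted either.
        if abs(now - ts) > self.max_skew:
            self._log(now, "REJECT", f"{sensor} seq={seq} stale timestamp")
            return False, "stale"
        # Replay: sequence numbers must strictly increase per sensor.
        if seq <= self.last_seq.get(sensor, -1):
            self._log(now, "REJECT", f"{sensor} seq={seq} replayed")
            return False, "replay"
        self.last_seq[sensor] = seq
        self._log(now, "ACCEPT", f"{sensor} seq={seq} value={reading['value']}")
        return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Constructed scenario: one good reading, one tampered, one replayed, one stale."""
    rx = ControllerReceiver(DEMO_KEY)
    now = 1_700_000_000.0
    good = sign_reading(DEMO_KEY, "flow-01", seq=1, ts=now, value=12.5)
    tampered = dict(good, payload=good["payload"].replace("12.5", "99.0"))
    stale = sign_reading(DEMO_KEY, "flow-01", seq=2, ts=now - 60, value=12.6)
    results = [
        rx.accept(good, now),
        rx.accept(tampered, now),
        rx.accept(good, now + 1),   # same seq presented again: replay
        rx.accept(stale, now + 1),
    ]
    for line in rx.audit_log:
        print(line)
    return results


if __name__ == "__main__":
    demo()
```

The audit log is the "logging and auditing" baseline in miniature: every accept and reject is recorded with a UTC timestamp and the reason, which is what an investigator needs after the fact. The symmetric key is the weak point of such a scheme; per-device keys and a key-rotation procedure belong under the draft's "policies and procedures" item.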

"Certification has only recently been discussed. It hasn't been worked out if certification is useful," Stouffer said. "That will be a marketplace issue. There are issues with certification, like cost." 

The cost of having a commercial software product undergo a common criteria evaluation can be $250,000 and up, according to industry sources. 

A user representative on the forum, Thomas Good of Du Pont, said the new standards would have an impact on the security of industrial processes in "two to three years", as well as on their management. 

"By having a set of products available with configurable security features, end-users can select the appropriate off-the-shelf device and configure its security features to match their risk/impact situation," he said.

"Companies will consider SPP ICS compliant control systems on modernisation projects or new production lines when the risk is sufficiently high. Due to the total cost of replacement, I would not anticipate many companies ripping out and replacing existing control systems." 

Some retraining may be required for plant operations, Good said. "Effective use of new security features will likely require skills not currently found in many process control system managers," he said.

Sources for the additional security knowledge would be the internal IT organisation, more training for process control operators, or bringing in contractors, he said. 

Process control supplier Honeywell International expects to see a ready marketplace for SPP ICS-compliant products. 

"We believe our customers will be adopting these requirements," said Kevin Staggs, a Honeywell control systems planner. Many products already meet some of the requirements, he said. 

"We understand that security is a journey more than a destination. We will be continuing to evolve our products and services to meet the requirements of our customers." He said cost should not be an objection to SPP ICS compliance because the security will be "baked into the system" for the customer to configure.

Mark Willoughby writes for Computerworld