The Attributer was recently at a client meeting where the conversation turned to the meaning of the term ‘information assurance’ and the scope of its application. Doubt was expressed as to whether the term includes the security and assurance of industrial control systems (ICS), supervisory control and data acquisition (SCADA) and industrial programmable logic controllers (PLCs).
There is a historical problem inasmuch that the development of ICS, SCADA and PLCs, and development of conventional business IT, has progressed along completely separate technological lines. Back in the 1960’s when business computing was emerging there was no similarity between these two technologies. ICS consisted of electromagnetic transducers and relays to control industrial production systems in factories, oil refineries and the like. Then, as information technology developed, ICS became electronic and embraced microprocessor based systems, then moved to utilise standard platforms (first UNIX, then Windows) and during the 80’s and 90’s adopted networking and eventually connected to the Internet itself. ICS developers and engineers did not consider security, whereas the mainstream IT industry has been moving along a path of securing business systems against a variety of emerging threats.
As an example, in the late 1990’s The Attributer visited a small island where there is one power station. It’s a tightly knit community in which everyone knows everyone. We met the Deputy Power Station Manager through some long-time friends from university, and he proudly demonstrated how he could control the power station from his laptop at home. I asked about the security of the system and was met with a blank look on his face. He didn’t even understand the question. It was just a friendly casual chat so we did not pursue it, but it was typical of how that type of ICS was being implemented at that time. Even in the mainstream IT industry, the early remote network control systems, using SNMP v1, had no effective security embedded. Later developments of SNMP have fixed this deficiency.
Today there is a growing awareness in the production engineering industry of the need to secure remote control protocols, particularly following the Stuxnet computer worm, discovered in 2010, which targeted Siemens ‘Step 7’ PLC software, and which reputedly was used to destroy certain Iranian nuclear production facilities. As recently as December 2014 the BBC reported that a blast furnace at a German steel mill suffered “massive damage” following a cyber attack on the plant’s network (http://www.bbc.co.uk/news/technology-30575104).
What is not apparent is that these lessons are being learned and implemented in the emergence of IoT (the Internet of Things). There is a growing market for domestic control systems such as HIVE, which can be used to control domestic heating systems remotely from a smart phone, tablet or laptop. What assurance do we have that security has been given sufficient consideration? STEDIN (http://www.stedin.net) announced in January 2015 that they had just gone live with their IoT developments for managing the Dutch Electricity grid, but no reference has been given as to how this control system is secured. It has recently been published that Samsung smart TVs that have voice activation will capture conversations in the room and transmit them to a central location for language processing. There are many similar developments now being launched, such as Apple’s Homekit, Google’s Nest Labs solution, and the open standard HyperCat. What assurance do we have that these technologies have been adequately secured against the emerging range of threats that the IoT might imply?
The more we see incidents occur, the more the industry will consider the issue, but as always, security is an emergent property that can only be developed with a view of what potential threats actually exist. SABSA thinking can help by ensuring that threat scenarios are considered during the specification of these new technology applications. The inclusion of the attribute ‘process controlled’ would at least mean that the threats are analysed alongside the business opportunities being pursued.