
We are currently working on a project to implement a security design around our Industrial Automation Networks in the field. These range from gas measurement shacks with a single valve all the way up to multi-train gas processing plants. Since the Stuxnet incident and the 60 Minutes airing that notified the nation of the great dangers in exposing our vital infrastructure to the internet, several regulatory commissions have updated, or are currently working on updating, their requirements around securing this vital infrastructure. Our goal is to beat them to the punch and be prepared for the worst while doing our Control Technicians a favor or two in providing them further isolation from the Enterprise.

In 2002 FISMA (Federal Information Security Management Act) kicked off a lot of these regulations by requiring each government entity to develop requirements to protect their respective systems from cyber attack. Due to this, government agencies have become more and more aware of the threats posed by networked access to critical systems. In my opinion, this eye-opening will spark the proposal of additional regulation to protect these critical systems. In this first article, I’ll cover some common terms and we’ll note some regulatory bodies and any specific regulations already identified…

Acronyms, Lingo, and Definitions

IACS: Industrial Automation and Control Systems – Process Control System utilizing a Distributed Control System or Programmable Logic Controllers and/or Human Management Interface Systems for Operator Assisted Control.

SCADA: Supervisory Control and Data Acquisition – Usually refers to an enterprise-wide or multi-process Operation System. This generally provides screens with updated information giving an overview of the entire system and the ability to make control decisions based on the entire system’s health and capacity.

DCS: Distributed Control System – Centralized, often proprietary, control system with distributed I/O. The process and control logic is performed in a centralized system, while the field I/O is housed on distributed Field Controllers. Integrated HMI.

PLC: Programmable Logic Controller – Networkable Appliance with Ladder Logic for developing State Machines to manage smaller dedicated processes utilizing Discrete and Analog inputs and outputs as well as information from other PLCs.

HMI: Human Management Interface – Anything from something as simple as a button or switch to a touch screen display that allows process monitoring as well as control on a Unit by Unit or Process by Process basis.

OPC: OLE (Object Linking and Embedding) for Process Control – This is usually in reference to the OPC-DA (Data Acquisition) piece of the puzzle. OPC-DA provides one of several versions of an API to allow two dissimilar proprietary systems to exchange I/O or Data Points. Recently these systems are being utilized to tighten down security access to the I/O or Data Points within a Control System, by attaching Credential based Access Control Lists to the reads and writes of these Data Points.

IO: Input/Output – Signals on a wire, where Discrete I/O signifies that the absence or presence of a voltage results in ‘ON’ or ‘OFF’, whereas Analog I/O signifies a variable voltage or current representing a range of predetermined values. This is usually hard wired to the sensor or device the PLC/DCS is driving. It is possible to perform I/O over ethernet within multiple specifications; however, there are very few devices that operate at this level which can leverage ethernet.

Regulatory Bodies


North-American Electric Reliability Corporation Critical Infrastructure Protection : /nerc-cip/

NERC is the regulatory body which maintains the North-American Electric Grid and has issued the CIP mandate requiring documentation of security systems in place to prevent unauthorized breach of both physical and networked systems controlling the electric grid. This also includes a notification procedure for distribution of information to other entities regulated by NERC in the event there is a distributed attack.

First, determine whether the regulation is applicable, which is fairly simple:

  1. Does the generation facility contribute beyond 200 MegaWatt of power to the grid?
  2. Is the site required to be operational in case of black start?
    In some instances, a site may be a significantly smaller power generation facility than is normally mandated as critical. However, because a large critical station may need to jump start its systems from the smaller site’s power in the event of total grid blackout, a contract may have to be negotiated between the larger facility and the smaller facility in order to accommodate the emergency recovery plan of the larger site. As a result, the small ‘black start’ site falls under NERC CIP compliance.
  3. Is the site deemed critical by NERC?

If any of the previous answers is yes, the site falls under NERC regulation. From a network perspective the requirements are condensed as follows (as defined in /CIP-007-1/):

  1. Test Procedures — Develop a test plan, perform it regularly, document its occurrence and the results.
  2. Ports and Services — A Layer-4 device (ex: firewall) should restrict access to only necessary TCP/UDP services, blocking all others. Document policies, occurrence of changes, and deviations.
  3. Security Patch Management — Keep systems within the IACS environment up to date, both firmware and software. Document occurrence and revision.
  4. Malicious Software Prevention — Systems should have malware protection installed and be updated regularly, and possibly inline virus/malware detection (Advanced Firewall features). Document update occurrence and incident occurrence.
  5. Account Management — Access to systems should be limited to work related positions. Define and document policy for use/removal of administrator, shared, and generic accounts with audit trail of use. Passwords should be a minimum of a combination of six alpha-symbol-numeric characters with a minimum yearly expiration.
  6. Security Status Monitoring — Monitor the systems for outage, availability, and threat management. Maintain logs for ninety calendar days. Review noted logs on a recurring basis. Document instance, incidents, process, and procedures around all technical logging and monitoring mechanisms.
  7. Disposal or Redeployment — Develop a plan for preventing possible security breach due to acquisition of security authorization keys and/or configuration from retired equipment.
  8. Cyber Vulnerability Assessment — Perform a self-assessment annually and document occurrence and results.
  9. Documentation Review and Maintenance — Review and update documentation annually.
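
As an added example (not part of the original article and not NERC tooling), the Python below checks constructed sample data against three of the condensed requirements above: Ports and Services, Account Management, and Security Status Monitoring. The service allowlist, the rule and account record layouts, and all function names are hypothetical, and the password rule is one reading of the "six alpha-symbol-numeric characters" wording.

```python
from datetime import date

# Constructed sample data for a hypothetical site; record layouts are assumptions.
DOCUMENTED_SERVICES = {("tcp", 502), ("tcp", 44818), ("udp", 123)}
RULES = [
    {"action": "permit", "proto": "tcp", "port": 502},
    {"action": "permit", "proto": "tcp", "port": 3389},  # not in the documented list
    {"action": "permit", "proto": "udp", "port": 123},
    {"action": "deny", "proto": "any", "port": "any"},
]
ACCOUNTS = [
    {"name": "jsmith", "kind": "individual",
     "pw_changed": date(2011, 1, 10), "audited": True},
    {"name": "operator", "kind": "shared",
     "pw_changed": date(2009, 6, 1), "audited": False},
]

def audit_rules(rules, documented):
    """Item 2: only documented TCP/UDP services permitted, all others blocked."""
    findings = []
    last = rules[-1] if rules else None
    if not last or (last["action"], last["proto"], last["port"]) != ("deny", "any", "any"):
        findings.append("ruleset does not end in deny-all")
    for r in rules:
        if r["action"] == "permit" and (r["proto"], r["port"]) not in documented:
            findings.append(f"undocumented permit {r['proto']}/{r['port']}")
    return findings

def password_ok(pw):
    """Item 5 (assumed reading): at least six characters mixing letter, digit, symbol."""
    return (len(pw) >= 6 and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def audit_accounts(accounts, today):
    """Item 5: yearly password expiration; audit trail on privileged/shared accounts."""
    findings = []
    for a in accounts:
        if (today - a["pw_changed"]).days > 365:
            findings.append(f"{a['name']}: password older than one year")
        if a["kind"] in ("administrator", "shared", "generic") and not a["audited"]:
            findings.append(f"{a['name']}: {a['kind']} account without audit trail")
    return findings

def audit_log_retention(days_retained):
    """Item 6: logs must be maintained for ninety calendar days."""
    return [] if days_retained >= 90 else [f"logs kept {days_retained} days, need 90"]
```

Each function returns a list of findings, so an empty list for every check is the evidence worth filing alongside the documentation the other items call for.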

As you can see, most of this revolves around documentation. They only get specific about Account Authorization and Ports and Services, and it’s not nearly as intrusive as some of the requirements by Sarbanes-Oxley and FERC. And really, even if an entity doesn’t fall under regulation, the requirements are at the very least portions of what most would consider best practice.

US Department of Transportation – PHMSA

Pipeline and Hazardous Materials Safety Administration : /dot-phmsa/

As of yet we have found no formal regulation. It simply is stated that the TSA will provide regulations to promote the security of critical pipeline infrastructure. /pipeline-safety-and-security-report/


Industrial Automation and Control Systems Security : /isa-99-standards/

In Part 2, we will delve into Cisco and Rockwell Automation’s Design Guide around ISA-99 and CIP.