System Integration & Control Systems Design


Tofino Security White Paper ISA-99

July 2012 System Integration & Control Systems Design

Anyone integrating automation technologies these days is well aware of the pressure on the operators of industrial plants to increase productivity, reduce costs and share information in real-time across multiple industrial and enterprise systems. Adding to these business pressures is the growing fear of cyber attack as the world has become aware that the Stuxnet worm was specifically designed to disrupt an industrial process. Operators and engineers are under pressure to isolate automation systems, while at the same time management is asking for greater interconnectedness.

How can you help your company or clients deal with the conflicting requirements of more integration and more isolation? This white paper explains how the ‘zone and conduit’ model included in the ANSI/ISA-99 security standards provides a framework for helping deal with network security threats that arise from both the ‘push for productivity’ and the fear of the next ‘Son-of-Stuxnet’ worm.

Why the ‘Push for Productivity’ has degraded control network security

As corporate networks have converged with industrial control system (ICS) networks, there have been many integration projects where proprietary networks were replaced with commercial-off-the-shelf equipment using Ethernet-TCP/IP technology.

This shift in technology has greatly increased the complexity and ‘interconnectedness’ of control systems. As a result, they now have many of the same vulnerabilities that have plagued enterprise networks. In addition, the controllers in these networks are now subjected to new threat sources that they were never designed to handle.

The result has been a significant increase in the number of plant disruptions and shut-downs due to cyber security issues in the control networks.

The Repository for Industrial Security Incidents (RISI) is the world’s largest database of security incidents in control and scada systems. An analysis of the data from 1982 to 2010 found that the type of incidents affecting control systems breaks down as follows:

* 50% of incidents were accidental in nature.

* 30% of incidents were due to malware.

* 11% of incidents were due to external attackers.

* 9% of incidents were due to internal attackers.

In our study of the incidents included in the RISI database, we see problems arising from three common sources:

Proliferation of ‘soft’ targets

Supervisory control and data acquisition (scada) and ICS devices such as PLCs, DCS controllers, IEDs, and RTUs were designed with a focus on reliability and real-time I/O, not robust and secure networking. Many ICS devices will crash if they receive malformed network traffic or even high loads of correctly-formed data. Also, Windows PCs in these networks that run for months at a time without security patches or antivirus updates, are ever susceptible to new, or even outdated, malware.

Multiple points of entry

Even without a direct connection to the Internet, modern control systems are accessed by numerous external sources. All of them are potential sources of infection or attack and include:

* Remote maintenance and diagnostics connections.

* Historian and manufacturing execution systems (MES) servers shared with business users.

* Remote access modems.

* Serial connections.

* Wireless systems.

* Mobile laptops.

* USB devices.

* Data files (such as PDF documents or PLC project files).

These pathways are underestimated and poorly documented by the owners and operators of industrial systems. As the Stuxnet worm showed us in 2010, these pathways can be readily exploited by malware and other disruptive elements. Stuxnet used at least eight different propagation mechanisms, including USB drives, PLC project files and print servers to work its way into the victim’s control system.

Poor internal network segmentation

Control networks are now more complex than ever before, consisting of hundreds or even thousands of individual devices. Unfortunately the design of many of these networks has remained ‘flat’ with virtually no segmentation. As a result, problems that originate in one part of the network can quickly spread to other areas.

To learn the methods of ANSI/ISA-99 Zone and Conduit Security Model framework for network security improvements through integrated design, implementation, monitoring and continuous improvement, visit http://instrumentation.co.za/+C16783



Credit(s)



Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

World’s first 5G smartphone for ATEX and IECEx zone 1/21
Extech Safety Systems IS & Ex
i.safe MOBILE has launched the world’s first 5G smartphone for ATEX and IECEx zone 1/21. The intrinsically safe mobile device, which was also developed for use in 5G campus networks, offers companies great flexibility thanks to its wide range of possible applications, especially in the automation sector.

Read more...
Inspection system for leak detection in valves in hazardous areas
Extech Safety Systems Valves, Actuators & Pump Control
Leaking valves in industrial plants not only lead to loss, safety risks and possible contamination and pollution, but also result in high economic costs. Therefore, valves in hazardous areas require regular proper inspection and preventive maintenance to ensure their functionality.

Read more...
The time is now for systems integrators
Editor's Choice System Integration & Control Systems Design
Integrators combine sophistication regarding technology innovation with practical, hands-on experience. Collaborating with systems integrators is the means to significant productivity improvement, powered by the convergence of automation and information and operations technology.

Read more...
System integrators are a diverse market
Editor's Choice System Integration & Control Systems Design
System integrators (SIs) combine expertise on emergent technologies with real world experience. Working with SIs, it’s inevitable that at some point someone will say, “We’re not a typical SI.” And in many ways, it’s true. SIs come in all shapes and sizes.

Read more...
Avoiding the pitfalls of PLC and scada control system integration
Iritron System Integration & Control Systems Design
Upgrading your control system by integrating PLCs with scada systems should be a simple seamless process. Regrettably, the industry is plagued with control system integration and upgrade myths and misconceptions that can lead to liability issues, project delays, cost overruns and decreased plant performance.

Read more...
EtherCAT measurement terminals for vehicle development at Mercedes-Benz
Beckhoff Automation System Integration & Control Systems Design
At the Mercedes Technology Centre plant in Sindelfingen, Germany, car axles are examined with the highest precision on four test benches, in parallel with road tests and simulations. All data is acquired using PC-based control from Beckhoff.

Read more...
Loop signature 23: Tuning Part 2.
Editor's Choice System Integration & Control Systems Design
It is my opinion that most tuning methods are very crude. They do of course also offer a starting point for tuning if one is not fortunate enough to have a sophisticated tuning package like a Protuner around.

Read more...
PIC microcontrollers with integrated FPGA features in TME
System Integration & Control Systems Design
The new PIC16F131xx microcontrollers in TME’s offering from Microchip are ideal for the evolving and miniaturising electronic equipment market, offering efficient power management and predictable response times for controllers.

Read more...
Five smart machine trends you need to know
Adroit Technologies System Integration & Control Systems Design
The last ten years have brought about dramatic advances in technologies that OEMs had never realised would affect their designs or the saleability of their machines, much less impact business models and profits so dramatically. The following discussion will cover key advancements and recommendations all OEMs should be adopting in their design processes to stay current and competitive.

Read more...
36 years of innovation and success
SAM Systems Automation & Management Editor's Choice System Integration & Control Systems Design
Systems Automation & Management was established in 1988 at a time when there were no other systems integrators (SIs) in the process business. SA Instrumentation & Control’s editor caught up with managing director, Claudio Agostinetto to find out more about how this thriving company has prospered over the last 36 years.

Read more...