Editor's Choice
Analytical Instrumentation & Environmental Monitoring
Data Acquisition & Telemetry
Electrical Power & Protection
Enclosures, Cabling & Connectors
Fieldbus & Industrial Networking
Flow Measurement & Control
Industrial Computer Hardware
Industrial Wireless
IS & Ex
IT in Manufacturing
Level Measurement & Control
Maintenance, Test & Measurement, Calibration
Mass Measurement
Motion Control & Drives
News
Operator Interfaces, Switches & Relays
PLCs, DCSs & Controllers
Pneumatics & Hydraulics
Pressure Measurement & Control
SAIMC
SCADA/HMI
Sensors & Transducers
Smart Home Automation
System Integration & Control Systems Design
Temperature Measurement
Training & Education
Valves, Actuators & Pump Control


Training & Education



Print this page printer friendly version

Security in industrial control systems

January 2009 Training & Education

Eugene Coetzee, ICT consultant: Consultants-Online

Getting back to the basics.

Keywords: [attack vector, backdoor, best practice, control system, denial of service, engineering, exploit, firewall, HAZOP, industrial control, malware, MMP, network, patch, reliability, risk analysis, risk reduction, security, threat, TCO, Trojan horse, trusted system, user privilege, VLAN, virus, vulnerability, worm]

To understand the techniques for securing a computer system, it is important to first understand the various types of threats or attacks that can be made against it.

Abstract

In this paper Eugene Coetzee discusses the types of security vulnerabilities with which modern industrial control systems must contend, the impact of security on system reliability, malware, the differentiation between control systems and IT systems and good engineering practice as an essential element of control system security.

Eugene Coetzee, ICT consultant: Consultants-Online
Eugene Coetzee, ICT consultant: Consultants-Online

Coetzee then discusses risk analysis and risk reduction techniques. The paper includes a detailed case study of an incident at a nuclear plant where a computer virus disabled a safety monitoring system.

Introduction

Modern industrial control systems are implemented on commercial information technology (IT) platforms. The technical challenges that face the IT industry with regard to reliability and security are, therefore, also challenges encountered in control systems.

Although the challenges may be similar in nature due to the common technological building blocks, there are fundamental differences between control systems and IT systems that require a different approach in the way that reliability and security is achieved and sustained.

It has become common practice to adopt security solutions from the IT industry in control systems without due consideration for technical merits or the appropriateness of those solutions. Elaborate or complex security systems may, in fact, degrade the reliability and performance of a control system. It is important that control systems are engineered and managed with reliability and security as a primary objective. In the vast majority of implementations, reliability and security can be achieved through a thorough understanding of the basics principles of IT security combined with good engineering practice in the design, implementation and management of those principles.

Commercial IT platforms

The commercial IT platform is also popularly known as the PC or x86 platform. x86 is the generic name of a microprocessor architecture first developed and manufactured by Intel.

The x86 architecture has dominated the desktop computer and small server markets since the 1980s. The PC has replaced the so called proprietary system of various control system vendors. The IBM PC runs, primarily, the following commercial operating systems:

* Microsoft Windows.

* MacOS.

* Unix-like operating systems including Linux and FreeBSD.

[Reference: http://en.wikipedia.org/wiki/X86].

The majority of commercial IT platforms are inherently insecure by design, default configuration or a combination of the two.

Most computer security techniques focus on external threats, and generally treat the computer system itself as a trusted system. Security experts see this as the cause of much of the insecurity of current computer systems. Once an attack has subverted a part of the system, access to most or all of the features of that system is obtained. Computer systems can be very complex, and many commercial platforms cannot be guaranteed to be free of defects - producing inherently insecure systems.

Industrial Security Incident Database (ISID) records the drastic increase in IT related security incidents affecting industrial control systems
Industrial Security Incident Database (ISID) records the drastic increase in IT related security incidents affecting industrial control systems

The trusted systems approach has been predominant in the design of many software products due to a policy of emphasising functionality and user-friendliness over security.

Vulnerabilities

To understand the techniques for securing a computer system, it is important to first understand the various types of threats or attacks that can be made against it. These attacks can typically be classified into one of the following categories:

* Exploits.

* Denial of service.

* Backdoor.

* Social engineering and human error.

* Eavesdropping.

Continued on the web

For the complete article visit.pdf www.instrumentation.co.za/+c9203

For more information contact Eugene Coetzee, Consultants-Online, +27 (0)18 293 3236, [email protected], www.consultants-online.co.za





Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Mecosa training courses
Mecosa Training & Education
Courses designed for Radiation Protection Officers    This seminar is designed to equip the participants with an understanding of radioactive sources, their application, safe use and what to do in the ...

Read more...
New product releases from SMC Corporation International Training
SMC Corporation South Africa Training & Education
To ensure a smooth transition and integration for learners from education institutes into industry, SMC International Training equipment is designed based on the latest automation technology used in industry.

Read more...
Adapting education to the fourth industrial revolution
Training & Education
In order to establish a firm value proposition for Industry 4.0, it has to start at the FET (Further Education and Training) level, in schools and TVET (Technical, Vocational Education and Training) colleges, at the HET (Higher Education and Training) level, in universities, and all training providers.

Read more...
Automation education and training in South Africa – Part 3: Funding model
SAIMC Training & Education SAIMC
In the final article of this series, we present a possible funding model to achieve the ideas outlined in the previous two parts.

Read more...
Swellendam’s Technology Winter School
Training & Education
On an otherwise ordinary working day during 2015, Wynand Kotzé and Johan Reyneke discussed the ‘challenges’ young people face when making a career choice. They both had children about to finish school ...

Read more...
Customised training solutions
Rascals Automation Training and Solutions Training & Education
Rascals Automation Training & Solutions offers customised solutions for technology in the industrial and domestic markets. Services include customised training solutions based on a full employee skills ...

Read more...
Automation education and training vital for South Africa’s development - Part 1: Our ability to provide the skills of Industry 4.0 is wanting.
SAIMC Training & Education
In the automation industry, the education and training provided at universities and colleges have, for various reasons, drifted away from industry ­requirements. The SAIMC plans to close this gap, whatever ...

Read more...
Reimagining skills development
Rockwell Automation Training & Education
Consider the wider potential application for skilling people beyond the immediate environments of organisations.

Read more...
Online education is coming of age
Training & Education
Hands-on engineering via remote and virtual laboratories and simulation software.

Read more...
An examination of the current qualification options available to student engineers in South Africa
Training & Education
The discussion in this article focuses on the third milestone in a learner’s career, i.e. from education into industry.

Read more...











Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  Hi-Tech Security Solutions
»  Hi-Tech Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd | All Rights Reserved