Industrial Control System Security - Improving Security Levels

Current state description

Discuss about the Industrial Control System Security.

The term ‘Industrial Control System’ is used to refer to a large number of control systems that are used for assisting industrial production operations. The distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems and other programmable control system are in general referred to be essential components of Industrial Control System’

This particular report is aimed at providing the management of the Pure Land Wastewater Treatment Inc with information about those technological systems, the inclusion of which would help in improving the security levels of the industrial control system currently used by the organization.

Established in 2001, Pure Land Wastewater Treatment Inc, is one such organization that has a significance experience in various aspects of Wastewater Treatment, besides being one of the most well known names in the domain of Biological Fermentation industries and Chemical Manufacturing.

The following diagram depicts the existing industrial control system that Pure Land Wastewater Treatment Inc utilizes on a day to day basis:

Figure 1:  The existing industrial control system of Pure Land Wastewater Treatment Inc

(Source: Reissman, 2014, pp- 9)

As depicted in the diagram, the existing industrial control system can be subdivided into four sections: the Business LAN, the supervisory network, the control system and the field system

The following section of the report provides a brief description of these subsystems:

1. The Business LAN

The employees of the organization have access to this section of the network.  A web server caters to the requests made by the employees and the business service applications can be connected to the internet (Reissman, 2014). However this particular connection is   protected by a firewall.

1. The supervisory network

 The supervisory control and data acquisition or SCADA system remotely monitors and controls the operational functionalities of the organization.

1. The control system

 Efficient human machine interfaces and Inter-Control Center Communications Protocols (ICCP) are utilized for managing the exchange of information between the control system, the   field system and the other facilities of the organization (Reissman, 2014).

1. The field system

The waste water treatment process and the sanitizer feed tank or the COI are remotely controlled remotely by the process control vendor support systems. The internet is utilized for establishing this communication link.

On detailed examination of the existing ICS network, the following weaknesses were identified:

The employees of the organization are capable of connecting to the internet and an internal firewall has been set up for enhancing the security levels of this section of the ICS (Peng et al. 2012).  However, all the business services use this particular LAN connection and thus should have been protected with an external firewall and an Intrusion Detection and Prevention system, which at this point in time is non-existing.

Overview of network weaknesses

The other sections of the ICP are not protected with any security system and thus are vulnerable to a wide range of cyber attacks.

The ICCP protocol is used for maintaining the communication between the control system, the field system and the other facilities of the organization. However, even these communication links are not protected with security system (Estevez,  & Marcos, 2012).

Last but not the least, third party vendors have access to the sanitizer feed tank and the waste water treatment facilities through unprotected, internet based communication channels.

The following section of the report is aimed at providing an insight in to those cyber security threats or vulnerabilities that are associated with industrial control systems.

Sl. No	Threat type	Examples  of  threat
1	Malware  infection  through  intranet or internet sources	1.  Exploitation of the zero day exploits or unknown/ undetected attack that have been launched previously on the system (Allianz-fuer-cybersicherheit.de, 2016). 2.  Attacks on  the external web pages of the organization,  attacks being launched in  form of cross-site scripting ,SQL injection, etc 3.  Limiting the functionalities of the system components by launching untargeted malware attacks.
2	Malware attack through  external hardware devices   and removable media	1. Executable applications might be embedded with malicious codes (Dhs.gov, 2016). 2. USB flash drives used by employees might also be sources of malware attacks (Kaspersky.com, 2016).
3.	Sabotage  or human error	1.  Compromising the security of the system by intentional usage   of unauthorized hardware or software components (Ics-cert.us-cert.gov, 2016). 2.  Incorrect configuration of system components.
4	Intrusion through  remote access	1.  Attacks launched on access points that have been created for maintenance purpose (Rooijakkers  & Sadiq , 2015).
5.	Attacks on control systems  that are  connected to  the internet	1. Attacks   can be launched on control systems that connected directly to the internet.

In order to achieve the compliance with the Chemical Facility Anti-Terrorism Standards or CFATS regulation, the higher management of Pure Land Wastewater Treatment Inc should be abiding by the following regulations:

Appendix [A] to the Chemical Facility Anti-Terrorism Standard, Final Rule:

The Appendix [A] to the Chemical Facility Anti-Terrorism Standard, Final Rule, published in November consists of a list of as many as 300 COI or Chemicals of Interest, besides providing each of their Screening Threshold Quantities or STQ (Dhs.gov, 2016).

Organizations that  holds  any  of these  Chemicals of Interests   at their respective STQ  levels or higher  need  to submit the  Top screen reports  within a period of 60 days (Rooijakkers  & Sadiq , 2015).

Chemical Facility Anti-Terrorism Standards, Interim Final Rule:

The Chemical Facility Anti-Terrorism Standards regulation was published on April 9^th, 2007, as the Interim Final Rule, after considering the information available from the individuals operating in the industries that abide by CSAT regulations, companies, trade associations and numerous other entities (Sadiq & McCreight, 2013).  

The DHS  took the  initiative  of publishing  an appendix that  contained   a list of several Chemicals of Interests  and their corresponding levels, on   storage  of which  an  enterprise would have to submit online Top Screen reports to the  Department of Homeland Security  through  the online Chemical Security Assessment or the CSAT  (Dhs.gov, 2016).

 In the light of the discussions made in the above sections of the report,  it  can be concluded  that in order improve the security level of the ICS system and avoid the risks and vulnerabilities that are frequently launched against such  systems,  certain changes must be incorporated  within the said system.  The desired changes have been mentioned in the following list:

The various sub parts  of  the entire network  must be isolated  from  each other , by  the  implementation of VPN  solutions and  firewall (both  internal and external), such that the  attack routes leading to the ICS network  can be avoided (Reaves,   & Morris, 2012).

Threats and vulnerabilities associated with the ICS

Conventional security measures like that of antivirus software modules and firewalls need to be implemented in the periphery of each of these sub-networks.

The internal access for those control processes that lie in the close vicinity of the production environment must be disabled (Galloway & Hancke, 2013).

Secure authentication procedures must be followed for utilizing the remote access facilities (Ics-cert.us-cert.gov, 2016).

 The analysis  of the diagram of network  used  by Pure Land Wastewater Treatment Inc , along with the  consideration  of the ‘ranked subject areas’ available  in the cyber security assessment report,  has lead to  the identification of  the following domains that require improvement:

Information and documentation management process need to be  incorporated within the   existing  system  which  would enhance  the process  of securing  the  enterprise    information (Sadiq  & McCreight,  2013). 

Firewalls need to be implemented at the peripheries of all the sub-sections of the network

Incident response policies have to be implemented (Allianz-fuer-cybersicherheit.de, 2016).

The techniques currently being used for malware detection and monitoring need to be improved (Reaves, & Morris, 2012).

The processes currently being used for controlling remote access to the ICS need to be secured (Galloway & Hancke, 2013).

Conclusion

The report provides a detailed discussion on the industrial control system that is currently being utilized by Pure Land Wastewater Treatment Inc. A schematic diagram of the existing network architecture has been provided in the report, based on which the weaknesses of the existing system have been identified.  Based on the identified weaknesses,  a list of  security treats or vulnerabilities has been provided,  so as  make  the management of  organization aware of  the  attacks  which  might be   launched against the system.

In order to achieve compliance with the CFATS regulations, Pure Land Wastewater Treatment Inc require to abide by two DHS regulations, the details of   which have been provided in the report. The report also provides insight into some technological aspects that need to be implemented within the ICS system. Last but not the least, five such cyber-security domains have been identified, based on the reports generated by the U. S Homeland Security Department,   which require immediate attention for enhancing the level of security of the ICS system.

References

Allianz-fuer-cybersicherheit.de,. (2016). Industrial Control System Security. Allianz-fuer-cybersicherheit.de. Retrieved 19 March 2016, from https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS_005E.pdf?__blob=publicationFile&v=2

Dhs.gov,. (2016). CFATS Covered Chemical Facilities | Homeland Security. Dhs.gov. Retrieved 19 March 2016, from https://www.dhs.gov/cfats-covered-chemical-facilities

Estevez, E., & Marcos, M. (2012). Model-based validation of industrial control systems. Industrial Informatics, IEEE Transactions on, 8(2), 302-310.

Friedland, B. (2012). Control system design: an introduction to state-space methods. Courier Corporation.

Galloway, B., & Hancke, G. P. (2013). Introduction to industrial control networks. Communications Surveys & Tutorials, IEEE, 15(2), 860-880.

Ics-cert.us-cert.gov,. (2016). Overview of Cyber Vulnerabilities | ICS-CERT. Ics-cert.us-cert.gov. Retrieved 19 March 2016, from https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities

Kaspersky.com,. (2016). Retrieved 19 March 2016, from https://media.kaspersky.com/en/business-security/critical-infrastructure-protection/Cyber_A4_Leaflet_eng_web.pdf

Peng, Y., Jiang, C., Xie, F., Dai, Z., Xiong, Q., & Gao, Y. (2012). Industrial control system cybersecurity research. Journal of Tsinghua University Science and Technology, 52(10), 1396-1408.

Reaves, B., & Morris, T. (2012). An open virtual testbed for industrial control system security research. International Journal of Information Security,11(4), 215-229.

Reissman, L. (2014). Pureland Cyber Secrity Assessment.

Rooijakkers, M., & Sadiq, A. A. (2015). Critical infrastructure, terrorism, and the Chemical Facility Anti-Terrorism Standards: the need for collaboration.International Journal of Critical Infrastructures, 11(2), 167-182.

Sadiq, A. A., & McCreight, R. (2013). Assessing the Chemical Facility Anti-Terrorism Standards after 5 years: achievements, challenges, and risks ahead. Journal of Homeland Security and Emergency Management, 10(1), 387-404.