How to avoid a Stuxnet of your own
As industrial control systems become networked, IT security becomes a pressing issue
- By William Jackson
- Jun 10, 2011
The use of standardized IP technology in the industrial control systems that underlie the nation’s critical infrastructure has introduced new vulnerabilities, highlighted by the appearance in 2010 of the Stuxnet worm.
Although Stuxnet apparently is targeted at a specific piece of equipment being used for a specific purpose, it illustrates the need to adequately secure these networked systems against intentional attacks and accidents.
The National Institute of Standards and Technology has published guidelines for this in Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security.
Stuxnet reveals vulnerabilities in industrial controls
The publication provides guidance on securing ICS, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC). It includes an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.
“These control systems are vital to the operation of the U.S. critical infrastructures that are often highly interconnected and mutually dependent systems,” the publication states. Although the majority of such systems are privately owned and operated, they also perform critical functions for agencies, including supporting air traffic control operations.
The evolving nature of industrial control systems over the past decade has focused attention on them as a specific area of risk.
“Initially, ICS had little resemblance to traditional information technology systems in that ICS were isolated systems running proprietary control protocols using specialized hardware and software,” NIST says in publication.
But as ICS adopt IT solutions to improve connectivity and allow remote access, “they are starting to resemble IT systems,” the report says. “This integration supports new IT capabilities, but it provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems.”
SP 800-82 grew out of work on an earlier NIST publication, SP 800-53, “Recommended Security Controls for Federal Information Systems,” originally published in 2005. An appendix on ICS security was added to that document in 2006. Earlier drafts of SP 800-82 were released in 2007 and 2008.
Although most controls specified for federal information systems in SP 800-53 apply to industrial control systems, some require ICS-specific adaptations or guidance. NIST has said that because of quickly changing ICS security landscape it is planning to again update the current document next year.
NIST identifies three broad categories of threats to industrial control systems:
- Intentional attacks.
- Unintentional consequences or collateral damage from malware or control system failures.
- Unintentional consequences from internal activities such as inappropriate testing or unauthorized system configuration changes.
Stuxnet is the most recent intentional attack cited in the document, and is the first worm to specifically target such systems.
Stuxnet is being described as the first cyberweapon, because of its ability to leverage IT system vulnerabilities to produce physical damage to a targeted system. Its authors have not been identified, but it appears to target specific Siemens controllers used in Iraqi uranium processing facilities.
NIST recommends a layered defense-in-depth strategy that addresses security throughout the ICS lifecycle, from architecture design through decommissioning. It includes security policies and training and isolating critical communications in the most secure and reliable layer. There should be physical and logical separation between corporate and ICS networks, with redundancy built into several networks avoid single points of failure.
ICS user privileges should be restricted, with separate authentication from the corporate network, using strong authentication techniques including Personal Identity Verification cards.
William Jackson is freelance writer and the author of the CyberEye blog.