Control System Security Overview
Control systems monitor and control industrial infrastructures and facilities, including electric, water, and oil and gas pipelines, among others. The type of system deployed depends on the needs of the facility, in particular whether it requires continuous measurement or only simple notification.
Types of Control Systems
Distributed control systems (DCS) are geographically local control systems used in power generation facilities, refineries and water treatment plants. A DCS provides engineers with constant feedback on system status via analog input/output (I/O); engineers can then make adjustments as required. For example, a DCS can be set up to issue an alarm when a subsystem reaches a predetermined temperature.
Programmable logic controllers (PLCs) are also geographically local control systems that, unlike DCSs, use discrete input, which in simplest terms is either on or off. PLCs are used on assembly lines and in industrial facilities. For example, a PLC may be used to alert an operator that assembly of a car component has completed. Like DCSs, PLCs use high-speed communications.
Supervisory Control and Data Acquisition (SCADA) systems, unlike DCS- and PLC-controlled systems, are much more widely distributed. SCADA is essentially a system in which data is collected from a process in order to control it. Using Local Area Networks (LANs), SCADA installations can cover hundreds or thousands of miles. They are used in water utilities, oil and gas pipelines and electric utilities, among others. The components of a SCADA system are the SCADA control centers and the systems that they monitor. Control centers constantly monitor other systems or field sites, collecting data and keeping track of system status. If an event occurs, the control center can trigger an alarm, alert an operator, or take whatever other action it is designed to take in response to the event.
Energy Management Systems are actually a type of SCADA system designed to monitor and control power systems. They are generally connected to the SCADA LAN.
Brief History of Control Systems
Prior to the 1990s, control systems were largely isolated networks whose main 'security' concern was physical. The systems were mostly closed-loop networks that relied upon system-to-system communication. As the year 2000 approached, industry leaders realized they needed to prepare for potential year 2000 (Y2K) issues. As these improvements were made, the industries also began to recognize the cost benefits of interconnecting systems and attached them to networked computer systems. Systems that had mainly been stand-alone were now being connected to corporate networks so that decision makers could get feedback in real or near-real time. The approach did improve efficiency, but it also introduced vulnerabilities that had not previously existed.
Threats to Control Systems
Operating in a more open environment has exposed control systems to the same vulnerabilities that Information Technology (IT) systems initially faced. However, control systems usually run on much older technology that has not been 'hardened' over time as IT systems have. This lack of maturity leaves them open to vulnerabilities that IT systems solved long ago. Attempting to apply IT safeguards to control systems can also have adverse effects: for example, port scanning, commonly used to find open ports on a network, can freeze PLCs. Additionally, there is a lack of knowledgeable resources available to tackle the control system cyber security problem, since most of the available expertise comes from the IT world.
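The port-scanning concern above is also a detection problem: even an authorized IT vulnerability scan that wanders onto the control network can take a PLC down, so the control-network firewall logs are worth watching for exactly that traffic pattern. The following is an added example written for this overview, not code from the page or from any vendor; it assumes a constructed connection-log format, a PLC subnet of 10.2.0.0/24, and Modbus/TCP on port 502 as the only sanctioned traffic, and it flags both a multi-port sweep against one device and any traffic outside the sanctioned port set.

```python
from collections import defaultdict

# Constructed sample of firewall connection-log lines (not taken from the page).
# Format assumed: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>".
# 10.1.1.5 is an HMI polling two PLCs on Modbus/TCP (502); 10.1.9.77 is a
# corporate host sweeping many ports on one PLC, the pattern that can hang it.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=10.1.1.5 dst=10.2.0.10 dport=502 action=allow
2024-01-01T10:00:02 src=10.1.1.5 dst=10.2.0.10 dport=502 action=allow
2024-01-01T10:00:03 src=10.1.1.5 dst=10.2.0.11 dport=502 action=allow
2024-01-01T10:00:05 src=10.1.9.77 dst=10.2.0.10 dport=21 action=deny
2024-01-01T10:00:05 src=10.1.9.77 dst=10.2.0.10 dport=22 action=deny
2024-01-01T10:00:05 src=10.1.9.77 dst=10.2.0.10 dport=23 action=deny
2024-01-01T10:00:06 src=10.1.9.77 dst=10.2.0.10 dport=80 action=allow
2024-01-01T10:00:06 src=10.1.9.77 dst=10.2.0.10 dport=443 action=deny
2024-01-01T10:00:06 src=10.1.9.77 dst=10.2.0.10 dport=502 action=allow
2024-01-01T10:00:07 src=10.1.9.77 dst=10.2.0.10 dport=8080 action=deny
"""

PLC_SUBNET = "10.2.0."     # assumed address prefix of the PLC/DCS field devices
EXPECTED_PORTS = {502}     # assumed: Modbus/TCP polling is the only sanctioned traffic
SWEEP_THRESHOLD = 5        # distinct ports from one source to one device counts as a sweep

def parse_line(line):
    """Split one log line into (src, dst, dport); the leading timestamp is dropped."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"])

def ports_per_pair(log_text, plc_subnet=PLC_SUBNET):
    """Map (src, dst) -> set of destination ports, for PLC-subnet destinations only."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            src, dst, dport = parse_line(line)
            if dst.startswith(plc_subnet):
                ports[(src, dst)].add(dport)
    return ports

def find_port_sweeps(log_text, threshold=SWEEP_THRESHOLD):
    """Return {(src, dst): sorted ports} for sources touching >= threshold ports on one device."""
    return {pair: sorted(p) for pair, p in ports_per_pair(log_text).items()
            if len(p) >= threshold}

def find_unexpected_ports(log_text, expected=EXPECTED_PORTS):
    """Return {(src, dst): sorted ports} for any traffic outside the sanctioned port set."""
    return {pair: sorted(p - expected) for pair, p in ports_per_pair(log_text).items()
            if p - expected}
```

In practice the thresholds and the sanctioned port set would come from an inventory of the field devices, and a hit should page the control engineers before the scan is allowed to continue.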
An attempt has been made at standardizing protection. The North American Electric Reliability Council (NERC) created the Critical Infrastructure Protection standards to address the issue. However, many aspects of the standard are too liberal, allowing individual organizations to decide what is critical and what is not. This lack of rigorous, uniformly applied standards leaves at risk not only an organization's own systems but any systems that interface with that organization's self-identified non-critical components.