Dr Terence Love, CEO at Design Out Crime and CPTED Centre; and Mark Ames, Principal Adviser at Hivint
(Note: This paper is the work of the authors and has not been reviewed by or authorised by Hivint and does not represent the views of Hivint.)
Traditional IT folk tend to regard industrial control systems (ICS) as poor in cyber-security terms. They present a real challenge to traditional IT folk. Typically, ICS are Windows and Unix and Linux servers running specialist software applications. That’s reasonably familiar, but these systems are not connected to people or data stores: they’re connected to pumps and switches and relays and valves that open and close, switch off and on.
Often referred to as OT (Operational Technologies), these are the systems that control large important electrical grid infrastructure and manufacturing plants, nuclear power stations, sewage plants, oil and gas plants, water processing systems and the like. Another name for them is SCADA (Supervisory Control And Data Acquisition) systems.
If bad actors can take control of SCADA/OT systems they can create tremendous amounts of long-term damage, and threats to life for large populations: a perfect terrorism scenario.
So shouldn’t the conventional IT security controls and monitoring apply to OT servers and networks? Shouldn’t the operating systems be patched regularly, especially with critically sensitive security patches. That’s industry best practice isn’t it?
This is all true, but these systems are controlling gas pressure in pipelines, heat settings in refineries and chemical plants, radiation levels in nuclear facilities, and the power supply and internet services to your home. Patches can and often do break the applications running on these servers and then things can really get out of hand: think pollution, fires, threats to human life. Sometimes, many thousands of lives could be at risk.
This is a different universe of technology with some similar, but often misleading resemblances to the world of IT. It isn’t about protecting secrets or identities – here people's lives are at risk.
The IT/OT problem
Recently, there has been a significant drive by managers and IT staff to connect OT systems to corporate IT networks and the Internet.
This is known as IT/OT - some might think of it as IDiOT
Traditionally, OT systems have had little need for direct protection against cyber-attacks from the Internet.
Early OT systems were not connected at all to the internet. OT environments typically connect to corporate networks via secure gateways (firewalls) with very limited access, mainly for monitoring tools.
There is no direct access to the internet , but the path is there and could be exploited.
This renders the IT/OT nexus dangerous. The technologies themselves aren't dangerous - rather it is the way they are deployed together and (in)securely managed.
A cultural problem
OT software design and management has its own culture: a unique culture very different to the established IT culture.
The OT culture focuses on major risk consequences including catastrophic failure of industrial systems leading to loss of life. the focus is on maintaining reliability of systems to avoid plant downtime and avoid any system changes that might lead to compromise of reliability or safety.
OT systems are designed and tested to ensure continuous reliability and safety for years. They typically run relatively unchanged and changes are avoided to minimise the risk of expensive or dangerous failures. Many OT systems have older un-patched operating systems - this is often a good thing for reliability and security reasons, compared to the risks of applying changes or reprogramming the OT control systems.
OT folks know that the risk of malware getting into their networks is very small compared to IT, but the consequences could be far graver. The US Government officially recommends that no anti-malware software be installed for off-shore drilling platforms. Things are changing and many OT systems now have this protection or are moving towards it.
Culturally and historically, reliability and safety are much more important for OT systems than protection from internet-enabled cyber-attacks. They are intentionally kept separate from the Internet and interactions with them are primarily a matter of monitoring rather than control.
Most cyber-security professionals are steeped in the historical IT culture. When reviewing IT/OT systems they often see OT as the primary problem.
IT cyber security people are naturally concerned to discover that some OT control software only runs on one version or build of XP or another deprecated operating system that hasn't been been updated to avoid risk of things not working. Not a big deal in an isolated network, but very scary on a corporate LAN!
We suggest the ways chosen to address OT security issues, are primarily shaped by these cultural differences.
An alternative is to view OT systems as standalone black box systems, and to ensure the whole of the cyber-security is implemented on the IT side - to guarantee the security of the OT systems.
OT systems history
The development and testing of OT and SCADA systems has a history much longer than contemporary Internet-based IT.
The software and hardware technologies of OT and SCADA are more sophisticated than IT systems. This is especially true for logical control units that do the actual switching or valve activation – they are sophisticated in their own way but tend to be single purpose with minimal processing power; there isn’t a lot you can do with them beyond the specific functions they were engineered for.
The process controllers are the target or focus of potential cyber-security attacks – they are typically Windows or Unix servers hosting control and monitoring programs, often with special hardware attached to control the downstream devices. They are managed much differently than their IT counterparts – there is little data storage and most of that is highly structured. Likewise, they have little data communications – at least compared to servers on the corporate LAN.
The reliability requirement of OT and SCADA systems is generally orders of magnitude higher than for IT systems. OT systems are expected to work continuously without significant errors for years. well defined and managed redundancy/resilience arrangements for critical OT systems have been in place for much longer than for IT systems. Likewise, hardware and software refresh cycles for OT and SCADA systems are much longer than for IT systems; it is not uncommon to have remote terminal units operating over a 25 year service cycle, though there is a current move towards shorter refresh cycles of 5-10 years.
From this perspective, the security of OT and SCADA systems is much stronger and more tightly controlled than for IT systems. In cyber security terms, OT systems have much stronger control over system access and changes to the operational environments than corporate IT systems.
Development of OT technology is very mature program. Its origins date back to medieval and earlier times with the Ktesibios water clock in Alexandria around 250 BCE often cited as the first mechanical control system. Mechanical process controllers were regulating temperatures, pressures and the rotational speed of engines well before 1900. OT and SCADA systems for power stations became commonplace in the 1920s and 30s and digital 'computer' based OT systems were deployed from the 1950s. The development of highly secure and reliable networked OT systems emerged in the late 1960s.
The development of corporate network-enabled IT systems is a recent development from the 1990s and until recently had very much less emphasis on security and reliability.
The real IT/OT cyber-security problem
Cyber-security becomes a problem for OT systems when they are connected to IT systems that do not have the same high levels of reliability and security as OT systems.
Corporate systems and networks generally tolerate a degree of crashes, glitches and network errors that would be totally unacceptable in OT and SCADA systems. The significant effort and costs to ensure the security and reliability of OT systems would likewise be totally unacceptable in the corporate environment.
The problem in IT/OT cyber-security is primarily the lower rigour of IT cyber-security practices
Imposing the corporate IT-based perspective of cyber-security onto OT creates a blinkered (and we suggest problematic) perspective on addressing IT/OT security. It too often results in targeting OT for not having 'best practice' IT-based cyber-security practices in place and pushes to impose inappropriate IT-based cyber-security practices into OT system environments.
An alternative is to guarantee appropriate cyber-security at the IT side of any interface gateway with OT/SCADA, and ensure that expectations of reliability and security are maintained in the OT/SCADA managed environment.
In practical terms, trying to impose inappropriate IT cyber-security practices and culture into OT/SCADA environments is likely to reduce the reliability/resilience/security of OT/SCADA systems by introducing a less rigorous approach to securing OT systems .
Take Aways
OT and SCADA development has a mature culture rigorously focussed on "no-fail" operational reliability over years and continuous security of outcomes for very large, very dangerous manufacturing and production systems to avoid incidents that could be disastrous and catastrophic on a national scale.
This contrasts with the culture of IT cyber-security with its business-related reliability and security focus, and its view that stopping the majority of attacks and breaches is good enough to enable businesses to recover from an incident quickly enough to avoid losing too much share value or income for too long.
The obvious way forward for IT/OT cyber-security has two key directions:
- A focus on IT/OT cyber-security on the IT side of IT/OT gateways to manage the cyber-security of external communications to the OT/SCADA environment and maintain the required level of security and reliability for OT/SCADA. This ensures that cyber-security processes are located at the source of risk - the interconnected gateways - and leaves the existing OT/SCADA systems intact and maintains the required high levels of operational reliability and security.
- Include OT security and operations professionals in the development of cyber-security for IT/OT and SCADA systems. Their experience and expertise can be applied to identify OT/SCADA specific cyber-weaknesses that may be potentially overlooked by IT cyber-security developers.
This approach can provide a more appropriate and effective cyber-security development culture for IT/OT and SCADA systems by drawing on the more mature development culture of OT to guide and contribute to the deployment of sound cyber-security practices (and systems) within the OT environment.
This article first appeared on LinkedIn at https://www.linkedin.com/pulse/improving-ot-scada-cyber-security-make-do-work-dr-terence-love/