Control-System Cybersecurity: Staying Ahead of Evolving Threats

The benefits of modern industrial control systems have never been greater. However, as these systems have evolved, the threats to their safe and secure operation have grown. While the return on investment for a complete control-system security audit may be difficult to calculate, the cost of not having a complete plan in place may, if a worst-case condition arises, be impossible to comprehend. A baseline system security image, as a start, allows a vessel owner or operator to understand the security risks.

Introduction

A diving-support-vessel control system suddenly loses position control and begins to drift while the divers below are put in harm’s way. A programmable-logic controller on the vessel’s dynamic-positioning system had entered an error state and flooded the primary and backup control networks with erroneous data, knocking all connected systems offline. Before control is restored, the vessel is 200 m from its station, one diver has been left unconscious on the template bailout, and the other is stranded in the diving bell. The unconscious diver is rescued by his companion from the diving bell once the vessel arrives back on station. Is this a scene from a movie? Unfortunately not; it was a recent, real-world failure. Just as unsettling is the fact that the root cause of the network flooding was never identified.

While viruses, Trojans, worms, and backdoors have been generally associated with Web servers, personal computers, and phones with access to the Internet, serious concerns about cyberphysical attacks on industrial control systems have also been raised—attacks that could result in conditions similar to the loss of positional control just described.

Offshore assets with complex operational capabilities, such as floating production, storage, and offloading vessels; drillships; and semisubmersibles, while not necessarily targets for national-security-based malicious attacks, are nevertheless high-value targets whose compromise may have high-consequence results. Control systems onboard the vessel demand real-time operation, interference with which may result in costly and even life-threatening situations.

Problem

With more and more industrial control systems exposed to external, uncontrolled access for remote upgrades, remote monitoring, and convenience, these systems are often visible to attackers as well. Combine this exposure with the growing use of commodity operating systems that are heavily targeted and often outdated or unpatched, and there is good reason for concern.

Solution

The following six high-payoff steps or practices should be implemented even before a security-baseline and gap assessment has been performed:

  • Network design and implementation—Perform a survey of the control network to ensure there are no undocumented bridges or devices that have been attached.
  • Host configuration—Validate proper user and password control on each system. Validate that all unused ports and services are turned off.
  • Virus and malware protection—Ensure virus and malware scanners are installed and properly configured to detect new and updated files, yet not interfere with real-time operation.
  • USB access—Insertion of USB flash drives is a common avenue for the spread of malicious software. Ensure there is no means for unauthorized physical access to the USB ports on each system. If this is not possible, ensure USB ports have been disabled by operating-system configuration.
  • Extraneous-program removal—Adobe Acrobat, while seemingly a common and benign standard program, has been the avenue for many recent attacks. Ensure all unneeded programs have been removed from the system.
  • Recovery plan—Develop a detailed recovery plan for the network and each device attached.
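The first five practices above can be turned into a repeatable check that is run before the full baseline assessment. The script below is an example added to this synopsis, not code from the paper or from ABS Consulting. The device inventory, the host policy and the host snapshot are constructed sample data standing in for what a switch MAC-table dump, the operating-system service and account listing, and the removable-media policy check would return on a real vessel; the device names, addresses, port numbers and program names are assumptions.

```python
"""Quick-win audit of a control network and one host against its policy.

Added example, not code from the paper: the inventory, policy and host
snapshot below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed: documented control-network inventory, keyed by MAC address.
DOCUMENTED_DEVICES = {
    "00:1b:1b:aa:00:01": "dp-controller-a",
    "00:1b:1b:aa:00:02": "dp-controller-b",
    "00:1b:1b:aa:00:10": "dp-ows-1",
}

# Constructed: what a survey of the switch MAC/ARP tables actually saw.
OBSERVED_DEVICES = {
    "00:1b:1b:aa:00:01": "10.20.0.11",
    "00:1b:1b:aa:00:02": "10.20.0.12",
    "00:1b:1b:aa:00:10": "10.20.0.21",
    "f0:9f:c2:12:34:56": "10.20.0.99",   # not in the inventory
}

# Constructed: policy for the DP operator workstation dp-ows-1.
HOST_POLICY = {
    "allowed_listening_ports": {102, 502, 3389},   # assumed: S7, Modbus/TCP, remote support
    "allowed_programs": {"DPControlHMI", "ModbusDriver", "Antivirus"},
    "allowed_accounts": {"dpoperator", "dpadmin"},
    "min_password_length": 12,
    "usb_storage_disabled": True,
}

# Constructed: snapshot of dp-ows-1 as collected by the survey tooling.
HOST_SNAPSHOT = {
    "listening_ports": {102, 135, 445, 502, 3389},
    "installed_programs": {"DPControlHMI", "ModbusDriver", "Antivirus", "Adobe Acrobat"},
    "usb_storage_disabled": False,
    "accounts": {
        "dpoperator": {"password_set": True, "password_len": 14},
        "dpadmin": {"password_set": True, "password_len": 8},
        "Guest": {"password_set": False, "password_len": 0},
    },
}


@dataclass(frozen=True)
class Finding:
    area: str     # which of the six practices the finding belongs to
    detail: str


def survey_network(documented, observed):
    """Flag devices seen on the wire that the inventory does not document,
    and documented devices that were not seen (moved, replaced or down)."""
    findings = []
    for mac, ip in observed.items():
        if mac not in documented:
            findings.append(Finding("network", f"undocumented device {mac} at {ip}"))
    for mac, name in documented.items():
        if mac not in observed:
            findings.append(Finding("network", f"documented device {name} ({mac}) not seen"))
    return findings


def audit_host(snapshot, policy):
    """Compare one host snapshot with its policy: listening ports/services,
    extraneous programs, USB mass storage, and account/password control."""
    findings = []
    for port in sorted(snapshot["listening_ports"] - policy["allowed_listening_ports"]):
        findings.append(Finding("host-config", f"unapproved listening port {port}"))
    for prog in sorted(snapshot["installed_programs"] - policy["allowed_programs"]):
        findings.append(Finding("extraneous-program", f"unapproved program installed: {prog}"))
    if policy["usb_storage_disabled"] and not snapshot["usb_storage_disabled"]:
        findings.append(Finding("usb", "USB mass storage not disabled by OS configuration"))
    for name, acct in snapshot["accounts"].items():
        if name not in policy["allowed_accounts"]:
            findings.append(Finding("account", f"unapproved account present: {name}"))
        elif not acct["password_set"] or acct["password_len"] < policy["min_password_length"]:
            findings.append(Finding("account", f"weak or missing password on {name}"))
    return findings


def run_audit():
    """Full quick-win audit; returns finding details grouped by practice area."""
    findings = survey_network(DOCUMENTED_DEVICES, OBSERVED_DEVICES) + audit_host(HOST_SNAPSHOT, HOST_POLICY)
    grouped = {}
    for f in findings:
        grouped.setdefault(f.area, []).append(f.detail)
    return grouped


if __name__ == "__main__":
    for area, details in run_audit().items():
        print(f"[{area}]")
        for d in details:
            print("  -", d)
```

The audit is deliberately read-only: it reports the undocumented device, the two extra listening ports, the extraneous program, the enabled USB storage and the two account problems, and leaves remediation to the plan so that nothing is changed on a live control host without coordination with scheduled maintenance.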

Diving Deeper

Industry-recognized security practices reduce risk and make high-consequence situations less likely. For a complex drillship, however, blindly applying general information-technology standards is not only overkill but could also degrade the performance of a system. Imagine an uncoordinated virus scan of a workstation’s hard drive consuming enough of the system’s processor and disk capacity to undermine deterministic, real-time control. Therefore, purpose-built security assessments are required, providing a detailed review of the rig’s control-system networks, their topology and devices, and the system/software-maintenance plan from a control-system perspective.

A review of the baseline system security image, a threats assessment, a gaps review, and a risk assessment are performed where the entire system is scored from a security perspective. Reviews of security policies, patch-management plans, enabled ports and services, account management, security-layer adequacy, and recovery planning (including recovery testing) are conducted, and results are compared to industry standards and best practices. These results are compared to historical records and against other assets. Any serious gaps are noted, prioritized, and monitored for remediation. A picture of the overall process is shown in Fig. 1.

Fig. 1—Overall control-system security review and remediation.

Baseline Process Details

Security-Policy Review. A vessel’s control-system security policy defines the process and rules the staff must follow when using equipment, devices, and software that are part of the vessel’s control systems. The policy should address

  • Account management
  • Password management
  • Physical security
  • Network security
  • Wireless security
  • Mobile-device security and mobile-device use on networks
  • Email usage and security
  • Company-/personal-computer security and network access
  • Software and patch management
  • Antivirus and antimalware use policy

Because the layers of security in place determine an adversary’s ability to reach and attack the industrial control system, one end result of the policy review is a high-level picture of those layers, as shown in Fig. 2.

Fig. 2—Layers of security.

Recovery Plan and Recovery Test Plan. For drillships and related vessels, double and triple redundancy of critical systems is required; however, when a system does fail, the vessel temporarily relies on a backup system whose further loss would render the vessel inoperable on some level. Therefore, it is imperative that the failed system be brought back online as quickly and safely as possible. In the event that a common-mode failure does occur, as in the diving-support-vessel example, the ability to recover from a failure while under duress is even more critical. Therefore, not only should detailed recovery plans be in place, but these plans should also be readily available in print and must be tested at least annually with a simulated system fault, a subsequent failure, and a recovery operation. The recovery plan must provide step-by-step procedures, including validation of all process parameters to ensure that no disruptions or discontinuities occur when the restarted system comes back online.

Network and Device Survey. After the overall security policy is understood, it is necessary to examine the actual network and devices to ensure compliance with the policy and to review against published security standards and best practices. The overall network topology is analyzed and compared to documented network design specifications. Proper use and configuration of firewalls and demilitarized zones, as well as wireless networks, are reviewed.

A baseline audit of individual workstations is performed to ensure that the administrative and user password security policies have been followed and that only the minimum software functionality needed for the workstation, controller, or other device to perform its intended use is in place. Ports and services are audited to ensure that only those required for the workstation or controller to function as intended are enabled. The audit will include the availability of and restrictions on use of removable media, including flash memory. Depending on stated policy, the presence and configuration of antivirus and antimalware scanners are confirmed, along with comprehensiveness of patches and revision updates as compared with those currently available for the operating system and installed software.

Threat Assessment. Threats to the security of a control system change often, sometimes weekly. It is important to have an understanding of the current identified threats before proceeding into the next phase of identifying gaps in control-system security. Current threats are identified through publications from antivirus vendors, operating-system vendors, database-system providers, software vendors, and the US Computer Emergency Readiness Team, just to name a few.

Gap Analysis/Review. After a complete baseline system image has been developed, it is important to compare these findings not only to the documented security policy of record for the vessel but also to best-known practices, standards, and guidelines, and to identify areas that are new avenues for recently identified security threats. It is critical for an expert within the particular domain to be made available to the reviewer to provide guidance in applying standards and guidelines judiciously.

Risk Assessment. After the gaps in security have been identified, the risks to the system can be assessed. In order to assess the risks adequately, various modes of potential breach of security (along with the potential consequences) must be established.

Prioritization and Remediation Plan. The likelihood of a particular threat and associated attack method, along with the potential degree of damage, provides a basis for the expected cost of a given security gap if not secured. Depending on the remediation options and relative costs, a prioritization and remediation plan is developed. The details of this plan include determining if a threat is severe enough to disrupt current operations or whether the update, upgrade, installation, or reconfiguration may be coordinated with an existing scheduled maintenance activity.

Implementation. The implementation of the remediation plan must be approached in the same way any other well-run project on the vessel is. Development of a set of overall requirements, a work-breakdown structure with owner and responsibility assignments, and a detailed schedule ensures that implementation proceeds efficiently with minimal disruption.

Update of System Image. After the implementation stage, the original system security image is updated with any changes along with the associated security scorecard. This update provides the control-system owners with a basis for determining the viability of the just-completed review and correction process and becomes the new baseline when the cycle is repeated. Unfortunately, unlike the case of many purely physical security systems, control-system security is an ever-moving target where new adversaries and threats are being developed continually. Therefore, security audits providing updated system images and security scores must be performed on a regular basis to stay ahead of the threats and new vulnerabilities. Updates performed every 6 months are advised. This update period strikes a balance between the rapidity of the development of new threats and potential disruption to daily vessel activity.
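The risk-assessment, prioritization, and system-image update steps above, carried through in code as an example added to this synopsis (not the paper’s or ABS Consulting’s scoring method): each identified gap is given a likelihood and a consequence, the product is the expected cost of leaving it open, a simple rule decides whether it is severe enough to disrupt current operations or can wait for a scheduled maintenance window, the open gaps are rolled up into a scorecard, and the baseline is re-issued with the remediated gaps closed and the previous score kept for comparison. The 3x3 scales, the scheduling threshold, the scorecard weighting, and the five sample gaps are illustrative assumptions.

```python
"""Gap scoring, remediation scheduling and re-baselining.

Added example, not code from the paper: the likelihood/consequence scales,
the scheduling rule, the scorecard weighting and the sample gaps are
illustrative assumptions.
"""
from dataclasses import dataclass

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
CONSEQUENCE = {"minor": 1, "major": 2, "severe": 3}   # severe: loss of control or safety
SCORE_WEIGHT = 2    # assumed: each unit of risk costs 2 points off a 100-point scorecard
IMMEDIATE_AT = 6    # assumed: risk at or above this justifies disrupting operations now


@dataclass(frozen=True)
class Gap:
    gap_id: str
    description: str
    likelihood: str
    consequence: str
    remediation_cost: int    # relative effort, 1 (config change) .. 5 (project)
    needs_downtime: bool     # fixing it interrupts the control system


# Constructed gaps of the kind a baseline review on a drillship would record.
SAMPLE_GAPS = [
    Gap("G1", "USB mass storage enabled on DP operator workstation", "high", "severe", 1, False),
    Gap("G2", "Undocumented device attached to control network", "high", "severe", 2, False),
    Gap("G3", "HMI operating system missing vendor-approved patches", "medium", "major", 3, True),
    Gap("G4", "Adobe Acrobat installed on engineering workstation", "medium", "minor", 1, False),
    Gap("G5", "Recovery plan not exercised in the last 12 months", "low", "severe", 4, True),
]


def risk_score(gap):
    """Expected-cost proxy for leaving the gap open: likelihood x consequence, 1..9."""
    return LIKELIHOOD[gap.likelihood] * CONSEQUENCE[gap.consequence]


def schedule(gap):
    """Fix now, or coordinate with an existing scheduled maintenance activity."""
    if risk_score(gap) >= IMMEDIATE_AT:
        return "immediate"
    if gap.needs_downtime:
        return "next-maintenance-window"
    return "next-routine-update"


def prioritize(gaps):
    """Highest risk first; among equal risk, the cheapest fix first."""
    return sorted(gaps, key=lambda g: (-risk_score(g), g.remediation_cost))


def security_score(gaps):
    """Scorecard value for the system image; 100 means no open gaps."""
    return max(0, 100 - SCORE_WEIGHT * sum(risk_score(g) for g in gaps))


def remediation_plan(gaps):
    """Ordered (gap_id, risk, when) tuples for the work-breakdown structure."""
    return [(g.gap_id, risk_score(g), schedule(g)) for g in prioritize(gaps)]


def new_baseline(gaps):
    return {"revision": 1, "open_gaps": list(gaps), "score": security_score(gaps), "history": []}


def update_baseline(baseline, remediated_ids):
    """Close the remediated gaps, re-score, and keep the previous score so the
    next review cycle can judge whether the last one paid off."""
    remaining = [g for g in baseline["open_gaps"] if g.gap_id not in remediated_ids]
    return {
        "revision": baseline["revision"] + 1,
        "open_gaps": remaining,
        "score": security_score(remaining),
        "history": baseline["history"] + [baseline["score"]],
    }


if __name__ == "__main__":
    base = new_baseline(SAMPLE_GAPS)
    print("initial score:", base["score"])
    for gap_id, risk, when in remediation_plan(SAMPLE_GAPS):
        print(f"{gap_id} risk={risk} {when}")
    updated = update_baseline(base, {"G1", "G2"})
    print("revision", updated["revision"], "score:", updated["score"])
```

With these weights the two high-likelihood, severe-consequence gaps (USB storage and the undocumented device) are scheduled immediately and cheapest-first, the patching and recovery-test gaps wait for the next maintenance window because they require downtime, and the scorecard rises from 46 to 82 once the two immediate items are closed. The thresholds should be tuned to the vessel’s own risk tolerance; the structure (score, schedule, prioritize, re-baseline) is what carries over.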

This article, written by Special Publications Editor Adam Wilson, contains highlights of paper OTC 24393, “Control-System Cybersecurity: Staying Ahead of the Evolving Threats,” by C. DeWitt, ABS Consulting, and J. Ellis, Neodigm Press, prepared for the 2013 Offshore Technology Conference Brasil, Rio de Janeiro, 29–31 October. The paper has not been peer reviewed. Copyright 2013 Offshore Technology Conference. Reproduced by permission.