Information Security of the Process Control System: Don Quixote in the Cyber ​​Weaponry Era

This article systematizes the requirements for information security (IS) of the process control system. Requirements are selected from currently available standards, primarily from NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security and the newly developed ISA / IEC 62443 series Security for Industrial Automation and Control Systems .



Process control systems interact with objects of the physical world and provide protection against accidents and disasters. In English literature, the process control systems are called Industrial Control Systems (ICS) or Industrial Automation and Control Systems (IACS). In the world of IT technologies, they can be compared with Don Quixote, which has remained faithful to simple, but not very fashionable principles in a world that has changed a long time ago.



Therefore, a parallel was drawn up with functional safety and a set of requirements was considered, allowing both sides to ensure the safety of the automated process control system, both functional and informational.

')

Similar problems should be addressed for other cyber-physical systems, including IoT and embedded control systems.



What is the difference between the process control system and other information (IT) systems?



Before considering the issue of information security, it would be good to first understand, and what, strictly speaking, is this in the process control systems, that their protection and security issues should be considered separately from the rest of the world of other IT?



A good comparative analysis that answers this question is contained in the already mentioned NIST SP 800-82. Below is a fragment of this document with the comparative characteristics of the automated process control system and the abstract information system (IT system). It is possible to argue with some points, however, it should be remembered that the table attempts to concentrate as much as possible on possible differences, which, however, may not be inherent to an individual information system (for example, in a banking system, the availability and speed of access ).



Comparative analysis of information (IT) systems and automated process control systems







So what is the problem with the information security of the process control system?



Besides the fact that information security is a problem in itself, in the field of process control systems the situation has its own specifics due to the presence of several factors.



Often, all information security is reduced to the consideration of an information management system (ISMS), although an ISMS is a necessary but not sufficient condition for providing information security for an automated process control system. In addition, three levels should be considered in managing the IS of an automated process control system: 1) an enterprise, 2) a program for developing and operating an automated process control system, 3) a single automated process control system. This is not always remembered, and there is a substitution of concepts, when for an automated process control system, as a technical object, they are trying to fulfill all the requirements for the ISMS and miss the functional and technical characteristics.



It also happens that IB is considered only from the point of view of high-tech, as a stream of “black” innovations (Stuxnet, BlackEnergy, etc.) and, accordingly, a set of certain measures to protect against them.



Nevertheless, a systematic approach that includes organizational and technical measures (the “People - Processes - Technologies” triad) is reasonable.



Another point is the avalanche increase in the number of information security standards over the past 5-10 years. Many standards are actively processed and expanded, causing some chaos in the requirements.



I tried to take into account the standards and technical processes on the process control system, as well as the sources to which they refer. The result was an extensive list:

- the ISO / IEC 27000 series “Information technology - Security techniques - Information security management systems” is known to everyone, and has been discussed many times in Habré, standards are translated into Russian and accepted as GOST R ;

- three parts of ISO / IEC 15408 “Information technology - Security techniques –Evaluation criteria for IT security” or the so-called “Common Criteria” (Common Criteria) are also translated into Russian and accepted as GOST R ;

- A series of standards ISA / IEC 62443 “Security for Industrial Automation and Control Systems”; these standards require the most careful attention, since they are an “encyclopedia” of information security systems for automated process control systems; the first edition was developed by the International Society of Automation (ISA) in the 2000s, and then adapted as a standard by the International Electrotechnical Commission (IEC, in IEC); In the Russian Federation, some parts of 62433 are also taken as GOST R ; ISA is currently developing the following version of 62433; development is behind schedule, but now there is something to read ; the figure below shows the structure of the planned ISA / IEC 62443 series;





Figure 1. Structure of the ISA / IEC 62443 series of standards



- The publication of information security topics by the States National Institute of Standards and Technology (NIST) includes three series: SP 500 Computer Systems , SP 800 Computer Security , SP 1800 Cybersecurity Practice Guides ; NIST developed its own ISMS ( NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” ), as well as the Cybersecurity Framework (SCF) ; but we are most interested in NIST SP 800-82 “Guide to Industrial Control Systems (ICS) Security” ;

- North American Electric Reliability Corporation (NERC) publications under the general title Critical Infrastructure Protection (SIP), related primarily to power systems;

- Cybersecurity Capability Maturity Model (C2M2) , developed by the US Department of Energy (Department of Energy, DOE);

- Recommended practices developed by the Industrial Control Systems Cyber ​​Emergency Response Team (ICS-CERT) , which is part of the Department of Homeland Security (DHS);

- Control Objectives framework for Information and Related Technologies (COBIT) , developed by the International Professional Association ISACA;

- Critical Security Controls for Effective Cyber ​​Defense (CIS CSC) framework developed by Center for Internet Security;

- it is also possible to list the standards developed for individual industrial sectors, for example, the AGA 12 series from the American Gas Association (AGA), the API 1164 manual from the American Petroleum Institute (API), the IEC 62645 standard used at nuclear power plants “Nuclear power plants - Instrumentation and control systems - Cybersecurity requirements ”etc.



So, there are many standards, they all represent the subject of information security, they talk about the same, but often in different words. The task of harmonizing requirements will be solved in the next section. There is one good news, which somewhat brightens up the situation. Almost all the standards and technical developments in the field of information security, especially in the field of information security, automated process control systems, are written in a clear technical language. In this, they compare favorably with other standards, for example, in terms of the functional safety of an automated process control system .



Now there is another question: how to combine the requirements for information security with the requirements for functional security (FB) ? The latter is important in that the automated process control systems control physical potentially hazardous objects, and this is exactly where their main risks are.



It happens that the information security specialists do not fully feel the specifics of the process control system, that is, if the system is not attacked, then there is no problem. But after all, threats and risks emanate not only from intruders, but also from incompetent personnel, equipment failures, environmental influences. And these issues have long been resolved within the framework of the FB through the application of methods for ensuring reliability and managing life cycle processes.



It is also true that the “security people” are also skeptical about security, not seeing any special problems in cyber threats. Security systems (emergency protection, ESD) are extremely conservative, since they require high costs for licensing and certification. For example, for nuclear power plants, licensing costs can be up to 10% of the project cost.



So, there is no other way than interdisciplinary integration of efforts and knowledge. Harmonization of information security and security requirements will also be discussed later in this publication.



General picture of information security requirements for process control systems



When considering any technical system associated with possible risks, the algorithm for forming the requirements for it is the following:



- rank the levels of risks, associate risks with the functioning of the system, and thus rank the required levels of system security;

- identify measures aimed at achieving the required risk levels; large-scale, such measures are: management system, life cycle processes, technical countermeasures of protection against malfunction due to failures and / or external influences.



When I thought about it, the general picture was presented in this way.







Figure 2. The concept of information security



At the forefront is risk management. The information security context includes an assessment of threats, vulnerabilities and risks, along with an interrelated process of applying risk reduction countermeasures. The organization of work to ensure an acceptable level of risk is determined by the categories “people”, processes ”,“ technologies ”.







Figure 3. The context of providing and evaluating information security (source: ISA / IEC 62443)



It is necessary to dwell on the features of the description of the automated process control system and the concept of information security.



Description of ACS TP



To describe the features we will deal with three types of models of automated process control systems, which are proposed to be considered in the interests of information security.



First of all, this is the reference model of the industrial control system, which defines five levels:



- Level 4: enterprise management;

- Level 3: operational management of production;

- Level 2: management and monitoring of physical processes (SCADA);

- Level 1: local control of the process and equipment, including protection and safety functions (Control System);

- Level 0: physical process and equipment (sensors and actuators).

What is usually meant by the APCS, in fact, occupies levels 0, 1 and 2.







Figure 4. Reference model of process control system (source: ISA / IEC 62443)



The model of the physical architecture of the process control system is the most common. It describes the physical components connected through networks.







Figure 5. Model of the physical architecture of the automated process control system (source: ISA / IEC 62443)



The zoning model of the automated process control system can be obtained from the previous model by grouping into groups, depending on the requirements of the information security level, functional purpose, and implemented information security policies. This model is the basis for the analysis of threats, vulnerabilities, risks and countermeasures to reduce risks to the required level.







Figure 6 Zoning model of the process control system (source: ISA / IEC 62443)



Further, the process of ensuring information security depends on determining how the process control system is applied at the target object. Such a description includes:



- performed functions;

- used software, hardware and network components and interfaces;

- criteria for the implementation of target processes (efficiency, safety, environmental friendliness, etc.);

- tangible and intangible assets involved in the field of application of automated process control systems (production facilities, intellectual property, business reputation, product quality, personnel and environmental protection tools, etc.);

- analysis of undesirable consequences of possible financial damage, as well as damage to human life and health, the environment, production, confidential information and public image.



Information Security Concept



Information Security Levels



The concept of providing information security is based on the division of an automated process control system into information security levels (Security Level, SL). The levels of information security are determined depending on the characteristic threats and vulnerabilities, risks, the target functions of the parts and components of the process control system, and the associated security policies.



It is believed that the IS levels are borrowed from the previously proposed and successfully applied in the process control system of the FS levels, also called Safety Integrity Level (SIL) .



In the standards, you can find several approaches to the separation of automated process control systems at the Security Level. We will focus on the zoning proposed all in the same ISA / IEC 62443:



- Security Level 0 (No specific requirements or security protection necessary); the definition of a level for which information security measures are not needed, creates some uncertainty, since it is not clear whether it is possible to abandon information security at all; in practice, one can be guided by a specific situation and proceed from the principle of reasonable sufficiency; usually the zero level is set not for zones as a whole, but for individual components, which for some reason do not reach the next level of Security Level 1;

- Security Level 1 (Protection against casual or coincidental violation); protection against accidental or coincident infringements of information security is provided, first of all, by procedural means;

- Security Level 2 (protection against intentional violation of the rules, low motivation); starting from the second level, protection against malicious violations is considered; at the second level, common non-specialized attacks are considered, such as viruses or exploiting known vulnerabilities; usually such attacks are reflected in automatic mode;

- Security Level 3 (ICS specific skills and moderate motivation); at this level, it is necessary to provide protection against intruders with sufficient knowledge and resources to make an attack on the target system; such intruders exploit little-known vulnerabilities of operating systems and industrial protocols, as well as software tools that require specialized knowledge;

- Security Level 4 (ICS specific skills and high motivation); This level differs from the previous one in that the attacker here draws considerable resources, for example, an organized group can use a cluster of computers with high computing power for a long time.



Within the same equipment location zone (see the model of zoning of the automated process control system) it is advisable to provide the same level of information security, and between the zones information is exchanged via controlled channels and “top-down”, i.e. or at one level of information security, or from a higher level of information security to a lower level of information security, but not vice versa.



For each of the IS levels in the process control system, several groups of requirements are defined:



- identity management and authentication;

- control the use of resources;

- ensuring integrity (integrity);

- ensuring the confidentiality of data;

- availability of resources;

- control and restriction of data flows;

- reaction time to events.



Accordingly, the scope of the ISIB requirements considered below, the life cycle of the process control system and protective countermeasures depends on the established IS level.



Information Security Management System



There are already a lot of materials on the problem of organizing an ISMS It is important to remember that the management of the ISMS can be established at several levels: 1) an enterprise, 2) a program for the development and operation of an automated process control system, 3) a single industrial control system.



For the enterprise level ISMS, as for the management system, the Deming cycle is implemented: Plan - Do - Check - Act.



For the ISMS used in projects for the development of automated process control systems, the life cycle is implemented, which is discussed below.



Information Security Life Cycle



For the PCS, a V-shaped life cycle is implemented, which is characterized by the implementation of verification and validation measures (surveys, analysis or testing after each of the development stages). An example of a software development life cycle for a process control system is presented below.







Figure 7. V-shaped life cycle of software development for automated process control systems (source: IEC 61508)



This life cycle implements the requirements for the FB and therefore is called the Functional Safety Life Cycle. In order to comply with the Security Life Cycle, the requirements for information security must be defined in the specification. Requirements for information security should include the implementation of risk-reducing countermeasures, such as confidentiality, integrity and accessibility, identity and authentication management, etc. These requirements are then implemented and verified at all stages of the life cycle.



An important concept of information security is “defense in depth” (Defense in Depth), also coming from the FB area. “Depth Defense” is similar to a multi-level defense in depth when, after an attacker penetrates through one of the defense levels, he encounters a new, possibly fundamentally different, defense of the attacked object.



Communication information and functional security



In publications on the topic of functional security, I was able to reduce all the variety of requirements for several groups:



- functional safety management;

- implementation of the functional safety life cycle (Functional Safety Life Cycle);

- protection against systematic system and software design failures (System and Software Failures Avoidance);

- Protection against accidental hardware failures (Random Failures Avoidance).







Figure 8. The concept of functional safety requirements



If you project these groups of requirements on the information security field, the picture will be approximately the same.



First, based on the role of the process control system in providing security and information security, a gradation and division of systems into levels is performed. Safety Integrity Levels (SIL) are introduced to provide and evaluate FBs, and Security Levels (SL) are introduced to provide and evaluate IS.



Secondly, within the ISMS, IS management should be implemented. Since many IS and PB processes have an intersection, coordination between them should be carried out.



Thirdly, as was shown above, development, verification and validation processes aimed at ensuring both the FB and IB can be implemented within a single life cycle (Safety & Security Life Cycle).



Fourth, in the field of security and information security there are common risks due to possible hardware failures. Methods of protection against such failures are redundancy, diagnosis, protection against interference and other extreme effects, etc. Thus, the same countermeasures are applied to ensure IS and PB.



Fifth, the so-called systematic failures occur in the process control systems, caused by software design and system component deficiencies.The same drawbacks lead to vulnerabilities that can be exploited by hackers. A number of countermeasures can be applied to ensure both information security and security security (for example, access control to equipment and information). Thus, there is a need for coordination between countermeasures aimed at providing information security and security security.



And finally, as part of the management of information security and security security, an assessment should be made of measures to ensure these two security components.



All of the above is presented in the diagram, which can be the basis for coordinating information security and security activities.







Figure 9. The concept of harmonized requirements for functional and information security



findings



The specifics of ensuring information security of the automated process control system consist in the fact that such systems interact with the processes of the physical world and their primary feature is to protect people and the environment from technological risks. The information security of the automated process control system is important because vulnerabilities can be used just for the physical attack of people, the environment and tangible assets.



In view of the above, the provision and evaluation of information and functional safety of an automated process control system should be coordinated within a single life cycle (Safety & Security Life Cycle).



The solution to the problem of information and functional safety of the process control system lies in both the organizational and the technical plane.



The organizational component, in the first place, consists in the constant training of personnel and the full development of a safety culture.



Among the technical measures to protect the automated process control system, the most effective is the placement of equipment and software in areas with different levels of information security (Security Level), among which the highest level has an area including an emergency protection system (ESD). Another effective technical measure can be the use of specialized (proprietary) software, such as operating systems and network protocols.



To protect against attacks and cyber incidents, it is necessary to distinguish between random (vulnerabilities caused by accidental equipment failures) and systematic (vulnerabilities caused by design flaws) components.



In order to effectively eliminate the first type of vulnerabilities, it is necessary to call for help the good old theory of reliability, supplemented by methods of ensuring functional safety, such as data and power backup, diagnostics, physical protection, transfer of equipment and control object to a safe state, etc.



The remaining vulnerabilities can and should be eliminated within the framework of the experience already accumulated by the industry, guided by the concept of building protection in depth (Defense in Depth). However, the mechanisms of hacker attacks will also develop, and there can be no zero risk here.



The goal of the process control system has always been the noble service to humanity by protecting it from man-made risks. However, as a result of filthy cyber intrigues, this part of the IT world was completely unprepared for modern realities, speaking with spears against the windmills of cyber weapons.



Obviously, the methods of struggle must be adequate, and in cyber-warfare the automated process control systems are deliberately doomed to failure. Therefore, Don Quixote (ACS TP, and, especially, emergency response protection) must fight with problems in technological processes, and this battlefield must be separated and protected from the rest of cyberspace.