Security For Industrial Control Systems — Is It A Missing Link To Critical Infrastructure Security?

I was just reading the recent Elinor Mills interview with Joe Weiss, and I wanted to share a few of my thoughts on the subject of securing industrial control systems (ICS). Security for industrial control systems is an important topic in the modernization of critical infrastructure components. Sometimes we get too hung up on concepts like Smart Grid, but we forget that we've been dealing with similar systems for some time now. Currently, supervisory control and data acquisition (SCADA) and programmable logic controller (PLC) systems are commonly found in electric, oil, gas, and water environments. Over the years these components have gone through varying degrees of modernization, but they are no less susceptible to security threats than smart meters or grids.

Making any of these systems secure depends on the risk assessment and management methodologies employed in the respective domains. To some extent, it involves taking care when deploying these systems and reducing the threat vector when they are connected to either private or public networks. But it also requires scrutiny of the technologies that are being rolled out in the critical infrastructure. For example, sensor-based networking is gaining a lot more traction in critical infrastructure modernization. Smart meters and home appliances will rely on Zigbee communication links to transfer data and feeds. Similarly, transportation, public safety, and smart buildings will all rely on wireless sensor technologies to communicate and send data in real time. Researchers have shown vulnerabilities in sensor-based networks and ways to attack them by employing routing attacks like sinkhole, replay, selective forwarding, and HELLO flood attacks, along with novel methods like malicious code injection. Similar studies have been done to show some inherent vulnerabilities in the design and manufacturing of smart meters.

The notion of making infrastructures smart, whether it’s Smart City or Smart Grid, shouldn’t come at the expense of increasing risk exposure. To me, the Smart Grid could become a reference architecture for adjacent industries if done properly. We may see the likes of the credit card industry here, which is still going through its efforts to make security built-in. Industries like this suffer from common problems; for example, security not being built into Point of Sale (POS) systems, or card swipe terminals not having encryption for transferring personally identifiable information (PII). Aren’t we facing similar issues in the Smart Grid ecosystem? Don’t we have to address problems that range from securing smart meter communication to encrypting data at various chokepoints in the network?

The points I mentioned above only scratch the surface of security and risk issues, but I have touched on many of them in my previous blog posts. However, here are a few things for adopters (governments, utilities, public safety, education, transportation, smart buildings) of smart technologies to consider:

  • Think smart — Deploying smart technologies is not enough. Take time to redefine existing processes and invest in people’s skills and education. From day one of deploying smart cities and smarter grids, you should invest the time and energy in marketing security and risk measures.
  • Reduce the threat vector — Smarter critical infrastructure must equal secure critical infrastructure. When deploying smart technologies, you should consider performing vulnerability assessments right from the beginning of the design phase. And smart devices should go through penetration testing before deployment.
  • Build bridges externally and internally — You must collaborate with many constituencies externally and internally in order to make smart technology implementations successful. That means forming external partnerships with other players in the ecosystem like energy retailers, regulators, and technology vendors. Moreover, work with technology vendors and equipment manufacturers to embed security into the devices. At the same time, spend some time bringing internal teams like security, compliance, IT, and utility operations to the table.

That’s all for now, but I’m working on a report that talks about “Demystifying Security and Risk Concerns In The Smart Grid Ecosystem” and would love to hear your thoughts and experiences.