Securing Critical Infrastructures and Critical Control Systems
Latest Publications


Total documents: 15 (five years: 0)
H-index: 2 (five years: 0)

Published By IGI Global

9781466626591, 9781466626904

Author(s):  
Rafal Leszczyna, Elyoenai Egozcue

In 2011, the European Network and Information Security Agency (ENISA) conducted a study in the domain of Industrial Control Systems (ICS). Its objective was to obtain a current view of ICS protection, primarily in Europe but also in the international context. The ‘portrait’ included threats, risks, and challenges in the area of ICS protection as well as national, pan-European, and international initiatives on ICS security. The study was performed through desktop research, a survey and interviews, and a meeting with all involved stakeholders. This chapter highlights the most relevant parts of the final report of the study. It focuses on the challenges to securing ICS identified during the research, but also presents the context and the methodology of the study. In response to the challenges, the seven recommendations of ENISA for protecting ICS are proposed.


Author(s):  
David Brooks

Intelligent Buildings (IB) are facility-wide systems that connect, control, and monitor the plant and equipment of a facility. The aim of IB is to ensure a facility is more efficient, productive, and safe, at a reduced cost. A typical IB integrates diverse subsystems into a common and open data communication network, using both software and hardware; however, IBs suffer from diverse generic vulnerabilities. Identified vulnerabilities may include limited awareness of security threats and system vulnerabilities, physical access to parts of the system, compromise of various networks, insertion of foreign devices, lack of physical security, and reliance on utility power. IB risks are contextual and aligned with the threat exposure of the facility. Nevertheless, there are generic mitigation strategies that can be put in place to protect IB systems. Strategies include threat-driven security risk management, an understanding of system criticality, greater integration of departments, network isolation, layered protection measures, and increased security awareness.


Author(s):  
Neil Robinson

This chapter describes and contrasts policy, economic theory, and insights concerning the establishment and operation of Information Exchanges (IE). In the context of this chapter, IEs are specific mechanisms meant to stimulate the exchange and sharing (aside from pure disclosure) of a range of confidential information relating to security between owner-operators of critical infrastructure. Information shared in IEs may be of varying types but is reported to generally be of a non-technical nature. In the Supervisory Control and Data Acquisition (SCADA) community, a number of nations have established IEs; for example, the European SCADA and control systems exchange has been operating since 2005. The chapter primarily considers these issues through the perspective of efforts to address the security of the Critical Information Infrastructures (CII). Despite IEs being seen by policy-makers as important to tackle CIP issues, limited empirical operational evidence exists to suggest that IEs constitute a useful mechanism to successfully overcome the economic incentives governing the disclosure of information. The chapter concludes by identifying opportunities to further explore the disparities and reasons for the indicative disjuncture between economic theory, policy, and practice. The chapter is thus aimed primarily at managers, policy-makers, and non-technical personnel considering participation in an IE.


Author(s):  
Konstantin Knorr

Worm epidemics such as Stuxnet and Conficker have raised great interest in the public and media lately and stressed the question of how our critical infrastructure can be protected against such attacks. Besides reactive measures like incident response, proactive countermeasures are required. Patch management is one such essential proactive measure for the secure operation of our critical infrastructure. It is an indispensable activity which is required in many standards. This chapter focuses on patch and update management for industrial control systems that are part of our critical infrastructure. Standards for the automation of patch management and selected operational security standards are discussed in the context of patch management. The main contribution of the chapter is the definition and description of a standard-conformant patch management process for industrial control systems, with special focus on the interaction between operator and vendor of such systems.


Author(s):  
Matthew Brundage, Anastasia Mavridou, James Johnson, Peter J. Hawrylak, Mauricio Papa

SCADA systems monitor and control many critical installations around the world, interpreting information gathered from a multitude of resources to drive physical processes to a desired state. In order for the system to react correctly, the data it collects from sensors must be reliable, accurate, and timely, regardless of distance and environmental conditions. This chapter presents a framework for secure data acquisition in SCADA systems using a distributed monitoring solution. An overview of the framework is followed by a detailed description of a monitoring system designed specifically to improve the security posture and act as a first step towards more intelligent tools and operations. The architecture of the Smart Grid is used to analyze and evaluate benefits that the proposed monitoring system can provide. Finally, the effects and use of Radio Frequency Identification (RFID) and ZigBee as data acquisition platforms are discussed in the context of the proposed solution.


Author(s):  
Alan T. Murray, Tony H. Grubesic

Large-scale geospatial networks—such as the Internet, the interstate highway system, gas pipelines, and the electrical grid—are integral parts of modern society, facilitating the capability to communicate, transport goods and services between locations, and connect homes and businesses to basic necessities like water and electricity. The associated management and protection of this critical infrastructure is a challenging task because it is often compromised or damaged by natural disasters, human error, or sabotage. Further, the cascading effects associated with disruptions can impact related interdependent infrastructure, such as supervisory control and data acquisition (SCADA) systems. In this context, although the protection and/or hardening of network elements can reduce disruptive impacts, the cost to protect all equipment in the system is prohibitive. The purpose of this chapter is to detail an optimization approach for selecting elements on a network to be protected, under budget constraints, in order to maximize system performance if one or more components are damaged or destroyed. Application results for a large-scale geospatial network are explored and presented, illustrating problem complexities as well as the potential for informed strategic investment decision making. The implications for SCADA systems relying on large-scale geospatial networks, including the public Internet, are also discussed.


Author(s):  
Peter H. Jenney

Industrial Control System (ICS) cyber security is weak and exploitable. As evidenced by STUXNET’s attack on the Iranian Natanz nuclear facility in 2010 and others since, global critical infrastructure is in danger of cyber attack. The problem stems from the growth of industrial management systems over three distinct generations that moved process management systems from manual to fully networked controls and sensors. In many cases the transition has been poorly managed and proper IT management techniques were not employed. In others, the software and hardware systems are so fragile that any change or unexpected access can crash or otherwise render them useless. These instabilities, caused by both poor management and weak equipment, open large security holes that allow hackers to exploit critical systems with potentially disastrous results. For example, a petroleum distillery could be made to vent and burn excess gas at a time where it could potentially destroy the facility or perhaps take down entire electrical grids, inconveniencing and possibly causing significant harm.


Author(s):  
Sean Lawson

Based on an analysis of key policy documents and statements from civilian policymakers, military leaders, and cybersecurity experts, this chapter demonstrates that although there is still concern over cyber threats to critical infrastructure, other threat objects have begun to figure more prominently in public policy discourse about cybersecurity in the United States. In particular, intellectual property and government secrets are now identified most often as the primary object of cyber threats. When critical infrastructure is mentioned, it is often used as a motivational tactic, with collapse of critical infrastructure serving as a central theme of hypothetical scenarios meant to motivate a policy response. This chapter documents and critically evaluates this shift in U.S. cybersecurity discourse.


Author(s):  
Bill Bailey, Robert Doleman

The belief that a static alarm system will safeguard critical infrastructure without additional support mechanisms is misplaced. This complacency is no longer satisfactory with the increase in worldwide threat levels and the potential social consequences. What is required is a more proactive, comprehensive security management process that adds to the ability to prevent, detect, deter, respond, and defeat potential harmful events and incidents. The model proposed here is proactive and grounded upon current operational procedures used by major companies in hostile and dangerous environments. By utilising a clearly defined comprehensive risk management tool, a more systematic security, threat, risk, and vulnerability assessment (STRVA) process can be developed. This process needs to identify deliberate targeting of assets through multiple intelligence gathering capabilities, plus defeat testing to probe existing security defences. The consequence approach to a potential breakthrough is at the essence of this methodology.


Author(s):  
Stig O. Johnsen

This chapter describes vulnerabilities related to safety and security in distributed process control systems integrated with information and communication technology (ICT). The author describes key vulnerabilities and how to mitigate these vulnerabilities by current best practices, which have worked in an industrial setting in Norway. Distributed process control systems are denoted as SCADA systems, i.e. supervisory control and data acquisition systems. Increased networking and increased use of ICT impact the complexity and vulnerability of the SCADA systems. To improve safety and security, there must be a focus on systematic knowledge generation between ICT and process experts and a focus on exploring resilience as a strategy to manage risks and support continuity of operations (resilience seen as the ability to bounce back and sustain operations). Best practices in risk management in this area are to establish policies, improve risk awareness, perform risk assessment in collaboration between ICT and SCADA professionals, focus on segregation of networks, focus on active protection against malicious software, improve reporting and sharing of incidents, and establish and explore disaster/recovery plans. In addition, there should be focus on certification and testing of components in ICT and SCADA systems and improvement of resilience to mitigate uncertainty and complexity.

