One of the nice things about the Internet is the wide variety of news and reading sources that I have available every day. Yesterday I read two interesting articles that started me thinking about security and control systems. The first article was on EETimes.com about the new cybersecurity standards recently established by the Federal Electric Regulatory Commission (FERC). The second article was on HSDailyWire.com about an employee at an architectural firm who sought revenge on her employers by deleting seven years' worth of drawings and blueprints valued at about $2.5 million.
The first article was a review of why FERC adopted the new standards and includes a quick overview of the requirements outlined in those standards. Those guidelines include:
· Critical cyber asset identification.
· Security management controls.
· Personnel and training.
· Electronic security perimeters.
· Physical security of critical cyber assets.
· Systems security management.
· Incident reporting and response planning.
· Recovery plans for critical cyber assets.
The second article reminded me of what I wrote in a blog last week, “Control systems vulnerable to attack”. I discussed a CIA report about criminal organizations overseas that seized control of electrical grids by cyber attacks on the control systems for those utilities. The purpose of those attacks was for those organizations to extort money from the companies. These various reports show that there are a number of different possible motivations for assaults on control systems.
These two unrelated articles came together in my mind and made me realize that a detailed cyber security program would protect a facility against more than just a terrorist attack or even a disgruntled employee. It would also form the basis for a disaster response plan in the event of a natural disaster or a severe accident at the facility. After all, these different scenarios all have one thing in common: contingency planning.
With that in mind, we will take a quick look at how some of the bulleted points above can be used in the vulnerability assessment of a SCADA, or Supervisory Control and Data Acquisition, system in a chemical facility. For purposes of this blog, we will only look at those parts of the system that apply to the DHS-required Security Vulnerability Assessment (SVA) for high-risk chemical facilities. That means that the SCADA system is only considered where it impacts controls on one or more of the chemicals of interest (COI) listed in the DHS letter informing the facility that it is required to do an SVA.
Critical Cyber Asset Identification
The most important part of the SCADA vulnerability assessment is determining just what physical parts of the system can be considered a Critical Cyber Asset (CCA). In a perfect world everything within the facility would receive equal attention. In practice there is only a limited amount of time and money available to get the facility adequately secured. Those resources need to be first focused on the critical parts of the system.
While the central processing unit (CPU) of the SCADA system is certainly a Critical Cyber Asset, not all of the sensors and controls attached to that CPU need to be considered CCAs. Systems that monitor and control critical safety parameters (like temperature, pressure or tank level) on the COI will normally be identified in safety reviews. If a successful attack could be executed by manipulating those devices, they would be considered CCAs.
Any input device that would allow a person to modify the control scheme to allow an unsafe upset condition should also be considered a CCA. A careful review of these devices is necessary. Frequently a keyboard that is normally used only for data entry can, with the appropriate password, be used to modify the programming of the CPU. Laptops that can be used to access the system from outside the physical confines of the facility also need to be considered.
The power system for the SCADA system certainly should be considered a CCA. This includes any uninterruptible power supply (UPS) that keeps the system operating in the event of a failure of the primary power supply to the facility. Even if the facility systems can automatically revert to an inherently safe state in the event of a power failure, the power supply should be considered a CCA.
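To make the CCA criteria above concrete, here is a small Python script, added for this post rather than taken from any facility's or vendor's tooling, that runs those rules over an asset inventory. The inventory format, the field names and the sample assets (tag names like TT-101 and UPS-A) are my own assumptions; a real facility would export its inventory from its own records. The one thing it adds beyond the text is that criticality flows through the power chain: a feed that powers a UPS that powers a CCA is itself flagged.

```python
"""Flag Critical Cyber Assets (CCAs) in a SCADA asset inventory.

Added example for this post; not code from the original article.
The Asset fields, the classification rules' encoding and SAMPLE_INVENTORY
are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                       # "cpu", "sensor", "actuator", "hmi", "laptop", "power"
    coi: bool = False               # attached to a chemical-of-interest (COI) process
    safety_parameter: bool = False  # monitors/controls temperature, pressure or level
    can_modify_logic: bool = False  # can change the CPU program (with a password or not)
    remote_access: bool = False     # usable from outside the facility's physical confines
    feeds: list = field(default_factory=list)  # names of assets this power asset supplies


def classify_ccas(inventory):
    """Return {asset name: reason} for every asset meeting a CCA criterion."""
    reasons = {}
    for a in inventory:
        if a.kind == "cpu":
            reasons[a.name] = "central processing unit of the SCADA"
        elif a.kind in ("sensor", "actuator") and a.coi and a.safety_parameter:
            reasons[a.name] = "controls a critical safety parameter on a COI"
        elif a.can_modify_logic:
            reasons[a.name] = "input device able to modify the control scheme"
        elif a.remote_access:
            reasons[a.name] = "remote access path into the system"

    # Power supplies inherit criticality from whatever they feed. Loop until no
    # new power asset is flagged, so a feed upstream of a critical UPS is caught
    # regardless of inventory order.
    changed = True
    while changed:
        changed = False
        for a in inventory:
            if a.kind == "power" and a.name not in reasons:
                critical_loads = sorted(n for n in a.feeds if n in reasons)
                if critical_loads:
                    reasons[a.name] = "powers CCA(s): " + ", ".join(critical_loads)
                    changed = True
    return reasons


# Constructed sample inventory; tag names and wiring are illustrative only.
SAMPLE_INVENTORY = [
    Asset("PLC-1", "cpu"),
    Asset("TT-101", "sensor", coi=True, safety_parameter=True),     # reactor temperature
    Asset("FT-202", "sensor", coi=False, safety_parameter=False),   # utility water flow
    Asset("XV-105", "actuator", coi=True, safety_parameter=True),   # dump valve on COI vessel
    Asset("HMI-OPS", "hmi", can_modify_logic=True),                 # data-entry keyboard with programming password
    Asset("HMI-VIEW", "hmi"),                                       # fixed read-only display
    Asset("ENG-LAPTOP", "laptop", remote_access=True, can_modify_logic=True),
    Asset("UPS-A", "power", feeds=["PLC-1", "HMI-OPS"]),
    Asset("UPS-B", "power", feeds=["FT-202"]),
    Asset("MCC-FEED", "power", feeds=["UPS-A", "UPS-B"]),
]


if __name__ == "__main__":
    for name, why in classify_ccas(SAMPLE_INVENTORY).items():
        print(f"{name:<11} CCA  ({why})")
```

Run as written it flags the PLC, the two COI safety devices, both devices that can change the program, and the UPS and feed that power them; the utility flow transmitter, its UPS and the read-only display stay off the list, which is where the limited security budget should not go first.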
Personnel and Training
There will be three classes of people working at the facility when it comes to access to the SCADA systems: those with no access, those with limited access, and those with full access. Identifying which people fall into which class can be difficult. People with no access have no ability to interact with the system other than to read the output of fixed displays (temperature, pressure or level, for example). Limited-access individuals can input data to, or request data (as opposed to reading a fixed display) from, the system. Personnel with full access can modify the actions or response of the control system.
In cases where the SCADA is a two-layer system with the safety interlocks separated from process controls, a facility may decide that only personnel with access to the safety interlocks have full access. To come to this conclusion their analysis would have to show that actions taken in just the process control section of the SCADA could not result in a runaway reaction or catastrophic release.
While those classes seem clearly defined, the distinction may not be so clear-cut in practice. If data entry keyboards are not locked or left in a secure area when unattended, anyone with access to the facility has limited access to the SCADA system. If someone with full access can use those same keyboards (with the appropriate password) to modify the system, the distinction between limited and full access is determined by the password control system actually in use. The use of compromised, easily hacked, or infrequently changed passwords makes the distinction unimportant.
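The gap between the access class management assigned and the access a person actually has is something you can check rather than argue about. The Python below is an example I added for this post, not anything from the original article or from a vendor; the keyboard attributes, the 90-day password-age threshold, and the sample people and devices are assumptions I made up for illustration. It computes each person's effective class from the state of the shared keyboards and reports everyone whose effective class is broader than their nominal one.

```python
"""Effective SCADA access class versus the class management assigned.

Added example for this post; not code from the original article.
Keyboard/Person fields, the password-age threshold and the sample data
are assumptions constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date

NONE, LIMITED, FULL = 0, 1, 2            # ordered so max() picks the broader class
LABEL = {NONE: "none", LIMITED: "limited", FULL: "full"}


@dataclass
class Keyboard:
    name: str
    secured_when_unattended: bool        # locked, or kept in a secured area
    programming_enabled: bool            # can modify CPU logic given the password
    password_shared: bool                # one password used by several full-access people
    password_changed: date
    password_known_compromised: bool = False


@dataclass
class Person:
    name: str
    nominal: int                         # class management assigned
    facility_access: bool                # can physically reach the keyboards


def password_control_holds(kb, today, max_age_days=90):
    """Does the programming password actually separate limited from full access?"""
    if kb.password_known_compromised or kb.password_shared:
        return False
    return (today - kb.password_changed).days <= max_age_days


def effective_access(person, keyboards, today):
    """Broadest class the person can reach, given how the keyboards are really run."""
    granted = person.nominal
    if not person.facility_access:
        return granted
    for kb in keyboards:
        if kb.secured_when_unattended:
            continue
        # An unlocked, unattended data-entry keyboard gives anyone on site limited access...
        granted = max(granted, LIMITED)
        # ...and full access when the programming password does not really hold.
        if kb.programming_enabled and not password_control_holds(kb, today):
            granted = max(granted, FULL)
    return granted


def access_gaps(people, keyboards, today):
    """{name: (nominal, effective)} for everyone with more access than assigned."""
    gaps = {}
    for p in people:
        eff = effective_access(p, keyboards, today)
        if eff > p.nominal:
            gaps[p.name] = (LABEL[p.nominal], LABEL[eff])
    return gaps


def hardened_copy(kb, today):
    """The same keyboard after it is secured, given an individual password, and rotated."""
    return replace(kb, secured_when_unattended=True, password_shared=False,
                   password_changed=today, password_known_compromised=False)


# Constructed sample data; the date and names are illustrative only.
TODAY = date(2008, 2, 1)
KEYBOARDS = [
    Keyboard("HMI-OPS", secured_when_unattended=False, programming_enabled=True,
             password_shared=True, password_changed=date(2007, 1, 15)),
    Keyboard("HMI-LAB", secured_when_unattended=True, programming_enabled=True,
             password_shared=False, password_changed=date(2008, 1, 10)),
]
PEOPLE = [
    Person("operator", LIMITED, True),
    Person("contractor", NONE, True),
    Person("visitor", NONE, False),
    Person("engineer", FULL, True),
]

if __name__ == "__main__":
    for who, (nominal, eff) in access_gaps(PEOPLE, KEYBOARDS, TODAY).items():
        print(f"{who}: assigned {nominal}, effectively {eff}")
    fixed = [hardened_copy(KEYBOARDS[0], TODAY), KEYBOARDS[1]]
    print("gaps after hardening HMI-OPS:", access_gaps(PEOPLE, fixed, TODAY))
```

With the operations keyboard left unlocked and its programming password shared and stale, the operator and even a contractor with no assigned access both come out with effective full access; securing that one keyboard and fixing its password control empties the gap list. That is the point of the paragraph above: the class list on paper is only as good as the device and password controls actually in use.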
All employees need to be trained in the importance of the SCADA system for both process safety and protection against terrorist attack. That training should include the importance of reporting any signs of tampering with the SCADA system or attempts by outsiders to gain information about the system. Personnel with any level of access should be trained in the importance of securing data entry devices and the proper selection and use of passwords. Personnel with full access should receive additional training and repeated reminders from management about the importance of the security of SCADA interface devices.
Personnel Surety Program
The Risk Based Performance Standards in Section 27.230 of the CFATS regulations require that anyone with unaccompanied access to critical parts of the high-risk chemical facility undergo a background investigation. This certainly applies to personnel with full access to the SCADA. In practice, since it is nearly impossible to prove that someone with limited access does not have full access, those personnel with limited access should probably also undergo the same background investigation.
DHS has not provided any detailed guidance on what sort of background investigation is required under 27.230, but they have volunteered, for high-risk facilities, to complete a check against DHS known and suspected terrorist lists. This leaves the facility management with a great deal of leeway in what to check and what findings require dismissal of individuals as a facility security risk.
A one-time background check is not an adequate surety program. Supervisors at all levels need to be aware of personality changes and negative changes in an employee's attitude toward the facility, co-workers and management. The reasons for these types of changes need to be identified as soon as possible. Obviously this means that supervisors need training in the early identification of these personality changes.
IT Security Professionals?
There is, of course, a great deal more that goes into setting up an adequate IT security program for a vulnerable SCADA system. Those details are better left to those with that particular expertise. The decision to hire the services of an IT Security professional should be predicated on the initial analysis of the threat to the SCADA system. Some things to consider are:
· Can a runaway reaction or catastrophic release of a COI be caused by the manipulation of the SCADA? If yes,
· Does the company have a trained IT security specialist on staff? If no,
· Can the SCADA be accessed from off site? If yes, consult with a professional. Or, if no,
· Can access to the SCADA be completely isolated to vetted and trusted employees? If no, consult with a professional.