There’s an interesting blog post over at TofinoSecurity.com that looks at the cost of SCADA security. The author, Frank Williams, identifies the need for risk assessment as a key starting point for making decisions on security upgrades, but doesn’t go into a great deal of detail on how that is done. I have an interesting thought experiment here for chemical facilities that addresses that issue in a little more detail.
ACME Control Systems PLCs
Our friends at ACME Control Systems have just introduced a new line of high-security PLCs (HSPLC). These PLCs have a number of interesting design features that help to ensure that when installed in a properly designed control system with a secure communications system that the operations of the PLCs are protected against unauthorized changes to their operation and provide security system alerts when such unauthorized changes are attempted.
Along with the HSPLCs ACME has an upgraded high-security HMI and a secure Ethernet communications protocol that they are offering as an upgrade to their standard control system. The upgrades on the HMI and Ethernet systems are modestly priced, but each new PLC costs about four times the current installed cost of existing PLCs.
As the head control systems engineer and designated control system security manager for Tetramethyl Death Chemicals you are excited about the possibility of actually having a secure control system until you realize that your current equipment budget will only allow the purchase of the system upgrades and a limited number of HSPLCs. How do you determine which PLCs to replace?
Ranking PLC Vulnerabilities
With any kind of luck this type of scenario will be played out in any number of chemical facilities in the not too distant future. Wholesale replacement of entire control systems will just not be practical for large chemical facilities. With the long expected life-times of control system components I would expect that high-security PLCS and other control system components will probably be replaced piecemeal. A methodology will need to be developed to determine which components need to be replaced with high-security drop-ins first. Each PLC will have to be ranked based upon its risk ranking.
While changing out the oldest least secure PLC’s seems to be an obvious choice, I think that it is more important to evaluate each PLC on the basis of the consequences of a successful cyber-attack on that particular device; what could happen if a sophisticated cyber-terrorist were able to take control of the device.
We can start by assigning each consequence to one of four categories:
• Nothing costly can go wrong (a really limited category);
• Quality consequences (un-shippable product for instance);
• Local safety consequences (on-site personnel or equipment injured or damaged); and
• Off-site safety consequences (off-site personnel or equipment injured or damaged).
The last category is the one that society and politicians want us to pay the most attention to followed by the third category. Some management teams may switch the second and third in their priority rankings depending on the unit cost of the bad product. The corporate cost of minor injuries or equipment damage can quickly dwarfed by the cost of unsellable products.
Assuming that the above list is appropriately risk ordered (highest risk at the bottom of the list) one would assume that replacing the PLCs in the final category would have the highest priority. Priority ranking within each category would then be necessary. That becomes a tad bit more complicated. If only one dangerous chemical is involved then it is just a matter of ranking the PLCs by the amount that could be released by a successful attack. As the number of dangerous chemicals becomes larger it quickly becomes obvious that not all releases are equally dangerous so some system of qualitative risk analysis will have to be employed. Attention to chemical interactions will also have to be included in this analysis.
Don’t Replace All PLCs
As one goes through this exercise it becomes readily apparent that there is no necessity to replace all of the PLCs in a facility. If the HMI is replaced with a high security version most attack modes are dealt with. If secure communications exist between the HMI, the main control software and the PLCs, then the attack possibilities are further restricted.
While it is still possible to attack vulnerable PLCs it becomes much more difficult and will require a great deal of effort and planning on the part of an attacker. This is no longer in the realm of script kiddies. Appropriately skilled attackers are only going to be interested attacking high-consequence targets; thus only those PLCs that have large consequences, mostly off-site consequences, associated with them will be targets. Replacing them with HSPLCs will essentially take care of the control system security problem.