Tuesday, December 27, 2011

Reader Email – ICS Safety Misconceptions

I got an interesting email from a reader of my post yesterday on Digital Bond’s SCADA Security Portal. I’m not sure what the reader’s background is, but I am assuming that it isn’t control system engineering. The misunderstandings that form the basis of the questions are so important that I thought that I would address them in a post instead of an email reply.

Here is what the Reader wrote:

“We read your blog on Digital Bond about the various legislative efforts to make ICS safe. We would like to ask your opinion about how any ICS/SCADA can be safe when the programmed memories of the controllers are corruptible, that is, endlessly rewriteable?

“Cannot the process control engineer pause the system for, say, 2 minutes to change to another preprogrammed no-write memory?”

There are three basic misconceptions here and I’ll address them in turn. They are:

• Legislation can make something safe;
• Re-writeable memories are corruptible; and
• Un-rewriteable controllers are possible.


One of the great misconceptions of the modern liberal era is that government legislation or regulation can make anything safe. At the most, legislation or regulation can mandate that something should (or should not) occur; that certainly does not make it happen. A perfect example of that can be found in the illicit drug trade; numerous laws and regulations at the local, State, Federal and international level make the transport of, for example, cocaine illegal. Has it stopped or even seriously slowed that trade? Not hardly.

Even in the safety realm, OSHA regulations have not stopped companies and facilities from allowing unsafe conditions to exist. OSHA, even including State and local inspection officials, does not have enough manpower to go around and ensure that everyone is following the rules. What the OSHA regulations have done to increase workplace safety (and they have certainly done that on a gross basis) is to provide a basic set of guidelines for safe practices and provide sanctions for violations of those guidelines when those violations result in worker injuries and deaths. Avoidance of those sanctions has made most companies follow most of those guidelines on a fairly consistent basis (lots of deliberate weasel wording there). And the worst violators are sanctioned out of business.

ICS security legislation at its best will not make control systems secure or safe. At most it can establish a program for determining minimum standards for security in the design and implementation of control systems and provide incentives for (or disincentives for not) applying those standards. Such a program would help provide a level playing field for those companies that design, install or maintain a secure control system. That would raise the general level of security in the control system community, but it WOULD NOT SECURE CONTROL SYSTEMS. I don’t think that that is actually possible.

Corruptible Memories

Okay, I guess that I will have to concede that re-writeable memories are inherently ‘corruptible’. Whether or not that is a good thing or a bad thing depends on how those memories are deployed. In a “properly” designed system only the owner of the system (through their engineering staff of course) will have the ability to re-write the memory. In an adequately designed system the owner will know when the re-writeable memory is re-written and will be able to react in a timely manner when it is re-written by an unauthorized individual or re-written in an unacceptable manner (either accidentally or purposefully).
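The “adequately designed system” described above knows when re-writeable memory has been re-written and whether that rewrite was authorized. The following is an added illustration of that idea, not code from the post: a monitor that fingerprints each controller’s program image, compares it with a known-good baseline, and classifies any difference against an engineering change record (a window, an engineer, and the hash of the approved new program). Controller names, program images and change records are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

@dataclass
class ChangeRecord:   # an approved engineering change for one controller
    plc: str
    engineer: str
    start: datetime
    end: datetime
    expected_sha256: str   # hash of the approved new program image

def fingerprint(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

class Monitor:
    def __init__(self, baseline: dict, approved: list):
        self.baseline = baseline      # plc name -> sha256 of the approved program image
        self.approved = approved      # open ChangeRecords not yet applied

    def check(self, plc: str, image: bytes, now: datetime) -> str:
        """Classify a fresh read of a PLC's program memory."""
        current = fingerprint(image)
        if current == self.baseline.get(plc):
            return "unchanged"
        for rec in self.approved:
            if rec.plc == plc and rec.start <= now <= rec.end and rec.expected_sha256 == current:
                self.baseline[plc] = current   # the approved change becomes the new baseline
                self.approved.remove(rec)      # each record authorizes exactly one rewrite
                return "authorized"
        return "UNAUTHORIZED"   # rewrite with no matching approval: react now

def run_demo() -> list:
    # Constructed sample program images (instruction-list style text), not real PLC code.
    original = b"LD I0.0\nAND I0.1\n= Q0.0\n"
    approved_new = b"LD I0.0\nAND I0.1\nAND I0.2\n= Q0.0\n"
    tampered = b"LD I0.0\n= Q0.0\n"
    mon = Monitor({"PLC-7": fingerprint(original)},
                  [ChangeRecord("PLC-7", "j.doe", datetime(2011, 12, 27, 9),
                                datetime(2011, 12, 27, 11), fingerprint(approved_new))])
    def at(hour, minute=0):
        return datetime(2011, 12, 27, hour, minute)
    return [
        mon.check("PLC-7", original, at(10)),       # unchanged
        mon.check("PLC-7", approved_new, at(8)),    # UNAUTHORIZED: approved image, outside its window
        mon.check("PLC-7", approved_new, at(10)),   # authorized: in window, matches approved hash
        mon.check("PLC-7", tampered, at(10, 30)),   # UNAUTHORIZED: differs from the new baseline
        mon.check("PLC-7", approved_new, at(14)),   # unchanged: baseline was promoted
    ]
```

The same approved image read outside its change window is still flagged, which is the point: what makes a rewrite acceptable is the owner's approval, not the content alone.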

PLCs Require Re-writeable Memories

The modern control system is predicated on the ability of the owner to buy a programmable [emphasis added] logic controller (PLC) and make it perform a specific function in his system (and perhaps change that function as his process changes). There is no way that PLC manufacturers can make a controller for each specific function in every process.

Okay, technically they could. They would be prohibitively expensive (thousands of times more expensive than they now are) and they wouldn’t work. That’s because no design engineer has successfully documented the requirements of more than a single controller system (and I would be surprised if even one single-controller system was successfully specified in advance) without there being a need for tweaking the controllers to perform properly in the real world. Controllers must be programmable at the installation where they are put into use and that requires re-writeable memories.

Even if a controller could be specified and produced for a single purpose application at a reasonable cost, no one would buy it because it would not allow for process improvements or process changes.

Process Control Systems Must be Modifiable

Modern manufacturing processes require control systems that can be modified to meet changing conditions. This means that systems engineers must be able to modify the actions of the various components of the systems. This can only be done with some sort of programmable logic controller.

Security for PLCs has to be designed to limit communications to and from the PLCs to routing through a secure network to a protected control system computer. The more levels of protection provided to the system, the more likely it is that an attacker will be unable to change the programming of the PLCs. That is how you protect the operating end of an industrial control system.

1 comment:

Anonymous said...

In our original communication to you, additional memories were mentioned. We did not mean to restrict the Control Room to a single memory, as you assumed in your blog. The control room could program a number of memories for an individual PLC. The fact that IT staff and management people cannot conceive of a person taking a selected (from a chart) memory down to the PLC, removing the present memory (a slot socket as on a digital camera), inserting the replacement memory, the control room verifying that the replacement memory is fully inserted, the control room checking the specific identity of the replacement memory, and the person bringing the removed memory back to the control room, is because the process outlined is not instant. Big iron does not shift fast, it possesses rotational kinetic energy.
