The folks at GrayMatterSystems.com have posted links to an interesting
white paper on two different LinkedIn Groups, ICS-CS and Water Treatment
Industry. It looks at work done by Longwatch, Inc. integrating a
video surveillance system, an access control system and a SCADA system for a public
water utility across multiple sites.
The System
The paper concentrates on the difficulties involved in adding
video surveillance capabilities to a system that uses digital radio to link
32 remote sites to the central control/monitoring system. A diagram in the
white paper shows how the video surveillance system at each site was integrated
into the overall system, with that system controlled through the same human
machine interface (HMI) as the multiple-facility access control system and the
water treatment SCADA system.
“Monitoring and control of the
[water treatment] system is our highest priority, so it is very important that
the access control and video do not interfere with process data on the radio
network.”
The radio system has relatively narrow bandwidth (50 kb/sec), so the
paper describes some of the trade-offs that were made
in the video surveillance system. The system transmitted stills to the LAN from
each camera every 20 minutes, and the operator could switch to live video on any
camera when required.
System Security Compromised
While I do understand that utilities (and everyone else in
our current economic environment) operate on tight budgets, it does seem to me
that the integration of three separate control systems through a single HMI is
just asking for security problems. You now have five different software systems
(SCADA, HMI, video control, access control and communications) and an untold
number of devices that may provide unintended remote access to all of the
systems. And in this instance, they are all connected to a “corporate LAN or Internet”;
no air-gap here.
A 0-day vulnerability in any of the interconnected systems
and devices could lead to a compromise of the entire system. Since each of the remote
video systems is specifically designed to allow for a thumb-drive download of
video files at each of the remote sites, the system also seems to be inadvertently
designed to allow for easy insider attacks, deliberate or otherwise.
Finally, this integrated system turns water-system operators into
security monitors. There is no doubt in my mind that water-system issues will
receive priority attention from these personnel, not system security.
The integration of these three systems is certainly cost-effective,
and that makes this an attractive option for many facilities. But the
integration of control systems and security systems makes no more sense than
integrating control systems and safety systems. A single point of failure or
vulnerability compromises all of the integrated systems. The potential cost of
failure is just too high.