Even the most innocuous security processes used for traditional IT systems could spell disaster in an ICS

Many IT security vendors have a minimal understanding of industrial control systems (ICS) and try to sell technology that could easily damage the devices found in plants running the nation’s critical infrastructure, experts say.

In a recent blog post, Joe Weiss, a well-known expert in industrial systems who has testified before Congress on cybersecurity, took the IT security industry to task for believing it can provide ICS security with only slight modifications of existing products. This approach, Weiss wrote, showed no understanding of the technology that the vendors were trying to protect.

“Before they really start providing technology that’s going to be applied at the real-time control layer, they better have a lot of domain expertise,” said Weiss, founder of consultancy Applied Control Systems and former technical manager for the Electric Power Research Institute. By domain, Weiss means the actual control system within a substation, power plant, refinery or pipeline.

Too often, vendors are trying to apply security designed for protecting data in a traditional information technology network, which has very few similarities with a network of ICS devices, experts said. For example, in the former environment, a malware-infected computer is simply taken off the network. The same approach in an ICS could lead to a catastrophe in a power plant, manufacturing facility or oil and gas pipeline.
“If you do that on the plant floor, you’ll blow things up and kill people,” said Walt Boyes, editor in chief of Control magazine and ControlGlobal.com, which specialize in covering the automation industry.

Within an industrial control environment, the data is only important in terms of what it is telling a device to do, such as opening or closing valves, increasing or decreasing the pressure of liquids flowing through pipelines or raising or lowering production temperatures in a manufacturing plant.

“One of the big things we care about is [machine-to-machine] authentication,” Weiss said. “We don’t care if you see it [the data], but we damn well care that it’s actually coming from where you thought it was coming from.”

Security vendors tend to be Windows-centric, Windows being the dominant operating system within IT environments. In an ICS, the technology often includes proprietary embedded operating systems, 1200 baud modems and applications where using a 286 processor is considered modern, Weiss said.

Such limited resources are not something IT security vendors are used to dealing with. For example, the processing power used in a typical update of signatures in antivirus software would take down some ICS devices for six to eight minutes.

Even the most innocuous tasks in an IT environment could spell disaster in an ICS. For example, pinging all the devices in the former to see which hardware is running could easily cause a controller in an ICS to shut down.

“You have two different mindsets,” Weiss said. “IT’s mindset is security for the sake of security. They don’t understand the physical manifestations [in an ICS] of doing something that may be perfectly fine on a desktop.”

IT vendors started rushing into the ICS security market after the federal budget cuts that took effect March 1, Boyes said.
The cuts, called the “sequester,” marked an opportunity because they did not apply to spending in critical infrastructure security.

“What we’re seeing now is a new land rush of people who have been doing IT security for a long time, trying to move into the critical infrastructure cybersecurity space,” he said.

Securing the nation’s critical infrastructure is a priority of President Barack Obama, who has issued an executive order requiring government agencies to share cyberattack information with private industry. Congress is also addressing security through pending legislation.

Collaboration between ICS and IT vendors is what’s needed to develop the right security technology. In some cases, existing technology can be modified for use in an ICS.

“The IT world has done an awful lot more on networking than we have, but they’re not looking at our types of applications and constraints,” Weiss said.

Security standards for industrial automation and control systems exist today. An example is ISA99, established by the International Society of Automation.

Matthew Luallen, president of CYBATI, which provides control system cybersecurity education, recommends that vendors thoroughly test their technology in an ICS environment and that buyers make sure the devices within that test bed match what they use.

“If you’re an educated customer, you’re going to be able to see the differences between a vendor, a consultant and who really has the skills and who doesn’t,” Luallen said.