Managing Cybersecurity Risk in Process Control Systems
Herlia M Fajarsari*
Rapid change of technology in process control, government regulation, and business requirements have resulted in process control systems being connected to corporate business networks and even to the internet cloud. The Internet gives everyone open access to information, and any network connection to the Internet can be vulnerable to cybersecurity attacks.

Cited from the Internet Security Threat Report (ISTR Government), June 2017, Volume 22, issued by Symantec, pages 18, 19 and 20: in 2016 zero-day vulnerabilities (vulnerabilities not yet discovered by the software's vendor) were still being found, but the report shows that zero-day vulnerabilities declined marginally from 4,066 in 2015 to 3,986 in 2016, as described in Figure 2 below.

This report also notes that it is becoming harder to find attackers, so software vendors focus on developing their products; for example, in October Adobe issued a patch for Flash Player, in August three vulnerabilities in Apple iOS (collectively known as Trident) were patched, and in May Microsoft patched an Internet Explorer zero-day (which was exploited in targeted attacks in South Korea).

Vulnerabilities have also been disclosed in Industrial Control Systems. The number of Industrial Control System (ICS) vulnerabilities discovered fell compared to 2015 (see Figure 3 below); this is further evidence to suggest that attackers are becoming more devious and harder to find.

Industrial control systems were attacked by malware a few years ago. Summarized from the Internet Security Threat Report (ISTR Government), June 2017, Volume 22, issued by Symantec, pages 18, 19 and 20: in 2016 the sabotage attacks came back. It started with a number of attacks against Ukraine involving the use of disk-wiping malware. Trojan.Disakil hit media organizations and the energy sector in Ukraine, which resulted in power outages in the country. Disakil also attacked Ukraine's financial sector in late 2016. Another example is Shamoon (W32.Disttrack), disk-wiping malware that attacked Saudi Aramco in 2012. In 2012, infected computers had their master boot records wiped. It

Specific to process control systems, as summarized from www.fireeye.com in December 2017, the TRITON malware was programmed for a number of functions including, but not limited to, reading and writing programs, reading and writing SIS controller functions, and querying the current state of the SIS controller. It was discovered and investigated, and it was subsequently identified that the attacker obtained remote access through an SIS engineering workstation. Once the engineering workstation was compromised, the TRITON malware framework was deployed with the intention of reprogramming SIS controllers. The SIS controllers initiated a shutdown during the re-programming because application code failed a validation check between redundant processing units during the attack. The malware attempted to return the controller to a running state, and after a period of time overwrote the malicious program as an obfuscation technique to hamper investigation.

In general, there are three types of attacks: denial of service, malicious software, and unauthorized access. When process control systems are being attacked, there are some symptoms in the system that can be detected, such as process control performance suddenly slowing down, the operator finding that operating values change unexpectedly, monitoring from the system slowing down significantly, or sometimes a strange message or dialog popping up in the system monitoring.

After the symptoms occur, they are typically followed by a system reaction such as the operator losing process monitoring, some package in the plant suddenly shutting down, or the operator losing critical process control and view. In the worst case, the plant loses its protection system, which can lead to a process upset and cause safety, health and environment issues such as high flaring, condensate being burned, release of toxic gas to the air, or even fatality.

All the events caused by cybersecurity attacks may cause a loss of production, which may affect the company's crude oil or gas production commitment to the government. This would surely also impact the company's profit and revenue. Worse, the attacks may result in process safety incidents, impacting the Safety, Health, and Environment performance and subsequently threatening the company's reputation and credibility.

PROCESS CONTROL SYSTEM DESIGN

Oil companies have to meet their production target every day. Some oil companies may produce or process up to hundreds of thousands or even millions of barrels of oil through a large-capacity production plant. These plants would usually have a highly advanced network-connected Distributed Control System (DCS) which is integrated with the Safety Instrumentation System (SIS) and even the Fire & Gas System (FGS) to run process control and protection of the plant.

The plant usually consists of several areas, and each of the areas may have several package equipment units managed by a local Programmable Logic Controller (PLC). Each area usually has a Local Instrument Room (LIR). All instrument equipment and package equipment PLCs in the field are controlled by DCS controllers installed inside the LIR. All LIRs are tied back all the way to the Central Control Room (CCR), where the operator controls and monitors the plant. The plant will have over 100 controllers and over 100 PLCs to control the plant, distributed across the areas.

From a network design perspective, the company refers to international standards in designing its network. Cited from Figure 3: Functional Hierarchy (American National Standard ANSI/ISA-95.00.01-2010 (IEC 62264-1 Mod) Enterprise Control System Integration - Part 1: Models and Terminology, Approved 13 May 2010), the different levels of the functional hierarchy model are shown below (see Figure 4).

In designing the company network architecture, many companies will also divide their network into several zones. Cited from International Standard IEC 62443-2-1, Industrial Communication Network – Network and system security - Part 2-1: Establishing an industrial automation and control system security program, Edition 1.0 2010-11, page 90, below is one sample of a typical network architecture commonly used (see Figure 5):

From the above sample, in a typical oil and gas company the layers above are translated into the samples below:

• Level 0 consists of field equipment such as sensors and final control elements, e.g. control valves, transmitters, etc.

• Level 1 consists of DCS controllers and the peripherals connected to them, such as input/output (I/O) modules.

• Level 2 consists of supervisory control such as the DCS server, operator monitors, engineering workstations, etc.

• Level 3 consists of advanced control or equipment management systems that do not directly control the process, such as the historian server, domain control server, antivirus server, time synchronization server, etc.

• A Demilitarized Zone (DMZ) is typically used by the process control system to host certain applications that hold the same data as Level 3, for example the Plant Historian Shadow.

• Level 4 is the corporate business network.

A cybersecurity attack can get into the system through Level 4, the corporate business network, either from an internet service that is required by the business, or from removable media such as USB drives used by company personnel. As mentioned in the previous section, there is an application used to monitor the process control system from Level 4, the Plant Information (PI) application. This application resides in the Level 4 server. The PI server receives data from the historian server in Level 3. Any attack on the PI server may also infect the historian server. A cybersecurity attack is also able to get into the process control system through an external connection that is directly connected to the process control system, such as an online real-time monitoring system or a third-party vendor connection used for remote regular system maintenance (e.g. software updates, system configuration, etc.). Both Level 4 and Level 3 connections shall be equipped with a Network Control Point (NCP) every time they are connected to each other or to outside the company network. A well-designed and well-configured NCP is mandatory to prevent cybersecurity attacks.

Removable media used by company personnel, or removable media brought by a third-party vendor during regular maintenance, can also be one of the doors for a cybersecurity attack. The company shall have proper management of this removable media.
Technology comes with its advantages and disadvantages. Cybersecurity is part of the technology changes. Cybersecurity is a risk that we can prevent and mitigate.

Before getting into the detail of how to manage remote connections and removable media to prevent cybersecurity attacks, there are some preventive actions that need to be set up by an oil and gas company:

• Establish ownership and define Roles & Responsibilities (R&R). Every system shall have, at a minimum, an owner, a custodian, and system support. R&R also need to be defined to ensure there is segregation of duty among owner, custodian, and system support. There are 4 main areas that need to be considered in determining segregation of duty among the 3 roles. They are management of change, access management, risk management and asset management.

• Risk assessments and stewardship management. These are critical actions that a company must have. Risk assessment activities in general will generate a list of scenarios. Risk is made up of both likelihood and consequence. Consequence is a negative impact, such as specific harm that will be experienced by an organization, caused by a specific threat. There are several items that need to be considered during risk assessment.

  o Involve the right personnel. The owner, custodian and system support have to be involved to ensure their system is well assessed and mitigated. Also involve the related discipline engineer and an experienced control advisor as a facilitator during the risk assessment.

  o Use credible scenarios and brainstorming. The quality of the risk assessment will be determined by the scenarios that are chosen.

  o Identify risk, severity & likelihood.

  o Identify control actions. Control actions shall be doable (some action items are not feasible because of system limitations; the risk assessment shall then note the limitation as part of the risk that is accepted), define the number of hours to complete the activity, and have specific information on the group that will close the task.

  o Steward control actions. Stewardship can be done through regular meetings with the owner, custodian, and system support, or by using an existing system such as SAP as a reminder for recurring control actions.

• Data classification. During risk assessment, data needs to be classified to ensure it has the appropriate level of protection. Over-classification of data will lead to over-controlled actions, which will lead to inefficient time and cost in stewarding control actions. Usually data in process control is unclassified; some sensitive information may also occur, such as financially related data, contracts, sensitive custody transfer information, licenses, inventory volumes, etc., which requires more protection, such as additional control points to be implemented. The company also must have lifecycle management of information to define how long the data needs to be recorded and kept.

• Protect information. Data classification will lead to a number of information protection requirements. There is some protection of information that can be implemented, such as:

  o Physical access restriction (e.g. attended post) and site-controlled access (site-building-room-cabinet). Sensitive data may need extra protection; for example, it is located inside a locked cabinet in a room that is protected with an access control system.

  o Software and information protection such as unique logon IDs for personnel, key-locked consoles or workstations, access control lists, and encryption. Sensitive data will need to be encrypted on the PC with a unique logon ID.

  Protection of information needs to be followed up by stewardship action. For example, the system owner conducts a periodic access review of IDs at a minimum annually, reviews system logs, deletes or disables any unused ID, and ensures all passwords are regularly renewed.

• Specific procedures which consist of strategies for continuation of service in the event of a prolonged interruption of resources that impacts the ability to operate. This procedure may consider loss of personnel, system peripherals, and also critical utility systems. Besides that, the company also requires a guide to recover systems or data during emergencies or disasters such as fire, flooding, explosion and other catastrophic events. This guide shall consider a well-trained recovery team, personnel, spare parts, vendor support, and a set of standard operating procedures to resolve problems due to unknown and anticipated failure modes.

• User awareness training and refresher training. It is recommended to have mandatory training for newcomers related to cybersecurity attacks. At a minimum, the company must conduct refresher training annually for employees.

• Change management. Any permanent or temporary changes to the system shall be logged, reviewed, and approved. This management of change will be used during investigation in case there is any cybersecurity incident.

Removable Media in Process Control System

Below is some guidance related to the handling and management of Removable Storage and Mobile Devices:

• Devices connected to the control environment are dedicated to a single purpose; especially for Safety Health Environment-critical systems, they will not be used for any other purpose.

• Devices used in the control environment are to be physically secured when not in use.

• Where technology is feasible, it is recommended to disable USB ports.

• Secure console ports with a password.

• Scan devices for malware using an internal, updated virus scanner.

• Only use Removable Storage and Mobile Devices from reputable sources relevant to the necessary job function.
• Only allow authorized third-party access to the system:

  o Escort the third-party vendor into the facility and into the system.

  o Work under supervision.

  o Only install and use authorized software.

  o Ensure your vendor contract has an agreement that the vendor shall keep our system clean with regard to removable media management.

Remote Connection in Process Control System

There are some rules of thumb that can be used in designing remote or external connections:

• Always choose the conservative solution, if possible. For example, try to use a direct analogue signal connection for two network connections within an acceptable distance. A hardwired connection does not involve any Internet Protocol (IP) address, and data communication is one way, so there is no risk of a cybersecurity attack.

• If network infrastructure is required to build the connection, the use of a Network Control Point (NCP) in the design is mandatory to protect the network. There are several items that need to be considered in NCP implementation:

  o The NCP must be configured in a way that only the specific data that is required can get through the system, and the rest of the data is blocked.

  o The NCP must be well designed, tested, and certified or approved by a qualified party (trusted third party) or the company's internal IT department.

  o The NCP must be periodically reviewed both physically (secured in a restricted location) and logically, i.e. the NCP setup and configuration (passwords regularly changed and a unique ID for each of the personnel).

Cybersecurity Attack Corrective Actions

Corrective action results from a deviation of system behavior from the normal condition. Cited from International Standard IEC 62443-2-1, Industrial Communication Network – Network and system security - Part 2-1: Establishing an industrial automation and control system security program, Edition 1.0 2010-11, Management of deviations: maintaining plant operations often requires that deviations that have been detected from normal conditions are recorded and that the response to the deviation is recorded. Deviations are typically measured differences between an observed value and an expected or normal value, or an anomaly from a documented standard or process. Deviation management typically involves determination of the root cause of the deviation and may lead to corrective actions to remove the source of the deviations.

This deviation can be caused by a cybersecurity attack on the system. In case a cybersecurity attack occurs, the company needs to have proper mitigation steps. Referring to International Standard IEC 62443-2-1, Industrial Communication Network – Network and system security - Part 2-1: Establishing an industrial automation and control system security program, Edition 1.0 2010-11, Table 17, there are some steps that need to be considered by a company. They are:

• Implement an incident response plan: an emergency response team (responsible personnel – R&R).

• Communicate the incident response plan: a call tree for emergency response will be required.

• Reporting procedure for unusual activities and events: trained personnel report, e.g. flag a spam email, followed up by contacting the IT department and emailing the respective supervisor.

• Report cybersecurity incidents in a timely manner.

• Identify and respond to the incident: this activity will consist of how personnel are trained to identify any system conditions that may be recognized as a cybersecurity attack, contact the experts in the company, determine the severity, and perform network isolation, through to determining the process considerations to minimize the impact on plant operation.

• Identify failure and success of cybersecurity breaches: a procedure shall be in place to identify failed or successful breaches.

• Document details of the incident; this is crucial for investigations.

• Address and correct issues discovered.

• Conduct drills – annually at a minimum.

SUMMARY

This paper is dedicated to Allah Subhanahu Wa Ta'ala and Rasulullah Muhammad Sallallahu Alaihi Wasallam, Qindi and Gary (my sons), my husband, and our parents.

Figure 3 - The number of Industrial Control System (ICS) vulnerabilities discovered in 2014-2016
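The deviation-management wording cited above (a deviation is a measured difference between an observed value and an expected or normal value, and both the deviation and the response to it are recorded) and the earlier list of attack symptoms (operating values changing unexpectedly) can be turned into a small detection and triage routine. The following is an added illustration, not code from the paper or from IEC 62443-2-1: it scans constructed historian samples against normal limits, records each deviation, checks whether an approved management-of-change record explains it (the paper's reason for keeping a change log), and otherwise assigns a response, escalating a safety-system state change to the emergency response team. The tag names, limits, sample values, change-log entries and triage rules are all constructed assumptions.

```python
"""Deviation management over historian samples: detect, record, triage.
Added illustration, not code from the paper or the standard. Tag names,
limits, sample values, change log and triage rules are constructed."""
from dataclasses import dataclass


@dataclass
class Limit:
    expected: float   # normal value for the tag
    tolerance: float  # allowed absolute difference before it counts as a deviation
    max_step: float   # largest change between consecutive samples expected in operation


@dataclass
class Deviation:
    timestamp: str
    tag: str
    observed: float
    expected: float
    kind: str           # "out_of_band" or "unexpected_step"
    response: str = ""  # filled in when the deviation is handled


# Constructed normal operating limits (assumptions, not real plant data)
LIMITS = {
    "FT-101.PV": Limit(expected=250.0, tolerance=15.0, max_step=10.0),  # flow, m3/h
    "PT-201.PV": Limit(expected=42.0, tolerance=3.0, max_step=1.5),     # pressure, bar
    "SIS-1.STATE": Limit(expected=1.0, tolerance=0.0, max_step=0.0),    # 1 = running
}

# Constructed historian samples: (timestamp, tag, value)
SAMPLES = [
    ("10:00:00", "FT-101.PV", 251.0),
    ("10:00:10", "FT-101.PV", 249.5),
    ("10:00:20", "FT-101.PV", 280.0),   # leaves the normal band
    ("10:00:00", "PT-201.PV", 42.4),
    ("10:00:10", "PT-201.PV", 41.9),
    ("10:00:20", "PT-201.PV", 44.5),    # still in band, but a larger step than expected
    ("10:00:00", "SIS-1.STATE", 1.0),
    ("10:00:30", "SIS-1.STATE", 0.0),   # safety controller left the running state
]

# Constructed management-of-change records: (timestamp, tag prefix, reference)
CHANGE_LOG = [
    ("09:59:50", "FT-101", "MOC-0042 approved: raise FT-101 setpoint to 280"),
]


def detect_deviations(samples, limits):
    """Return one Deviation per sample that leaves its band or steps too far."""
    last_value = {}
    found = []
    for ts, tag, value in samples:
        lim = limits[tag]
        if abs(value - lim.expected) > lim.tolerance:
            found.append(Deviation(ts, tag, value, lim.expected, "out_of_band"))
        elif tag in last_value and abs(value - last_value[tag]) > lim.max_step:
            found.append(Deviation(ts, tag, value, lim.expected, "unexpected_step"))
        last_value[tag] = value
    return found


def approved_change_for(deviation, change_log):
    """Return the approved change record that explains the deviation, if any."""
    for ts, prefix, reference in change_log:
        if deviation.tag.startswith(prefix) and ts <= deviation.timestamp:
            return reference
    return None


def record_response(deviations, change_log=CHANGE_LOG):
    """Attach the response to each deviation; the triage rules are assumptions."""
    for d in deviations:
        change = approved_change_for(d, change_log)
        if change:
            d.response = f"explained by {change}; verify and close"
        elif d.tag.startswith("SIS-"):
            d.response = ("unexplained safety-system state change: escalate to "
                          "emergency response team and isolate the segment")
        else:
            d.response = "unexplained: operations to determine root cause"
    return deviations


def deviation_log(deviations):
    """Render recorded deviations and their responses as plain log lines."""
    return [f"{d.timestamp} {d.tag} observed={d.observed} expected={d.expected} "
            f"{d.kind} response='{d.response}'" for d in deviations]


if __name__ == "__main__":
    for line in deviation_log(record_response(detect_deviations(SAMPLES, LIMITS))):
        print(line)
```

Running the module prints three recorded deviations: the flow excursion is closed against the approved change, the pressure step is handed to operations for root cause, and the safety controller leaving its running state is escalated, which is the "identify and respond" step of the incident list above.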