Thursday, February 24, 2022
Just because your computer control system is running well does not mean it is secure. So why bother with cyber security?
There’s a story about a system integrator who was sent to a plant to install an HMI for one of the plant’s operating units. After initially struggling with the communication for several days, he determined that Windows security was preventing him from communicating with the drivers (which connect software applications to controllers like a PLC or RTU). To avoid further delays, he gave everyone read and write permissions. He didn’t have to worry about the “bad guy” outside the plant, because the Information Technology folks already had the plant’s business system protected. With security out of the way, the project was a breeze and he was done in only two weeks. The Site Acceptance Test (SAT) passed and the customer was happy with their new system.
Within a few months, a manager in a separate business unit decided he wanted to connect to one of his department’s applications. He downloaded a free “testing” software application from a website. Unfortunately, the remote computer to which he needed to connect had a similar name to the computer recently installed by the system integrator (a few months earlier). So the manager made an honest mistake and connected to the wrong computer. Without the security to stop him, the manager easily connected his “testing” software to the driver (that’s the power of plug-and-play).
The manager was curious about his new connection. Initially he was only collecting values once every 10 seconds. He wasn’t satisfied, so he raised the update rate to 100 times per second. The rate of data updates did increase, but at the same time operators started having trouble getting timely responses from their controllers. It seemed their new HMI wasn’t performing well after all... or at least not consistently. Over the next few days, intermittent problems would surface (each time the manager made a connection). It wasn’t until the manager decided to write to the driver (and, by extension, to the PLC) that the plant was able to isolate the cause of the problem: the write was followed by an unplanned shutdown, and the cause was identified immediately afterwards.
Yes, it’s important to secure cyber communication from Dr. Evil (the bad guy), but it is equally important, perhaps even more so, to protect the communication from “trusted” sources like plant personnel (with well-meaning intentions) and otherwise good applications. It’s not as if these people mean to do harm (they don’t), but their curiosity (and even lack of knowledge) can sometimes lead to trouble.
It would be irresponsible to lay blame on the system integrator alone. Although he was the one to turn off the security, several checkpoints missed the fault as well:
Once the plant commissioned the working system, the ease of connectivity quickly morphed into “an accident waiting to happen.” It would be easy for anyone to mistakenly make a connection without full realization of the consequences.
It is my opinion that the main cause of this problem was a security distraction. Simply put, most doomsday scenarios go along these lines: “the bad guy” cracks a plant's network after penetrating their “impenetrable” firewall. He then attacks computers inside the Business (Level 4) Network. After cracking the plant’s internal Human Resources database (with 128-bit encryption), he focuses on the plant’s Operations (Level 3) Network. He then tunnels through the plant’s Historian, only to infect a computer that only had 10-letter passwords. Once the “easy” job is done, he uses a PLC’s proprietary protocol (downloaded freely from the Internet) and bam! We have a problem.
These are sexy scenarios for security “experts,” and billions of dollars are spent annually to protect plants from “super-villain” hackers. Could this scenario happen? Of course. But this is fear mongering. After all, the only truly secure network is a disconnected network (i.e. every network has vulnerabilities). The missing piece of the puzzle is a statement from the security “expert” about the likelihood of each penetration scenario. If unlikely, the plant is ill-advised to go to extra measures to provide additional protection.
Furthermore, plant personnel have become numb to fear mongers and doomsday scenarios, and as a result they sometimes ignore security altogether. That’s what happened in this case. DCOM, the Windows component that OPC Classic communication runs over, already provides the authentication and launch/access permissions needed to control which accounts, and which machines, may reach a server. But the system integrator turned it off, and no one cared to notice.
In the investigation that followed, the post-mortem analysis team made numerous proposals; the noteworthy recommendations include:
SAT requirements must include testing for security deficiencies and vulnerabilities. This forces the plant to audit automation projects for cyber-security issues before they are accepted, rather than after an incident.
As this case study points out, attention to the intentional cyber threat from outside plants is obscuring the need for integration and training to prevent unintentional cyber-security violations from inside. In the face of growing cyber-security threats a cohesive approach is vital. It would include consolidation and standardization of infrastructure, consistent application of information security strategies, plus enhanced training and certification of security practitioners.
The bad news is that as plants rely on more networked applications, securing their communication only becomes more important. But this sounds more complicated than it is. The good news, as this case study points out, is that simple measures could have stopped this deficiency. By configuring DCOM properly, the system integrator could have secured the entire installation in a few minutes. Security doesn’t have to be difficult; it just takes a bit of desire and know-how.
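A check an SAT could actually run, added here as an example and not part of the original post or of any OPCTI material: the following PowerShell script reads the machine-wide DCOM security descriptors and those of any AppID whose registered name matches a pattern (assumed here to be "OPC"), decodes each ACE into DCOM rights, and flags the exact condition in the story, an Allow entry giving Everyone or ANONYMOUS LOGON remote access or activation, as well as an authentication level of None. The registry locations, value names and rights bits are the standard DCOM ones; the AppID name filter and the choice of which principals count as too broad are assumptions.

```powershell
# Added example, not code from the original post or from OPCTI.
# Audits the DCOM security descriptors that decide who may launch and call
# COM/OPC servers on a Windows host, so an SAT can catch the "everyone gets
# read and write" configuration described above. Run from an elevated prompt
# on the HMI / OPC server machine.

$DcomRights = [ordered]@{
    1  = 'Execute'          # COM_RIGHTS_EXECUTE (legacy "access" bit)
    2  = 'ExecuteLocal'     # COM_RIGHTS_EXECUTE_LOCAL
    4  = 'ExecuteRemote'    # COM_RIGHTS_EXECUTE_REMOTE
    8  = 'ActivateLocal'    # COM_RIGHTS_ACTIVATE_LOCAL
    16 = 'ActivateRemote'   # COM_RIGHTS_ACTIVATE_REMOTE
}
$RemoteMask = 4 -bor 16

$AuthLevelNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call';
                     4 = 'Packet'; 5 = 'PacketIntegrity'; 6 = 'PacketPrivacy' }

# Assumption: these principals should never hold remote DCOM rights on an OPC host.
$BroadSids = @('S-1-1-0',   # Everyone
               'S-1-5-7')   # ANONYMOUS LOGON

function ConvertTo-DcomRightNames([int]$Mask) {
    @($DcomRights.GetEnumerator() | Where-Object { $Mask -band $_.Key } |
        ForEach-Object { $_.Value })
}

# Decode one REG_BINARY security descriptor into one report row per ACE.
function Get-DcomSdRows([string]$Scope, [string]$Setting, [byte[]]$BinarySd) {
    if (-not $BinarySd) { return }   # value absent: the built-in Windows default applies
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($BinarySd, 0)
    if ($null -eq $sd.DiscretionaryAcl) {
        # A NULL DACL grants everything to everyone: the worst possible setting.
        [pscustomobject]@{ Scope=$Scope; Setting=$Setting; Account='(NULL DACL)';
                           Rights='ALL'; Finding=$true }
        return
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $allowed = $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
        [pscustomobject]@{
            Scope   = $Scope
            Setting = $Setting
            Account = $name
            Rights  = ((ConvertTo-DcomRightNames $ace.AccessMask) -join ',')
            # The integrator's mistake: an Allow ACE giving Everyone/Anonymous remote rights.
            Finding = ($allowed -and ($BroadSids -contains $sid.Value) -and
                       (($ace.AccessMask -band $RemoteMask) -ne 0))
        }
    }
}

function Get-AuthLevelRow([string]$Scope, [string]$Setting, $Value) {
    $lvl = 0
    if ($null -ne $Value) { $lvl = [int]$Value }
    [pscustomobject]@{ Scope=$Scope; Setting=$Setting; Account='-';
                       Rights=$AuthLevelNames[$lvl]; Finding=($lvl -eq 1) }   # 1 = None
}

function Invoke-DcomAudit([string]$AppIdNamePattern = 'OPC') {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    foreach ($s in 'MachineAccessRestriction', 'MachineLaunchRestriction',
                   'DefaultAccessPermission', 'DefaultLaunchPermission') {
        Get-DcomSdRows -Scope 'Machine' -Setting $s -BinarySd $ole.$s
    }
    Get-AuthLevelRow -Scope 'Machine' -Setting 'LegacyAuthenticationLevel' -Value $ole.LegacyAuthenticationLevel

    # Per-server overrides live under the AppID key; the name filter is an assumption.
    foreach ($key in Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID') {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($p.'(default)' -notmatch $AppIdNamePattern) { continue }
        $scope = "$($p.'(default)') $($key.PSChildName)"
        Get-DcomSdRows -Scope $scope -Setting 'AccessPermission' -BinarySd $p.AccessPermission
        Get-DcomSdRows -Scope $scope -Setting 'LaunchPermission' -BinarySd $p.LaunchPermission
        if ($null -ne $p.AuthenticationLevel) {
            Get-AuthLevelRow -Scope $scope -Setting 'AuthenticationLevel' -Value $p.AuthenticationLevel
        }
    }
}

$rows = Invoke-DcomAudit
$rows | Format-Table -AutoSize
$findings = @($rows | Where-Object Finding)
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) DCOM setting(s) would fail the SAT security check."
    exit 1
}
```

A non-zero exit code lets the script sit in an SAT checklist or a scheduled job. A finding is corrected in the same place the integrator loosened things (Component Services, or the registry values the script reads): replace the Everyone entry with a dedicated OPC user group that holds only the local or remote rights each client actually needs, and raise the authentication level above None so that a stray "testing" tool on a similarly named machine is refused rather than silently served.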
OPCTI is the global leader in OPC training for automation professionals, and is the largest OPC training company in the world. OPCTI offers hands-on training workshops in-person and online.
OPCTI is vendor-neutral, meaning that we will teach you how to establish and implement a robust and secure communication infrastructure, no matter what OPC products you use - the training that you receive from OPCTI can be immediately implemented at your workplace. Our progressive training will enable you to increase your efficiency, security, and productivity.
The Certified OPC Professional (COP) designation is only offered by OPCTI. The designation is awarded to those who have successfully completed our training, and who demonstrate proficiency with OPC technology, design architecture, and installations. The COP designation is endorsed by many OPC Foundation member companies.
OPCTI is an active member and a strong supporter of the OPC Foundation. Randy Kondor, President and Chief Instructor at OPCTI currently serves as the Vice President of Education at the OPC Foundation.
Visit our Training Schedule to see where OPCTI is currently offering training workshops, or contact us to find out more about private trainings for you and your team at your site.