A review of some important principles of ICS cybersecurity
It may seem that the current, one might say avalanche-like, growth of the market for equipment, software and services that address ICS cybersecurity is driven by the emergence of external threats to technological processes, which in turn leads to a natural increase in government regulation. This view is largely correct; however, the foundation of these processes appears to be the uncontrolled spread of the Ethernet interface as the de facto standard for building the industrial networks of industrial control systems. Why uncontrolled? What grounds are there for saying so? In my opinion, there is every reason. The topic of ICS cybersecurity appeared not so long ago, and before that any designer of an ICS or a subsystem, with a light movement of the hand, connected together the networks of the power unit, the substation, the main control level and many other smaller automated control systems. All of this was done on the customer's instructions, in order to ensure greater observability of the facility and improve the quality of control and management.
What have these good intentions produced? Specialists maintaining technological monitoring and control systems have largely lost their understanding of the processes taking place in these LANs and of their possible effect on keeping the technological process running. One might think this is a consequence of low staff qualifications. In many cases it is not. The point is that the volume of information the personnel must analyze affects how adequately they perceive the state of the controlled object. The number of industrial networks and active devices today is such that even a qualified specialist cannot foresee the possible consequences of changing the settings of ICS controllers or network equipment, installing new devices, or even switching control subsystems into repair or routine adjustment modes. And I have not yet touched on external attackers with their various objectives and means of penetration and influence.
Thus the appearance of information security specialists at the checkpoints of industrial facilities has, in general, coincided organically with this growing pressure from industrial networks, under which the backs of the valiant operating personnel have already begun to bend. These knights of firewalls, anti-virus defenses and intrusion detection systems were expected to take up the banner of industrial security and ensure smooth operation in modern conditions: Internet connections, remote communication channels, and MES and ERP systems pulling gigabytes of data out of the process control system.
I believe that in many respects this task is being solved by today's developers of information security systems for process control systems, or will largely be solved within a few years. Of course there are difficulties: not every ICS tolerates the integration of information security tools into its sensitive architecture well. But these are working issues. However, I think there are a number of conceptual questions that suppliers and integrators of ICS cybersecurity tools should analyze.
To understand how effective the means of ensuring ICS information security are, it is useful to consider the means that fulfil its target tasks. The main tasks of the ICS, in order of priority, are:
1. Maintaining the technological process
2. If the first cannot be maintained, ensuring the safety of the technological equipment and the lives of the personnel
In the event of a technological accident, there are two ways the situation can develop. The development of an emergency can be stopped by the automatic action of the protection subsystem within the ICS software and hardware complex, or by the on-duty personnel stopping the technological process from the emergency control panel. In either case a routine shutdown of the technological process is carried out. If for some reason these measures fail to stop the technological process in a routine manner, the emergency may escalate with unpredictable consequences. Therefore all modern ICS include software and hardware designed for the automatic or manual safe shutdown of the technological process.
Now consider the target tasks of ICS information security. The companies developing software and hardware for ICS information security have historically been the developers of the same solutions for the IT market. But the tasks of IT information security and ICS information security are ideologically different. In IT information security the task is to maintain the operability of the organization's entire IT infrastructure, including all its links (the Internet connection, VPNs to branches, and so on). One can even say that the operation of these connections is one of the main priorities, since the useful output of many companies drops to zero when, for example, the Internet connection is lost. As for the information security of the process control system, today its main task is formulated as:
1. Ensuring the functioning of the ICS, including all external connections
Note that in the event of an information security incident its outcome can be anything, up to a technological accident, and practically does not depend on the facility's on-duty personnel. At present, SOCs for facilities with ICS are rare, and their appearance may be held back by assessments of their financial and, especially, their target effectiveness for ICS. This means that the existing paradigm of ICS development is characterized by the absence of any means of actively influencing the course of an ICS cybersecurity incident after the moment of successful penetration into the ICS LAN.
In fact, at an industrial facility we can decompose all industrial networks into conditionally isolated segments, each of which by itself ensures the operation of the technological process. Thus in critical situations, or situations with an increased level of danger to the facility's information security, the connections between such subnets have no value from the point of view of the technological process. And here lies the first dissonance: information security specialists are used to seeing their goal as preserving the operability of the organization's entire infrastructure, whereas in ICS information security they must begin to understand that not all connections are valuable. Therefore, in certain situations, these connections can be physically disabled to minimize or stop the spread of destructive processes in the ICS network.
Let me give one example. We all know about the accident at the Sayano-Shushenskaya HPP in Russia. I will not discuss that facility itself; the development of the accident is well described. One of the factors that led to it was the transfer of the Sayano-Shushenskaya HPP to frequency control mode in the power system. The reason for this transfer was a fire in the communication room of the Bratsk Hydroelectric Power Station, which is the main frequency regulator in the Siberian power system. As a result, the main dispatch center of Siberia completely lost communication with all automated systems of the Bratsk HPP, including the automatic frequency and power control system. Thus one of the key energy facilities in Siberia dropped out of the automatic regulation process. The communication of the automated systems was broken. How did this affect the functioning of the Bratsk HPP itself? In fact, almost not at all. Of course the station no longer performed automatic regulation, but the generators remained in operation, the station was controlled via voice communication channels from the Siberian dispatch center, and the station's automation systems kept working. This example shows that even the loss of important control and management channels need not lead to a process shutdown. What, then, can be said of the numerous purely informational connections of the ICS: data transfer to ERP and MES, the general facility control center, remote access channels, and so on? Consequently, a new principle should appear in ICS cybersecurity measures: not all LAN connections of an ICS are valuable; such connections should be identified when developing ICS cybersecurity projects, and the project must provide tools (for example, etherCUT) for physically disconnecting them.
The second dissonance I feel relates to the response to ICS information security incidents. As a person involved in automated process control systems, I am accustomed to the fact that when any disturbance appears, the control system compensates for it with its algorithms. That is, there is an active reaction. And what is meant by the term "response to an information security incident in an automated process control system"? In most cases, at an industrial facility, this means a post-analysis of the incident and the adoption of measures to adjust the protections and settings, in terms of both information security and the ICS, to prevent such a case in the future. A single regular shutdown and subsequent restart of a large technological unit can cost tens of millions of dollars; a shutdown of a technological unit with damage to the technological equipment can cost hundreds of millions of dollars. So do all attacks and penetrations happen so quickly that the on-duty personnel (the facility's information security specialist is, at least for now, not part of the duty personnel) cannot do anything? In most cases, no. Modern IDS software, together with an analysis of the value of the ICS LAN connections, makes it possible to form effective scenarios for the response of the facility's on-duty personnel to incidents in the ICS industrial networks.
Disabling unnecessary connections can stop an attack, or prevent it from spreading to other connected ICS LANs. Of course, this requires defining scenarios for analyzing IDS messages and assessing how controllable the facility remains during an incident, and on that basis formulating instructions for the actions of the operational and duty personnel under a threat or during an information security incident. To implement the function of disconnecting unnecessary links, an Emergency LAN Control Panel of the ICS can be provided, containing Ethernet interface breakers (such as etherCUT) for the connections defined as non-essential for operation of the technological process.
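As an added illustration of the principle described above (the conditionally isolated segments, the rule that not every connection is valuable, and the IDS-driven response scenario), the following Python model is not part of the original article and does not describe etherCUT or any real product; all hostnames, link purposes and the IDS alert format are constructed for the example. It keeps a connection inventory in which each link is marked as process-critical or not, derives the process segments from the critical links alone, and, for an IDS alert naming a compromised host, selects the non-critical links to cut so that the host loses its path into every exposed segment while no process-critical link is ever touched. It also reports the case the text implies: when the alert names a host inside a process segment, cutting non-critical links only limits outward spread, and the decision on the process itself stays with the on-duty personnel.

```python
"""Connection-value analysis for ICS incident response (added example).

Each link is tagged process_critical (needed to run or safely stop the
process) or not. Process segments are the connected components of the
critical links alone. On an IDS alert, every non-critical link touching a
segment the compromised host can reach is cut; critical links never are.
Hostnames, purposes and the alert format below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    purpose: str
    process_critical: bool  # True = needed to run or safely stop the process


# Constructed connection inventory (no real plant).
LINKS = [
    Link("plc_unit1", "hmi_unit1", "operator control", True),
    Link("plc_unit1", "safety_panel", "emergency shutdown", True),
    Link("plc_unit1", "plc_unit2", "inter-unit interlock", True),
    Link("plc_unit2", "hmi_unit2", "operator control", True),
    Link("hmi_unit1", "historian", "trend archive", False),
    Link("hmi_unit2", "historian", "trend archive", False),
    Link("hmi_unit1", "remote_access", "vendor remote support", False),
    Link("historian", "mes_gateway", "production reporting", False),
    Link("mes_gateway", "erp", "ERP integration", False),
    # A separate unit that shares no connection with the first two.
    Link("plc_unit3", "hmi_unit3", "operator control", True),
    Link("hmi_unit3", "local_log", "local trend archive", False),
]


def adjacency(links):
    graph = defaultdict(set)
    for link in links:
        graph[link.a].add(link.b)
        graph[link.b].add(link.a)
    return graph


def reachable(graph, start):
    """Hosts reachable from start over the given links (breadth-first)."""
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for peer in graph[host]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def process_segments(links):
    """Connected components of the process-critical links only: each one
    is a segment that runs its process without any other connection."""
    graph = adjacency([l for l in links if l.process_critical])
    segments, seen = [], set()
    for host in sorted(graph):
        if host not in seen:
            component = frozenset(reachable(graph, host))
            seen |= component
            segments.append(component)
    return segments


def parse_alert(line):
    """Parse a constructed IDS line '<timestamp> ALERT key=value ...'."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[2:] if "=" in tok)
    fields["timestamp"] = tokens[0]
    return fields


def plan_isolation(links, compromised_host):
    """Choose the links to cut for an alert on compromised_host.

    For every process segment the host can currently reach, cut all
    non-critical links touching that segment. Verify that the critical
    topology is unchanged, then report per segment (keyed by its first
    hostname) whether the host has been cut off from it."""
    exposed = reachable(adjacency(links), compromised_host)
    cut = set()
    for segment in process_segments(links):
        if segment & exposed:
            cut |= {l for l in links if not l.process_critical
                    and (l.a in segment or l.b in segment)}
    remaining = [l for l in links if l not in cut]
    assert process_segments(remaining) == process_segments(links)  # invariant
    still_exposed = reachable(adjacency(remaining), compromised_host)
    contained = {min(seg): not (seg & still_exposed)
                 for seg in process_segments(links)}
    return {"cut": sorted(f"{l.a}-{l.b}" for l in cut), "contained": contained}


def respond(links, alert_line):
    """Full path from a raw IDS line to a breaker plan."""
    return plan_isolation(links, parse_alert(alert_line)["src"])


if __name__ == "__main__":
    for line in [
        "2024-05-01T10:02:11 ALERT src=erp dst=mes_gateway sig=lateral-movement",
        "2024-05-01T11:40:03 ALERT src=hmi_unit1 dst=plc_unit1 sig=unexpected-write",
    ]:
        print(line.split()[2], "->", respond(LINKS, line))
```

In the first alert the compromised ERP host is cut off from the only segment it could reach by opening three non-critical links, while the independent third unit keeps all of its connections. In the second alert the compromised host is an HMI inside the segment, so the same cuts contain outward spread but the plan reports that segment as not contained: this is the point at which the instructions for the duty personnel, not the breakers, decide what happens to the process.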