SAVANNAH, Ga. -- The security associated with industrial control systems (ICS) is facing heavy criticism this week at the ICS Joint Working Group 2012 Spring Conference, sponsored by the U.S. Department of Homeland Security (DHS). DHS is concerned cyberattacks could disrupt America's energy, water and manufacturing facilities.
But DHS is also taking concrete steps to improve ICS through a joint effort that includes Motorola Solutions, DHS and Israel's National Information Security Authority -- the Israeli government agency tasked with protecting its critical infrastructure. Together, under what's called the "Secure Controller Joint Project," it has led to Motorola coming up with the security-hardened ACE-3600, which was unveiled today at the conference.
"We live in a tough neighborhood in the Middle East with our neighbors," said Erez Kreiner, director of Israel's National Information Security Authority (NISA), speaking today about the development of Motorola's ACE-3600. He noted there had been more than a few attempts by attackers to take control of ICS systems in Israel in order to try to wreak harm.
ICS systems are typically not known for good security, and in fact, Kreiner said he's even aware of industrial controllers that shipped with viruses inside of them, sardonically calling it "virus-added technology from the vendor."
But DHS, Motorola Solutions and the Israeli government are hoping Motorola's ACE-3600 raises the bar for security in ICS. Israel's NISA has just completed the testing and certification of it for use in Israel, and in the U.S., Idaho National Lab is reviewing it as well. Motorola Solutions product manager Kobi Levin said Motorola expects to begin selling it in June.
The ACE-3600 is a souped-up ICS that does a lot of what ICSs do not do today in terms of security, including working with an authentication server for secure user-access control and role-based permissions. It can encrypt data at rest and in transit, log security events, has secure programming to avoid back doors, has an integrated IP firewall, and uses McAfee whitelisting technology to make sure no unauthorized applications are added to the console. The RTU controller itself doesn't have a way to use whitelisting yet, but McAfee is working on that, says Levin.
McAfee, the security company that's now part of Intel, today also presented a security approach for ICS-based networks used in plants and manufacturing, which increasingly have some way to access the corporate business networks that have Internet access, which heightens risk.
Eric Knapp, director of critical infrastructure markets at McAfee, noted that it's not feasible to run antivirus software for a controller because of the CPU consumption. But other controls, such as whitelisting, which restricts unauthorized applications, can be used on consoles, for example. McAfee is working on some security products especially designed for use in the ICS environment.
Despite the differences, there are also a lot of similarities between the engineer's ICS and SCADA networks and the company's typical IT business network, Knapp points out. Like the IT business network, ICS networks can use products such as firewalls, intrusion-prevention systems security information and event management (SIEM) as well.
"But you shouldn't rely on IT's -- you need your own," said Knapp about how engineers operating ICS networks need to tailor network security design to meet the unique needs they have. Often, there are older systems used in round-the-clock operation that simply can't face disruptions since critical industrial processes are at stake.
In a separate session today, security analyst Jonathan Pollet with firm Red Tiger Security, which focuses on industrial control systems, delivered a withering assessment of the current state of security in ICS.
ICS security lags five to 10 years behind what's commonplace in business IT systems today, Pollet said. That's even though these industrial control system networks look more and more like business IT because they're running Cisco equipment, Windows and Active Directory and file and print services, said Pollet.
Pollet said he and his associates will walk into any variety of plants and manufacturers as consultants to do security assessments, and what they see can be astonishing in terms of security weaknesses. He says the latest security blunder involves plugging smartphones into operator consoles, which can bridge the control systems to the Internet. "We ask them why they're doing this, and they say, 'We're trying to get some more juice.'"
Pollet noted that stealthy attacks to compromise networks are on the rise, such as those against the gas pipeline industry announced by DHS this week, which he said isn't a rare phenomenon. Social networks are also a place where social-engineering ploys can be used to gain information that shouldn't really be publicly shared.
He said his firm in the past has even found shocking evidence of rootkits in control systems. And he noted that if anyone doubts cyberwar is a possibility, "we were contacted by two governments overseas -- not China -- to help them create a cyberwar campaign. They wanted SCADA capabilities.
"We're still struggling as an industry to develop secure products," he concluded.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.