Security? Nobody is Interested in Our Data, Are They?
I recently had the pleasure of attending a meeting organised by the Information Systems Security Group (ISSG) of the British Computer Society (BCS). The meeting was held at the Southampton Street headquarters of the BCS, near Covent Garden in London.
The subject of the meeting was Security in Real Time Industrial Control Systems (ICS) and the guest speaker was David Spinks, a time-served professional and acknowledged expert in the arena of security and compliance in real time systems. In these days of always-on internet access and high speed mobile data connections, managers are accustomed to having access to live information about their production and control systems. The problem of course, is that allowing access to a control system for a manager’s mobile phone is effectively poking a hole in your plant security. If the manager can get in, who is to say the bad guys can’t?
So how do we secure real time systems? When talking about real time systems as opposed to standard IT, it is important to note that although these days they are more often based on standard PC platforms, their methodology is somewhat different. A “real time” system is live. Anything that affects the processing of control data could result in loss of data, loss of production or at worst, loss of life. A Windows “blue screen” on a home PC or even an enterprise workstation would be an inconvenience. The same problem on an embedded controller could result in a significant problem. Windows Embedded operating systems have gone a long way in reducing this sort of issue by dispensing with unnecessary “bloatware” but the majority of real time PC systems would use operating systems such as QNX or Real Time Linux.
With an enterprise PC, the company firewall is the first line of defence but users will still be accessing the internet and receiving e-mail. The corporate network will generally have anti-virus software installed on all client computers, prepared to pounce on any suspicious link or message. Many of us will have experienced the slowdown in computer performance that is unavoidable when the AV program starts to scan. In a real time scenario, the performance hit could have far greater consequences. Missing the signal to close a valve or slow a pump, by even a few seconds, could result in potential disaster or at best embarrassment. Therefore, real time systems need alternative approaches to security.
Real time systems are seldom connected to the internet directly but via an interface to the company network. Security should be applied at that point to ensure that unwanted visitors cannot access control systems. Some large scale data breaches that have been reported were not necessarily gained through enterprise IT but through other peripheral systems such as building management or telephone.
One of the main routes into control systems and one that is often overlooked is the insider threat. This can be intentional, such as a disgruntled employee, or accidental such as the security guard booting the office PC to a USB pen to watch videos on the night shift. Many large organisations are implementing joint Security Operations Centres, involving staff from IT, ICS and HR. This enables sharing of information between all interested parties, developing a holistic approach to security across the board.
All in all, the session was a very interesting couple of hours on a subject that is not often explored in the depth it should be.
If I could suggest one take home message from this. Should a production manager wish to keep an eye on things from his mobile whilst on annual leave, it may not be the best idea to open the firewall to allow it!