Approaches to security for OPC UA SCADA systems
The U.S. Department of Homeland Security (DHS) reports that attacks on U.S. critical infrastructure are happening with increasing frequency. “For many industrial control systems (ICSs), it’s not a matter of if an intrusion will take place, but when,” says the recent DHS report Seven Steps to Effectively Defend Industrial Control Systems. Most exposed in the water industry are the supervisory control and data acquisition (SCADA) systems that utilities use to automate the operation of valves, flows, purification and other critical processes that determine the safety and quality of the water delivered to users.
The DHS report recommends seven strategies to protect industrial control systems, including application whitelisting, proper configuration and patch management, reducing attack surface area, building a defendable environment, managing authentication, monitoring and responding to anomalies, and implementing secure remote access (see Figure 1).
All of the approaches DHS recommends can be valuable, but because they are applied to technology that was designed before cybersecurity was a concern, implementing them can require additional staff time and cost. Now, however, as many utilities upgrade their automation systems to take advantage of the cost and performance benefits of open SCADA technology, some plants are reducing the cost of ownership and operation by implementing communications and control systems with built-in cybersecurity functionality.
“The [programmable logic controllers (PLCs)] running automatic control of our digestion blowers, clarifiers, sludge pumps and chlorination chemical feed pumps have become obsolete,” said Steve Mallett Jr., P.E., general manager of the City Corp., a pollution control facility that serves the city of Russellville, Ark. “So when one of our PLCs failed, we wanted to replace it with something that would provide a path to the future.” Driven in part by the security concerns of a retired general who sits on the City Corp. board, this included implementing a control system with embedded cybersecurity.
In addition to cybersecurity, Russellville had objectives of improving communications with remote sites and reducing costs. It did this by implementing standards-based communications software that is designed to enable secure exchange of information between plant SCADA applications and the control system.
Traditional SCADA systems are exposed in three main areas: the operational information on which they rely to supervise control and to access plant data; the production data that emerges from plant operations; and the control logic that opens and closes valves, starts pumps, applies chemicals and so on. The more freely this data flows, the more cost-effectively the plant can be run, so there is much to be gained by securing the data exchange rather than simply restricting it.
“We are seeing increased interest in cybersecurity among municipal utility clients. Many want to control security functions from their tablets and control centers, because their networks are getting hammered every day by probes and attempted intrusions. A controller with embedded security provides another layer of protection beyond firewalls and [virtual private networks]. As it powers up, it checks to be sure that all hardware and software components are validated. Regular PLCs just can’t do that,” said Dee Brown, P.E., of Brown Engineers, the engineering firm that installed controls at Russellville.
One significant step toward securing open communications is the maturing of Open Platform Communications Unified Architecture (OPC UA), a standard for managing open communications across multivendor applications and devices. Its specification includes a security model in which applications authenticate each other with X.509 certificates, users authenticate with their own credentials, and messages are signed and encrypted, so that each device or workstation on the network can verify that the communications it receives are authentic and have not been read or altered in transit.
Open secure automation controllers have cybersecurity authentication algorithms built into their electronics.
The OPC UA Connection
OPC UA is becoming the communication standard of choice for SCADA because it is simple and scalable and because, unlike many of the legacy industrial protocols it replaces, it specifies authentication and encryption as part of the standard. A control system built for secure operation carries an embedded OPC UA server. An OPC UA client can discover any controller on the network that is running such a server, connect to it and browse its address space to learn what data the controller exposes, and the server decides for each item whether the requesting application and user have the right to read or write it.
Once a client has found a device running an OPC UA server, the server scales easily to let multiple clients connect and exchange data securely. That data can then be used in applications that run on PLCs or other controllers, drawing on industry-standard application software and engineering tools that build powerful, complex programs out of reusable programming objects.
Object-oriented programming has been available in limited form in industrial control system programming for many years, but the methodology has matured considerably, making it much easier to develop programs that are easy to build, easy to troubleshoot and able to scale by building on previously tested objects. If you have a pump station running three motors and suddenly need to bring online a pump station with four, for example, you do not have to develop new code from scratch; you extend the three-motor version by dragging and dropping an already programmed motor block.
The options for defining the rules that govern data exchange also contribute to scalability. Each item can be flagged read-only, write-only or read-write, and the conditions under which its value moves can be set, e.g. whether a value is reported only when it changes (a subscription, optionally with a deadband so that measurement noise is not transmitted) or is polled on a fixed interval.
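To make those access-level and on-change rules concrete, here is an added example in Go. It is not code from the article or from any vendor the article mentions; it models the AccessLevel bits of an OPC UA Variable node and the deadband filter of a subscription's monitored item. The node name, process values and engineering-unit range are constructed for the example.

```go
package main

import (
	"errors"
	"math"
)

// AccessLevel bits from the OPC UA AccessLevelType; only the two bits the
// article talks about are modelled here.
const (
	AccessCurrentRead  uint8 = 0x01
	AccessCurrentWrite uint8 = 0x02
)

var (
	ErrNotReadable = errors.New("BadNotReadable")
	ErrNotWritable = errors.New("BadNotWritable")
)

// Variable is a hypothetical stand-in for a Variable node in a controller's
// address space; EULow/EUHigh is the range a percent deadband is taken against.
type Variable struct {
	Name          string
	AccessLevel   uint8
	Value         float64
	EULow, EUHigh float64
}

// Read and Write are the client-facing services; the access level decides
// which of them a node permits.
func (v *Variable) Read() (float64, error) {
	if v.AccessLevel&AccessCurrentRead == 0 {
		return 0, ErrNotReadable
	}
	return v.Value, nil
}

func (v *Variable) Write(x float64) error {
	if v.AccessLevel&AccessCurrentWrite == 0 {
		return ErrNotWritable
	}
	v.Value = x
	return nil
}

// DeadbandType mirrors the DataChangeFilter deadband options.
type DeadbandType int

const (
	DeadbandNone     DeadbandType = iota // report every change
	DeadbandAbsolute                     // report when |new-last| > DeadbandValue
	DeadbandPercent                      // same, with DeadbandValue as % of EU range
)

// MonitoredItem models one subscription item: the server samples the variable
// on an interval and queues a notification only when the filter passes.
type MonitoredItem struct {
	Var           *Variable
	Deadband      DeadbandType
	DeadbandValue float64
	last          float64
	primed        bool
}

// Sample is called by the server once per sampling interval. It reads the
// server-side value directly (the access level governs clients, not the
// controller itself) and reports whether a notification is due.
func (m *MonitoredItem) Sample() (float64, bool) {
	v := m.Var.Value
	if !m.primed { // the initial value is always sent
		m.primed, m.last = true, v
		return v, true
	}
	var changed bool
	switch m.Deadband {
	case DeadbandAbsolute:
		changed = math.Abs(v-m.last) > m.DeadbandValue
	case DeadbandPercent:
		changed = math.Abs(v-m.last) > m.DeadbandValue/100*(m.Var.EUHigh-m.Var.EULow)
	default:
		changed = v != m.last
	}
	if changed {
		m.last = v
	}
	return v, changed
}

// Notifications pushes a constructed series of process values into the
// variable, as the controller's scan cycle would, and returns the values the
// subscription would actually send to the client.
func Notifications(m *MonitoredItem, process []float64) []float64 {
	var sent []float64
	for _, x := range process {
		m.Var.Value = x
		if v, ok := m.Sample(); ok {
			sent = append(sent, v)
		}
	}
	return sent
}
```

With a read-only level node and an absolute deadband of 0.5, a client's Write is refused with BadNotWritable, and the constructed scan values 10, 10.2, 10.6, 10.6, 12 produce only three notifications (10, 10.6 and 12); without a deadband every distinct value is sent. The same node with a 5 percent deadband over a 0 to 10 range uses the same 0.5 threshold, which is why the percent form is only meaningful once the engineering-unit range is defined.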
Securing OPC UA Communications
Such attributes make OPC UA communications desirable for building efficient automation applications, but it is a third quality, the ability to help users manage authentication, that also makes them securable. When DHS uses the term “managing authentication,” it means preventing adversaries from gaining control of legitimate credentials, especially those associated with highly privileged accounts.
Compromising these credentials lets an adversary masquerade as a legitimate user. What makes OPC UA more secure than older industrial protocols is that trust and access control are part of the protocol itself: every application that opens a secure channel must present a signed X.509 certificate identifying itself, and the session it then opens carries a user identity on top of that. How that certificate comes to be trusted is the difference between the two levels of protection available.
At the baseline level, the application developer or integrator generates a self-signed certificate for each controller and client; the certificate holds the public key whose private counterpart signs and decrypts that application's traffic. Trust is established by placing each peer's certificate in the other's trust list, much as you might protect an online database by encrypting it and assigning a password: whatever holds the secret is assumed to be authorized. The limitation is the same, too. Anyone who obtains the password, or who can get a certificate accepted into a trust list (or finds a server configured to accept every certificate it is offered), is granted entry.
The second approach also builds on OPC UA's security model, but takes it further. Each controller's private key is generated and kept inside the control system's electronics, where it cannot be copied out, and its certificate is issued by a certification authority, which may be a third party, that the rest of the plant already trusts. A peer that is offered the certificate does not simply look it up in a list; it verifies the signature chain back to that root of trust, checks the certificate's validity period and revocation status, and confirms that the application identifier in the certificate matches the application it claims to be. An intruder who has obtained a password or copied a configuration still cannot produce a certificate that chains to the utility's root, because only the authority's private key can sign one.
Picture that verification performed not at one point of entry but on every secure channel between every pair of components, thousands of times a day with no operator involvement, across a hierarchy of keys that the most powerful computers available cannot feasibly forge. The technology for managing this is a public key infrastructure (PKI), and embedding a PKI and an OPC UA server into an industrial control system is what enables a secure exchange of information between control systems, SCADA applications and industrial devices.
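The two trust models just described, as an added worked example in Go using only the standard library's X.509 support. This is not code from the article or from any vendor it mentions: the controller name, the application URI and the CA name are hypothetical, and the keys are generated in software here, where a controller with embedded PKI would generate and hold them in hardware.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// PLCURI is a hypothetical OPC UA ApplicationUri; OPC UA carries it in the
// certificate's URI subjectAltName and peers check it after chain validation.
const PLCURI = "urn:example-utility:plc1"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey makes the key pair in software. In a controller with embedded PKI it
// would be generated inside a secure element and the private half never exported.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

func template(cn, appURI string, isCA bool) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	must(err)
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
		return t
	}
	u, err := url.Parse(appURI)
	must(err)
	t.URIs = []*url.URL{u}
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	return t
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// SelfSignedPLCCert is the baseline level: the controller vouches for itself.
func SelfSignedPLCCert(appURI string) *x509.Certificate {
	k := newKey()
	t := template("PLC-1", appURI, false)
	return issue(t, t, &k.PublicKey, k)
}

// CAIssuedPLCCert is the PKI level: a utility root CA signs the controller's
// certificate, so peers need only trust the root, not every controller.
func CAIssuedPLCCert(appURI string) (root, plc *x509.Certificate) {
	caKey := newKey()
	caTmpl := template("Utility Root CA", "", true)
	root = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	plcKey := newKey()
	plc = issue(template("PLC-1", appURI, false), root, &plcKey.PublicKey, caKey)
	return root, plc
}

// Validate does what an OPC UA peer does when a secure channel is opened: chain
// the presented certificate to an entry in its trust list (validity dates are
// checked on the way), then confirm the ApplicationUri matches. A self-signed
// certificate only passes if it is itself in the trust list.
func Validate(presented *x509.Certificate, expectedURI string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return err
	}
	for _, u := range presented.URIs {
		if u.String() == expectedURI {
			return nil
		}
	}
	return errors.New("ApplicationUri does not match the application that presented the certificate")
}
```

Calling Validate with the self-signed certificate and an empty trust list fails; adding that same certificate to the trust list makes it pass, which is exactly the per-peer trust-list model of the baseline level. The CA-issued certificate passes when only the root is trusted, while the self-signed one is rejected against that same root, and a certificate that chains correctly but carries a different ApplicationUri is still rejected. Revocation checking is not modelled here; a production peer would also consult the CA's revocation list.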
“Providing public access to the existing scanner/alarm in the current environment meant opening access to the SCADA system, which we could not do. With the cybersecurity embedded into the controller, we can monitor coverage with remote I/O video and a 900-MHz wireless radio, and feed the results into the SCADA system, which can display levels, trigger alarms and then issue secure public notifications as appropriate,” said Jason Hamlin, SCADA manager, city of Lynchburg, Va., discussing how embedded cybersecurity helps him communicate externally without jeopardizing the integrity of data used by the SCADA system.
Toward a Safe, Open Future
Looking at the DHS strategies in the context of secured communications and control, almost all of them, with the exception of proper configuration and patch management, can now be incorporated into a holistic cybersecurity plan that integrates OPC UA communications and intrinsically secure control systems.
Certainly, intrinsic PKI-based “managed authentication” contributes to the “defendable environment” DHS calls for, and gives OPC UA a secure conduit through which to enforce “application whitelisting” and “secure remote access.” At least one secure controls vendor “reduces attack surface area” by replacing traditional circuit-board pins with an electromagnetic backplane, and that same vendor will soon announce embedded monitoring and response functionality.
Utility application developers who plan to take full advantage of the cost and operational benefits of open SCADA would do well to seek out control technology with embedded cybersecurity. It can significantly reduce the chances of a successful cyberattack going forward, and ideally it should be included in the cost of the control system rather than bought as an add-on.