How Secure Is Your Control System?

-Maroochydore, Australia, April 2000- Fired by the contractor who installed the control system at the local water treatment plant, engineer Vitek Boden was then rejected for a job by city council. Laid off and ticked off, Boden sought his foul revenge. Using a stolen laptop and two-way radio, he connected wirelessly to the plant’s control system and issued a few lines of code. Over the course of several weeks, he presided over the release of hundreds of thousands of gallons of raw sewage into nearby waterways.

-Davis, Ohio, January 2003- The Davis-Besse nuclear power plant’s process computer and Safety Parameter Display System shut down for several hours. The culprit? The Slammer worm, inadvertently released by a contractor who established an unprotected computer connection to the corporate network, through which the worm reached the plant network and SQL server. Upon investigation, Davis-Besse discovered that plant engineers weren’t even aware of the Microsoft patch released six months earlier. Fortunately, the plant was off-line so neither of the affected systems caused safety failures.

What is the common thread connecting these two examples? Failure to act-not after the incidents occurred-but ahead of time to prevent them from happening in the first place. In the first situation, Boden’s ability to log onto the system should have ceased the moment his position was terminated. In the latter case, Windows security patches were not installed when they were issued. Even though the plant SQL Server may not have been attached continuously to the enterprise system, operating system (OS) updates and patches should have been applied in case of a breach.

Whether you have a small industrial I/O system that forms the guts of a packaging machine, a data acquisition and control system for a pilot plant, a PC/PLC-based control system, or a distributed control system, you can’t afford to take chances with security. Hackers bent on outright destruction may surprise you with their knowledge of PLC/DCS programs and networks. And just because you may have a proprietary PLC or DCS, or run a UNIX or Linux box, you’re not guaranteed security unless you take some initial steps. As a first line of defense you need to know where the attacks are coming from.

The Disgruntled Employee

Clarence is the “model” employee. Loyal, courteous, an astute problem solver, patient, efficient, and innovative. But lay him off due to downsizing or outsourcing and he could be a threat to security. What if the IT department kills his email box almost instantaneously with his layoff but no one thinks to remove his FTP logon, kill his TELNET logon to the data acquisition system, shut down his VPN connection, and kill his remote dial-in? What about the wireless connection? Has it been secured? You don’t need to provide hot spots for disgruntled employees. Let Starbucks® do that.

Once you’ve removed Clarence from all possible logon and database lists, make sure his “ghost” doesn’t return via a backup/restore operation. Check that his logon has also
been removed from any archives. And keep in mind that 70% of industrial cyber incidents originate from within the company.

The Unrelenting Hacker

“It’s been a quiet week in Lake Wobegon.” Maybe, but on the Internet, quiet weeks without hackers and the viruses they create are a faded memory. Whether or not your plant LAN ties into the enterprise LAN, it’s a good idea to have virus protection on all computers, unless, of course, you have an embedded system that isn’t exposed to the network. In one recent week alone, there were three or four McAfee® virus definition updates to combat various versions of MyDoom and Bagle worms.

While not all viruses or worms will destroy your data, they can steal sensitive information that you probably don’t want them to have. Assuming they do no damage to your computer and steal no data, worms can still decrease your network bandwidth to almost zilch, and that’s what shut down the Davis-Besse plant for about six hours. Once infected by email, a computer with a worm spreads its nasty germs to other computers on your network in peer-to-peer fashion, and to other computers around the world via email. Your computers become zombies, and when commanded by a hacker, join an army of computers directing denial of service attacks against a planned destination, for example, Microsoft®.

Not A Virus But Almost As Bad

If a plant floor, Internet-connected Pentium all of a sudden behaves like a 25 MHz 386, it may have an infection; or if this computer is also used to surf the Web, and allows downloadable installs, extreme slowness might be due to adware, spyware, or other unwanted Trojans. Some Web sites that add toolbars to your browsers can install as many as three or four programs or services that track your every move on the Web and relay the information to marketing firms. While these are technically not viruses, they can have the same effect on your machine – they bog it down to a crawl. Sometimes these programs will give you a warning about what they’ll install, but it’s usually buried in a couple thousand words of boilerplate. Sometimes, if you’re lucky, they’ll show up in “Add-Remove Programs,” where you can get rid of them.

How To Avoid Problems

Avoid connecting your HMI or control computer to the network and don’t connect a phone line for remote access. If either is necessary, and your plant LAN and enterprise LAN are tied together, talk it over with IT, and make sure you at least have routers/firewalls in between to control traffic, so only specific hosts get to talk to the plant floor system. Plant networks can be put on separate subnetworks, which provides some isolation. Use routers to close unnecessary ports, and firewalls to exclude hosts and domains.

Use only the “Professional” versions of Windows® 2000 and XP. If you still have Windows NT floating around, don’t expect Microsoft to support it much longer. Although it’s annoying to put up with frequent Windows updates (especially for servers because there’s never a good time to restart a server after installing the update), if you haven’t updated lately, you’re inviting problems. It’s probably a good idea to check with your HMI or DAQ software supplier before you apply updates, just in case there are any issues. Updates also mean “Service Packs,” which are up to Version 4 on Windows 2000, and Version 2 (soon to be released) on Windows XP.

If an HMI (human machine interface) must be connected to the Internet, virus protection is mandatory, and you might also want to consider the use of Spybot Search & Destroy®, Ad-aware® or similar tools to search for and eliminate any commercial spyware/adware that may exist on the computer. Checking the task list and running a sniffer program (like ActivePorts®) is a good way to see what’s going on behind the scenes, and what might be affecting your performance. Take a snapshot of the task list [ALT-Print Scrn], paste it into a Word document, and print it. Check your task list regularly to see if any “new” unauthorized tasks or programs are running, which might be viruses, spyware, adware, etc.

A good way to prevent spyware and adware from getting installed is to make sure user accounts don’t have any installation privileges. Don’t give operators any more privileges than necessary to get their job done. If you must use Internet Explorer, keep its security settings very high. It’s probably not a good idea to mix email with HMI, but if you must have email, why not try a more loosely-connected client such as Pegasus® or Eudora® instead of Outlook® or Outlook Express?

Be careful about assuming that embedded systems are safe. In August of 2003, several Diebold ATM machines running Windows XP Embedded were shut down because of a Windows XP Embedded RPC DCOM vulnerability, which was attacked by Nachi, a descendent of the Blaster worm. Ways to prevent infection include keeping up with Microsoft patches, installing only the modules needed for an application, closing all unneeded ports, and shutting down any services not needed, especially RPC. Also, a properly positioned and configured firewall can help. If you’re designing an embedded system from scratch, one way to eliminate the worms that run on Microsoft-based systems is not to use a Windows operating system. Instead, why not look into QNX®, Wind River®, or a flavor of a real-time Linux® OS?

Conclusion

In the “old days” computers got viruses from users exchanging infected floppy disks. The time it took to spread was very slow compared to today’s Internet-connected computers where viruses travel around the world many times over in less than an hour. Now you can get a computer virus simply by staying connected to the Internet. Your best remedy is to stay up to date with software patches and virus definition updates, and to shut off all Windows services you don’t need. The same applies if you’re running Linux/UNIX. For more information, see the sidebar, “Security helps and info.” And by the way, think twice before laying off Clarence.

Security Helps and Info

All about spyware:

http://www.spywareinfo.com

Forums on security:
http://www.wilderssecurity.com/index.php

ISA Security page: www.isa.org; click on “Technical Information and Communities,” then click on “Security”

Microsoft Security: www.microsoft.com/security

SecurityFocus (A Web site dedicated to security): http://www.securityfocus.com/

U. S. Government. Accounting
Office-Critical Infrastructure Protection: Challenges and Effort to Secure Control Systems:http://www.gao.gov/new.items/d04354.pdf

Windows Task List programs:http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

What Microsoft is doing for security:                                   

-Windows XP Service Pack 2 will ship with fire wall turned on as default.

-Future versions of Windows and microprocessors will feature a hardware-enforced “no execute” to minimize the possibility of running a worm or virus residing in data-only memory.

-Windows components are being recompiled with the newest compiler technology to help mitigate against buffer overruns.

-Windows Servers will be shipped with Internet Information Services (IIS) shut off as default.

-Software will become available to scan computers connected to a network for viruses, patch updates, and illegal open ports before they will be given full access to network services.

-Windows Rights Management Services will control email destinations, protect sensitive files, and safeguard Web portal content.

-Outlook Web access will pre-authenticate all users.

-ISA Server 2004 firewall protection will make email safer to outside employees.

Wayne Labs
Guest Writer

 Notebook-Fill-Image

Originally Published: Sept. 1, 2004