POWER June 2012 - 28

CYBERSECURITY
IT security, and one part ICS security to properly function. Physical security is generally well-understood and is often addressed by experts coming from the military or law enforcement. IT security typically deals with commercial off-the-shelf hardware and software and connections to the Internet, with experts coming from IT and the military. ICS security, in contrast, is an engineering problem requiring engineering solutions. Resilience and robustness are the critical factors in the survivability of compromised ICSs.

ICS security requires a balanced approach to technology design; product development and testing; development and application of appropriate ICS policies and procedures; analysis of intentional and unintentional security threats; and proactive management of communications across view, command and control, monitoring, and safety. It entails a lifecycle process, beginning with conceptual design and ending with retirement of the systems. In other words, ICS security is not only more difficult to design than physical and IT security, but it also requires an added level of expertise not usually held by physical and IT security experts.

The triad of confidentiality, integrity, and availability (CIA) effectively defines the attributes needed for securing systems. In the IT domain, cyber attacks often focus on the acquisition of proprietary information. Consequently, confidentiality is the most important attribute, which usually dictates that encryption is required.

However, in the ICS domain, cyber attacks tend to focus on the destabilization of assets. Moreover, most ICS cyber incidents are unintentional and often occur because of a lack of effective message integrity and/or appropriate ICS security policies. Consequently, integrity and availability are much more important than confidentiality in ICSs, which lessens the importance of encryption and significantly raises the importance of authentication and message integrity. That is why ICS security research and education should focus on technologies that address integrity and availability over confidentiality.
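
An added illustration of the point above (not from the original article): a control command sent in cleartext but protected by a keyed MAC and a sequence number, so that corruption, tampering, and replay are rejected without any encryption. The frame layout, field names, tag length, and key are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

BODY_FMT = ">IHf"      # assumed layout: sequence number, setpoint id, value
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 16           # truncated HMAC-SHA256 tag (assumption for this sketch)


def seal(key: bytes, seq: int, setpoint_id: int, value: float) -> bytes:
    """Build a cleartext command frame: body followed by its HMAC tag."""
    body = struct.pack(BODY_FMT, seq, setpoint_id, value)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Field-device side: authenticate first, then check freshness."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, frame: bytes):
        """Return (setpoint_id, value) or raise ValueError."""
        if len(frame) != BODY_LEN + TAG_LEN:
            raise ValueError("bad frame length")
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; catches accidental corruption as well as
        # deliberate modification of any field in the body.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        seq, setpoint_id, value = struct.unpack(BODY_FMT, body)
        # The counter is only advanced by authenticated frames, so a forged
        # frame cannot push the receiver out of step with the sender.
        if seq <= self.last_seq:
            raise ValueError("stale or replayed sequence number")
        self.last_seq = seq
        return setpoint_id, value


def verdict(receiver: Receiver, frame: bytes) -> str:
    """Describe what the receiver does with a frame."""
    try:
        receiver.accept(frame)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    key = bytes(32)                       # constructed demo key, not a real one
    rx = Receiver(key)
    good = seal(key, 1, 7, 72.5)          # constructed sample command
    corrupted = bytearray(seal(key, 2, 7, 72.5))
    corrupted[7] ^= 0x01                  # single bit flipped inside the value
    print(verdict(rx, good))              # first delivery
    print(verdict(rx, good))              # same frame delivered again
    print(verdict(rx, bytes(corrupted)))  # damaged in transit
    # The body is still readable by anyone on the wire: integrity and
    # authentication are provided, confidentiality is not.
    print(struct.unpack(BODY_FMT, good[:BODY_LEN]))
```
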

Differences Between IT and ICS Systems

Cybersecurity in the U.S. is generally viewed in the context of traditional business IT systems and Department of Defense systems. IT systems are "best effort" in that they complete the task when they get the task completed. Unlike IT systems, ICSs are not general-purpose systems and components but are designed for specific applications. The ICS design criteria are performance and safety, not security. ICS systems are "deterministic" in that they must do their jobs immediately; they cannot wait, because later is too late.

Legacy ICSs were not designed to be secured or easily updated. Nor were they designed to enable efficient security troubleshooting, self-diagnostics, and network logging. A security (not a design or safety) flaw was exploited by the Stuxnet virus. (Enter "Stuxnet" in the search box at www.powermag.com for POWERnews coverage of related events.) The same flaw exploited by Stuxnet is inherent in all of the programmable logic controller (PLC) designs and cannot be easily fixed. It was never a problem because it did not affect performance or safety. This leads to a double negative conundrum for the IT security practitioner: When it comes to security, control systems don't do what they weren't designed to do.

The table compares key characteristics of business IT systems and ICSs. These differences can have very dramatic impacts on ICS operation and education.

Unfortunately, the distinctions between IT systems and ICSs are not recognized by regulators and politicians, and the consequences of this are grave. The smart grid initiative is already providing real case histories of what happens when those without an understanding of the operational domain try to set the rules for systems they do not understand.

The smart grid today is actually two domains "bolted together." The first is the "smart home," including smart meters and (in some cases) home area networks. This is where the majority of smart grid security efforts are being focused by industry and the National Institute of Standards and Technology smart grid program. The second piece is the electric grid and power plants. There is significantly less research and investment focused on these critical facilities.

1. Control system basics. This diagram shows the different aspects of an ICS using a
Windows-based workstation with secure field elements but with generally little to no security
in the overall control system. Source: Applied Control Solutions
[Figure 1 diagram labels: field devices (sensors, control valves, motor controls, I/O, meters); remote controllers (PLC, IED, RTU); comms protocols (Ethernet, serial, wireless); control center master (SCADA server, HMI, EMS, DCS).]

Comparison of typical IT system and ICS characteristics. Source: Applied Control Solutions

| Attribute | Information technology | Industrial control systems |
|---|---|---|
| Confidentiality (privacy) | High | Low |
| Message integrity | Low-medium | Very high |
| Availability | Medium | Very high |
| Authentication | Medium-high | High |
| Time criticality | Delays tolerated | Critical |
| Security skills/awareness | Usually good | Usually poor |
| Security education | Good | Usually poor |
| Engineering education | Usually none | Required |
| Certification | Certified Information Systems Security Professional (CISSP) | Professional Engineer (PE) |
| Life cycle | 3-5 years | 15-25 years |
| Forensics | Available | Minimal |
| Impacts | Business impacts | Business impacts, safety, environmental |