As a software engineer who creates industrial security technologies I am often asked “Why are industrial networks so hard to secure?” This is a big topic, so today I will address only “Why are PLCs so insecure?”
The answer to this requires a walk down memory lane. If you are a controls engineer you already know some of what I have to say, though maybe not the security considerations this article addresses.
If you have another job function or work in another group such as IT, this article might provide you with useful baseline knowledge about industrial control system (ICS) security.
Industrial Control Systems: The History of PLCs
Historically speaking, PLCs (programmable logic controllers) have been around since the early 1960s. The PLC started to be used shortly after the microprocessor was invented, as it allowed companies to replace the racks of relays that had previously performed industrial control. These panels of relays were difficult to modify, were hard to maintain and were a challenge to diagnose if a problem arose. Fixing a set of relays was a difficult task, especially since failures had the annoying tendency to happen at 3:00 am!
Before PLCs, racks of relays, like the ones shown above (circa 1965), controlled industrial automation systems.
Source: XL Technology Systems.
As you know, the ICS industry covers a lot of ground: power generation and transmission, water/wastewater systems, oil and gas pipelines and manufacturing, to name a few. PLCs were initially concentrated in the manufacturing sector, but soon they migrated to applications in most industries. For example, they were quickly selected as an ideal way to control very sensitive high speed systems, such as the compressors and turbines on natural gas pipelines.
Initially the PLC was a completely isolated device, but by the mid-70s communications capabilities started to be added. Soon companies realized that getting data from PLCs was necessary to monitor the efficiency and effectiveness of the plant floor. Furthermore, networking controllers together also helped optimize the safety and reliability of systems.
As companies grew, other systems were often added and they required an interface with the existing systems. For example, if a new gas turbine is brought online at a compressor station, then the data from that new turbine needs to be monitored in the same location as the other turbines.
Now, PLCs tend to have very long life spans, often 20 years or more. Many of the PLCs in use today have been in operation for at least a decade, and back then memory and CPU horsepower were very limited compared to what is available today. So while a new PLC might have lots of spare CPU power, the original PLCs that control the gas turbines noted earlier probably have just enough working memory to perform their control functions and barely enough storage space for their small operating systems. Adding new features, such as security, is a very tight fit!
A natural gas compressor station like this would have many PLCs controlling and managing the safety of both the prime movers and compressors.
Industrial Cyber Security Was Not a Concern 25 Years Ago
Twenty-five years ago, who thought of cyber security? At that time, the word security referred to a set of keys to lock or unlock the door to the control room in the oil refinery. There was no Stuxnet back then; in fact, at that time the Internet was just coming online.
The external world has changed immensely since then, but as I noted before, the PLC controlling the gas turbine is at least a decade old and is likely based on a design yet another decade older. And since no one knew about security 20 years ago, security was never designed into that PLC. Security was an afterthought or not even a thought at all.
The goal at the time was to provide the correct functionality to control various systems using that PLC. This goal was achieved, and the PLC is now an integral cog in any control system. The other goal was to make interconnection as easy as possible. There is, however, a negative impact: this interconnectedness gives a hacker or virus easier access and an easier path to propagate across a network. An unknown entry point in the office network may contain a long forgotten link to the plant floor.
Imagine if ICS Security was Addressed 25 Years Ago
Since I love utopian thought, let us imagine that the engineers 25 years ago were paranoid. Let us imagine they had envisioned the interconnectedness of their PLCs and had worried about security holes and hackers, and let us imagine they had decided to build security into the PLC as an integral part of its functionality.
This would involve doing things such as:
- Creating a risk analysis of their PLC during the design phase
- Examining all the methods of access to the PLC. These would include HTTP (web service), Telnet, Modbus, etc.
- Thinking about “How could an enemy take advantage of this design?”
In addition, a code review of the network stack used could illuminate memory usage problems or holes in the Modbus server design, for example. Imagine how many attacks could have been mitigated, how many hours of downtime avoided, how much money saved if this kind of thinking had occurred.
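As an added illustration of the kind of hole such a code review of a Modbus server looks for, here is example code written for this article (not the page's or any vendor's code): a validator that refuses a Modbus/TCP frame whose length and byte-count fields disagree with the bytes actually received, before any field is acted on. The frame layout follows the public Modbus/TCP specification; the sample frames are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical Modbus/TCP frame validator written for this article; not the
 * page's or any vendor's code. Frame = 7-byte MBAP header (transaction id,
 * protocol id, length, unit id) + PDU (function code + data). A server that
 * trusts the length or byte-count fields instead of the bytes it received is
 * the kind of memory-usage hole a network-stack code review should catch. */
enum mb_status { MB_OK = 0, MB_BAD_SIZE, MB_BAD_PROTOCOL, MB_BAD_LENGTH, MB_BAD_COUNT };

#define MB_MBAP_LEN 7
#define MB_MAX_ADU 260                     /* 7-byte header + 253-byte PDU max */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate one received frame of n bytes before any field is acted on. */
enum mb_status mb_validate_frame(const uint8_t *buf, size_t n)
{
    if (n < MB_MBAP_LEN + 1 || n > MB_MAX_ADU) return MB_BAD_SIZE;
    if (be16(buf + 2) != 0) return MB_BAD_PROTOCOL;          /* protocol id is 0 */
    if (be16(buf + 4) != n - 6) return MB_BAD_LENGTH;         /* length = unit id + PDU */
    const uint8_t *pdu = buf + MB_MBAP_LEN;
    size_t pdu_len = n - MB_MBAP_LEN;
    if (pdu[0] == 0x10) {  /* Write Multiple Registers: addr(2) qty(2) bytecount(1) data */
        if (pdu_len < 6) return MB_BAD_SIZE;
        uint16_t qty = be16(pdu + 3);
        uint8_t bc = pdu[5];
        if (qty < 1 || qty > 123 || bc != qty * 2) return MB_BAD_COUNT;
        if ((size_t)bc != pdu_len - 6) return MB_BAD_COUNT; /* must match bytes received */
    }
    return MB_OK;
}

/* Constructed sample frames (not captured traffic): write 2 registers at address 0. */
static const uint8_t sample_ok[] = {0,1, 0,0, 0,11, 1, 0x10, 0,0, 0,2, 4, 0,10, 0,20};
/* Same 17 bytes, but qty=120 and byte count=240 claim far more data than arrived. */
static const uint8_t sample_overclaim[] = {0,1, 0,0, 0,11, 1, 0x10, 0,0, 0,120, 240, 0,10, 0,20};
/* MBAP length field (0x00FF) disagrees with the 17 bytes actually received. */
static const uint8_t sample_badlen[] = {0,1, 0,0, 0,255, 1, 0x10, 0,0, 0,2, 4, 0,10, 0,20};

enum mb_status mb_check_sample(int idx)
{
    switch (idx) {
    case 0: return mb_validate_frame(sample_ok, sizeof sample_ok);
    case 1: return mb_validate_frame(sample_overclaim, sizeof sample_overclaim);
    default: return mb_validate_frame(sample_badlen, sizeof sample_badlen);
    }
}
```

The second sample is the case that matters: every field is internally consistent, so a server that sizes a copy from the byte-count field rather than from the bytes received would read past the end of its buffer.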
Vendors need to include Security in Product Design and Development
While there is no silver bullet in security, there are at least ways to be prepared and lessen threats.
What does this mean? It’s well past the time for vendors to take action.
Vendors, start putting code reviews, security analysis and risk assessments into practice. With the large increases in processor power and flash space in the last two decades, there is no excuse to not build a security layer into your current families of PLCs.
This forward thinking should become commonplace in the SCADA and ICS industry. Interconnectedness is not going away, nor is the threat of outside malware attacks or even inside actions of disgruntled employees.
The good news is that automation vendors are taking this to heart, and standards groups, particularly ISA, have developed certifications that provide assurance that products have been securely designed.
The question then arises: what do I do with my old devices? These ideas about security are great for the PLCs being designed and installed now, but what if I can’t retrofit my entire plant with new PLCs?
Rest assured there are ways to become more secure even with legacy devices. My recommendations are:
1. Become knowledgeable about ICS security and industry standards
You are already doing this as you are reading this article. Keep reading our articles and take advantage of the many presentations, white papers, articles and ideas this site has to offer.
In terms of industry standards, no matter what industry you are in, I recommend that you become familiar with the key concepts in the ISA/IEC 62443 standards (formerly called the ANSI/ISA-99 standards).
2. Use ICS Specific Security Technology
Security technology exists today that:
- Protects legacy devices and systems
- Is installed in live systems without harm to production
- Can be implemented with no configuration required
- Is installable by field maintenance people
- Allows rules to be tested and changed without putting plant operations at risk
Of course I recommend the Tofino Xenon Security Appliance, our own product, but you are welcome to look at others.
What is your ideal scenario for ensuring plant security? How much do you expect the vendors to do, and how much do you think needs to be done at the operator’s initiative? I look forward to hearing from you.