In last week's blog, Heather wrote an excellent summary of Mark Cooksley's network security presentation regarding "Why Industrial Networks are Different than IT Networks". In it she noted that the number one goal of ICS security is based on the concern for safety. This is spot-on in my opinion. However, there is more to consider when it comes to industrial security priorities…
Last week’s article included the following table:
The first thing to take from this table is that (in general) IT and SCADA/ICS have different risk management priorities. Confidentiality is paramount for IT, while Availability is paramount for SCADA and ICS, followed by Integrity and Confidentiality (A-I-C). So far so good.
Or is it? Is Availability really the top priority for all control systems?
This table is taken directly from the IEC/ISA 62443-2-1 standards (formerly ISA-99) so it comes with excellent credentials. However, within a few hours of the blog going live, two readers immediately commented:
The above examples make sense - Integrity is more important that Availability for a safety system or a network management system.
Now these two exceptions got me wondering about ICS in general - have we got it wrong when we show availability being above integrity for control systems in general? The more I think about it, the more I think IEC/ISA 62443 is wrong. Integrity is nearly ALWAYS more important than availability in control systems (Confidentiality is still last).
Let's take a more general case than a safety system, one where production has limited impact on safety. For example, take an automation line making 10” frozen pizzas and putting them into cardboard packages for shipping to food stores. Now imagine that the control system sent the wrong message and the line started making 15" pizzas, ones too big for the boxes? As the production manager, which would you prefer to do:
a) continue making pizzas (even if they don't fit in the packaging) or
b) shut down and fix the issue?
If you picked the latter, then you choose integrity of your process over the availability of your process.
I think most engineers and most companies, even if safety isn't an issue, would pick integrity over availability. Certainly there is tolerance for some error (15.1" pizzas are fine), but ultimately there is a threshold where integrity trumps all.
In the case of food processing, production problems have limited impact on safety. If something goes wrong, it is likely more important to fix the production problem rather than keep the system running. This is a case where Integrity trumps Availability.
In fact, I think this preference has been built into our communications since the early days of control systems. What do we find in the last 2 or 4 bytes of every message set over a wire in a factory? Depending on the technology, you find a Frame Check Sequence (FCS), Cyclical Redundancy Check (CRC) or Block Character Check (BCC). And what do these bytes do? Allow the receiving device to validate the Integrity of a message. And what do they do if the integrity check fails? Discard the message. And if too many checks fail, the system goes down. So much for Availability.
If availability was more important than integrity, control systems vendors would let users turn off the integrity checks. But vendors don't give us that option - they quickly realized that bad information is worse than no information at all. Customers will be far more upset if a PLC opens the wrong valve rather than opening no valve at all.
I think that for nearly all modern production systems, integrity is what really matters the most, even when safety isn't involved. And if this is true, then we need to remember that in our security designs for ICS.
It doesn't mean that we say availability isn't important, because it is. Nothing ends a security project faster than a self-induced "Denial of Service".
But we need to demand that the ICS vendors supply products with integrity that can't be easily circumvented. This is a requirement that will not be answered by throwing encryption at the problem.
At the same time the user community needs to figure out how it can add integrity checks to the control systems that are installed and running today in our factories, refineries and utilities.
Without both users and vendors working on this, our SCADA and ICS systems will stay vulnerable for the next 20 years. That is something our world cannot afford.
Let me know your thoughts on Integrity and Availability and what needs to be done to secure systems for both types of risk.
© Tofino Security 2012 | All Rights Reserved | Tofino Security is part of Hirschmann, a Belden Brand