A comprehensive cyber security program is designed to identify what assets need to be protected (asset identification), the threats to those assets and the weaknesses they could exploit (threat and vulnerability assessment), what could happen to those assets (risk assessment), and how to recover (resilience). The cyber security risk assessment gives management the tools needed to prioritize mitigation and establish a recovery plan. The assets to be protected should be those that are critical to achieving the entity's mission. For an electric utility, those are the assets needed to generate, transmit, and distribute power reliably, safely, and economically; for a pipeline, the assets needed to transport product reliably, safely, and economically; for a chemical plant, the assets needed to manufacture products reliably, safely, and economically; and so on. Because cyber threats differ from the threats analyzed previously, the risk assessment should identify all of the assets whose compromise could affect system reliability, availability, and safety.
For an industrial facility, the Purdue reference model identifies the layers in the enterprise:
- Level 4 — Business systems — Enterprise Resource Planning (ERP) is the primary system. Time frame: shifts, days, weeks, months.
- Level 3 — Plant operations systems — Manufacturing execution/operations management systems (MES/MOMS); laboratory, maintenance, and plant performance management systems; data historians. Time frame: minutes, hours, shifts.
- Level 2 — Control systems — Distributed Control System (DCS); human-machine interface (HMI); Supervisory Control and Data Acquisition (SCADA) software. Time frame: minutes, hours.
- Level 1 — Field devices — Process sensors, analyzers, actuators, relays, breakers, and related instrumentation. Time frame: milliseconds, seconds, minutes.
In far too many instances, the security focus has been exclusively on Levels 2-4, because those levels generally use commercial-off-the-shelf (COTS) technology. This is the technology that most IT organizations (end users and vendors) are familiar with and for which training and tools are readily available. The cyber impacts at Levels 2-4 are generally short-term denial-of-service events.
In the IT domain, which focuses on traditional IP networks, security organizations are expected to have extensive training in testing IT networks, usually through some form of penetration testing. However, in an industrial environment with legacy control systems and field devices, many IT tools can, and have, caused upsets with Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), variable frequency drives, etc.

A good example of the focus on Levels 2-3 is the article in this month's Power Engineering magazine, "Security in Real Life: Two Case Studies". The entire focus of the article was on securing the Level 2-3 systems and segmenting them from the Level 4 environment. There was no mention of securing any of the Level 1 devices.

However, Level 1 devices such as smart transmitters, chemical analyzers, and variable frequency drives use proprietary real-time operating systems and proprietary communication protocols, and so require their own cyber security approach (part of the rationale for the ISA99 cyber security standards, ISA/IEC 62443). Level 1 devices are well known to the operations and maintenance staff but generally not to IT staff, and few technologies exist to test them for security considerations. Yet compromising Level 1 devices, whether intentionally or unintentionally, can affect the physics of the process, causing physical damage and/or personal injury with long-term consequences. For example, Stuxnet targeted the Level 1 PLCs to destroy the centrifuges. The unintentional control system cyber incidents that have damaged equipment and/or killed people were likewise the result of Level 1 devices being compromised.
There needs to be more focus on securing Level 1 devices, and that requires an understanding of the devices, their uses, and their limitations.