A survey of cyber security management in industrial control systems

https://doi.org/10.1016/j.ijcip.2015.02.002

Abstract

Contemporary industrial control systems no longer operate in isolation, but use other networks (e.g., corporate networks and the Internet) to facilitate and improve business processes. The consequence of this development is the increased exposure to cyber threats. This paper surveys the latest methodologies and research for measuring and managing this risk. A dearth of industrial-control-system-specific security metrics has been identified as a barrier to implementing these methodologies. Consequently, an agenda for future research on industrial control system security metrics is outlined. The “functional assurance” concept is also introduced to deal with fail-safe and fail-secure industrial control system operations.

Introduction

The number of security-related incidents involving industrial control systems (ICSs) in 2012 was more than five times their 2010 level (197 incidents in 2012 compared with 39 in 2010), according to a report by the Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT) [215]. The rising incident count has been a catalyst for the increased focus on securing industrial control systems.

The default perspective for industrial control system stakeholders has been to view security as a low priority goal, while relying on security through obscurity (i.e., using secrecy in an attempt to ensure security). This technique has seen consistent use, but its success has differed across the three generations of industrial control systems [2]. Security through obscurity largely worked for first generation (monolithic) and second generation (distributed) industrial control systems, which used proprietary and closed-source components and standards, with limited connectivity to non-industrial-control-system networks. However, third generation (networked) industrial control systems frequently use open technologies, while connecting to and communicating over other (potentially non-industrial-control-system) networks. This openness has increased the susceptibility to attack, primarily due to greater awareness of industrial control system technologies and their use of standard protocols. Many industrial control systems are also seen as critical infrastructures, making them attractive targets for attack.

The openness of third generation industrial control systems can be illustrated through the use of a reference model (Fig. 1). The lowest level consists of devices that ensure that an industrial control system enters a fail-safe mode when dangerous conditions occur. Layer 0 includes sensors and actuators that interact with physical processes (without autonomy). Layer 1 devices monitor and control physical processes using the sensors and actuators in layer 0; the devices include programmable logic controllers (PLCs) and remote terminal units (RTUs). Layer 2 handles supervisory and operational functions, and often shares data with layers 3–5; the devices include alert systems and human–machine interfaces (HMIs). Layer 3 is the highest level of what would traditionally be defined as the industrial control system network (i.e., manufacturing zone) and provides plantwide functions. Contemporary industrial control systems contain many information technologies at layer 3, and this layer frequently communicates with business applications at layers 4 and 5. The devices include historians (i.e., databases of time-stamped industrial control system events such as process outputs and alarms), and authentication, authorization and accounting (AAA) services. Layer 4 relies on standard information technologies and provides business administration services, such as enterprise applications (e.g., e-mail servers) and non-critical industrial control functions (e.g., inventory management). Layer 5 consists of the majority of centralized information technology services (e.g., business-to-customer services). The reference model highlights the multitude of interconnections between industrial control systems and information technologies both within and between layers. Furthermore, complexity increases due to the diverse communications media used for these interconnections.
Although they may be located within a single facility, it is most common for devices within particular layers to be geographically distributed (e.g., a human–machine interface (layer 2) communicating with one or more programmable logic controllers (layer 1) at remote field sites over the Internet).

A challenge arises in the risk management of industrial control systems because standards and methodologies for traditional information technology systems cannot be applied directly. For traditional information technology systems, the order of prioritized security goals on which these approaches are based is typically confidentiality, integrity and then availability (CIA). For industrial control systems, the priority is generally reversed (AIC), with availability as the primary goal [185] (e.g., a utility prioritizing the continuity of service). There are, however, exceptions to the AIC generalization (e.g., when intellectual property is involved in a manufacturing plant). Issues are further compounded when one considers different subsystems with different goals. For example, does an interconnected corporate network exist as part of the industrial control system or as a distinct entity? Functionally, the corporate network is a traditional information technology system that may mandate many non-standard industrial control system requirements (e.g., for information security); however, its interconnection to an industrial control system provides routes for attack and, furthermore, it may also contain systems with control capabilities.

The European Network and Information Security Agency (ENISA) [77] has extended this debate by providing an alternative definition that maintains that industrial control systems are not ruled by CIA, but by safety, reliability and availability (SRA). Safety, in particular, is an important consideration due to its potential to be negatively influenced by security solutions. These complexities highlight the multi-dimensional nature of industrial control system security, and the challenges of measuring its constituent features.

This has led to a variety of new publications (e.g., standards, guidelines and best practices), legislation and other initiatives with the common goal of increasing industrial control system security. However, criticism can be leveled against this body of work due to the lack of guidance on conducting practical security evaluations. A fundamental reason for this criticism is the scarcity of industrial-control-system-security specific metrics. This claim is substantiated later in this paper based on an analysis of the literature (Section 4).

The availability of a comprehensive and robust set of security metrics is essential for organizations to meet various business objectives. These objectives are outlined in a number of publications (e.g., [45], [105], [126]); however, in summary, there are three broad uses.

The first is to meet demands from external sources. The quintessential example is the obligations imposed by regulations. Although regulations exist for specific use cases of industrial control systems (e.g., in defense), there are no cross-industry regulations. However, this is changing with the implementation of regulations that target critical infrastructures. For example, the European Union (EU) has issued a Directive on Network and Information Security [75], which is expected to be adopted by 2015. Another example of externally enforced usage is meeting contractual demands; this is typically the case for contracts involving government bodies or high-security activities.

The second use case is to evaluate compliance with standards such as ISO/IEC 27001 for information security. Motivations for compliance can be external (e.g., regulations) and internal (e.g., to improve risk posture).

The third use case is to evaluate the risk posture. Although this may be based on both regulatory and compliance motivations, neither is a prerequisite. Examples of this use case include integrating security during the product development cycle (e.g., to minimize software vulnerabilities), supporting strategic decision making (e.g., enterprise resource planning) [105] and evaluating the effectiveness of security controls (e.g., to estimate the return on security investments).

Each of these use cases falls within the scope of risk management. Security metrics are fundamental elements of the wider risk management process. They are the building blocks with which each of the basic risk management stages is constructed. The stages comprise the cyclic process of risk identification, assessment, prioritization and the recommendation and implementation of managerial responses (i.e., the choice to mitigate, transfer, accept or avoid each risk, collectively known as countermeasures or controls). Each stage uses metrics in some form, for example, during a threat assessment when classifying the types and numbers of vulnerabilities in an industrial control system. Subjectivity pervades the risk assessment process [110] and the lack of security metrics exacerbates the challenge of measuring risk in an objective manner. The problem is further compounded when attempts are then made to perform comparative assessments between peer organizations (e.g., within an industry).

This paper surveys approaches for measuring and managing industrial control system security. The survey culminates in the provision of an agenda for future research on risk management activities surrounding industrial control system security. No surveys of similar scope currently exist; those that do exist predominantly focus on formal standards. For example, Nicholson et al. [153] introduce several industrial control system standards, while Alcaraz et al. [2] highlight various approaches for industrial control system security management and incident response. Deliverable 2.1 of the EU project ESCoRTS [45] provides a comprehensive overview of various industrial control system standards. Dzung et al. [66] describe the security concerns for industrial control systems in practical terms, but provide only a limited survey of research and industry efforts for mitigating them. Finally, Ralston et al. [169] identify several organizations focused on industrial control system security and introduce risk assessment techniques that could be applied to industrial control systems.

The remainder of this paper has five sections. The next section, Section 2, surveys the security literature that addresses components of the risk management process. Section 3 conducts a thorough examination of standards, guidelines and best practices that originate from government, industry and standardization (GIS) bodies. Section 4 analyzes publications specific to industrial control systems. Section 5 describes non-GIS research activities. The final section, Section 6, presents the conclusions. Two key contributions of this paper are the use of the concept of “functional assurance” to interlink industrial control system security and safety protection requirements, and the presentation of a research agenda focused on security metrics for industrial control systems.

Industrial control system risk management

Risk management is a broad term that encompasses a multitude of activities with the common goals of monitoring and minimizing risk. This section surveys the industrial control system literature covering activities within the risk management process. The activities, whose inter-relationships are illustrated in Fig. 2, are divided across several subsections. Section 2.1 discusses maturity model frameworks and their application in industrial control system environments to measure the maturity of

Security standards and guidelines

This section surveys the information security literature dealing with industrial control system protection. Also, it surveys the literature related to security standards and guidelines geared specifically for industrial control systems.

Analysis of control system publications

This subsection presents an analysis of industrial-control-system-specific security publications (i.e., standards, guidelines and best practices). The goal is to determine the scope of each publication, its ability to facilitate security assessments of industrial control systems through the provision of metrics and the extent to which the security and safety relationship is covered. The analysis, which is quantitative in nature, takes the form of a checklist table, and is followed by a summary

Control systems security research

The primary focus of the previous sections was on publications by authoritative stakeholders in the industrial control system space (e.g., government, industry and standardization bodies). Little attention was paid to the body of research by non-authoritative stakeholders (e.g., academia and private organizations). This section presents a discussion of this activity. In particular, it discusses large, collaborative public–private research projects conducted in Europe and the extensive body of

Current status and future of risk management

This paper has presented a survey and analysis of the literature that seeks to aid the measurement and management of cyber security in industrial control systems. This section describes two important outputs from the process. First, the concept of functional assurance is introduced in an attempt to bring together safety and security requirements. Second, an agenda for future research related to industrial control system security metrics is presented.

Conclusions

This paper has presented a survey of approaches for measuring and managing security in industrial control system environments. The thorough analysis of standards, guidelines and best practices originating from government, industry and standardization bodies, and publications specific to industrial control systems has produced several insights. Although information security and assurance standards do not completely address the security requirements of industrial control systems, they are still

Acknowledgments

This research was funded through an Industrial Case Ph.D. Studentship (IW201340) supported by the U.K. Engineering and Physical Sciences Research Council (EPSRC) and Airbus Group Innovations.

References (232)

  • M. Afzaal, C. Di Sarno, L. Coppolino, S. D'Antonio and L. Romano, A resilient architecture for forensic storage of...
  • C. Alcaraz, G. Fernandez and F. Carvajal, Security aspects of SCADA and DCS environments, in Critical Infrastructure...
  • C. Alcaraz and J. Lopez, Analysis of requirements for critical control systems, International Journal of Critical...
  • American Chemistry Council, Guidance for Addressing Cyber Security in the Chemical Industry, Version 3.0, Washington,...
  • American Gas Association, Cryptographic Protection of SCADA Communications, Part 1: Background, Policies and Test Plan,...
  • American Petroleum Institute, Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical...
  • American Petroleum Institute, Security Guidelines for the Petroleum Industry, Washington, DC,...
  • American Petroleum Institute, Pipeline SCADA Security, Second Edition, API Standard 1164, Washington, DC,...
  • S. Amin, G. Schwartz and A. Hussain, In quest of benchmarking security risks to cyber-physical systems, IEEE Network,...
  • Z. Anwar and R. Campbell, Automated assessment of compliance with security best practices, in Critical Infrastructure...
  • Association of German Engineers (VDI), IT-Security for Industrial Automation – Example of use of the general model for...
  • Z. Aung and K. Watanabe, A framework for modeling interdependencies in Japan's critical infrastructures, in Critical...
  • N. Bartol, B. Bates, K. Goertzel and T. Winograd, Measuring Cyber Security and Information Assurance: A...
  • M. Beccuti, S. Chiaradonna, F. Di Giandomenico, S. Donatelli, G. Dondossola and G. Franceschinis, Quantification of...
  • M. Berg and J. Stamp, A Reference Model for Control and Automation Systems in Electrical Power, SAND2005-1000C, Sandia...
  • E. Bompard, T. Huang, Y. Wu and M. Cremenescu, Classification and trend analysis of threat origins to the security of...
  • E. Bompard, R. Napoli and F. Xue, Assessment of information impacts in power system security against malicious attacks...
  • C. Bowen, T. Buennemeyer and R. Thomas, A plan for SCADA security to deter DDoS attacks, Proceedings of the Department...
  • P. Bowen, J. Hash and M. Wilson, Information Security Handbook: A Guide for Managers, NIST Special Publication 800-100,...
  • W. Boyer and M. McQueen, Ideal based cyber security technical metrics for control systems, in Critical Information...
  • T. Brandstetter, K. Knorr and U. Rosenbaum, A manufacturer-specific security assessment methodology for critical...
  • British Standards Institution, Information Technology – Security Techniques – Information Security Management –...
  • W. Burr, D. Dodson, E. Newton, R. Perlner, W. Polk, S. Gupta and E. Nabbus, Electronic Authentication Guideline, NIST...
  • E. Byres, M. Franz and D. Miller, The use of attack trees in assessing vulnerabilities in SCADA systems, Proceedings of...
  • R. Caralli, J. Allen and D. White, CERT Resilience Management Model (CERT-RMM): A Maturity Model for Managing...
  • A. Carcano, A. Coletta, M. Guglielmi, M. Masera, I. Nai Fovino and A. Trombetta, A multidimensional critical state...
  • A. Cardenas, S. Amin, Z. Lin, Y. Huang, C. Huang and S. Sastry, Attacks against process control systems: Risk...
  • Carnegie Mellon University, Systems Security Engineering Capability Maturity Model (SSE-CMM), Model Description...
  • Center for Internet Security, CIS Security Benchmarks, East Greenbush, New York (benchmarks.cisecurity.org),...
  • Centre for the Protection of National Infrastructure, Good Practice Guide, Process Control and SCADA Security, Guide 2:...
  • Centre for the Protection of National Infrastructure, Good Practice Guide, Process Control and SCADA Security, Guide 4:...
  • Centre for the Protection of National Infrastructure, Good Practice Guide, Process Control and SCADA Security, Guide 7:...
  • Centre for the Protection of National Infrastructure, Resilience in Converged Networks: Good Practice Guidance, London,...
  • Centre for the Protection of National Infrastructure, Cyber Security in Civil Aviation, London, United Kingdom,...
  • M. Cheminod, I. Bertolotti, L. Durante, P. Maggi, D. Pozza, R. Sisto and A. Valenzano, Detecting chains of...
  • S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner and A. Valdes, Using model-based intrusion detection for...
  • E. Chew, M. Swanson, K. Stine, N. Bartol, A. Brown and W. Robinson, Performance Measurement Guide for Information...
  • P. Chopade and M. Bikdash, Structural and functional vulnerability analysis for survivability of smart grid and SCADA...
  • P. Cichonski, T. Millar, T. Grance and K. Scarfone, Computer Security Incident Handling Guide, NIST Special Publication...
  • D. Clark and D. Wilson, A comparison of commercial and military computer security policies, Proceedings of the IEEE...
  • G. Coates, K. Hopkinson, S. Graham and S. Kurkowski, A trust system architecture for SCADA network security, IEEE...
  • Community Research and Development Information Service, Critical Information Infrastructure Research Coordination...
  • Community Research and Development Information Service, Critical Utility Infrastructural Resilience (CRUTIAL), European...
  • Community Research and Development Information Service, Design of an Interoperable European Federated Simulation...
  • Community Research and Development Information Service, European Network for the Security of Control and Real-Time...
  • Community Research and Development Information Service, European Risk Assessment and Contingency Planning Methodologies...
  • Community Research and Development Information Service, Increasing Security and Protection through Infrastructure...
  • Community Research and Development Information Service, Semantically Enhanced Resilient and Secure Critical...
  • Community Research and Development Information Service, Tool for Systemic Risk Analysis and Secure Mediation of Data...
  • Community Research and Development Information Service, Vital Infrastructure, Networks, Information and Control Systems...