Enterprise IoT Control System Cyber Security Deep Dive

HAL Software CTO, Cormac Garvey, CISSP, deep dives into modern .NET software development, creating tamper-proof, strong assemblies, and implementing ISA-S99-01/02/03.

HAL Software EIOT Security challenges August 2014

Garvey outlines mobile software risks, MILS (Multiple Independent Levels of Security), and a misalignment between the IT world, internet software development, and industrial automation security. Along the way, he discusses the drawbacks of using PKI for real-time control communications encryption, the pros and cons of moving your SCADA infrastructure to a sand-boxed web browser style architecture, and open source vs. proprietary software. He makes recommendations for both future control system specification and additions to existing testing, and outlines the technical holes for which there is presently no solution.

Security is only as strong as its weakest link

The 9 Verizon threat areas as applied to industrial automation are reviewed, and the impact of Stuxnet through to Havex is discussed, together with what the Avionics Industry and embedded control systems are doing about it.

There are plenty of articles on cyber security but very few have anything new to add. Hopefully this paper is different and will help every factory IT & Automation manager to get up to speed, rapidly, on control system security in 2014.

An abridged version of this whitepaper was published by automation.com.

Excerpt

Table of Contents
1  Stuxnet fallout
1.1  It's been 4 years since Stuxnet. What's changed?
1.2  Executive Summary
1.3  General IT Cyber security vs. Industrial Control Cyber security; A Misalignment
1.4  When is security so complex as to be unusable?
2  IT Access Control – Business as usual
2.1  Developments in secure software architecture; All changed; changed utterly
2.1.1  'Too many cooks in the kitchen': The software is too complex to patch
2.2  How the IT security department prevents hacking; Back to basics
2.2.1  Principal based security
2.3  Microsoft .NET security model deep dive
2.3.1  .NET Security transparency model
2.3.2  Strong Assemblies in C#/.NET and Visual Studio 2013
2.4  Industrial Automation PC systems and SCADA application reality
2.4.1  Embedded real-time control systems
2.5  Commercial and standardised security solutions for industrial Automation
3  Next generation security requirements of Industrial Automation applications
3.1  HAL Software Spike and its applicability to robust security design
3.2  The easy to implement requirements
3.3  The hard to implement requirements
3.4  Migration to Web Browser application & architecture design and sand-boxing
3.4.1  Sand-boxing and the .NET security Permission Model
3.4.2  Open Source software security risks
3.5  ISA-S99 Security for Industrial Automation and Control Systems
3.5.1  ISA99.01.01 – Terminology, Concepts, and Model
3.5.2  ISA99.02.01 – Establishing an Industrial Automation and Control Systems Security Program
3.5.3  ISA99.03.03 – System security requirements and security levels
3.5.4  S99.03 – Capability, target, and achieved security levels
3.5.5  S99.03 – Malicious code protection, & mobile software technologies
3.5.6  S99.03 – Cryptography
3.5.7  S99.03 – Control system island mode
3.5.8  S99.03 – Social apps
4  What OPC UA gives us: Security summary
4.1  Disadvantages of OPC UA security
5  2014 Industry moves
5.1  References & Glossary
5.2  Acronyms