Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Eric Byres
The number one goal of ICS security is based on the concern for safety. That theory is spot-on in my opinion. However, there is more to consider when it comes to industrial security priorities.
In a recent blog, Tofino’s Heather MacKenzie wrote a summary of Mark Cooksley’s network security presentation regarding “Why Industrial Networks are Different than IT Networks.” One of the thoughts shared was the traditional IT priority compared to the SCADA/ICS mindset. She wrote about the CIA model that talks about Confidentiality, Integrity and Availability compared to the SCADA/ICS model of Availability, Integrity and Confidentiality.
The first takeaway is that, in general, IT and SCADA/ICS have different risk management priorities. Confidentiality is paramount for IT, while Availability is paramount for SCADA and ICS, followed by Integrity and Confidentiality (A-I-C). So far so good.
Or is it? Is Availability really the top priority for all control systems?
This table is taken directly from the IEC/ISA 62443-2-1 standard (formerly ISA-99), so it comes with excellent credentials. However, within a few hours of the blog going live, two readers commented:
“With the network management systems and control centers, the priority should be 1. Integrity, 2. Availability, 3. Confidentiality”
“While AIC may be the priority for a production system, I’d suggest that, for a Safety PLC, the priority should be IAC”
The above examples make sense – Integrity is more important than Availability for a safety system or a network management system.
Now these two exceptions got me wondering about ICS in general – have we got it wrong when we show availability being above integrity for control systems in general? The more I think about it, the more I think IEC/ISA 62443 is wrong. Integrity is nearly ALWAYS more important than availability in control systems (Confidentiality is still last).
Let’s take a more general case than a safety system, one where production has limited impact on safety. For example, take an automation line making 10″ frozen pizzas and putting them into cardboard packages for shipping to food stores. Now imagine that the control system sent the wrong message and the line started making 15″ pizzas, ones too big for the boxes. As the production manager, which would you prefer to do:
a) Continue making pizzas (even if they don’t fit in the packaging) or
b) Shut down and fix the issue?
If you picked the latter, then you chose the integrity of your process over the availability of your process.
I think most engineers and most companies, even if safety isn’t an issue, would pick integrity over availability. Certainly there is tolerance for some error (15.1″ pizzas are fine), but ultimately there is a threshold where integrity trumps all.
In fact, I think this preference has been built into our communications since the early days of control systems. What do we find in the last 2 or 4 bytes of every message sent over a wire in a factory? Depending on the technology, you find a Frame Check Sequence (FCS), Cyclic Redundancy Check (CRC) or Block Check Character (BCC). And what do these bytes do? Allow the receiving device to validate the Integrity of a message. And what do they do if the integrity check fails? Discard the message. And if too many checks fail, the system goes down. So much for Availability.
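As an added illustration of the receive-side behaviour described above (example code, not from the original post), here is a receiver that validates a trailing CRC-16, discards any frame that fails the check, and takes the link down after a run of failures. The CRC parameters are those of Modbus RTU, chosen here as one concrete FCS the post does not name; the `Receiver` class, its failure threshold and the sample frames are constructed for this example.

```python
def crc16(data: bytes, poly: int = 0xA001, init: int = 0xFFFF) -> int:
    """Bit-serial CRC-16 with the reflected Modbus RTU parameters (check value of b"123456789" is 0x4B37)."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return crc

def bcc(data: bytes) -> int:
    """Block Check Character: XOR of every payload byte, the one-byte alternative to a CRC."""
    result = 0
    for byte in data:
        result ^= byte
    return result

def frame(payload: bytes) -> bytes:
    """Transmitter side: append the CRC-16 little-endian as the last two bytes of the frame."""
    return payload + crc16(payload).to_bytes(2, "little")

class Receiver:
    """Receiver side: validate, discard on failure, take the link down after too many failures."""
    def __init__(self, max_failures: int = 3):  # threshold is a constructed value
        self.max_failures = max_failures
        self.failures = 0
        self.link_up = True
        self.accepted = []

    def receive(self, raw: bytes) -> bool:
        """Return True if the frame was accepted; a frame with a bad FCS is discarded, never 'repaired'."""
        if not self.link_up or len(raw) < 3:
            return False
        payload, fcs = raw[:-2], int.from_bytes(raw[-2:], "little")
        if crc16(payload) != fcs:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.link_up = False  # availability is sacrificed rather than acting on bad data
            return False
        self.failures = 0  # consecutive-failure counter resets on a good frame
        self.accepted.append(payload)
        return True

def demo() -> tuple:
    """Constructed traffic: one good frame, then the same frame with one payload bit flipped, three times."""
    rx = Receiver(max_failures=3)
    good = frame(bytes.fromhex("010600100002"))  # constructed 6-byte payload
    corrupted = bytes([good[0] ^ 0x01]) + good[1:]  # single bit flip in the payload, FCS unchanged
    results = [rx.receive(good)] + [rx.receive(corrupted) for _ in range(3)]
    return results, rx.link_up
```

`demo()` returns `([True, False, False, False], False)`: the good frame is accepted, every corrupted copy is dropped, and the third failure takes the link down.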
If availability were more important than integrity, control system vendors would let users turn off the integrity checks. But vendors don’t give us that option – they quickly realized that bad information is worse than no information at all. Customers will be far more upset if a PLC opens the wrong valve than if it opens no valve at all.
For nearly all modern production systems, integrity is what really matters the most, even when safety isn’t involved. And if this is true, then we need to remember that in our security designs for ICS.
It doesn’t mean that we say availability isn’t important, because it is. Nothing ends a security project faster than a self-induced “Denial of Service”.
But we need to demand the ICS vendors supply products with integrity that can’t be easily circumvented. This is a requirement that will not be answered by throwing encryption at the problem.
At the same time the user community needs to figure out how it can add integrity checks to the control systems installed and running today in our factories, refineries and utilities.
Without both users and vendors working on this, our SCADA and ICS systems will stay vulnerable for the next 20 years. That is something our world cannot afford.
Eric Byres is vice president and chief technology officer at Tofino Security.