Understanding Industrial Control System Vulnerabilities

Wednesday, March 21, 2012

Infosec Island Admin



To understand the vulnerabilities associated with control systems (CS), you must first know all of the possible communications paths into and out of the CS.

Figure 1 presents various devices, communications paths, and methods that can be used for communicating with typical process system components (click image to enlarge):

figure   1
Figure 1: Communications access to control systems

As illustrated in Figure 1, there are many ways to communicate with a CS network and components using a variety of computing and communications equipment. A person who is knowledgeable in process equipment, networks, operating systems and software applications can use these and other electronic means to gain access to the CS. Wireless access points that allow unauthorized connection to system components and networks present vulnerabilities.

In a typical large-scale production system utilizing SCADA or Distributed Control System (DCS) configuration there are many computer, controller and network communications components integrated to provide the operational needs of the system. A typical network architecture is shown in Figure 2 (click image to enlarge):

figure   2
Figure 2: Typical two-firewall network architecture

Controller units connect to the process devices and sensors to gather status data and provide operational control of the devices. The controller unit communicates to a CS data acquisition server using various communications protocols (structured formats for data packaging for transmission). Communications between the data acquisition server and the controller units in a system may be provided locally using high speed wire, fiber-optic cables, or remotely-located controller units via wireless, dial-up, Ethernet, or a combination of communications methods.

The operator or dispatcher monitors and controls the system through the Human-Machine Interface (HMI) subsystem. The HMI provides graphical displays for presentation of status of devices, alarms and events, system health, and other information relevant to the system. The operator can interact with the system through the HMI displays to remotely operate system equipment, troubleshoot problems, develop and initiate reports, and perform other operations.

System data is collected, processed and stored in a master database server. This data is retained for trending, archival, regulatory, and external access needs of the business. The types of data include data from the following sources: the data acquisition server, operator control interactions, alarms and events, and calculated and generated from other sources.

Most control systems utilize specialized applications for performing operational and business related data processing. These tasks are typically performed on advanced applications servers pulling data from various sources on the control system network. These applications can result in real-time operational control adjustments, reports, alarms and events, calculated data source for the master database server archival, or support of real-time analysis work being performed from the engineering workstation or other interface computers.

An engineering workstation provides a means to monitor and troubleshoot various aspects of the system operation, install and update program elements, recover from failures, and miscellaneous tasks associated with system administration.

A mission-critical control system is typically configured in a fully-redundant architecture allowing quick recovery from loss of various components in the system. A backup control center is used in more critical applications to provide a secondary control system if there is a catastrophic loss of the main system.

The control system network is often connected to the business office network to provide real-time transfer of data from the control network to various elements of the corporate office. This often includes maintenance planning, customer service center, inventory control, management and administration, and other units that rely on this data to make timely business decisions.

An attacker who wishes to assume control of a control system is faced with three challenges:

  1. Gain access to the control system LAN
  2. Through discovery, gain understanding of the process
  3. Gain control of the process.

Source: http://www.us-cert.gov/control_systems/csvuls.html#under

Possibly Related Articles:
Industrial Control Systems
SCADA Vulnerabilities Network Security Architecture ICS LAN ICS-CERT Industrial Control Systems HMI
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.