Operators of America’s power, water, and manufacturing facilities use industrial control systems (ICS) to manage them. However, the security of these systems, increasingly linked with Microsoft Windows and the Internet, is now under intense scrutiny because of growing awareness that they could be attacked and cause massive disruptions.
Industrial facility operators are making efforts to follow security procedures, such as using vulnerability-assessment scanning tools to check for needed patches in Windows. That said, ICS environments present special problems, said managers who spoke on the topic at a conference organized by the DHS.
"A lot of my ICS systems are running on Windows Server 2003," said Tracy Waller, a manager in the process and controls engineering division at Savannah River Site, the sprawling Department of Energy facility in Aiken, S.C. where nuclear-weapons-related tasks, such as processing tritium and managing waste, is done. Supervisory control and acquisition systems (SCADA) "don't play well with Microsoft patches," he noted. The problem is that it's not always clear ICS will work properly after Microsoft patches are applied. Sometimes vendors want customers to buy new ICS gear to keep up with Windows releases.
Currently, energy and manufacturing facilities are being openly warned by DHS and its Industrial Control Systems Computer Emergency Response Team that they are being targeted by attackers who will often try to infiltrate business networks, often through spear phishing attacks against employees, in order to also gain information about ICS operations.
While ICS and SCADA once seemed safely tucked away in the depths of engineering, they are now subject to security demands from the IT and security departments, and the two groups don't always get along. Eric Cosman, engineering consultant at Dow Chemical said cooperation there is fostered by inviting the IT division into the plants to promote constructive discussion and choices. But at the same time, he said he hoped IT security professionals would abandon the role of "high priest." Infighting between IT and the process engineers makes everyone look like "the kids who can't get things done," he warned.
The idea of cyberwar is starting to transform the once closed world of ICS vendors and users, forcing them to more vigorously debate the status of security on ICS networks. Based on much debate heard at this conference, there's tension between ICS vendors and users over security. Vendors say they want to improve their products, but when they do, they aren't even sure their customers know and make use of the security they provide.