IT security vendors seen as clueless on industrial control systems

Many IT security vendors have a minimal understanding of industrial control systems (ICS) and try to sell technology that could easily damage the devices found in plants running the nation's critical infrastructure, experts say.

In a recent blog post, Joe Weiss, a well-known expert in industrial systems who has testified before Congress on cybersecurity, took the IT security industry to task for believing it can provide ICS security with only slight modifications of existing products. This approach, Weiss wrote, showed no understanding of the technology that the vendors were trying to protect.

"Before they really start providing technology that's going to be applied at the real-time control layer, they better have a lot of domain expertise," said Weiss, founder of consultancy Applied Control Systems and former technical manager for the Electric Power Research Institute. By domain, Weiss means the actual control system within a substation, power plant, refinery or pipeline.

Too often, vendors are trying to apply security designed for protecting data in a traditional information technology network, which has very few similarities with a network of ICS devices, experts said. For example, in the former environment, a malware-infected computer is simply taken off the network. The same approach in an ICS could lead to a catastrophe in a power plant, manufacturing facility or oil and gas pipeline.

"If you do that on the plant floor, you'll blow things up and kill people," said Walt Boyes, editor in chief of Control magazine and, which specialize in covering the automation industry.

Within an industrial control environment, the data is only important in terms of what it is telling a device to do, such as opening or closing valves, increasing or decreasing the pressure of liquids flowing through pipelines or raising or lowering production temperatures in a manufacturing plant.

"One of the big things we care about is [machine-to-machine] authentication," Weiss said. "We don't care if you see it [the data], but we damn well care that it's actually coming from where you thought it was coming from."

Security vendors tend to be Windows-centric, Windows being the dominant operating system in IT environments. In an ICS, the technology often includes proprietary embedded operating systems, 1200 baud modems and applications where using a 286 processor is considered modern, Weiss said.

Such limited resources are not something IT security vendors are used to dealing with. For example, the processing power used in a typical update of signatures in antivirus software would take down some ICS devices for six to eight minutes.


Even the most innocuous tasks in an IT environment could spell disaster in an ICS. For example, pinging all the devices on an IT network to see which hardware is running could easily cause a controller in an ICS to shut down.

"You have two different mindsets," Weiss said. "IT's mindset is security for the sake of security. They don't understand the physical manifestations [in an ICS] of doing something that may be perfectly fine on a desktop."

IT vendors started rushing into the ICS security market after the federal budget cuts that took effect March 1, Boyes said. The cuts, called the "sequester," marked an opportunity because they did not apply to spending in critical infrastructure security.

"What we're seeing now is a new land rush of people who have been doing IT security for a long time, trying to move into the critical infrastructure cybersecurity space," he said.

Securing the nation's critical infrastructure is a priority of President Barack Obama, who has issued an executive order requiring government agencies to share cyberattack information with private industry. Congress is also addressing security through pending legislation.

Collaboration between ICS and IT vendors is what's needed to develop the right security technology. In some cases, existing technology can be modified for use in an ICS.

"The IT world has done an awful lot more on networking than we have, but they're not looking at our types of applications and constraints," Weiss said.

Security standards for industrial automation and control systems exist today. An example is ISA99, established by the International Society of Automation.

Matthew Luallen, president of CYBATI, which provides control system cybersecurity education, recommends that vendors thoroughly test their technology in an ICS environment and that buyers make sure the devices within that test bed match what they use.

"If you're an educated customer, you're going to be able to see the differences between a vendor, a consultant and who really has the skills and who doesn't," Luallen said.
