Industrial Automation and Control System Security Principles (2nd Edition) PDF
Document Details
2017
Ronald L. Krutz
Summary
This book, Industrial Automation and Control System Security Principles, is a comprehensive resource on securing industrial automation and control systems. It explores fundamental concepts, security technologies, and potential vulnerabilities. Examining different control systems and their importance in current infrastructure, it highlights relevant security precautions and considerations.
Full Transcript
Copyrighted Material
Industrial Automation and Control System Security Principles, Second Edition
Protecting the Critical Infrastructure
Ronald L. Krutz, PhD, PE
Setting the Standard for Automation
Krutz-2016.book Page i Tuesday, May 22, 2018 9:45 AM

Industrial Automation and Control System Security Principles: Protecting the Critical Infrastructure, Second Edition
By Ronald L. Krutz, PhD, PE

Notice
The information presented in this publication is for the general education of the reader. Because neither the author nor the publisher has any control over the use of the information by the reader, both the author and the publisher disclaim any and all liability of any kind arising out of such use. The reader is expected to exercise sound professional judgment in using any of the information presented in a particular application. Additionally, neither the author nor the publisher has investigated or considered the effect of any patents on the ability of the reader to use any of the information in a particular application. The reader is responsible for reviewing any possible patents that may affect any particular use of the information presented. Any references to commercial products in the work are cited as examples only. Neither the author nor the publisher endorses any referenced commercial product. Any trademarks or tradenames referenced belong to the respective owner of the mark or name.
Neither the author nor the publisher makes any representation regarding the availability of any referenced commercial product at any time. The manufacturer’s instructions on the use of any commercial product must be followed at all times, even if in conflict with the information in this publication.
Copyright © 2017 International Society of Automation (ISA)
All rights reserved.
Printed in the United States of America.
ISBN: 978-1-941546-82-6
No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher.
ISA
67 T. W. Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709
Library of Congress Cataloging-in-Publication Data in process

Dedication
My loving family… The greatest blessing a man can have……

Acknowledgment
I want to thank my wife, Hilda, for her encouragement and support during the writing of this book. I also want to thank ISA editors Chloe Tuck, Liegh Elrod, and Susan Colwell for their valuable insights and review of the text. ~ RLK

Contents
About the Author  xiii
Foreword  xv
Preface  xix
Chapter 1 Industrial Automation and Control System Fundamental Concepts  1
  Industrial Automation and Control Systems  1
    SCADA Systems  3
    Distributed Control Systems  6
    Safety Instrumented Systems  8
  Industrial Automation and Control System Protocol Summary  10
    The OSI Model  11
    The TCP/IP Model  12
    Object Linking and Embedding for Process Control  13
    OPC Unified Architecture  14
    Modbus/TCP Model  15
    The Distributed Network Protocol  15
    Utility Communications Architecture Version 2.0/IEC 61850  16
    PROFIBUS  17
    Controller Area Network  17
    EtherNet/IP  17
    openSAFETY Protocol  18
  Issues in Industrial Automation and Control Systems Security  19
  Summary  20
  Review Questions for Chapter 1  21
  References  26
Chapter 2 Information System Security Technology  29
  Information System Security Fundamentals  29
    Confidentiality  30
    Integrity  30
    Availability  30
    Identification  30
    Authentication  31
    Authorization  31
    Accountability  31
    Auditing  31
    Nonrepudiation  31
    Related Terminology  32
  Types and Classes of Attack  33
  Additional System Security Concepts  34
    Complete Mediation  35
    Defense in Depth  35
    Economy of Mechanism  36
    Fail-Safe  36
    Least Common Mechanism  36
    Least Privilege  36
    Leveraging Existing Components  36
    Open Design  37
    Psychological Acceptability  37
    Separation of Duties  37
    Weakest Link  37
  Policies, Standards, Guidelines, and Procedures  37
    Policies  38
    Standards  38
    Guidelines  38
    Procedures  39
  Malicious Code and Attacks  39
    Viruses and Worms  39
    Trojan Horse  39
    Logic Bomb  39
    Mobile Code  40
    Back Door  40
    Scanning  40
    Man-in-the-Middle  40
    Social Engineering  41
    Guessing Passwords  41
    Denial of Service/Distributed Denial of Service  41
    Replay  41
    Dumpster Diving  41
  Firewalls  42
    Packet-Filtering Firewall  42
    Stateful Inspection  43
    Application Firewall  44
    Application-Proxy Gateway  44
    Screened-Host Firewall  45
    Dual-Homed Host Firewall  45
    Screened-Subnet Firewalls  46
  Cryptography  47
    Symmetric Key Cryptography  47
    Asymmetric Key Cryptography  48
    Digital Signatures  50
  Attacks Against Cryptosystems  52
  Virtual Private Network  53
    IPsec  56
    Secure Sockets Layer  56
  Summary  56
  Review Questions for Chapter 2  57
  References  63
Chapter 3 Industrial Automation and Control System Culture versus IT Paradigms  65
  Differences in Culture, Philosophy, and Requirements  65
  Considerations in Adapting IT Security Methods to Industrial Automation and Control Systems  70
    Threats  71
    Sensitivity of Industrial Automation and Control Systems to Upgrades and Modifications  72
  IT and Industrial Automation and Control Systems Comparisons from a Standards Perspective  76
  Summary  79
  Review Questions for Chapter 3  80
  References  84
Chapter 4 The Continuing Technological Evolution Affecting IAC Systems  85
  Important Technological Trends  85
    Home Area Networks  86
    Energy Storage  86
    Analytics  86
    Cloud Computing  87
    Privacy  89
    Social Networks  91
    Mobile Technology  91
    Interoperability  92
  The Smart Grid and Technological Trends  93
    The Bulk Generation Domain  96
    The Transmission Domain  96
    The Distribution Domain  97
    The Operations Domain  97
    The Service Provider Domain  97
    The Markets Domain  98
    The Customer Domain  98
    Advanced Metering Infrastructure  98
    Energy Storage and Management of Stored Energy  101
    Smart Grid Protocols  103
  Mapping of Emerging Technology Issues onto an Example Automation System – The Smart Grid  105
  Summary  107
  Review Questions for Chapter 4  107
  References  113
Chapter 5 Risk Management for Industrial Automation and Control Systems  115
  Risk Management  115
    ANSI/ISA-62443-2-1 (99.02.01)-2009 Cyber Security Management System  117
    Risk Analysis  118
    Addressing Risk  119
    Monitoring and Improving the CSMS  121
    NIST SP 800-39 Integrated Enterprise Risk Management  122
    NIST SP 800-37 Risk Management Framework  127
  Threats  128
    The Insider Threat  128
    Relevant IACS External Threats  128
  Summary  136
  Review Questions  136
  References  144
Chapter 6 IAC Systems Security Methodologies and Approaches  147
  Automation and Control System Security Standards and Guidelines  147
    NIST Special Publication 800-53, Revision 4, Recommended Security Controls for Federal Information Systems  148
    Minimum Assurance Requirements – Low-Impact Systems  154
    Minimum Assurance Requirements – Moderate-Impact Systems  155
    Minimum Assurance Requirements – High-Impact Systems  156
    NIST Special Publication 800-82, Guide to Industrial Control Systems Security  158
    Network Segmentation and Segregation  159
    ICS Security Controls  161
    NIST 800-53 Control Families  164
    Appendix G – ICS Overlay  166
    ANSI/ISA-62443-1-1 (99.01.01)-2007, Security Technologies for Industrial Automation and Control Systems  174
    Authentication and Authorization  175
    Filtering/Blocking/Access Control  176
    Encryption Technologies Data Validation  177
    Management, Audit, Measurement, Monitoring, and Detection  178
    Industrial Automation and Control Systems Computer Software  179
    Physical Security Controls  179
    Personnel Security Controls  180
    North American Electric Reliability Corporation, Critical Infrastructure Protection Cyber Security Standards  180
    Department of Homeland Security, Catalog of Control Systems Security: Recommendations for Standards Developers  192
  AMI System Security Requirements  194
    Identification (FID)  196
  Consolidation of Best Practices Controls for Industrial Automation and Control Systems  197
  Summary  203
  Review Questions for Chapter 6  203
  References  215
Chapter 7 Industrial Automation and Control System Security Training  217
  Background  217
  Training Sources and Approaches  218
    Idaho National Laboratory  219
    Sandia National Laboratories  221
    International Society of Automation  221
    U.S. Computer Emergency Readiness Team  225
    SANS  227
    National Initiative for Cybersecurity Education  227
    National Security Agency and the Department of Homeland Security National Centers of Academic Excellence  229
  Training Support Guidelines  230
    NIST Special Publication 800-50  230
    NIST Special Publication 800-16  232
  Common Training Subjects  238
  Summary  239
  Review Questions for Chapter 7  239
  References  244
Chapter 8 Industrial Automation and Control System Trends, Approaches, and Issues  245
  Automation and Control System Trends  245
  Penetration Testing of Industrial Automation and Control Systems  250
  Formal Methods Used to Quantify and Standardize Important Concepts and Applications  252
    ISCM Strategy  252
    The Smart Grid Maturity Model (SGMM)  259
    Automation Maturity Model  268
  Future Smart Grid Issues and Automation Security Issues  269
    Smart Grid Electromagnetic Radiation Issues  269
    NIST 7628  271
  Summary  273
  Review Questions for Chapter 8  274
  References  280
Chapter 9 Emerging Approaches to Industrial Automation and Control System Security  281
  Internet of Things  281
  Open Platform Communications Unified Architecture  283
  Industry 4.0  284
  Security and Privacy  285
    OWASP IoT Security Categories  286
  Big Data Analytics and the Industrial Internet of Things  289
  Industrial Internet of Things  293
  The NIST Cyber-Physical Systems (CPS) Framework  296
    CPS and Cybersecurity  303
  Critical Infrastructure Security  308
    Framework Fundamentals  309
    Framework Feedback  315
  Software-Defined Elements  318
  Summary  320
  Review Questions for Chapter 9  321
  References  329
Appendix A Review Questions and Answers  333
Appendix B ICS Supplemental Guidance for NIST SP 800-53 Security Controls  409
Glossary and Acronyms  497
Bibliography  563
Index  569

About the Author
Ronald L. Krutz, PhD, PE, CISSP, ISSEP
Dr. Krutz is Chief Scientist for Security Risk Solutions, Inc. He has more than 30 years of experience in industrial automation and control systems, distributed computing systems, computer architectures, information assurance methodologies, and information security training. He has been a Senior Information Security Consultant at Lockheed Martin, BAE Systems, and REALTECH Systems Corporation, an Associate Director of the Carnegie Mellon Research Institute (CMRI), and a faculty member in the Carnegie Mellon University Department of Electrical and Computer Engineering. Dr. Krutz founded the CMRI Cyber Security Center and was founder and director of the CMRI Computer, Automation and Robotics Group. He was also a lead instructor for (ISC)2 Inc.
in its Certified Information Systems Security Professionals (CISSP) training seminars. He coauthored the CISSP Prep Guide for John Wiley and Sons and is coauthor of the Wiley Advanced CISSP Prep Guide; the CISSP Prep Guide, Gold Edition; the Security + Certification Guide; the CISM Prep Guide; the CISSP Prep Guide, Second Edition: Mastering CISSP and ISSEP (Information Systems Security Engineering Professional); the Network Security Bible; the CISSP and CAP (Certification and Accreditation Professional) Prep Guide, Platinum Edition: Mastering CISSP and CAP; the Certified Ethical Hacker (CEH) Prep Guide; Cloud Computing Security; and Web Commerce Security. He is also the author of Securing SCADA Systems and of three textbooks in the areas of microcomputer system design, computer interfacing, and computer architecture. Dr. Krutz has seven patents in the area of digital systems and has published more than 30 technical papers. Dr. Krutz is also a Senior Fellow of the International Cyber Center of George Mason University. Dr. Krutz holds BS, MS, and PhD degrees in Electrical and Computer Engineering, is a Registered Professional Engineer in Pennsylvania, and is a Senior Life Member of the IEEE.

Foreword
I have known Ron (Dr. Krutz) for quite some time, and he has, for many years, done a great job of teaching people about information protection. His background in electrical engineering is particularly important for the subject matter because cybersecurity is not just about bits and bytes. It is about the interaction of digital content and mechanisms with the physical world. So let's talk about that for a minute.
All of the standards, policies, frameworks, and everything else are meaningless without the fundamental understanding that industrial automation and control systems are about automating processes that were once, or in some cases could never be, done by people. The most advanced technologies of this sort build each resulting thing or control each associated system as a unique activity never to be done again and never done before. Take for example 3D printing of custom parts for prototypes. Each iteration of the resulting device is unique and has to meet various engineering constraints. Once the prototype is done, the same design specs, or very similar ones, have to be manufactured, in some cases at high speed in high volume out of a different material. If there is a flaw, the result could be enormous losses. Integrated circuit fabrication lines are costing billions of dollars to build and errors of a few nanometers could make all of the produced chips fail. A failure in a chemical processing plant could, and in history has, killed thousands of people. Control systems run the machines of war and can fail in truly catastrophic ways. We have rovers on Mars and robots that clean floors in homes. We have quad copters and better shoes, and solar panels, and self-parking cars. And we have our future.
All of these are tied up in, built by, operated by, and dependent on control systems. And depending on the control system and requirements for its proper operation, delays of a few microseconds, location errors of nanometers, less than one degree of temperature change, or any number of other such things can cause not only their failure, but the failure of the things that depend on them being right.
All of this “getting things right” is historically designed, engineered, and implemented with the assumption that “the other guy” is doing the right thing. It uses the assumption that the inputs are what they should be, the outputs are used as they should be, and the thing we are responsible for can do its job in the environment specified. But then come the bad actors, and this assumption is no longer true.
Here is a design problem that nobody can really solve. Lift anything of any size and shape 1 inch without breaking it. It is under-specified, so I will always be able to find something too heavy or ill shaped or imbalanced or made of the wrong material that causes it to fail. In some sense, that is the cybersecurity problem.
The obvious solution to this problem is to simply provide additional specifications. Go ahead... I'll wait... forever! In truth, cybersecurity is not a science and there is not adequate scientific understanding behind it to even create a theory of what a complete specification would be. We have lists of things that can go wrong and ways to address them, but no such list can be shown to be comprehensive, and any attempt to create comprehensive coverage either results in so generic a model that it has almost no practical use or an even longer list with an idea of what the coverage is. As evidence of this, at a conference of security educators some years back, we were each to bring a sample homework assignment for a graduate class. When I told everyone mine, they all said it was way too hard and that nobody could ever solve it. My assignment was to securely add two integers, always producing the correct result. My response to their complaint was, if we cannot add two integers together correctly, how can we reasonably hope to do anything else in any of their assignments? This was nothing novel to them. They knew they were trying to roll water up a hill to the moon with their hands.
But making it so stark was problematic because it revealed the fundamental challenge we face. This was in the 1990s. It is now 20 years later and the challenge is harder because more complex things that interact more and in more complex ways are tied together with higher and higher consequences and more motivated and capable attackers.
Ah! I may have failed to mention that. All of the normal design assumptions are based on benevolence by all actors. Random things happen, of course, and that is why it takes all of this design to deal with the realities of the environment. But the safety systems in a plant will certainly fail if a worker or designer or implementer or inspector or all of them together collude to disable or bypass the safety feature. The resulting injury would constitute a cybersecurity failure. The chief information security officer might get fired for failing to address the problem of collusion between eight different workers to cause a plant failure if the consequences and publicity were extreme enough. But understand clearly—the budget for all of this security is viewed as an undesired, after-the-fact, add-on to the operation of the company and directly takes away from the bottom line. So the CISO who fails to address this need likely has no budget for the proposed improvements that would have mitigated it to a limited extent.
I would write my own book on this line, but I think my point is made. Ron has taken on the Herculean task of trying to explain all of this in a single book.
And here it is…
Fred Cohen

Preface
Industrial Automation and Control System Security: A Component of a Nation’s Critical Infrastructure
As defined by ANSI/ISA-62443-1-1 (99.01.01)-2007, industrial automation and control systems (IACSs) include (but are not limited to) distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition (SCADA) systems, networked electronic sensing and control, and monitoring and diagnostic systems. A SCADA system provides the ability to obtain information from remote installations and to send limited control commands to those installations. Industrial control systems (including DCSs, PLCs, and intelligent electronic devices) comprise real-time elements that control critical industrial processes in a wide variety of applications.
Before the advent of local area networking, computer-based industrial automation and control systems were generally isolated from the outside world and used their own proprietary communication protocols. Eventually, as networking technology improved, interconnectivity among plants and other corporate units emerged as a way of obtaining increased knowledge of plant operations and more efficient management of resources.
With the maturation of the Internet and browsers, the TCP/IP protocol and Ethernet LANs found their way into SCADA systems as well as process and manufacturing plant control systems. In addition, computing platforms, such as PCs running Windows, were adopted for reasons of lower cost and standardization.
However, with these advantages came the disadvantages of vulnerabilities and exposure to threats that plague these platforms.
There is also an emerging trend in many organizations toward consolidating some overlapping activities in IACSs and corporate IT systems. This trend is motivated by the cost savings achievable by avoiding the use of disparate platforms, networks, software, and maintenance tools and by an increased capability to run the total organization more efficiently and effectively.
An important issue associated with the merging of these two systems is that, in many cases, both IACSs and corporate IT environments use the same security model. This overlap introduces the possibility of the corporate Internet connection exposing critical operations to additional threats and compromising the real-time, deterministic requirements of plant control systems. The emergence of the Stuxnet worm, aimed specifically at PLCs that transmit and receive real-time control bits, highlights the sophisticated threats that exist today and the critical need for IACS-optimized system security methods. Follow-up malware that has since appeared, such as Havex, Flame, or Flamer, portends a trend of future attacks on these critical systems.
This book develops a novel approach to securing industrial automation and control systems by generating applicable, useful, protection principles through the merging and adaptation of the best industrial and governmental standards and practices.

Chapter 1 Industrial Automation and Control System Fundamental Concepts
The material in this chapter provides basic coverage of industrial automation and control system components and terminology, including supervisory control and data acquisition (SCADA) systems and distributed control systems (DCSs).
However, because the focus of this book is the security of these systems, this chapter is not designed to be a comprehensive tutorial on industrial automation and control systems. The material assumes that the reader is familiar with these systems and communications terminology. Note that the term DCS is also used to refer to digital control systems, but, unless otherwise stated, in this book DCS will denote a distributed control system.

Industrial Automation and Control Systems

Over the years, as industrial automation and control systems have evolved into DCSs and SCADA systems, the associated terminology has meant different things to different people. Control engineers, software engineers, plant personnel, and management have attached different meanings to commonly used terms, such as DCSs, industrial control systems (ICSs), supervisory control systems, and SCADA systems. This situation has been further complicated by the migration from relay logic, to programmable logic controllers (PLCs), to microcomputers, to the use of local area networks (LANs), Windows platforms, standard buses, and so on.

To establish a solid foundation for the material in this book, the definitions from ANSI/ISA-62443-1-1 (99.01.01)-2007 and NIST Special Publication (SP) 800-82 will be used. ANSI/ISA-62443-1-1 (99.01.01)-2007 defines ICSs, DCSs, PLCs, and SCADA systems as belonging to the class of industrial automation and control systems (IACSs). Specifically, ANSI/ISA-62443-1-1 (99.01.01)-2007 states that an industrial automation and control system is:

A collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process. These systems include, but are not limited to:

a. Industrial control systems, including distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition (SCADA), networked electronic sensing and control, and monitoring and diagnostic systems. (In this context, process control systems include basic process control system and safety instrumented system [SIS] functions, whether they are physically separate or integrated.)

b. Associated information systems, such as advanced or multivariable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant information management systems.

c. Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.

NIST SP 800-82 defines an industrial automation and control system as “a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other control system configurations, such as skid-mounted programmable logic controllers (PLCs) often found in the industrial sectors and critical infrastructures.”

In this text, the ANSI/ISA-62443-1-1 (99.01.01)-2007 terminology and definitions will take precedence over others where there are differences.
SCADA Systems

ANSI/ISA-62443-1-1 (99.01.01)-2007 defines a SCADA system as “a type of loosely coupled distributed monitoring and control system commonly associated with electric power transmission and distribution systems, oil and gas pipelines, and water and sewage systems.” NIST SP 800-82 describes SCADA systems as:

Highly distributed systems used to control geographically dispersed assets, often scattered over thousands of square kilometers, where centralized data acquisition and control are critical to system operation. They are used in distribution systems, such as water distribution and wastewater collection systems, oil and natural gas pipelines, electrical power grids, and railway transportation systems. A SCADA control center performs centralized monitoring and control for field sites over long-distance communications networks, including monitoring alarms and processing status data.

ANSI C37.13 defines SCADA as a system operating with coded signals over communication channels to control RTU equipment. The supervisory system may be combined with a data acquisition system by using coded signals over communication channels to acquire information about the status of RTU equipment for display or for recording functions.

A SCADA system comprises both hardware and software, and the classical SCADA system model includes the following components:

Human-Machine Interface (HMI) – A program that provides the operator with an easy-to-read graphical and textual display of the SCADA system elements. The HMI displays warnings and alerts and supports the operator in analyzing system performance, spotting trends, and changing controls. Some commonly used HMI software packages are Wonderware, RSView, and iFIX. An HMI is typically resident in the master control center as well as on the plant floor.
Master Terminal Unit (MTU) or SCADA Server at a Master Control Center – A SCADA element at the control center that provides two-way data communication and control of field devices, such as RTUs, PLCs, programmable automation controllers (PACs), and intelligent electronic devices (IEDs). Two-way communications between the MTU and field devices are usually low bandwidth and can be implemented through a variety of technologies, including telephone, VHF/UHF radio, spread-spectrum radio, satellite, and microwave.

Remote Terminal Unit (RTU) – In a typical application, the RTU serves as a data concentrator and is an interface between the MTU and field devices, such as PLCs, PACs, or IEDs. The RTU gathers information from the field devices and stores it until interrogated by the MTU. Conversely, the RTU receives commands for the field devices and passes these on to be executed. There are some PLCs or PACs that incorporate the functions of the RTU by communicating with the MTU and providing remote data acquisition and control of field devices, such as actuators and pumps.

Programmable Logic Controller (PLC) – A PLC is defined as “a solid-state control system that has a user-programmable memory for storing instructions for the purpose of implementing specific functions, such as I/O control, logic, timing, counting, three-mode (PID) control, communication, arithmetic, and data and file processing.” A PLC uses a standard instruction set, such as IEC 61131-3, to implement control logic functions. IEC 61131-3 is a vendor-independent international standard for PLC programming languages for industrial automation.
It includes standards for the following PLC programming languages:

– Function Block Diagram (FBD)
– Instruction List (IL)
– Ladder Diagram (LD)
– Sequential Function Charts (SFC)
– Structured Text (ST)

Programmable Automation Controller (PAC) – A PAC is similar to a PLC, but has additional capabilities, such as more robust communications, higher-speed processors, integration with organizational databases, and a common development environment for integration of software and hardware components.

Intelligent Electronic Device (IED) – IED is a general term for a device that can communicate directly with the MTU or through the RTU and provide direct connections for controlling and polling field equipment, such as actuators.

Classical SCADA systems provide a dependable means of collecting information from multiple RTUs. However, in many current applications, SCADA systems are used in production environments and perform calculations and data analysis in real time on a plant floor, with HMI capabilities. Thus, in many instances SCADA and HMI reside on the same system to perform operations at the equipment level in a real-time, data-driven production environment. The discussions in this book are meant to encompass both classical and current SCADA environments.

The SCADA control center serves as the central location for monitoring and analyzing data acquired from the field devices and for sending control commands to these devices. Because of its criticality, in many instances there is a duplicate control center at a backup site connected to the main site by a wide area network (WAN). Additional important capabilities that reside in the control center are archiving historical data, providing operations information to business managers and accounting, and restoring lost data.
Data historians, real-time relational databases, and yield accounting systems usually provide these capabilities.

The data historian acquires and stores data and provides for prompt recovery of that data, if required. It differs from a real-time database in that the historian only archives information and provides no outputs to other system devices. It offers additional capabilities, such as compressing data to store large amounts of data more efficiently and organizing the data into save-sets, which are histories of the system for specific time periods.

A real-time relational database supports interactive storage and retrieval of detailed contextual information when production processes are involved and can interface with business applications, other databases, forms, and XML files.

A yield accounting system interacts with the real-time, relational database, processes plant production data, and generates production accounting information. Typical information provided by a yield accounting system includes:

– Inventory discrepancies
– Material balances in different areas of the plant and for the total plant
– Plant material movement
– Total amount of product made by a particular unit
– Total volume of a finished product shipped to a customer over a specified time interval

For planning and scheduling purposes, condensed versions of production data are transmitted from the yield accounting system to the enterprise resource planning (ERP) system for processing.

SCADA systems can be configured in a wide variety of architectures with various components, depending on the application and other plant and corporate requirements. Figure 1-1 is an example of a SCADA system client-server model that incorporates fundamental SCADA elements.
The figure is presented to provide a conceptual view of a SCADA system and is not intended to represent all the various SCADA system architectures that are employed in the field.

[Figure 1-1. A Client-Server SCADA Architecture Example: HMI and SCADA clients, a data historian, a SCADA server with a backup SCADA server, remote terminal units (RTUs), programmable logic controllers (PLCs), intelligent electronic devices (IEDs), a programmable automation controller (PAC), sensors, and a motor.]

Distributed Control Systems

A DCS includes a supervisory controller running on a control server and a number of distributed controllers. The supervisory controller transmits data set points to the remote controllers and acquires data from them. The distributed controllers control process elements by communicating with them over a fieldbus-type network based on the information received from the supervisor. ANSI/ISA-62443-1-1 (99.01.01)-2007 classifies a distributed control system as:

A type of control system in which the system elements are dispersed but operated in a coupled manner.

NOTE Distributed control systems may have shorter coupling time constants than those typically found in SCADA systems.

NOTE Distributed control systems are commonly associated with continuous processes, such as electric power generation; oil and gas refining; and chemical, pharmaceutical, and paper manufacture, as well as discrete processes such as automobile and other goods manufacturing, packaging, and warehousing.

NIST SP 800-82 defines a distributed control system as “control achieved by intelligence that is distributed about the process to be controlled, rather than by a centrally located single unit.”

In a DCS, subsystems have their own controller elements to manage local processes and to communicate with an operator console for overall supervisory functions. The individual controllers are integrated and communicate through local area networks. Figure 1-2 illustrates a typical DCS. In the figure, the engineering workstation supports distributed system security functions, serves as a development facility, and is used to set alerts and alarm conditions. The operator workstation provides the operator interface and is used by the operator to monitor the DCS, sense alerts and critical situations, and conduct system diagnostics.

[Figure 1-2. Example of a Distributed Control System: HMI clients, operator and engineering workstations, a process historian, and SCADA servers on an Ethernet network; Modbus and TCP/IP over a LAN or WAN to a remote terminal unit (RTU), programmable logic controllers (PLCs), and input/output subsystems connected to the field devices to be controlled, sensors, and a motor.]

Safety Instrumented Systems

Safety instrumented systems (SISs) have been widely used in the process industry to maintain a process in a safe condition during a hazardous situation; for example, if critical set points are exceeded or safe operating conditions are breached. SISs are sometimes referred to as safety shutdown (SSD) systems or emergency shutdown (ESD) systems.
ANSI/ISA-84.00.01-2004, Part 1 (IEC 61511-1 Mod) defines an SIS as an “instrumented system used to implement one or more safety instrumented functions (SIFs). An SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).” The standard also defines an SIF as a “safety function with a specified safety integrity level, which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function.” Figure 1-3 illustrates the relationship between safety instrumented functions and other process functions.

[Figure 1-3. Safety Instrumented Functions versus Other Process Functions: a decision flow that asks whether a function is instrumented and whether it is safety related, and classifies it as not relevant, basic process control and/or asset protection, other means of risk reduction, or a safety instrumented function, which is further divided by mode (demand or continuous) and type (prevention or mitigation) into safety instrumented protection, control, prevention, or mitigation functions. The standard specifies activities to be carried out for the non-SIF branches but does not detail their requirements. Source: ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod)]

An SIS is usually implemented in parallel with conventional control systems to reduce the risks associated with explosive or other dangerous environments. Thus, the proper application of an SIS should be preceded by a formal risk assessment to identify possible threats, vulnerabilities, and likelihoods of occurrence. An excellent guide to risk management is NIST SP 800-39, which takes a global, multi-tiered approach to risk management, where system risk is one part of a hierarchy of risk management levels.
The document is aimed toward IT applications, but many of the principles are applicable to industrial automation and control systems. The document describes the following three tiers of an organization-wide risk management paradigm:

1. Tier 1: Organization – Establishes and implements governance structures consistent with the organizational mission and goals
2. Tier 2: Mission/Business Processes – Designs, develops, and implements mission/business processes to support the mission defined in Tier 1
3. Tier 3: Information Systems – Integrates risk management activities into the system development life cycle (SDLC) of organizational information systems and addresses the resilience of organizational information systems

NIST SP 800-39 will be discussed in more detail in Chapter 5 of this book.

ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod) promotes two important concepts associated with an SIS, namely the safety life cycle and safety integrity levels, and defines these terms as follows:

Safety Life Cycle – Necessary activities involved in the implementation of safety instrumented function(s) occurring during a period of time that starts at the concept phase of a project and finishes when all the safety instrumented functions are no longer available for use.

Safety Integrity Level (SIL) – Discrete level (one of four) for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented system. Safety integrity level 4 is the highest level of safety integrity; safety integrity level 1 is the lowest.

Figure 1-4 provides a flow diagram of the SIS life-cycle phases and functional safety assessment steps. The clauses cited in the figure refer to clauses in the ANSI/ISA-84.00.01-2004 document.
[Figure 1-4. SIS Life Cycle and Functional Safety Elements. Source: ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod). Life-cycle phases and the clauses that govern them: 1 Hazard and risk assessment (Clause 8); 2 Allocation of safety functions to protection layers (Clause 9); 3 Safety requirements specification for the safety instrumented system (Clauses 10 and 12); 4 Design and engineering of safety instrumented system (Clauses 11 and 12), in parallel with design and development of other means of risk reduction (Clause 9); 5 Installation, commissioning, and validation (Clauses 14 and 15); 6 Operation and maintenance (Clause 16); 7 Modification (Clause 17); 8 Decommissioning (Clause 18); 9 Verification (Clauses 7, 12.4 and 12.7); 10 Management of functional safety and functional safety assessment and auditing (Clause 5); 11 Safety life cycle structure and planning (Clause 6.2). Functional safety assessment Stages 1 through 5 are defined in 5.2.6.1.3; all references are to Part 1 unless otherwise noted.]

Industrial Automation and Control System Protocol Summary

A protocol defines the rules for entities to use in communicating with each other. In order to better manage communications and compartmentalize the activities required to establish, maintain, use, and close communication links, high-level models are used. In particular, layered architectures are useful in defining the various communication functions in a hierarchical manner. Two widely popular implementations of the layered architecture paradigm are the Open Systems Interconnection (OSI) model and the Transmission Control Protocol/Internet Protocol (TCP/IP) model.

The OSI Model

In the early 1980s, the International Organization for Standardization (ISO) developed the OSI reference model.
The model functions by encapsulating data and transferring it to an adjacent lower level, where the data is again encapsulated by the lower level, for example by adding a header. Table 1-1 summarizes the OSI model layers and the protocols associated with each layer.

Table 1-1. OSI Model Layers

Layer | Role | Protocols
7-Application | Provides for application support and verifies receiver availability. | SMTP (Simple Mail Transport Protocol); FTP (File Transfer Protocol); SNMP (Simple Network Management Protocol)
6-Presentation | Conducts translations and conversions for the application layer, including compression, decryption, and encryption. | MPEG (Motion Pictures Experts Group); HTTP (Hypertext Transfer Protocol); JPEG (Joint Photographic Experts Group)
5-Session | Sets up communication connections, controls the data transmission during a session, and terminates the connection. | NFS (Network File System), which supports file sharing; RPC (Remote Procedure Call)
4-Transport | Sets up a logical connection between the transmitter and receiver. The transport layer is connection-oriented and ensures data delivery to the receiver. | TCP (Transmission Control Protocol); UDP (User Datagram Protocol)
3-Network | Performs error checking, addressing, routing, and node traffic control. | IP (Internet Protocol); ICMP (Internet Control Message Protocol)
2-Data Link | Includes the media access control (MAC) sublayer and logical link control sublayer. Performs error-free packet transmission. | PPP (Point-to-Point Protocol); ARP (Address Resolution Protocol)
1-Physical | Converts packets into electrical or optical signals for sending on the transmission media, such as wiring or cables. Defines network electrical and mechanical interfaces to the network transmission media. | EIA-232C (RS-232C); EIA-422-B (RS-422)
The TCP/IP Model

In the 1970s, the U.S. Department of Defense developed TCP/IP, which is the basic protocol suite of the Internet. It was developed prior to the OSI model and is named from two of its most important protocols: the Transmission Control Protocol (TCP) and the Internet Protocol (IP). The OSI model is a more formalized layered suite of protocols, but it inherited some of its architecture from TCP/IP. Table 1-2 summarizes the four TCP/IP layers and the protocols associated with each layer.

Table 1-2. TCP/IP Model Layers

Layer | Role | Protocols
4-Application | Provides the interface to the user. | Telnet; FTP; SNMP; SMTP
3-Host-to-Host or Transport | Provides connection-oriented end-to-end communications, supports error-free packet delivery, and organizes data into packets. | TCP; UDP
2-Internet | Performs addressing and routing functions. | IP; ARP; ICMP; PPP
1-Network Access | Combines the operations of the OSI physical and data link layers. | EIA-422-B (RS-422); EIA-232C (RS-232C); IEEE 802.2 Logical Link Control

With this background of the OSI and TCP/IP models, the salient points of some control system protocols can be reviewed. This summary is not intended to be a comprehensive coverage of all protocols in use but a sampling of some of the popular approaches.

Object Linking and Embedding for Process Control

NIST SP 800-82 defines OPC (Object Linking and Embedding [OLE] for Process Control) as “a set of open standards developed to promote interoperability between disparate field devices, automation/control, and business systems.” The OPC standards specifications are now known as the Data Access Specification.
OPC was built on the OLE Component Object Model (COM) and Distributed Component Object Model (DCOM) technologies of Microsoft, which specified a standard set of objects, interfaces, and methods for use in process control and manufacturing automation applications. Due to some vulnerabilities in Microsoft’s software, OPC should only be applied between the demilitarized zone (DMZ) and control networks and not used between the corporate network and the DMZ.

The following list summarizes some of the popular OPC specifications:

– OPC Alarms and Events – Supports process alarms, messaging, and event notifications on demand
– OPC Batch – Provides OPC functionality to batch processes
– OPC Command – Provides interfaces that support OPC clients and servers in managing commands sent to devices
– OPC Data Access – Provides for the transmission of data from PLCs, IEDs, and DCSs to HMI clients
– OPC Data eXchange – Supports interoperability among a variety of vendors and communication and management services among Ethernet fieldbus connections
– OPC Historical Data Access – Provides archiving of historical data
– OPC Security – Safeguards critical data through access control and integrity protection mechanisms
– OPC Unified Architecture – Defines specifications that do not use Microsoft COM in order to enhance cross-platform usage

OPC Unified Architecture

OPC Unified Architecture (OPC UA) is an OPC Foundation web services technology designed to provide the functions of OPC, but to support interoperability among different platforms and achieve independence from Microsoft COM/DCOM. It can also interface easily with corporate enterprise systems and manufacturing management systems.
Some of the features of OPC UA are:

– Integrated security
– Multiplatform compatibility
– Scalable
– Object-oriented
– Ability to identify specific components
– Information modeling, including how data is communicated

Modbus/TCP Model

Modbus is an OSI Layer 7 serial communication protocol that was developed by Modicon in 1979 for use with data acquisition and control systems. Modbus enables reliable communication among various control devices, including PLCs. Several significant modifications to Modbus have evolved, such as Modbus/TCP, which was developed to be compatible with the TCP/IP model. Additional Modbus variants include Modbus ASCII, Modbus RTU, Modbus RTU/IP, and Modbus over UDP.

The Distributed Network Protocol

The Distributed Network Protocol (DNP3) is an open SCADA protocol that is used for serial or TCP/IP communications between control devices. It is widely used by utilities, such as water companies and electricity suppliers, for the exchange of data and control instructions between master control stations and remote computers or controllers called outstations. Figure 1-5 is an example of a SCADA application, using DNP3 with a data concentrator in a hierarchical mode.

[Figure 1-5. DNP3 Example Usage: a DNP3 master communicates with Unit A outstations and with a data concentrator; the data concentrator acts as an outstation toward the master and as a DNP3 master toward further Unit A outstations.]

Utility Communications Architecture Version 2.0/IEC 61850

The Utility Communications Architecture (UCA) Version 2.0 comprises a set of communications protocols for use by electric utilities. In 1999, UCA 2.0 evolved to the layered architecture standard IEC 61850 for substation automation.
IEC 61850 enabled IEDs to obtain power grid condition data via an Ethernet process bus and from merge units, which provide interfaces to field devices. Legacy devices utilize an IEC 61850 wrapper around legacy protocols for compatibility. IEC 61850 includes the following features:

– Abstract definitions of services and data
– Definitions for IED communications
– IED communications through substation buses
– Mapping of services to protocols
– Object-oriented approach
– Standardized configuration language (SCL)

Figure 1-6 provides an overview of an IEC 61850-based substation.

[Figure 1-6. An IEC 61850 Substation: a substation Ethernet bus (10/100/1000 Mbps) connects the HMI, a meter, a control device, and a legacy device through an IEC 61850 wrapper, with a link to the Internet; an Ethernet process bus (1/10 Gbps) connects IED1, IED2, and a merge unit.]

PROFIBUS

Process fieldbus or PROFIBUS is an open standard that defines the electrical, mechanical, and functional aspects of a fieldbus that addresses deterministic data acquisition implementations. It is compatible with European international fieldbus standard EN 50170. There are three versions of PROFIBUS: PROFIBUS Process Automation (PA), PROFIBUS Decentralized Peripherals (DP), and PROFIBUS Fieldbus Message Specification (FMS). PROFIBUS PA communicates with control devices and data acquisition components through a common serial bus and is specifically designed for use in hazardous and explosive environments through current limiting elements. PROFIBUS DP communicates over a high-speed network with sensors and actuators through a central controller and is suited for factory automation requirements. PROFIBUS FMS supports communications among a large number of high-level applications at moderate transmission rates.
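Returning to the Modbus/TCP section above: the following added example (not code from the book or from any Modbus vendor) decodes Modbus/TCP request frames into the MBAP header and PDU and flags write function codes from any host other than the authorized master, the kind of check a passive monitoring sensor on a control network performs. The MBAP layout and function-code grouping are standard Modbus/TCP facts; the sample frames, IP addresses, and the `audit` policy are constructed for this example.

```python
"""Decode Modbus/TCP requests and flag writes from hosts that are not the
authorized master. Added example, not code from the book; it assumes the
standard MBAP header (transaction id, protocol id, length, unit id) followed
by the PDU (function code plus data), and uses constructed sample frames."""
import struct
from dataclasses import dataclass

# Public Modbus function codes grouped by their effect on the device.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               23: "Read/Write Multiple Registers"}
DIAG_CODES = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU payload after the function code

    @property
    def kind(self) -> str:
        if self.function_code in READ_CODES:
            return "read"
        if self.function_code in WRITE_CODES:
            return "write"
        if self.function_code in DIAG_CODES:
            return "diagnostic"
        return "other"

    @property
    def name(self) -> str:
        return {**READ_CODES, **WRITE_CODES, **DIAG_CODES}.get(
            self.function_code, f"Function {self.function_code}")


def parse_adu(frame: bytes) -> ModbusRequest:
    """Split a Modbus/TCP ADU into its MBAP header and PDU, validating the
    header fields a sensor should never take on trust."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def describe(req: ModbusRequest) -> str:
    """Human-readable summary of the addresses a request touches."""
    fc, d = req.function_code, req.data
    if fc in (1, 2, 3, 4, 15, 16) and len(d) >= 4:
        start, qty = struct.unpack(">HH", d[:4])
        return f"{req.name} start={start} quantity={qty}"
    if fc in (5, 6) and len(d) >= 4:
        addr, value = struct.unpack(">HH", d[:4])
        return f"{req.name} address={addr} value=0x{value:04X}"
    return req.name


def audit(captures, authorized_masters):
    """Return one alert per write request whose source is not an authorized
    master. captures is a list of (source_ip, adu_bytes) pairs."""
    alerts = []
    for src, frame in captures:
        req = parse_adu(frame)
        if req.kind == "write" and src not in authorized_masters:
            alerts.append(f"{src} -> unit {req.unit_id}: {describe(req)} "
                          f"(txn {req.transaction_id}) from unauthorized host")
    return alerts


# Constructed sample traffic (not a real capture).
CAPTURES = [
    # Authorized master reads 10 holding registers starting at address 0.
    ("10.0.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Authorized master writes 0x00FF to holding register 16.
    ("10.0.1.10", bytes.fromhex("0002 0000 0006 01 06 0010 00FF")),
    # Unknown host writes one register (value 1) starting at address 0.
    ("10.0.9.77", bytes.fromhex("0003 0000 0009 01 10 0000 0001 02 0001")),
]
AUTHORIZED_MASTERS = {"10.0.1.10"}  # constructed policy for this example

if __name__ == "__main__":
    for src, frame in CAPTURES:
        print(src, describe(parse_adu(frame)))
    for alert in audit(CAPTURES, AUTHORIZED_MASTERS):
        print("ALERT:", alert)
```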
Controller Area Network

Controller area network (CAN) protocols (also known as ISO Standard 11898-1) were developed in 1986 by Robert Bosch GmbH in Germany for control applications in automobile production lines. The protocol uses an altered form of Ethernet Carrier Sense Multiple Access with Collision Detection (CSMA/CD) to implement a deterministic protocol for SCADA systems. In a deterministic system, an element must respond to events in a predictable manner with a known response time. For example, when contro
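As an added illustration of the determinism described above (example code, not from the book): the simulation below models the way CAN resolves simultaneous transmissions, namely bitwise arbitration on the identifier in which a dominant (0) bit overrides a recessive (1) bit, so the lowest identifier always wins and no frame is destroyed, in contrast to an Ethernet CSMA/CD collision followed by random backoff. The 11-bit identifiers and the worst-case frame length used for the latency bound are assumptions made for the example.

```python
"""Simulate CAN bitwise arbitration to show why bus access is deterministic.

Added example, not code from the book. It assumes standard 11-bit CAN
identifiers and the rule that a dominant (0) bit on the wire overrides a
recessive (1) bit, so a node that sends a 1 while the wire reads 0 stops
transmitting. No frame is destroyed, unlike an Ethernet CSMA/CD collision."""

ID_BITS = 11


def arbitrate(contenders):
    """Run one arbitration round among nodes that start transmitting together.

    Returns (winning_id, dropouts); dropouts maps each losing identifier to
    the bit position (0 = first bit sent) at which it backed off."""
    active = set(contenders)
    if len(active) != len(contenders):
        raise ValueError("two nodes may not transmit the same identifier")
    dropouts = {}
    for bit in range(ID_BITS - 1, -1, -1):          # MSB first, as on the wire
        # The wire is dominant (0) if any still-active node sends a 0.
        wire_dominant = any((ident >> bit) & 1 == 0 for ident in active)
        if not wire_dominant:
            continue
        for ident in list(active):
            if (ident >> bit) & 1 == 1:              # sent recessive, saw dominant
                active.remove(ident)
                dropouts[ident] = ID_BITS - 1 - bit
    (winner,) = active                               # exactly one node remains
    return winner, dropouts


def transmission_order(pending):
    """Order in which pending identifiers reach the bus: repeated arbitration
    always admits the lowest identifier next, regardless of arrival order."""
    queue = list(pending)
    order = []
    while queue:
        winner, _ = arbitrate(queue)
        order.append(winner)
        queue.remove(winner)
    return order


def worst_case_wait_bits(ident, pending, frame_bits=130):
    """Upper bound, in bit times, on how long `ident` waits before winning:
    one frame already on the bus plus one frame from each higher-priority
    pending node. frame_bits is an assumed worst-case classic CAN frame
    length; the bound holds only while no node re-queues a frame."""
    higher = [p for p in pending if p < ident]
    return frame_bits * (1 + len(higher))


if __name__ == "__main__":
    ids = [0x100, 0x0A5, 0x7FF]      # constructed identifiers, not a real bus
    winner, losers = arbitrate(ids)
    print(f"winner 0x{winner:03X}, losers dropped at bits {losers}")
    print("order:", [hex(i) for i in transmission_order(ids)])
    print("worst-case wait for 0x0A5:", worst_case_wait_bits(0x0A5, ids), "bit times")
```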