Cyber Security for the Control System

I guess your control system is connected to the Internet then, isn't it? That might be once removed via the domain controller, but the DC is running the same OS and is vulnerable to the exact same viruses and worms that the SCADA or HMI system is. You don't have a true "air gap".

There was a nuclear power plant in the US whose control system was knocked out for hours by the SQL Slammer worm a few years ago. There was one PC on the control network that used MS Windows and had an MS SQL Server database. They *thought* the control system was isolated, but the control system was connected to the business system, and the business system was connected to an outsourced financial consultant, who got the worm. That's all it took. Fortunately, the reactor was already shut down for other unrelated reasons.

Just to be clear, I don't think "isolate the control system" and "keep your patches and anti-virus up to date" can be reconciled. If the security patches and anti-virus updates can get through, the viruses can get through. It's not a winning strategy.
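The transitive-connectivity point made in this post (the control network is reachable through the business network and the consultant, so there is no real air gap) can be checked mechanically. The following is an added example, not code from the poster: it models network zones and the links allowed between them as a directed graph, constructed here purely for illustration, and asks whether any path exists from an untrusted zone to the control network. It also shows re-running the check after cutting the bridging links, which is how a proposed isolation change can be verified before it is made.

```python
"""Transitive reachability check for network zones.

Added example (not from the original thread). Zone names and links
below are constructed to mirror the Slammer incident described in
the post: Internet -> consultant -> business network -> control
network, with the domain controller as a second bridge.
"""
from collections import deque

# Constructed topology: zone -> zones it can initiate connections to.
# The "air gap" is only nominal here: the business LAN and the DC both bridge it.
ZONES = {
    "internet": {"consultant"},
    "consultant": {"business"},                    # consultant's remote link into the business LAN
    "business": {"domain_controller", "control"},  # e.g. historian/OPC link into the control LAN
    "domain_controller": {"control"},              # DC serving both sides
    "control": set(),
}


def find_path(graph, src, dst):
    """Return the shortest list of zones from src to dst (BFS), or None if unreachable."""
    parents = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def is_air_gapped(graph, protected, untrusted=("internet",)):
    """True only if no untrusted zone has any path to the protected zone."""
    return all(find_path(graph, u, protected) is None for u in untrusted)


def remove_link(graph, src, dst):
    """Return a copy of graph with one link cut, to evaluate a proposed isolation change."""
    new = {zone: set(peers) for zone, peers in graph.items()}
    new[src].discard(dst)
    return new


if __name__ == "__main__":
    # As described: the worm's route into the control network.
    print("path:", find_path(ZONES, "internet", "control"))
    print("air-gapped as built:", is_air_gapped(ZONES, "control"))
    # Cut both bridges and re-check.
    hardened = remove_link(remove_link(ZONES, "business", "control"),
                           "domain_controller", "control")
    print("air-gapped after cutting bridges:", is_air_gapped(hardened, "control"))
```

The useful habit this encodes is that "isolated" is a property of the whole graph, not of one link: removing only the business-to-control link still leaves the path through the domain controller, and the check only passes once both bridges are gone.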
 
It is more than just hoping that your employees have common sense; the DCS system has to be properly isolated in the first place to be secure against general malware, DOS, and virus attacks. Most are, in the power generation industry at least--the unit control network is isolated from the plant control network, and the plant network is isolated from the corporate network. The problem is, one foolish employee can bypass all of the isolation by doing something stupid like installing unapproved software off of a USB drive or modifying the network settings. That is why I think every site with a DCS should be instilling a culture of security where employees know not to do that sort of thing (which is what I call common sense).

It is possible, of course, for a virus on a corporate network to attack a PC that is straddling both the Corporate and Plant Control networks. Typically this would be a Windows PC running a historian service or OPC server. Those PCs absolutely have to be secure with the latest OS patches and virus protection. Sites with reason to be paranoid sometimes avoid the problem completely by not having any communication between the plant and corporate networks. I've seen sites where that communication is done via an industrial network like serial Modbus just to make sure nothing but data can make it across. Some customers require a physically one-way connection, where data literally cannot flow from the corporate network to the control network, but performance data can still be sent to the corporate network.

PCs straddling the unit and plant control networks are a tricky problem; from a defense in depth perspective, they should have all of the same updates and security, even though the plant network is theoretically secure. However, that can be tricky from both a connectivity and stability perspective. Internet updates are obviously out, and Windows updates can occasionally be incompatible with the DCS software. Getting updates from the DCS vendor can solve both problems; I can't speak for others, but we test our HMIs against the updates and make sure nothing breaks.

Traditionally, the defense-in-depth stops about there; DCS vendors have assumed that the unit control networks are secure, and not spent a lot of time hardening industrial protocols and services on them. That is changing, and you're going to see new features in DCS systems to protect against attack on a compromised unit control network. The Mark VIe DCS, for example, uses managed switches that are integrated into the DCS and can generate alarms when the network configuration is tampered with (i.e. plugging in a laptop, or even swapping which port a controller is plugged into) and shut down the offending ports.
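The switch-based tamper detection described in the post (alarm when an unknown device appears or a controller changes ports, then shut the port) is, at its core, a comparison of the switch's current MAC address table against an approved baseline. The following is an added example, not the poster's code and not how the Mark VIe implements it: it parses a constructed snapshot laid out like a typical `show mac address-table` listing, compares it with a constructed baseline of which device belongs on which port, and produces the three alarm types a defender would want (unknown device, known device moved, baselined device missing) plus the list of ports that would be candidates for shutdown.

```python
"""Port/MAC baseline audit for a managed switch on a control network.

Added example, not from the original thread. The baseline, the MAC
addresses and the table snapshot are all constructed for illustration.
"""

# Approved baseline: port -> (MAC, device description). Constructed values.
BASELINE = {
    "Gi1/0/1": ("00:1b:21:aa:00:01", "controller-A"),
    "Gi1/0/2": ("00:1b:21:aa:00:02", "controller-B"),
    "Gi1/0/3": ("00:1b:21:aa:00:03", "hmi-1"),
    "Gi1/0/5": ("00:1b:21:aa:00:05", "hmi-2"),
}

# Constructed snapshot in a "show mac address-table"-like layout:
#   VLAN  MAC                TYPE     PORT
# controller-B has been moved to port 4, an unknown device is on port 7,
# and hmi-2 is absent.
SNAPSHOT = """\
  10    00:1b:21:aa:00:01  DYNAMIC  Gi1/0/1
  10    00:1b:21:aa:00:02  DYNAMIC  Gi1/0/4
  10    00:1b:21:aa:00:03  DYNAMIC  Gi1/0/3
  10    3c:52:82:de:ad:01  DYNAMIC  Gi1/0/7
"""


def parse_mac_table(text):
    """Parse the table into {port: mac}; header and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        _vlan, mac, _kind, port = parts
        table[port] = mac.lower()
    return table


def audit_ports(baseline, observed):
    """Return sorted (severity, port, message) alarms for deviations from the baseline."""
    alarms = []
    base_port_of_mac = {mac: port for port, (mac, _) in baseline.items()}
    for port, mac in observed.items():
        expected = baseline.get(port)
        if expected and expected[0] == mac:
            continue                      # device is where the baseline says it should be
        if mac in base_port_of_mac:       # known device, but on the wrong port
            old_port = base_port_of_mac[mac]
            name = baseline[old_port][1]
            alarms.append(("HIGH", port, f"{name} moved from {old_port} to {port}"))
        else:                             # never-seen device (e.g. a plugged-in laptop)
            alarms.append(("HIGH", port, f"unknown device {mac} on {port}"))
    seen_macs = set(observed.values())
    for port, (mac, name) in baseline.items():
        if mac not in seen_macs:          # expected device gone from every port
            alarms.append(("MEDIUM", port, f"{name} ({mac}) not seen on any port"))
    return sorted(alarms)


def ports_to_disable(alarms):
    """Ports carrying a HIGH alarm: candidates for the switch to shut down."""
    return sorted({port for severity, port, _ in alarms if severity == "HIGH"})


if __name__ == "__main__":
    observed = parse_mac_table(SNAPSHOT)
    for alarm in audit_ports(BASELINE, observed):
        print(alarm)
    print("disable:", ports_to_disable(BASELINE and audit_ports(BASELINE, observed)))
```

Two design points worth noting: a known controller showing up on a different port is reported as a move rather than as two separate "missing" and "unknown" alarms, because that is the event an operator needs to act on, and only unexpected-device conditions are rated high enough to justify shutting a port, since disabling a port because an HMI was merely powered off would itself be a denial of service on the control network.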
 
Strangely enough, the US Department of Homeland Security has done a lot of work in this area, which is freely available, even to us foreigners <gripe>who get treated as potential terrorists even if we're just transiting through US airspace</gripe>.

Check out http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf. It seems pretty comprehensive, except that they have overlooked the USB drive as a source of infection.

Bruce.
 