Chapter 17 - Cyber-security in Industrial Measurement and Control Systems

Chapter 17 - Cyber-security in Industrial Measurement and Control Systems

PDF Version

As digital technology finds greater application in industrial measurement and control systems, these systems become subject to digital vulnerabilities. Cyber-security, which used to be strictly limited to information technology (IT) systems such as those used in office and research environments (e.g. desktop computers, printers, internet routers), is now a pressing concern for industrial measurement and control systems.

There exist many points of commonality between digital IT and digital control systems, and it is at these points where mature protection concepts may be borrowed from the world of IT for use protecting industrial control systems. However, digital measurement and control systems have many unique features, and it is here we must develop protection strategies crafted specifically for industrial applications.

The chief difference between industrial controls and IT systems is, of course, the fact that industrial controls directly manage real physical processes. The purpose of an IT system, in contrast, is to manage information. While information can be dangerous in the wrong hands, physical processes such as chemical plants, nuclear power stations, water treatment facilities, hazardous waste treatment facilities, can be even more so.

This chapter will primarily focus on digital security as it applies to industrial measurement and control systems. The opening section is a case study on what has become a famous example of an industrial-scale cyber-attack: the so-called Stuxnet virus.

As control system professionals, it is in our interest to ensure our measurement and control systems are secure from unauthorized access. It is helpful to regard system security similarly to how we regard system safety or reliability, as these concerns share many common properties:

  • Just as accidents and faults are inevitable, so is unauthorized access to any digital system
  • Just as 100% perfect safety and 100% perfect reliability is unattainable, so is 100% security
  • Digital security needs to be an important criterion in the selection and setup of industrial instrumentation equipment, just as safety and reliability are important criteria
  • Maximizing security requires a security-savvy culture within the organization, just as maximizing safety requires a safety-savvy culture and maximizing reliability requires a reliability-centric design philosophy

Also similar to safety and reliability is the philosophy of defense-in-depth, which is simply the idea of having multiple layers of protection in case one or more fail. Applied to digital security, defense-in-depth means not relying on a single mode of protection (e.g. passwords only) to protect a system from attack.

It should be noted that cyber-security is a very complex topic, and that this chapter of the book is quite unfinished at the time of this writing (2016). Later versions of the book will likely have much more information on this important topic.