Introduction: Over the past nine years, while implementing various cybersecurity measures for industrial control systems, my country has also encountered difficulties and challenges completely different from those faced by internet security and information system security, which remain severe…
Source | National Engineering Laboratory for Industrial Control System Safety Technology, Zhejiang University
Author | Feng Dongqin
I. Industrial control systems have become an important battleground for cyberspace security.
In 2010, Iran experienced the shocking Stuxnet attack, in which a computer virus attacked the Siemens PCS7 control system used at Iran's Natanz uranium enrichment facility and Bushehr nuclear power plant, damaging a large number of uranium enrichment centrifuges and generating units at the Bushehr plant and delaying Iran's nuclear program by at least two years.
The incident demonstrates that cybersecurity threats have rapidly expanded from traditional virtual spaces like the internet and computers to physical industrial control systems. In other words, "computer viruses" can manipulate industrial control systems without damaging the systems themselves, causing production disruptions, pipeline leaks, environmental pollution, equipment damage, and even disasters leading to social unrest, thus posing a significant threat to national security. Industrial control systems have become an increasingly important new battleground for cybersecurity. To distinguish it from viruses in traditional virtual spaces, Stuxnet has been called a "super cruise missile," a "software atomic bomb," and so on.
Since the Stuxnet incident, the threat of these "software atomic bombs" targeting industrial control systems has become increasingly common and closer to us. Even industrial control systems that we previously thought were physically isolated have not been spared:
(1) For example, in December 2015, the power monitoring system in the Ivano-Frankivsk region of Ukraine, which was believed to be running on a private network, was attacked by the "BlackEnergy" malicious code. Ukrainian news media TSN reported: "At least three power areas were attacked, resulting in power outages for several hours"; "The attackers infiltrated the monitoring and management system, causing power outages for several hours in more than half of the region and in parts of the Ivano-Frankivsk region." The Kyivoblenergo power company issued a statement saying: "Due to the intrusion, seven 110 kV substations and 23 35 kV substations of the company malfunctioned, resulting in power outages for 80,000 users."
(2) On June 12, 2017, Industroyer, an industrial control network attack weapon that maliciously attacks power substation systems, was found to have launched an attack on the Ukrainian power grid. Unlike BlackEnergy, Industroyer reportedly did not exploit any vulnerabilities, but instead used the power system's own industrial control protocols to directly control circuit breakers, causing the substation to lose power.
(3) In December 2017, a piece of malware called TRITON targeting the controller of Schneider Electric's Triconex Safety Instrumented System (SIS) was discovered. TRITON is said to be able to modify the voting mechanism of the Safety Instrumented System (SIS), thereby disabling its safety protection functions.
In addition, since the operator interface software of industrial control systems runs on Microsoft operating systems, viruses that target the Internet and computer operating systems (such as the WannaCry ransomware) have also had some impact on industrial control systems.
II. My country has attached unprecedented importance to the cybersecurity of industrial control systems.
Since the Stuxnet incident in 2010, my country has placed unprecedented emphasis on the cybersecurity of industrial control systems, from the central government and various levels of government departments to major enterprises.
(1) At the national level, the central government not only established the Cybersecurity and Informatization Commission, but also successively issued documents such as the "Notice on Strengthening the Information Security Management of Industrial Control Systems" (MIIT [2011] No. 451) and the "Opinions of the State Council on Vigorously Promoting the Development of Informatization and Effectively Safeguarding Information Security" (State Council Document [2012] No. 23). The Standing Committee of the National People's Congress also approved and issued the Cybersecurity Law on November 7, 2016, which came into effect on June 1, 2017. This shows that cyberspace security, including the cybersecurity of industrial control systems, has been elevated to the level of the Party, the State, and the law.
(2) From the perspective of the functions of state organs, all state and local functional organs and departments have placed industrial control security in a very important position. They have not only issued relevant documents, but also carried out various forms of industrial control security training, competitions and other popular science activities, as well as substantive work such as grade protection assessment, security evaluation, security testing and security inspection.
(3) From the standards perspective, the National Information Security Standardization Technical Committee TC260, the Industrial Measurement and Control Standardization Technical Committee TC124, and the National Power System Management and Information Exchange Standardization Technical Committee TC82 have all carried out a great deal of work in the field of industrial control security and released a series of national and industry standards related to industrial control security. On May 13, 2019, the Cybersecurity Classified Protection 2.0 standard (hereinafter referred to as Classified Protection 2.0 standard), which includes cloud computing, mobile internet, Internet of Things, industrial control and big data security, was also officially released amidst much anticipation and will be implemented on December 1, 2019.
(4) In terms of scientific research organization, the Ministry of Education has also established a new first-level discipline of cyberspace security, and major universities have also established relevant colleges and majors.
(5) In terms of industrial organization, the National Industrial Information Security Industry Development Alliance, the Industrial Control System Information Security Industry Alliance, the China Information Security Technology Industry Alliance, and the China Industrial Information Security Alliance are also developing rapidly.
(6) At the level of specific implementation, all industrial enterprises, especially critical infrastructure enterprises, have established dedicated information security agencies, which shows the importance they attach to it.
Taken together, my country has established an industrial control system security system covering all levels, from national policy, law, and functional agencies to scientific research, standards, industry, and enterprises, reflecting the importance attached to industrial control system security.
III. The security threats facing industrial control systems remain severe.
Currently, with the deepening integration of industrialization and informatization, many foreign control systems still widely used in my country's power system, oil refining, water conservancy, urban rail transit, oil pipelines, defense equipment, and other public works projects are difficult to physically isolate from the internet. Furthermore, the maintenance and repair of these industrial control systems are still undertaken by their manufacturers, so the security situation remains severe. The main threat paths are:
(1) Remote attacks from the network, such as through the Internet, the corporate intranet, and wireless networks, which allow hackers and attackers to reach industrial control systems remotely;
(2) Intrusion attacks via removable media, such as portable hard drives, USB flash drives, optical discs, and mobile terminals;
(3) Latent attacks using pre-embedded code, typically introduced during project implementation, through spare parts, or during maintenance.
IV. The main threat to industrial control system security is organized, professional attacks.
From a technical perspective, the cybersecurity threats faced by industrial control systems come from two sources. The first is traditional cybersecurity threats, namely attacks that exploit vulnerabilities in the computer's operating system and application software (such as office software and web software) to gain access to the computer or to steal private or sensitive information.
Another, more significant security threat stems from organized attacks that exploit deep knowledge of industrial control systems and the production equipment and processes they control. Publicly available information reveals that while Stuxnet utilized operating system vulnerabilities, these vulnerabilities were merely used to propagate the Stuxnet code. Its core code, however, leveraged the characteristics of the Siemens PCS7 control system and nuclear facilities to launch malicious manipulations and simultaneously send deceptive data to the operator interface software.
It is evident that hackers targeting the core components of industrial control systems need not only general knowledge of computer operating systems and software, but also the ability to exploit weaknesses in the software and hardware characteristics, communication protocols, operating instructions, and production devices of the industrial control systems themselves. This makes such attacks difficult for general internet security technicians to detect; they exhibit the characteristics of "high professionalism, high concealment, high complexity, difficulty of detection, and difficulty of tracking" (i.e., "three highs and two difficulties").
V. The security challenges of industrial control systems are much greater than those of general information systems.
In the nearly nine years since the Stuxnet incident in 2010, while implementing various measures for the cybersecurity of industrial control systems, my country has also encountered difficulties and challenges completely different from those for internet security and information system security. These difficulties and challenges mainly manifest in the following aspects:
(1) The understanding of industrial control security is still largely limited to Internet security and protocol level.
Compared to internet and information systems, industrial control systems are mostly closed-loop systems composed of multiple components such as sensors, control devices, and actuators. Their monitoring software is primarily for operators to monitor operating conditions and perform simple operations, while industrial control protocols are used to transmit data during the production process. Therefore, network security for industrial control systems requires comprehensive consideration of all these factors, as well as the production equipment itself.
(2) Limited understanding of the principles and mechanisms of malicious code attacks on industrial control systems.
Currently, various public reports, social media documents such as Weibo, and numerous articles and reports focus heavily on reporting industrial control system (ICS) security incidents, with relatively little technical analysis. There is a greater emphasis on exaggerating network threats to ICS security, and less analysis of threats within the ICS itself. There is more information on operating system "vulnerabilities," and less analysis of the hardware and software vulnerabilities of the ICS itself. There is more information on exploiting vulnerabilities in operating systems and email, but less research on the technical aspects of malicious ICS code, such as "what it looks like, when it appears, when it is triggered, how it is triggered, and when it leaves," hindering in-depth ICS security work.
(3) The effectiveness of current industrial control security protection measures and products needs to be tested.
Currently, although various forms of security level protection assessments, security evaluations, security testing, and security inspections for industrial control systems, as well as various industrial control security products, exist, their effectiveness is far from being recognized by users. In particular, the problem of "treating the wrong disease and prescribing the wrong medicine" regarding security threats faced by industrial control system terminal equipment has not yet been truly resolved.
(4) Industrial control security standards are difficult to implement at the industrial control system terminal.
Currently, there are many standards regarding industrial control system (ICS) security, such as the IEC 62443 international standard (ISA 99 of the International Society of Automation, ISA), NIST SP 800-53, and my country's Cybersecurity Classified Protection 2.0 standard GB/T 22239-2019 "Information Security Technology: Basic Requirements for Cybersecurity Classified Protection." However, during implementation, when dealing with an operating ICS (especially its core components such as controllers), the awkward situation of "not being able to touch or budge" still arises.
(5) The implementation of industrial control security is difficult to obtain the cooperation of industrial control equipment manufacturers.
Industrial control systems differ from internet and information systems. They must not only ensure that the production process operates under predetermined conditions according to the process design requirements, but also prevent safety accidents. In other words, manufacturers and integrators of industrial control systems are responsible not only for the continuity and reliability of the production process, but also for its safety. This is something that traditional information security vendors and security products struggle to achieve.
VI. Several common misconceptions about industrial control system security that need to be avoided
As mentioned above, cybersecurity for industrial control systems needs to focus on the security of the control system itself and the production equipment. In practice, the following misconceptions should be avoided:
(1) Overemphasis on security protection based on vulnerability scanning
As mentioned earlier, industrial control system design and development engineers focus on making products more reliable and more available, and on developing control algorithms that make the controlled objects more stable and more robust to external interference. They pay less attention to network security, so their software and hardware have various vulnerabilities.
However, currently available vulnerability scanning products can only detect vulnerabilities that cause overflows and crashes in industrial control systems. Vulnerabilities that can be exploited, such as those from Stuxnet, Industroyer, and TRITON, are still difficult to detect using traditional methods.
(2) Overemphasis on patch upgrade management
As is well known, industrial control systems are tightly coupled between software and hardware, and use a large number of non-proprietary protocols, technologies and functional modules. If the system is patched or updated without rigorous testing, it may result in blue screens or even render the configuration and monitoring software unusable. Restarting an industrial control system is an extremely complex process, and if not handled carefully, it can easily lead to production interruption or damage to equipment due to incompatibility with production processes.
Therefore, patching and software version updates must be done with extreme caution for some important, especially core infrastructure, industrial control systems!
(3) Over-reliance on the isolation and security of industrial control systems
As mentioned earlier, with the continuous advancement of the integration of informatization and industrialization, the interconnection of production and management systems has become a basic architecture of industrial control systems, making complete isolation from the outside world virtually impossible. Furthermore, mobile devices or computers used for maintenance, as well as spare parts, can all become tools for importing code. Stuxnet is said to have been imported using a USB flash drive.
(4) Overestimating the role of traditional protection products such as industrial firewalls
In practice, industrial control systems (ICS) typically filter out all protocols other than their own proprietary protocols and the published industrial protocols they use. In other words, ICS generally already possess the capabilities of a standard firewall. Therefore, the so-called industrial firewalls currently on the market are merely a way to appease inspections and provide a false sense of security.
(5) Over-reliance on one-way communication isolation devices
As mentioned above, there are various attack methods targeting industrial control systems, including remote attacks via networks, wireless access, and attacks through mobile media, pre-installed engineering and maintenance systems, and pre-installed spare parts. One-way communication isolation devices can only play a partial role.
VII. Network security protection for industrial systems must cover all aspects, including the industrial control system itself, production processes, and operational procedures.
In practical terms, the network security protection of industrial control systems needs to be considered comprehensively from the following aspects:
(1) The first layer: network security protection for industrial control systems needs to cover all components of the industrial control system, including software, hardware, and network.
(2) The second layer: network security protection for industrial control systems needs to be carried out in conjunction with production processes and operating procedures.
(3) The third layer: network security protection for industrial control systems must also cover all stages of the industrial control system's lifecycle, including design, production, debugging, engineering implementation, maintenance, and operation.
Cybersecurity protection of industrial control systems is an extremely complex systems engineering project. It requires returning to the original purpose and essence of control systems, and simultaneously addressing multiple aspects such as the software, hardware, network, production processes, production equipment, etc., in order to truly and effectively protect the security of critical national infrastructure.