Industrial control systems security needs more work
Expert says standard antivirus protection and encryption technologies applied to industrial control systems could shut them down.
Federal agencies and industries that use industrial control systems must avoid applying standard information security measures to secure such systems, an engineering expert advised members of the federal Information Security and Privacy Advisory Board, which met Sept. 13.
Keith Stouffer, a mechanical engineer at the National Institute of Standards and Technology’s Intelligent Systems Division, said standard antivirus protection and encryption technologies applied to industrial control systems could shut them down and, in some cases, create a public safety hazard.
Industrial control systems are typically field devices known as programmable logic controllers. “They’re basically stripped down PCs,” Stouffer said. They can’t handle cryptographic functions, such as authentication and encryption, which makes them vulnerable, he added.
Newer industrial control systems are built with Microsoft Windows operating systems and IP protocols “because they’re cheaper and easier to use,” Stouffer said. But by replacing systems built with specialized proprietary software and protocols, government and commercial industries have made their industrial control systems vulnerable to cyberattacks.
“That transition happened without thinking about security,” Stouffer said. “Now we’re having to fix what we asked for.”
Work is under way to develop security configurations for industrial control systems, he added.
Stouffer said many industry executives are unaware of cybersecurity vulnerabilities in their factories and critical infrastructures. “A lot of the higher-ups don’t know they have modems connected to the Internet,” he said. Cyberattackers can use tools called war dialers to find modems connected to industrial control systems.
The nuclear industry is probably safer than most, added Bruce Brody, the Energy Department’s associate chief information officer of cybersecurity and a member of the security advisory board. The nuclear industry still relies on proprietary protocols, so the security threat is not as great, he said.