Why Industrial Process Controllers shouldn’t have any access to the Internet

A Silent Attack, But Not a Subtle One

This is another article about the Stuxnet worm. It’s becoming more apparent that the actual target was the nuclear program in Iran. However, the worm is spreading throughout the world, affecting virtually all Siemens industrial controls.

This underscores a problem that plagues most manufacturing plants around the world: the computers used to control processes also have access to the Internet. According to this article, it’s estimated that industrial plants have about 90 days before hackers start using the worm (and the vulnerabilities that it targets). The first 30 to 45 days should be spent isolating the process control systems from the Internet (and from any Internet-capable computers).

This will require them to reconfigure routers, switches, and the computers themselves, in effect creating a network inside of the network. In theory, the easiest way to do this is to create a subnet (and Virtual LAN) that is used specifically for the process. At the router level, create ACLs which deny any traffic between that subnet and the outside world. Then, in the offices and control rooms, configure one set of computers to use that subnet and another set for the regular plant networks. The only exception to the ACL would be a server which is used for VPN access into the network.
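To make the ACL idea concrete, here is an added example (not from the original article) that parses a simplified router ACL, evaluates it first-match with an implicit deny, and reports any permitted flow that crosses the process subnet boundary without going through the VPN server. The addresses, the "permit|deny SRC DST" rule syntax, and the probe flows are all constructed assumptions.

```python
import ipaddress as ip

# Constructed addressing plan (assumptions, not from the article).
PROCESS_NET = ip.ip_network("10.50.0.0/24")  # process-control subnet/VLAN
VPN_SERVER = ip.ip_address("10.50.0.10")     # the single ACL exception

WEAK_ACL = """
permit any 10.50.0.10/32
permit 10.50.0.10/32 any
permit 10.50.0.0/24 10.50.0.0/24
permit 10.50.0.0/24 any      # process hosts -> anywhere
deny any 10.50.0.0/24
permit any any
"""
HARDENED_ACL = WEAK_ACL.replace("permit 10.50.0.0/24 any", "deny 10.50.0.0/24 any")

PROBES = [  # constructed (src, dst) test flows
    ("10.50.0.21", "198.51.100.7"), ("198.51.100.7", "10.50.0.21"),
    ("192.168.10.5", "10.50.0.21"), ("203.0.113.9", "10.50.0.10"),
    ("10.50.0.21", "10.50.0.22"), ("192.168.10.5", "198.51.100.7"),
]

def _net(field):
    return ip.ip_network("0.0.0.0/0" if field == "any" else field)

def parse_acl(text):
    """Parse 'permit|deny SRC DST' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if fields:
            rules.append((fields[0], _net(fields[1]), _net(fields[2])))
    return rules

def decide(rules, src, dst):
    """First matching rule wins; no match means implicit deny."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def audit(rules, probes):
    """Return permitted flows that cross the process boundary and bypass the VPN server."""
    leaks = []
    for src, dst in probes:
        a, b = ip.ip_address(src), ip.ip_address(dst)
        crosses = (a in PROCESS_NET) != (b in PROCESS_NET)
        if crosses and VPN_SERVER not in (a, b) and decide(rules, src, dst) == "permit":
            leaks.append((src, dst))
    return leaks
```

Running audit(parse_acl(WEAK_ACL), PROBES) flags the outbound flow from a process host, which the inbound deny alone does not stop; the hardened rule set returns no leaks.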

For access from outside of the plant, engineers and other authorized persons would have a laptop that VPNs into the process subnet OR the plant subnet, but not both at the same time. The security of this system can be maintained through a combination of means.

  • For instance, Microsoft created a networking system which refuses connections from devices that are not fully updated. This could be used to ensure that the laptop isn’t infected (or potentially infected).
  • Secondly, as of right now, the Unix/Linux operating systems are virus-free. So, the worms which are infecting Windows computers (and then the Process Control Systems via the network) will be rendered useless. ***Note this is a double-edged sword***
  • Finally, company policies which prohibit the use of company laptops for personal business (read as surfing the Web, playing videos and music, etc.) and prohibit the use of thumb drives or other non-company-approved devices on the Process Systems would go a long way towards slowing this. Not only do the policies need to be in place, but they need TEETH. If an employee signs a paper which specifically states that they are personally liable for any damages resulting from violations of the policy, they’re less likely to violate the policy.

I mentioned that the second means was a double-edged sword. This is because, as of right now, there are virtually no viruses or malware aimed at the *nix operating systems (this includes Unix, Linux, Mac OS, and BSD variants). However, if they are being used for Process Controls, you can bet that virus writers will start targeting those operating systems. So, the people in charge of securing them need to step up NOW to make sure that their tag-line of the “secure operating system” holds true.

Have a great day:)
Patrick.
