The ICS security community is seeing a lot of new products and advertisements offering the ability to monitor and control your process from anywhere with a smartphone or iPad. The trend is almost certainly going to increase with the growing market penetration and reliance on these devices for many other business and personal apps. This can be terrifying for those responsible for DCS and SCADA security, especially when you see products saying:
“ScadaMobile is an HMI app for the iOS platform that will allow you to monitor Registers and Values in Programmable Logic Controllers (PLCs) and RTUs in real time, create customized lists with pages, sections and controls, track alarms and events, display trend graphs and much more.” They show this iPhone/iPad app communicating directly with PLCs via Modbus TCP or EtherNet/IP.
All with hardly a mention of the security risks of doing this beyond saying they use SSL. And even the SSL claim isn’t accurate if the smartphone is connecting directly to the PLC rather than through an intermediary web or terminal server, since a PLC speaking plain Modbus TCP or EtherNet/IP has no SSL to offer. The EnergySec gang was busy tweeting on this topic late last week.
Maybe it’s time to break down mobile ICS access so we can focus on the real issues. It really isn’t significantly different from remote access via laptop, except that a lot more of your people will want it.
Control and Administration
This is what people get nervous about, and for good reason. Remote access that provides control, or the ability to affect control, of a process should only be used for emergency access and with just about every security measure possible. Many owner/operators actually don’t allow remote control by policy, even if they have an emergency remote access capability for the operations equivalent of system admins. The remote users make the system changes and then the operators in the control room perform all control functions.
Emergency remote access is required for most systems. The SCADA or DCS vendor may need to be brought into the picture in an emergency and most ICS still have a small number of people who can quickly solve the most complex problems. If you don’t have a secure emergency remote access capability, odds are an insecure method will be quickly put in place during an emergency.
This is not a new problem. Owner/operators have had emergency remote access capability that is air gapped until it is needed. Some even put this on a timeout just in case the disconnect is forgotten. Remember they are engineers, so they know how to create an actuator to open a circuit. They also use VPNs and strong two-factor authentication.
Accessing data is actually a solved problem as well. The data can be pushed out as far as you want with the appropriate security controls: from the control center to the ICS DMZ, to the Enterprise, to the Enterprise DMZ, or a combination of these. The biggest risk is that the data privacy will be compromised, not the integrity or availability of the process.
The question we always ask clients is whether there is a compelling business reason for this data to be available. This is why we selected the picture of a man looking at his iPad in a subway station. Does he really need process data or KPIs there? This is not a security question; it’s a business question. It also isn’t an all or nothing question. Owner/Operators can determine what data is available where and for whom.
You could argue that the pushed out data communication chain could be exploited all the way back to the control center because there is some allowed communication between each hop, unless you have implemented one-way security / a data diode somewhere. In fact, pushing data from the control center to a less secure zone is a good place for a one-way security solution.
It is true there is some additional risk if there is a new communication flow, but I’d argue that the additional risk is very small if a solution with the typical Internet access security controls is in place. In almost all networks there is already communication from the enterprise to the control center through one or more ICS DMZs. So the risk of an attacker with access to the enterprise trying to work back along a communication chain to the control center is already there.
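To make the "work back along the chain" argument concrete, here is a small zone-flow reachability model (an added example, not code from the original post). The zone names, the flows labelled EXISTING and the push chain are constructed assumptions; a "tcp" flow is treated as attackable from either end, a "diode" flow only in the push direction.

```python
from collections import deque

# Constructed zone model for the "pushed out data" argument above.
# A flow is (initiator, responder, kind):
#   "tcp"   - ordinary two-way session: an attacker on either end can attack
#             the other (a listening service, or a client parsing replies)
#   "diode" - one-way push: data leaves the initiator, nothing comes back

def attack_graph(flows):
    """Map each zone to the zones an attacker sitting there can reach."""
    adj = {}
    for src, dst, kind in flows:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set())
        if kind == "tcp":
            adj[dst].add(src)
    return adj

def reachable(flows, start):
    """Zones reachable from `start` by chaining allowed flows (BFS)."""
    adj = attack_graph(flows)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def exposure(flows, target="control_center"):
    """Zones from which an attacker can work back to `target`, sorted."""
    zones = {z for f in flows for z in f[:2]}
    return sorted(z for z in zones - {target} if target in reachable(flows, z))

# Assumed two-way links that exist in almost every network already
# (historian replication, patch pulls, remote desktop into the ICS DMZ).
EXISTING = [("enterprise", "ics_dmz", "tcp"), ("ics_dmz", "control_center", "tcp")]

def push_chain(first_hop):
    """Push process data outward; `first_hop` is how it leaves the control center."""
    return [("control_center", "ics_dmz", first_hop),
            ("ics_dmz", "enterprise", "tcp"),
            ("enterprise", "enterprise_dmz", "tcp")]

if __name__ == "__main__":
    for label, flows in [("existing links only", EXISTING),
                         ("existing + two-way push", EXISTING + push_chain("tcp")),
                         ("existing + diode push", EXISTING + push_chain("diode")),
                         ("isolated control center + diode push", push_chain("diode")),
                         ("isolated control center + two-way push", push_chain("tcp"))]:
        print(f"{label:40s} exposed to: {exposure(flows)}")
```

The output shows the post's point: with the usual enterprise-to-control-center links in place the enterprise is exposed before any push is added, and the push only matters (and the diode only pays off) once the control center is otherwise isolated.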
So the summary is:
- have a highly secure emergency remote access capability,
- don’t allow any regular remote control, administration or other access to operations,
- and determine that there is a legitimate need with real benefits before pushing the process data out to the mobile devices.
Image by robzand