Process control systems (PCSs) are instrumental to the safe, reliable and efficient operation of many critical infrastructure components. However, PCSs increasingly employ commodity information technology (IT) elements and are being connected to the Internet. As a result, they have inherited IT cyber risks, threats and attacks that could affect the safe and reliable operation of infrastructure components, adversely affecting human safety and the economy. This paper focuses on the problem of securing current and future PCSs, and describes tools that automate the task. For current systems, we advocate specifying a policy that restricts control network access and verifying its implementation. We further advocate monitoring the control network to ensure policy implementation and verify that network use matches the design specifications. For future process control networks, we advocate hosting critical PCS software on platforms that tolerate malicious activity and protect PCS processes, and testing software with specialized tools to ensure that certain classes of vulnerabilities are absent prior to shipping.
Keywords: Process control systems, access control, intrusion detection, secure platforms, vulnerability testing
Copyright information
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Cunningham, R. et al. (2008). Securing Current and Future Process Control Systems. In: Goetz, E., Shenoi, S. (eds) Critical Infrastructure Protection. ICCIP 2007. IFIP International Federation for Information Processing, vol 253. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-75462-8_8
DOI: https://doi.org/10.1007/978-0-387-75462-8_8
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-75461-1
Online ISBN: 978-0-387-75462-8
eBook Packages: Computer Science, Computer Science (R0)