Defense In Depth Enables Protection Of Critical Pipeline Assets

By Torjus Gylstorff | November 2012, Vol. 239 No. 11

Industrial Control Systems (ICS) – such as supervisory control and data acquisition (SCADA) systems – manage and monitor critical storage, refining and distribution operations at many energy pipeline companies. These systems collect data from points throughout the operation and communicate control commands to equipment located both locally and remotely.

These systems have typically run behind the scenes, but have more recently become front and center as information about real and potential cyberattacks has appeared in the media. Hostile governments, competitors, terrorist groups, disgruntled employees and other malicious intruders know these systems offer a trove of confidential and potentially very damaging data.

The types of critical infrastructure that industrial control systems manage include physical and IT assets, networks and services that, if disrupted or destroyed, could have a serious impact on the health, security and/or economic well-being of both people in the immediate area and the country at large.

Due to the critical nature of ICSs and the facilities they control and manage, all levels of management at these facilities must put security of these systems at the top of their agendas.

Until recently, security concerns over ICSs were limited to physical attacks. Because these were closed systems, managers assumed that if operational consoles were isolated and only authorized personnel were allowed to gain access to the network, any security issues were covered. There was limited risk of malfeasance since few people had the technical expertise to operate the system and data communication paths were isolated.

Today’s situation is completely different. IT teams at energy companies have recognized that lower costs, easier accessibility and improved efficiency can be gained through connecting their IP-based operations network to their ICSs. Today’s systems are directly or indirectly connected to corporate networks and the Internet, which exponentially increases the security risks to which they are exposed, far beyond physical attacks. Multiple factors have contributed to the increased exposure of industrial control systems. These include:

1) Technical information availability – Public information about infrastructure and control systems is available to potential hackers and intruders. Potential hackers can easily find design and maintenance documents and technical standards for critical systems on the Internet, threatening overall security.

2) Remote connections that are vulnerable – Connections such as virtual private networks (VPNs) and wireless networks are used for remote diagnostics, maintenance and examination of system status. If users fail to incorporate robust identification, authentication and encryption into their communications, the integrity of any information transmitted is in question.

3) Networking of control systems – Organizations have increased connectivity through the integration of their control systems and enterprise networks. Any breach at any point in the network exposes all the information – ICS-related data, e-mails, corporate information, etc. – to intruders.