Recommended Practices

Control System Business Communications DMZ

Abstract


Control Systems Cyber Security Defense in Depth Strategies

Research has shown that information infrastructures across many public and private domains share several common attributes in IT deployment and data communications for control systems. A majority of the systems use robust architectures to enhance business and reduce costs by increasing the integration of external, business, and control system networks. However, multi-network integration strategies often lead to vulnerabilities that greatly reduce the security of an organization, and can expose mission-critical control systems to cyber threats. This document provides guidance and direction for developing 'defense-in-depth' strategies for organizations that use control system networks while maintaining a multi-tier information architecture that requires:

  • Maintenance of various field devices, telemetry collection, and/or industrial-level process systems
  • Access to facilities via remote data link or modem
  • Public facing services for customer or corporate operations

Mitigations for Security Vulnerabilities Found in Control System Networks

Industry is aware of the need for Control System (CS) security, but in on-site assessments, Idaho National Laboratory (INL) has observed that security procedures and devices are not consistently and effectively implemented. The Department of Homeland Security (DHS), National Cyber Security Division (NCSD), established the Control Systems Security Center (CSSC) at INL to help industry and government improve the security of the CSs used in the nation’s critical infrastructures. One of the main CSSC objectives is to identify control system vulnerabilities and develop effective mitigations for them. This paper discusses common problems and vulnerabilities seen in on-site CS assessments and suggests mitigation strategies to provide asset owners with the information they need to better protect their systems from common security flaws.

An Undirected Attack Against Critical Infrastructure: A Case Study for Improving Your Control System Security

Computer virus incidents cost companies billions of dollars every year. While antivirus technologies for detection and containment are attempting to keep pace, the threat is constantly evolving. The attack vector is no longer simply an infected executable on a floppy disk. Email, websites, macro-enabled documents, instant messages, peer-to-peer networks, cell phones, and other interconnected systems are all potential entry points onto our networks for a wide range of malware [1]. Our ability to successfully defend these entry points, as well as recover in the event of a given contamination, needs improvement. Such is the situation for the water treatment facility featured in this case study, where systems on its networks were repeatedly compromised by malware over the span of a couple of days. Symptoms of this infection are first noted when network performance degrades significantly on several systems, but the actual compromise is not recognized until the Internet Service Provider (ISP) of the facility relays a message regarding a suspected worm outbreak emanating from the facility’s network. The offending systems are eventually identified, taken off-line, scanned, and disinfected. Unfortunately, the source carrier (a mobile laptop) of the worm is not identified and cleaned during the initial recovery process. Even though steps were being taken to address the vulnerability issues in the environment, the day after restoring operations, systems on the network are once again infected, further compounding the overall incident. The inability to effectively defend against and respond to the outbreak results in a loss of data, disruption in operation, and ultimately substantial financial impacts.

DHS Bulletin: Securing Control Systems

Control Systems (CS) manage the nation’s Critical Infrastructure; therefore, it is paramount that secure systems be established. However, integrating security into control system environments is a much more inflexible process than in general IT networks. In light of this and the incredibly varied architecture of CS networks, control systems administrators and operators must carefully review the recommendations for securing control system networks before applying the changes. Testing and deployment of security configurations or updates should be performed on development, test, or backup systems and monitored carefully for impact before being put into practice on a production control system.