Information security of industrial enterprises
Information security of industrial enterprises is an integral part of national security. An information attack on an automated control system can cause an accident and damage property and the life and health of citizens.
Enterprise information security threats
Attention to the information security of enterprises increased after many ICSs were infected with the Rootkit.Win32.Stuxnet virus. It spreads through flash drives, and any adjuster or foreman taking readings from the system health sensors can infect the entire ICS without malicious intent. The virus exploits vulnerabilities in Windows operating systems, and its activity can suspend the operation of the enterprise.
An ACS, as an information system, differs from office systems: it is a multicomponent software and hardware complex, which consists of:
- automated workplaces;
- application servers and databases;
The components interact through network devices designed for industrial use and through specialized and standard communication protocols, including the TCP/IP stack, which transfers information layer by layer in small portions, with TCP carried over IP and IP, in turn, over Ethernet. Geographically dispersed and sometimes moving objects are managed over wireless local area networks, and access is provided via the Internet and web interfaces. But the integration of ICS with the information systems of organizations has created new channels for the penetration of threats. Previously an external attacker found it extremely difficult to connect to the control channels of the ICS; now, after the proliferation of wireless technologies and the creation of interfaces that combine the ICS with enterprise control systems, it has become much easier to block production or cause an accident.
Information security risks are now divided into two groups:
- risks of external or internal intrusion into information management systems with the aim of stealing information or blocking activities;
- risks of external intrusion or deliberate actions of users aimed at destabilizing the operation of the automated control system.
The features of the ACS make it impossible to use the full set of technical and software measures and tools that protect office information systems. Additional security measures are required.
Automated control systems and their specificity
Automated control systems are most susceptible to the risk of losing information integrity. Spoofing or destroying a packet of data sent over the network can stop production or cause an accident. Software protection tools should be included in the architecture of the ACS only to a minimal extent: given the system's limited resources, they can negatively affect the main processes it implements.
The main sources of risk for ACS are:
- actions of service personnel who violate established safety rules, for example, using flash drives without first checking them with an antivirus;
- errors of employees of companies that provide technical support for software products installed in the ACS, as well as personnel of system integrators;
- sniffing, or interception of information packets by external attackers. The controllers and SCADA systems used in the industry do not have sufficient resistance to incorrect input packets;
- obsolescence of the ACS. Its life cycle is 15-30 years, and many industrial facilities still operate SCADA systems configured to work with Windows NT or Windows 98, which creates an increased level of risks for information security of industrial enterprises. Now SCADA and OPC (OLE for Process Control) servers, PLCs and other components of automated control systems must be isolated from the Internet.
The risk of ICS obsolescence can be reduced by using virtualization systems, but their use entails another risk: attackers connecting to the systems via wireless networks. Such a connection requires a directional antenna and is possible even over a long distance. The ACS perimeter needs to be protected at the logical and physical levels, and for this, access systems, access control, and firewalls are used. A separate solution is the creation of demilitarized zones for the exchange of information between the ACS and office information systems, which excludes direct contact between the networks and the possibility of direct access to the ACS from the office.
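The demilitarized-zone rule described above can be checked mechanically against a firewall ruleset. The following is an added example, not part of the original article: the addressing plan, the rule format and the sample rules are constructed assumptions, and rule ordering and shadowing are not evaluated.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the article).
ICS = ipaddress.ip_network("10.30.0.0/16")   # controllers, SCADA, OPC servers
DMZ = ipaddress.ip_network("10.20.0.0/24")   # data-exchange hosts
TRUSTED_PEERS = (ICS, DMZ)                   # only these zones may talk to the ICS

def _touches_ics(net):
    # True if any address in the range belongs to the ICS zone.
    return net.overlaps(ICS)

def _is_trusted(net):
    # Trusted only if the whole range sits inside the ICS or the DMZ,
    # so broad ranges such as 0.0.0.0/0 or 10.0.0.0/8 are never trusted.
    return any(net.subnet_of(zone) for zone in TRUSTED_PEERS)

def audit(rules):
    """Return ids of allow rules that connect the ICS directly to any
    network other than the DMZ, in either direction."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        inbound = _touches_ics(dst) and not _is_trusted(src)
        outbound = _touches_ics(src) and not _is_trusted(dst)
        if inbound or outbound:
            findings.append(rule["id"])
    return findings

# Constructed sample ruleset; 10.10.0.0/16 plays the office network.
SAMPLE_RULES = [
    {"id": "r1", "src": "10.10.0.0/16", "dst": "10.20.0.10/32", "port": 443, "action": "allow"},   # office -> DMZ
    {"id": "r2", "src": "10.20.0.10/32", "dst": "10.30.1.5/32", "port": 4840, "action": "allow"},  # DMZ -> ICS
    {"id": "r3", "src": "10.10.5.0/24", "dst": "10.30.1.5/32", "port": 3389, "action": "allow"},   # office -> ICS
    {"id": "r4", "src": "0.0.0.0/0", "dst": "10.30.0.0/16", "port": 502, "action": "allow"},       # any -> ICS
    {"id": "r5", "src": "10.30.2.0/24", "dst": "0.0.0.0/0", "port": 80, "action": "allow"},        # ICS -> any
    {"id": "r6", "src": "10.10.0.0/16", "dst": "10.30.0.0/16", "port": 0, "action": "deny"},       # explicit block
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

Rules r3, r4 and r5 are reported because each gives the ICS a path that bypasses the DMZ; r1 and r2 together form the intended office-to-DMZ-to-ICS exchange.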
Basic situation with information security at enterprises
When starting to develop an enterprise information security system, it is necessary to audit not only the network architecture, but also the general situation with personnel management and with information, technical, human and financial resources. Based on the audit, a set of organizational and technical measures is implemented.
Standard inspection often reveals that:
- enterprises lack information security incident management systems and a decision-making system based on the results of their analysis;
- there are no software tools for detecting external intrusions at all;
- there are no software solutions for detecting external anomalies;
- systematic audit of the information security status is not provided;
- security analysis of ACS complexes is not carried out.
From the point of view of staffing, audits reveal the absence of personnel responsible for the information security of the automated control system and of qualified information security specialists in general.
From the point of view of documentation and organizational support, the following is often revealed:
- there are no clear procedures and regulations for ensuring information security in the ACS;
- companies refuse to comply with the basic requirements of economic and information security at the enterprise in terms of implementing the necessary organizational measures, for example, establishing different degrees of access for employees of different levels;
- the tasks of updating the software of both operating systems and application software are not performed, even if the updates are critical to the security of the system;
- most ICS components lack a multi-factor authentication model.
But the work to improve the security system does not stand still. Because many enterprises are objects of critical information infrastructure (CII, transliterated from Russian as KII), new regulatory requirements begin to apply to them. FZ-183, which deals with the safety of CII facilities, classifies them as objects of increased importance:
- social. Accidents on them can cause damage to the life, health and property of a large number of people;
- political. The failure of the facility can harm the interests of the Russian Federation in the field of domestic and foreign policy;
Most large production facilities are entered in the CII register, which automatically extends to them the FSTEC requirements for their protection, as well as the requirements of the FSB of the Russian Federation for connecting to the GosSOPKA system. The requirements are aimed at solving the following tasks:
- preventing unauthorized access to information processed at the facility, excluding its leakage, destruction, blocking, substitution;
- elimination of such an impact on information processing facilities, as a result of which the continuity of the production cycle could be disrupted;
- prompt restoration of the CII object after unlawful impact on the information infrastructure, by means of backup storage of information and incident response tools;
- continuous interaction with the GosSOPKA system.
Software and hardware solutions do not stand still either. Modern SCADA and HMI (Human-Machine Interface) systems are significantly superior to their predecessors in terms of safety requirements. This leads to an increase in:
- fault tolerance;
- recovery speed in case of failure;
- quality of a role-based access control model based on separation of duties technology.
In addition, attack-resistant authentication and authorization mechanisms are implemented, and users are isolated from the interfaces of the operating system that controls the operation of the ICS.
Communication channels remain a weak point, unstable to external influences, if they are not implemented in the Ethernet format. Despite this, most of the models for implementing an enterprise information security system are based on software from Siemens, which has become a leader in this area. Experts identified shortcomings in the authentication mechanisms of the Siemens WinCC system and the Emerson DeltaV digital automation system, which allow not only bypassing the verification procedures, but also executing arbitrary code in SCADA. It was these shortcomings that led to the systemic infection of ICS with the Rootkit.Win32.Stuxnet virus.
Although software manufacturers have eliminated the main problems in new versions, the update cycle of automated control systems, sometimes 20-25 years, does not make it possible to change the software. Updating and replacing ACS components is possible only during a planned shutdown of production for repairs and updates, which is extremely rare. Accordingly, vulnerabilities persist.
In this situation, the most common causes of interruptions in the operation of the automated control system are:
- failures of software and hardware that occur as a result of unintentional actions of ACS users;
- crashes due to software bugs;
- intentional or unintentional infection with malware;
- hardware and software failures;
- shutdown of ACS equipment as a result of power outage or other man-made reasons;
- failures of network equipment and disruptions in the operation of communication channels.
Modern ICS developers in Russia can in most cases eliminate these problems; they can use large repositories of open-source software. Modern programming languages and foreign and domestic technical equipment are available. In new ACSs, most of the problems of the systems of the previous period will be solved.
ACS efficiency characteristics
The Russian standard for assessing the effectiveness of ACS, GOST 24.701-86 "Unified system of standards for automated control systems. Reliability of automated control systems", describes the following characteristics of the system's performance in terms of its information security:
- minimum recovery time after failure;
- the probability, as a percentage, of working without failures for a certain time;
- the probability of complete recovery.
As for foreign risk management standards, in Russia they are reflected in GOST R 51901.5-2005 (IEC 60300-3-1:2003) "Risk management. Guidelines for the Application of Reliability Analysis Methods". The standards help to calculate the security parameters of the system at the hardware and software level, without taking into account the human factor.
In 1970-1990, a large-scale OGAS project was being implemented in the USSR, aimed at creating a unified enterprise management system; more was allocated for its implementation and financing than for space exploration and nuclear power combined. After the business management system changed from a completely state-owned to a mixed one, the project was terminated, but the documents created within its framework are now being analyzed for use in new general regional and sectoral systems of industrial enterprise management. Many of the solutions created in the 1980s are still not outdated, especially considering that the age of most automated control systems is approaching 15-20 years and they still support the viability of production. It is assumed that the next stage in the development of the GosSOPKA system will be the transfer of production cycle management processes to a single model.
Other types of systems that ensure information security of industrial enterprises
A plant or manufacturing giant such as AvtoVAZ is not limited to automated control systems in its work. Other production and business process management systems are also in use:
- ERP systems. They balance the interests of financial management (saving the resources of the enterprise), the manufacturing sector (maintaining a constant level of utilization of production facilities) and marketing departments (reducing the volume of backorders). The ERP systems now on the market include those of foreign developers, SAP R/3, Baan, Scala, Axapta, Salesforce, and national software products developed by Galaktika, Parus, 1C, Ilada, Cepheus ... The advantage of implementing such solutions is the ability to link the information networks of many legal entities that are part of holding structures into a single system. ERP does not work with such information objects and flows as design development, routing and operational technologies, quality management, warehouse management, customer and supplier relationship management, business process management, electronic document management, reporting. To implement each of these tasks, independent software products are required;
- CRM systems, whose architecture is sometimes inseparable from SFA (Sales Force Automation). As software products and systems that mediate interaction with customers, they turned out to be the most convenient solutions for Russian businesses that sell their own industrial products. The first system on the market was Sales Expert; now there are enough Russian products of approximately the same level of development, both open source and sold under license;
- PM (Project Management). For enterprises, they turn out to be the most demanded systems that allow them to manage construction projects, production and launch of new equipment and technologies. Such systems usually work for a group of employees with an equal degree of access, and from the point of view of information security of enterprises, they are vulnerable to destruction, blocking or substitution of information;
- BPMS (Business Process Management Systems). These enterprise management systems structure production cycles in the form of business processes, creating unified optimized chains of actions that save resources. The software analyzes processes and cuts out unnecessary or duplicate steps;
- BPM (Business Performance Management), other software names - Enterprise Performance Management (EPM), Strategic Enterprise Management (SEM) and Corporate Performance Management (CPM). The system implements the tasks of enterprise performance management. The tool implements metrics, processes and methodologies to assess all performance criteria - from cost of production to the quality of working time. The tool allows you to develop and evaluate systems of key performance indicators, it is useful for fine-tuning the work of an enterprise.
All these systems work together with the automated control system, using its data obtained in real time. Their information security is ensured by the general principles of enterprise IP protection, but when solutions are purchased on the market that are not developed or customized specifically for the needs of a particular company, security may be implemented at an insufficiently high level. Leaks of confidential information continue to be a problem, as do denial of service and systemic virus infections.
So far in Russia, not a single system of complete management of the enterprise work cycle from one manufacturer has been implemented, which causes redundancy of spent resources in some areas and their lack in others. But the logic of the industry's development should lead to the implementation of such projects.