The growing use of Ethernet and TCP/IP in industrial devices (replacing dedicated networks) has made it necessary to reach a higher level of security against the common threats found on Ethernet networks. These threats can be deliberate (attackers), collateral (viruses and worms) or accidental (misconfigurations). Moreover, the introduction of more IT functionality into process-control devices gives us more reasons to perform security analysis to find any possible weak points.

The collaboration between Siemens and CERN openlab focuses on the robustness of automation devices (e.g. Programmable Logic Controllers) through a deep investigation of these devices' resistance against attacks. More specifically, the major aim of the project is the definition of a test bench and specific procedures, which allow us to perform a security mapping of devices' architecture and to simulate common attacks originating from either the internal or the external network.

Once the security mapping is complete, it is necessary to generate a detailed vulnerability report. The report specifies the security breaches that need to be analysed in order to develop several practical and easy-to-apply solutions to fix those vulnerabilities.

Standards and guidelines can be used to help identify problems and reduce the vulnerabilities in a cyber security system. By knowing the problems and vulnerabilities, standards can be applied to cyber security systems to minimize the risk of intrusion. This is why at the beginning of our activities we compared three cyber security standards: ISA-99 (and part of the ISA-95), NERC-CIP and IEC-62351.

During the analysis of these standards we have noticed lots of congruencies and some discrepancies in the specific approaches that they suggest. At the end of this analysis, ISA-99 seems to be the most relevant standard, the only one able to cope with the wide heterogeneity of control systems (also relevant for CERN experiments).

This also implies that the ISA-99 approach is quite general and can only provide theoretical (rather than practical) guidance and direction on how to establish and implement procedures (above all in the assessment phase, in designing the security plan and in defining the security policies). The ISA-99 standard also endorses the defense-in-depth model as the customer's security scheme: it recognizes that some attacks will inevitably penetrate the boundaries and thus requires further protections within the boundaries.

Programmable Logic Controllers represent the lowest level in the layered architecture of control systems. As such, they are an essential link in any defense-in-depth strategy and must be considered as first-class citizens in the chain of control.

Component testing aims to ensure that a specific component meets the required security specifications. To do this we have defined some procedures and an entire test bench, which allow us to validate the confidentiality, integrity and availability of every process-control device. In this context, one of the major problems is defining the features and key cyber-security aspects (relevant to CERN) that must be tested, and the minimum level of compliance that would allow us to identify whether a component is safe or not.

Unfortunately, at the moment there are no standards able to provide any criteria or specific procedures that must be followed. For this reason, we have developed and deployed specific attack techniques and methodologies to evaluate the robustness of process-control devices.

In the following phase, we are reporting all of the discovered vulnerabilities that need to be fixed to improve the quality and security level of these control devices, which are widely deployed at CERN.

Useful link

CERN openlab:

• This article was published in the CERN openlab newsletter in January 2010.