Control System Modem Pool Documentation



Control Systems Cyber Security Defense in Depth Strategies

Research has shown that information infrastructures across many public and private domains share several common attributes in IT deployment and data communications for control systems. Most of these systems rely on integrated architectures that improve business efficiency and reduce costs by connecting external, business, and control system networks. However, multi-network integration strategies often introduce vulnerabilities that greatly reduce the security of an organization and can expose mission-critical control systems to cyber threats. This document provides guidance and direction for developing 'defense-in-depth' strategies for organizations that use control system networks while maintaining a multi-tier information architecture that requires:

  • Maintenance of various field devices, telemetry collection, and/or industrial-level process systems
  • Access to facilities via remote data link or modem
  • Public facing services for customer or corporate operations

Creating Cyber Forensics Plans for Control Systems

Cyber forensics has been in the popular mainstream for some time and has matured into an information technology capability that is common among modern information security programs. Although scalable to many information technology domains, especially modern corporate architectures, developing a cyber forensics program can be a challenging task when it is applied to nontraditional environments such as control systems. Modern IT networks, through their data exchange mechanisms, data storage devices, and general computing components, provide a good foundation for a landscape that supports effective cyber forensics. Modern control systems environments, however, are not easily configured to accommodate forensics programs. Nonstandard protocols, legacy architectures that can be several decades old, and irregular or obsolete proprietary technologies can all combine to make the creation and operation of a cyber forensics program anything but a smooth and easy process.

This document takes the traditional concepts of cyber forensics and provides direction on adapting them to control systems operational environments. Its goal is to give the reader specifics on the complexity of cyber forensics for control systems, to allow organizations to create a self-sustaining cyber forensics program for their control systems environments, and to support the maintenance and evolution of such programs.

This document is organized into three major sections:

  • Section 1, Traditional Forensics and Challenges to Control Systems
  • Section 2, Creating a Cyber Forensics Program for Control Systems Environments
  • Section 3, Activating and Sustaining a Cyber Forensics Program.

The document addresses the issues encountered in developing and maintaining a cyber forensics plan for control systems environments. This recommended practice supports forensic practitioners in creating a control systems forensics plan, and assumes evidentiary data collection and preservation using forensic best practices. The goal of this recommended practice is not to reinvent proven methods, but to leverage them in the best possible way. As such, the material in this recommended practice provides users with the appropriate foundation to allow these best practices to be effective in a control systems domain.

Mitigations for Security Vulnerabilities Found in Control System Networks

Industry is aware of the need for Control System (CS) security, but in on-site assessments, Idaho National Laboratory (INL) has observed that security procedures and devices are not consistently and effectively implemented. The Department of Homeland Security (DHS), National Cyber Security Division (NCSD), established the Control Systems Security Center (CSSC) at INL to help industry and government improve the security of the CSs used in the nation’s critical infrastructures. One of the main CSSC objectives is to identify control system vulnerabilities and develop effective mitigations for them. This paper discusses common problems and vulnerabilities seen in on-site CS assessments and suggests mitigation strategies to provide asset owners with the information they need to better protect their systems from common security flaws.

Securing Control System Modems

This recommended practice provides guidance on methodologies for evaluating the security risks associated with modems and their use in an organization. It also offers methods for creating a defense-in-depth architecture that protects the system components that use modems for connectivity. It is assumed that the reader has a basic understanding of the vulnerabilities associated with modems and modem communications, as this information is available from other sources.

Sections 2 and 3 of the document discuss methods for assessing modem security, providing recommended resources for information and assessment tools, and methods for identifying and analyzing modem connections. Section 4 provides options for implementing modem security according to the types of connections and/or devices being used, and discusses methods such as authentication, logging, caller-ID filtering, and control system device security. Appendix A lists the resources used to create this document.
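The following is an added example, not code from the recommended practice or from its authors, showing how two of the Section 4 controls, caller-ID filtering and logging, fit together for a dial-up line into a control system. Every call attempt is normalized, checked against an allowlist of authorized numbers and a maintenance window, logged with the decision, and lines that collect repeated calls from unknown numbers are flagged. The phone numbers, line names, maintenance window, and the `timestamp line=... cid=...` record format are all hypothetical, and the call records are constructed for the example.

```python
"""Caller-ID allowlist filtering with logging for a control system modem pool.

Added example (not from the original document). All phone numbers, line names
and the record format are hypothetical; the call records are constructed.
"""
import logging
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("modem-pool")

# Hypothetical allowlist: normalized 10-digit number -> who it belongs to.
ALLOWLIST: Dict[str, str] = {
    "2085551234": "vendor-support",
    "2085559876": "field-tech-1",
}
# Hypothetical maintenance window during which authorized callers may connect.
MAINTENANCE_WINDOW: Tuple[time, time] = (time(8, 0), time(17, 0))

# Constructed call records in a hypothetical "timestamp line=<name> cid=<raw>" format.
CALL_LOG = """\
2024-03-04T09:15:00 line=RTU-A cid=+1 (208) 555-1234
2024-03-04T02:40:00 line=RTU-A cid=2085559876
2024-03-04T10:02:00 line=RTU-B cid=
2024-03-04T10:03:00 line=RTU-B cid=2085550000
2024-03-04T10:04:00 line=RTU-B cid=2085550001
2024-03-04T10:05:00 line=RTU-B cid=2085550002
"""

RECORD_RE = re.compile(r"^(\S+) line=(\S+) cid=(.*)$")


@dataclass
class CallAttempt:
    timestamp: datetime
    line: str
    caller_id: str  # raw caller-ID string; empty when blocked or unavailable


def normalize_caller_id(raw: str) -> Optional[str]:
    """Reduce a raw caller-ID string to 10 digits; None if nothing usable."""
    digits = re.sub(r"\D", "", raw or "")
    if len(digits) == 11 and digits.startswith("1"):  # strip NANP country code
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def evaluate_call(attempt: CallAttempt,
                  allowlist: Dict[str, str] = ALLOWLIST,
                  window: Tuple[time, time] = MAINTENANCE_WINDOW) -> Tuple[str, str]:
    """Return ("accept", identity) or ("reject", reason). Fails closed."""
    cid = normalize_caller_id(attempt.caller_id)
    if cid is None:  # blocked or missing caller ID is rejected, not waved through
        return "reject", "caller ID unavailable or blocked"
    identity = allowlist.get(cid)
    if identity is None:
        return "reject", f"{cid} not on allowlist"
    start, end = window
    if not (start <= attempt.timestamp.time() <= end):
        return "reject", f"{identity} outside maintenance window"
    return "accept", identity


def parse_record(record: str) -> CallAttempt:
    m = RECORD_RE.match(record)
    if not m:
        raise ValueError(f"unparseable record: {record!r}")
    return CallAttempt(datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).strip())


def process_log(records: List[str]) -> List[dict]:
    """Evaluate every record, log the decision, and return the decisions."""
    decisions = []
    for record in records:
        if not record.strip():
            continue
        attempt = parse_record(record)
        decision, reason = evaluate_call(attempt)
        log.info("%s line=%s %s: %s", attempt.timestamp.isoformat(), attempt.line, decision, reason)
        decisions.append({"timestamp": attempt.timestamp, "line": attempt.line,
                          "decision": decision, "reason": reason})
    return decisions


def suspicious_lines(decisions: List[dict], threshold: int = 3) -> List[str]:
    """Lines with at least `threshold` rejected calls from numbers not on the allowlist."""
    counts: Dict[str, int] = {}
    for d in decisions:
        if d["decision"] == "reject" and d["reason"].endswith("not on allowlist"):
            counts[d["line"]] = counts.get(d["line"], 0) + 1
    return sorted(line for line, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    results = process_log(CALL_LOG.splitlines())
    print("lines with repeated unknown callers:", suspicious_lines(results))
```

Caller ID is asserted by the telephone network and can be spoofed, so the allowlist is a filter that removes most unauthorized attempts and a log source for detecting probing, not an authentication mechanism; the accepted call still has to pass the modem's own login or callback, which is why the example fails closed on a missing caller ID rather than treating it as unknown but acceptable.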

The methods presented in this document should be evaluated by each user for effectiveness within their operating environment. This analysis should include the capabilities and limitations of any hardware and/or software solution selected to implement these methods. This document does not cover the physical security aspects of modem security. Physical security should be driven by the control system and its components. If the physical security of the control system and its components has been addressed appropriately, then the modems will be a part of this physical security perimeter.

Backdoors and Holes in Network Perimeters: A Case Study for Improving Your Control System Security

The Supervisory Control and Data Acquisition (SCADA) system of a natural gas utility was compromised, resulting in reduced operations. The breach was discovered when operator interfaces became unresponsive and the system was no longer acquiring data. As a result, the system was disconnected from the network, and a combination of manual operation overrides and limited failover to a backup server went into effect until the environment could be restored. Technicians troubleshooting the incident identified the deletion of several core application files on the primary control server as the source of the problem.