An industrial process control system (PCS) is an integrated hardware and software system specifically engineered to monitor, evaluate, and regulate complex, large-scale processes. Such systems are often embedded and hybrid systems, since computers are integral parts of them.
Initially, PCS had little resemblance to traditional information technology (IT) systems in that PCS were isolated systems running proprietary control protocols using specialized hardware and software. Widely available, low-cost Internet Protocol (IP) devices are now replacing proprietary solutions, which increases the possibility of cyber security vulnerabilities and incidents. As PCS are adopting IT solutions to promote corporate business systems connectivity and remote access capabilities, and are being designed and implemented using industry standard computers, operating systems (OS) and network protocols, they are starting to resemble IT systems.
This integration supports new IT capabilities, but it provides significantly less isolation for PCS from the outside world than predecessor systems, creating a greater need to secure these systems. While security solutions have been designed to deal with these security issues in typical IT systems, special precautions must be taken when introducing these same solutions to PCS environments. In some cases, new security solutions are needed that are tailored to the PCS environment.
Examples of PCS include the supervisory control and data acquisition (SCADA) systems that manage the electric power grid and the PCSs that control the timing and volume of processes in the chemical industry. PCS technologies also control the distributed sensor and actuator elements of pipeline systems for gas, oil, and water distribution. They manage supply chains and associated transportation systems, and they increasingly control building security, fire protection, environmental systems, lighting, and communications. Automated manufacturing processes often depend on PCS networks to improve quality control and enable response to crises as well as to reduce costs.
Because attacks interrupting or damaging key PCSs could have rippling impacts across the economy, these systems may increasingly be viewed by adversaries as attractive targets that can be exploited to weaken or incapacitate U.S. industry and infrastructure. Critical infrastructure sectors debate whether or not an exclusively electronic attack on control technologies could indeed have significant impact, given the industries’ backup power systems and investment in “fail safe” or otherwise resilient designs for physical systems. But trends in the application of IT in these sectors point to increasing rather than decreasing levels of vulnerability and exposure in their infrastructures.
In the past, many PCS technologies used proprietary designs. Today, in the interest of reducing cost and improving maintainability, these systems mainly rely on standardized equipment and technologies, including general-purpose computers, mainstream operating systems, and standard Internet protocols, which are more vulnerable to attack. Many organizations view increasing use of the Internet as well as wireless and Web-based control systems as not only cost-effective but inevitable developments. Furthermore, cost-reduction measures are leading to increased linking of the networks that support control systems with the internal and external corporate networks that support ordinary business operations, further increasing the exposure of control systems to external attacks.
For example, wireless control systems reduce cabling and installation costs. These systems typically use short-range wireless technologies, but signals still may be susceptible to attack from outside a building’s perimeter if transmission patterns are not designed carefully.
These trends suggest that assaults on computerized control systems will be increasingly within reach of a wide array of attackers. The main uncertainty is the extent to which systems are already at risk due to a combination of direct or indirect Internet connectivity and security vulnerabilities such as inadequately secured wireless access, unpatched software, or insufficient authentication or access control policies and mechanisms.