May 09, 2012, 9:12 PM — SAVANNAH, GA. -- Operators of America's vital power, water and manufacturing facilities use industrial control systems (ICS) to manage them, and the security of these systems, increasingly linked with Microsoft Windows and the Internet, is now under intense scrutiny because of growing awareness that they could be attacked and cause massive disruptions.
Industrial facility operators are making efforts to follow security procedures, such as using vulnerability-assessment scanning tools to check for needed patches in Windows. But ICS environments present special problems, say managers who spoke on the topic at a conference organized by the Department of Homeland Security.
"A lot of my ICS systems are running on Windows Server 2003," said Tracy Waller, a manager in the process and controls engineering division at Savannah River Site, the sprawling Department of Energy facility in Aiken, S.C. where nuclear-weapons-related tasks, such as processing tritium and managing waste, is done. Supervisory control and acquisition systems (SCADA) "don't play well with Microsoft patches," he noted. The problem is that it's not always clear ICS will work properly after Microsoft patches are applied. Sometimes vendors want customers to buy new ICS gear to keep up with Windows releases.
Waller said it's not possible to scan the actual working ICS production network because it would likely bring it down, so an exact duplicated ICS network is maintained separately and scanned regularly as a surrogate network to check for and patch holes that involve Windows. Waller said he uses tools such as Hercules, Nessus and Shavlik (now owned by VMware) to monitor the ICS-based networks. Because ICS operates around-the-clock for industrial purposes, machine operators never log out. "Passwords are shared," he said, noting five shifts would use the same password, and who is at the controls is maintained through a written log check-in. "The password is changed once a year."
While ICS and SCADA once seemed safely tucked away in the depths of engineering, they are now subject to security demands from the IT and security departments, and the two groups don't always get along. Eric Cosman, engineering consultant at Dow Chemical said cooperation there is fostered by inviting the IT division into the plants to promote constructive discussion and choices. But at the same time, he said he hoped IT security professionals would abandon the role of "high priest." Infighting between IT and the process engineers makes everyone look like "the kids who can't get things done," he warned.