A view of Facility Industrial Control System Security

A 2019 US Department of Energy Inspector General report found that physical and logical access security controls did not always provide sufficient restrictions over information technology (IT) resources (Energy OIG 2019 p 2). This finding illustrates the environment facing critical infrastructure protection (CIP).

Technology is advancing in the systems used within, and the connectivity of, buildings, facilities, and complexes. The Edith Cowan University research team, in their 2017 report on building automation and control (BAC) systems (BACS), found that BAC is “… embedded into the contemporary building environment…” (BACS 2017 p i). The proliferation of interconnected systems brought about by the internet of things (IoT) will enhance a facility’s ability to become “system-smart.” From an infrastructure perspective, a system-smart facility is dependent on the other systems within its architecture, and that architecture will access and use both local and external systems. To secure access to external systems, facility owners must have agreements that assure the security of the external system’s access and connectivity.
The BACS Report found that the building environment must be flexible, adaptable, and sustainable, and that this interconnectivity exposes the building to threats and security issues. Secure local and remote access to devices, networks, and software applications is paramount (BACS 2017 p i). The BACS Report recommends that:
• Facility owners promote awareness of threats and risks
• Organizations improve cross-department liaison
• Partnerships be built among BACS experts, in-house staff, and external third parties
• A guideline be provided to aid stakeholders in achieving the security of the BACS
The BACS Guideline is a governance tool to promulgate a common language among the facility’s stakeholders (BACS 2017 p iii).
The BACS Report is definitive in its research findings and recommendations; implementing its key parts will take time. The international implications of BACS make it a CIP imperative: systems and devices can be accessed from anywhere there is connectivity. In the United States, the US Department of Homeland Security (DHS) provided guidance to the CIP community in the form of the National Infrastructure Protection Plan (NIPP). The NIPP provides guidance to the 16 critical infrastructure sectors. “Our national well-being relies upon secure and resilient critical infrastructure—those assets, systems, and networks that underpin American society. To achieve this security and resilience, critical infrastructure partners must collectively identify priorities, articulate clear goals, mitigate risk, measure progress, and adapt based on feedback and the changing environment.” (NIPP 2013 p 1) From this governance, each sector interprets the NIPP guidance to develop its own sector-specific plan; for commercial facilities this is the Commercial Facilities Sector-Specific Plan (CFSP). The sector plan provides general guidance to the industry based on the guidance in the NIPP. “…this plan represents a collaborative effort among the private sector; Federal, State, local, tribal, and territorial governments; and nongovernmental organizations to reduce critical infrastructure risk…” (CFSP 2015 p iii). To serve the sector’s need for cybersecurity guidance, DHS released the Commercial Facilities Sector Cybersecurity Framework Implementation Guidance (CFCSF) in 2015. This document “…recommends an approach that enables organizations to prioritize their cybersecurity decisions based on individual business needs without additional regulatory requirements…” (CFCSF 2015 p 1).
The CFCSF release of 2015 provides an approach that enables sector stakeholders to frame and prioritize their cybersecurity decisions (CFCSF 2015 p 1). This guidance was based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, issued in February 2014. The current version is Version 1.1, released in 2018. “… Version 1.1 of this Cybersecurity Framework refines, clarifies, and enhances Version 1.0, which was issued in February 2014. It incorporates comments received on the two drafts of Version 1.1…” (Framework 1.1 (2018) p ii). The CFCSF release of 2015 is thus a use-case implementation of the NIST Cybersecurity Framework.
Given this guidance at the national level, an implementation void remains. Throughout the BACS Report, instances are cited that highlight these voids. Before the release of the BACS Report in 2017, the US Government Accountability Office (GAO) released a report stating that the United States needed to address the cybersecurity risk to BACS in federal facilities (GAO-15-6 2015). Figure 1, taken from the GAO report, illustrates part of the facility situation by listing some of the BACS found in a building.
As shown in figure 1, “some types of building and access control systems in federal facilities include:
• closed circuit camera systems include cameras, televisions or monitors, and recording equipment, and provide video surveillance capabilities;
• access control systems include card readers, control panels, access control servers, and infrastructure such as door actuators and communications lines, which restrict access to authorized persons only;
• fire annunciation and suppression systems include fire alarms, emergency communication equipment, and water-based or non-water-based suppression systems, designed to prevent, extinguish, or control a fire or other life safety event;
• heating, ventilation, and air conditioning (HVAC) systems include equipment for heating, cooling, moisture control, ventilation or air handling, and measurement and control, often managed through a building automation system;
• power and lighting control systems include lighting devices and their controls, advanced-metering controls, power distribution systems, and emergency power or lighting systems, which are also often managed through a building automation system; and
• elevator control systems include operating machinery, safety systems, and a control system or panel.” (GAO-15-6 2015 pp 9-10)
As mentioned previously, BACS rely on the interdependence of the facility’s cyber architecture. GAO report 15-6 also provides an example of the connectivity of an HVAC system. Figure 2 shows an HVAC system connected to the internet. This graphic represents the evolution of BACS: the implementation increases the efficiency of the HVAC throughout the building, but placing these systems within the information technology enterprise presents many cybersecurity challenges. Cyber intrusions and insider threats through the HVAC system are a reality, and an improperly installed or maintained system exposes the enterprise to traditional cyber threats.
Another GAO report outlines threats, vulnerabilities, and impacts. That report focuses on the US electric grid, but the vulnerabilities it describes are relevant to identifying an attack profile against a BACS. Figure 3, from this report, is a graphical depiction of potential ways an attacker could compromise an industrial control system connected to a corporate network (GAO-19-332).
Here the intruder first gains access to the corporate network via the internet. From there the attacker moves laterally to reach the control system network and its devices.
The Target stores intrusion illustrates an actual attack through a BACS. On November 15, 2013, hackers broke into a contractor’s system to gain access to Target’s HVAC system (INL/CON-18-44411 p 12). The attackers first stole the login credentials of a third-party HVAC contractor with a phishing attack. They then uploaded malicious credit card-stealing software to cash registers throughout Target’s chain of stores. Seventy million customers were affected; Target faced $309 million in lawsuits and financial institutions incurred an additional $200 million.
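The attack path described above, a foothold on the corporate network followed by a hop into the control network, or a contractor’s credentials used to reach systems the contractor has no business touching, is one that network flow records can surface. As an added example, not code from this article or from any of the reports it cites, the Python script below checks constructed flow records against a hypothetical zone model: every flow into the control zone must originate from an allowlisted jump host on an allowlisted port, and anything else crossing into that zone is reported. The zones, addresses, ports, allowlist, and log lines are all assumptions made up for the illustration.

```python
"""Flag flows that cross from the corporate or vendor zone into the
building-control zone without going through the approved path.

Added example: the address plan, allowlist and flow records below are
constructed for illustration and are not taken from any real facility,
from the GAO reports, or from the BACS Report.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (an assumption, not from the article).
ZONES = {
    "control": ipaddress.ip_network("10.2.0.0/16"),     # HVAC, access control, ...
    "corporate": ipaddress.ip_network("10.1.0.0/16"),   # user workstations, servers
    "vendor_vpn": ipaddress.ip_network("10.3.0.0/16"),  # third-party contractor VPN pool
}

# Only the engineering jump host may open sessions into the control zone,
# and only on the ports the building-management software uses
# (hypothetical allowlist).
ALLOWED_INTO_CONTROL = {
    ("10.1.50.10", 443),  # jump host -> BMS web console
    ("10.1.50.10", 22),   # jump host -> controller SSH
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return Flow(ts, src, dst, int(dport))


def violations(lines):
    """Return (ts, src_zone, src, dst, dport) for every flow that enters the
    control zone from another zone without matching the allowlist."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if dst_zone != "control" or src_zone == "control":
            continue  # not a zone crossing into the control network
        if (f.src, f.dport) in ALLOWED_INTO_CONTROL:
            continue  # approved jump-host path
        findings.append((f.ts, src_zone, f.src, f.dst, f.dport))
    return findings


# Constructed flow records (not a real capture). 47808 is the BACnet/IP port.
SAMPLE_FLOWS = [
    "2019-06-01T03:12:07Z 10.1.50.10 10.2.0.21 443",   # jump host -> BMS: allowed
    "2019-06-01T03:13:41Z 10.1.7.88 10.2.0.21 47808",  # workstation -> controller: flag
    "2019-06-01T03:15:02Z 10.3.4.12 10.2.0.30 22",     # vendor VPN -> controller: flag
    "2019-06-01T03:16:30Z 10.2.0.21 10.2.0.30 47808",  # inside control zone: ignore
    "2019-06-01T03:17:55Z 203.0.113.9 10.1.7.88 443",  # internet -> corporate: first hop, not checked here
]

if __name__ == "__main__":
    for ts, zone, src, dst, dport in violations(SAMPLE_FLOWS):
        print(f"{ts} {zone:>10} {src} -> {dst}:{dport}  crosses into control zone")
```

Run against the sample records, the script reports two crossings: a corporate workstation talking directly to a controller, and a contractor VPN address opening SSH to a controller, which is the shape of the third-party credential misuse in the Target case. The initial internet-to-corporate hop in the last record is deliberately out of scope, since it belongs to perimeter monitoring; this check covers the second hop in the GAO attack path, and it only works if the control zone really is a separate network with a defined path into it.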
Dr. Ron Martin, CPP, CPOI is a Professor of Practice at Capitol Technology University