July 2018

Cybersecurity

Goble, W., exida LLC

Unfortunately, nation states appear to be launching cybersecurity attacks on other nation states. In this “arms war,” some attacks have been focused on industrial control systems (ICS). Three of these ICS cybersecurity attacks are notorious:

  1. Stuxnet (2009): A Siemens system attack to change PLC operating code.
  2. Industroyer/Crash Override (2015): An attack on the Ukrainian power grid that shut down a portion of Kiev.
  3. Triton (2017): A well-targeted attack on a distributed control system (DCS) and a Triconex safety instrumented system (SIS), believed to be an attempt to cause damage to the plant.

The Triton attack appears to be the most ambitious. Experts speculate that the attackers were trying to disable the safety system before causing the process to go out of control via another attack on the process controller. This action could have caused a major incident. It is fortunate that the Triconex Logic Solver initiated a shutdown of the process when it detected an internal anomaly [1].

The attack chain

Cyberattacks normally use a chain of incremental attacks to achieve the ultimate goal. Although the details of the attack methods used in some events are not known with certainty, expert forensic cyberengineers have drawn conclusions. In the case of the Triton cyberattack, those conclusions included:

  • Human mistakes: A staff member left a Triconex front panel switch in the PROGRAM position
  • Knowledge of the control system: Reverse engineering of the system and testing using a real system are postulated, given the sophistication of the attack
  • Reconnaissance: The malware scanned target systems looking for specific versions of Triconex software
  • Exploitation of known vulnerabilities: A zero-day vulnerability was used in the attack

The bad news from these attacks is that reverse-engineered source code has become available on the internet for other attack agents to use. The good news is that the attack patterns have been discovered and documented, allowing defense techniques to be defined in cybersecurity standards. 

ICS cybersecurity standards

The ISA S99 standards, issued starting in the mid-2000s, were the first ICS cybersecurity standards. Those standards were modified by the International Electrotechnical Commission (IEC) 62443 committee to create a set of cybersecurity standards used by many industries. The IEC 62443 series of standards includes more than 10 documents that describe terminology, cyber procedures, defense techniques and device-level requirements for product development. Major control system manufacturers have selected IEC 62443 techniques when hardening their products and systems.

Cybersecurity certification

Any certification program is created to provide technically competent, third-party auditing and assessment to attest that the certification target has met the requirements defined in a document called a scheme. The ISA Security Compliance Institute (ISCI) was founded in 2007. It contracted experts to write the first cyber certification scheme based on the ISA S99 standards, called ISASecure. Since the IEC 62443 standards were released, new schemes have been defined by certification bodies (CBs) based on these new standards.

IEC 62443 requirements

At the system level, IEC 62443-3-3 details several categories of cybersecurity requirements. Sets of requirements are classified into four cybersecurity levels. A system or a product must meet all requirements of a given level to be certified at that level.

A cyber-hardened product is the objective of IEC 62443-4-1 and IEC 62443-4-2. IEC 62443-4-1 provides a set of requirements for a product development and test process for cyber hardening. IEC 62443-4-2 describes the IEC 62443-3-3 requirements in terms of product features. For example, to protect against storage of false programs, systems should validate any input data received. To protect against attack agents obtaining valuable data over the network, the data can be encrypted. To ensure that invalid configurations cannot be downloaded, user and device authentication can be implemented.

Like IEC 62443-3-3, the product requirements from IEC 62443-4-2 increase with each level. This means that a product certified to Level 2 has met more of the cybersecurity requirements and will provide higher levels of cyber hardening than Level 1. Level 4 provides the highest number of cybersecurity hardening features.

To date, several ICS OEMs have achieved Level 1 cybersecurity certification. A few have achieved Level 2. Some will achieve more. However, the bar must keep changing because cybersecurity attack agents are increasing in numbers and in technical skill. Certification schemes must adjust and change to meet ever-increasing threats.

Literature Cited

  1. Kovacs, E., “Triton malware exploited zero-day in Schneider Electric devices,” SecurityWeek, January 18, 2018, online: https://www.securityweek.com/triton-malware-exploited-zero-day-schneider-electric-devices
