Six Challenges and Five Mistakes of Industrial Control System Security
Release time: 2020-07-27 14:12
1. Industrial control systems have become an important battlefield of cyberspace security
In 2010, the Stuxnet incident that shocked the world occurred in Iran. The Stuxnet computer virus attacked the Siemens PCS7 control systems used at Iran's Natanz uranium enrichment facility and Bushehr nuclear power plant, destroying a large number of uranium enrichment centrifuges and the Bushehr plant's generator set, which delayed Iran's nuclear programme by at least two years.
The incident shows that cyberspace security threats have rapidly extended from the traditional virtual space of the Internet and computers to the industrial control systems of the physical world. A "computer virus" can take control of an industrial control system without destroying the system itself, causing production interruptions, pipeline leaks, environmental pollution, equipment damage and even catastrophic accidents, which can lead to social unrest and seriously threaten national security. Industrial control systems have become an increasingly important new battlefield for cyberspace security. To distinguish it from viruses confined to the traditional virtual space, people have called Stuxnet a "super cruise missile", a "software atomic bomb", and so on.
Since the Stuxnet incident, the threat of such "software atomic bomb" attacks on industrial control systems has come ever closer to us, and even industrial control systems that we originally believed to be physically isolated have not been spared:
(1) In December 2015, the power monitoring system of the Ivano-Frankivsk region of Ukraine, which was believed to run on a private network, was attacked by the "BlackEnergy" malicious code. The Ukrainian news outlet TSN reported: "At least three power areas were attacked, causing power outages for several hours"; "The attackers invaded the monitoring management system, and more than half of the area and part of the Ivano-Frankivsk region were without power for several hours." The Kyivoblenergo electric power company issued an announcement stating: "The company was invaded, causing 7 110 kV substations and 23 35 kV substations to fail, causing 80,000 users to lose power."
(2) On June 12, 2017, Industroyer, an industrial control cyber-attack weapon built to attack power substation systems, was found to have been used against the Ukrainian power grid. Unlike BlackEnergy, Industroyer allegedly exploited no vulnerabilities at all; it used the power system's own industrial control protocols to operate circuit breakers directly, causing the substation to lose power.
(3) In December 2017, TRITON, malicious software targeting Schneider Electric's Triconex safety instrumented system (SIS) controller, was discovered. TRITON is said to be able to modify the voting mechanism of the SIS, thereby disabling its safety protection function.
In addition, because the operator interface software of industrial control systems runs on Microsoft operating systems, viruses that attack the Internet and computer operating systems (such as the WannaCry ransomware) have also affected industrial control systems to a greater or lesser degree.
2. China has paid unprecedented attention to the cybersecurity of industrial control systems
Since the Stuxnet incident in 2010, China has paid unprecedented attention to the cybersecurity of industrial control systems, from the central government and departments at all levels down to major enterprises:
(1) At the national level, the central government has not only established the Cyber Security and Informatization Committee, but has also successively issued the "Notice on Strengthening the Information Security Management of Industrial Control Systems" (Ministry of Industry and Information Technology Association [2011] No. 451), the "Several Opinions of the State Council on Vigorously Promoting Informatization Development and Effectively Guaranteeing Information Security" (Guo Fa [2012] No. 23) and other documents. The Standing Committee of the National People's Congress also approved the Cyber Security Law on November 7, 2016, which came into effect on June 1, 2017, indicating that cyberspace security, including the cybersecurity of industrial control systems, has been elevated to the level of the party, the state and the law;
(2) At the level of state organs, national and local functional bodies and departments have placed industrial control security in a very important position: they have not only issued corresponding documents, but have also carried out industrial control security training, competitions and other popular science activities in various forms, as well as substantive work such as classified protection evaluation, security assessment, security testing and security inspection;
(3) At the standards level, the National Information Security Standardization Technical Committee (TC260), the Industrial Process Measurement and Control Standardization Technical Committee (TC124) and the National Power System Management and Information Exchange Standardization Technical Committee (TC82) have all done a great deal of work in the field of industrial control security and have issued a series of national and industry standards related to it. On May 13, 2019, the Classified Protection 2.0 standards, covering cloud computing, mobile Internet, Internet of Things, industrial control and big data security (hereinafter the Classified Protection 2.0 standards), were officially released as widely expected, and they took effect on December 1, 2019.
(4) In terms of scientific research organization, the Ministry of Education has established cyberspace security as a new first-level discipline, and major universities have set up related colleges and majors.
(5) In terms of industry organization, the National Industrial Information Security Industry Development Alliance, the Industrial Control System Information Security Industry Alliance, the China Information Security Technology Industry Alliance and the China Industrial Information Security Alliance are all developing rapidly.
(6) At the level of concrete implementation, industrial enterprises, and key infrastructure enterprises in particular, have all set up dedicated information security bodies, which shows the degree of attention being paid.
It can be seen that China has established an industrial control security system covering every level, from the national level, laws and functional institutions to scientific research, standards, industries and enterprises, which shows how seriously industrial control security is regarded.
3. The security threats faced by industrial control systems remain very serious
At present, with the continuing deepening of the "integration of informatization and industrialization", China's power systems, petroleum refining and chemical industry, water conservancy, urban and rail transit, oil pipelines, national defence equipment and other public projects still widely use foreign-made control systems. Even where such a system is physically isolated from the Internet, its maintenance and repair are still undertaken by the manufacturer of that control system, so the security situation remains severe:
(1) Remote attacks from the network: through the Internet, intranets and wireless networks, hackers and attackers can attack industrial control systems remotely;
(2) Attacks brought in through removable media, such as portable hard disks, USB flash drives, CDs and mobile terminals;
(3) Latent attacks by embedded code, typically embedded during project implementation, through spare parts, or during maintenance.
4. The main threat to industrial control system security is organized, professional attacks
From a technical point of view, the cybersecurity threats faced by industrial control systems come from two directions. The first is traditional network security threats, that is, attacks that exploit vulnerabilities in operating systems and application software. Such threats are mainly aimed at vulnerabilities in the computer's operating system and application software (office software, website software and so on) in order to obtain control of the computer or to steal private or sensitive information.
The second, and more important, threat comes from organized attackers who are intimately familiar with industrial control systems and with the production devices and production processes they control. From public information it can be seen that although Stuxnet exploited operating system vulnerabilities, those vulnerabilities were used only to spread the Stuxnet code. Its core code used the characteristics of the Siemens PCS7 control system and of the nuclear facility to carry out malicious manipulation and to send falsified data to the operator interface software.
It can be seen that the "hackers" who attack the core components of an industrial control system must not only have general knowledge of computer operating systems and software, but must also exploit the software and hardware characteristics of the industrial control system itself and the weaknesses of its communication protocols, operating instructions and underlying production devices. This makes such attacks hard for ordinary Internet security technicians to detect; that is, they are characterized by "high professionalism, high concealment, high complexity, difficult to discover and difficult to track" (the so-called "three-high dilemma").
5. The security protection challenge of industrial control systems is far greater than that of general information systems
In the nearly nine years since the Stuxnet incident in 2010, while carrying out the various tasks of industrial control system cybersecurity, China has also encountered difficulties and challenges completely different from those of Internet security and information system security. They are manifested in the following aspects:
(1) The understanding of industrial control security still remains largely at the level of Internet security and protocols
Compared with Internet systems and information systems, industrial control systems are mostly closed-loop systems composed of sensors, control devices, actuators and other links. Their monitoring software is used by operators only to monitor working conditions and perform simple operations, and industrial control protocols are used to transmit production process data. Therefore, the cybersecurity of an industrial control system must be considered comprehensively across all of the above elements and the production device itself.
(2) Limited understanding of the principles and mechanisms of industrial control malicious code attacks
Nowadays, public reports, microblogs and other social media, as well as many articles and papers, contain many accounts of industrial control security incidents but little technical analysis; much dramatization of the threats to industrial control networks but little analysis of the threats inside industrial control; many introductions to operating system "vulnerabilities" but little analysis of the software and hardware vulnerabilities of the industrial control system itself; many introductions to the exploitation of vulnerabilities in operating systems, email and the like, but few studies of technical questions such as "what does industrial control malicious code look like, how does it arrive, when and how is it triggered, and when does it leave". This makes it difficult to carry out industrial control security work in depth.
(3) The effectiveness of current industrial security protection measures and products remains to be proven
At present, whether it is the classified protection evaluation, security assessment, security testing and security inspection of industrial control systems, or the various industrial control security products, although they take many forms, their effectiveness is far from being recognized by users. In particular, for the security threats faced by the terminal equipment of industrial control systems, the problem of "misdiagnosing the disease and prescribing the wrong medicine" has not really been solved.
(4) Industrial control security standards are difficult to apply at the terminal equipment of industrial control systems
At present there are many standards for industrial control security, such as the international standard IEC 62443 (ISA99 of the International Society of Automation, ISA, in the United States), SP 800-53 issued by NIST in the United States, and China's Classified Protection 2.0 standard GB/T 22239-2019 "Information Security Technology - Baseline for Classified Protection of Cybersecurity", and so on. But during implementation, when faced with a running industrial control system (especially the controllers that are its core components), one runs into the embarrassment that the system "cannot be touched and cannot be probed".
(5) Industrial control security implementation finds it hard to obtain the cooperation of industrial control equipment manufacturers
Industrial control systems differ from Internet systems and information systems: they must not only ensure that the production process runs in the predetermined working conditions according to the process design requirements, but must also prevent safety accidents. In other words, manufacturers and integrators of industrial control systems are responsible not only for the continuity and reliability of the production process but also for the safety of production. This is something traditional information security vendors and security products find difficult.
6. Several misconceptions to avoid in industrial control system security
As discussed above, the cybersecurity of industrial control systems must be carried out around the security of the control system itself and of the production device. In practice, care should be taken to avoid the following misconceptions:
(1) Placing too much emphasis on security protection based on vulnerability scanning
As mentioned earlier, the design and development engineers of industrial control systems are concerned with how to make the product more reliable and more available, and with how the control algorithm can make the controlled object more stable and more robust to external disturbances; they pay less attention to cybersecurity, so their software and hardware contain vulnerabilities of one kind or another.
However, the vulnerability scanning products currently on the market can only find the vulnerabilities that cause overflows and downtime in industrial control systems, while exploitable weaknesses of the kind used by Stuxnet, Industroyer and TRITON remain hard to find by traditional means.
(2) Placing too much emphasis on patch and upgrade management
As is well known, because the software and hardware of an industrial control system are tightly coupled and a large number of non-proprietary protocols, technologies and functional modules are used, patching or updating the system without strict testing leads at best to a blue screen and at worst to the configuration and monitoring software no longer being usable. Restarting an industrial control system is an extremely complicated process; a moment's carelessness can easily cause a production interruption, or damage to devices due to a mismatch between the production equipment and the process.
Therefore, for important industrial control systems, and especially core infrastructure, patching and software version updates must be approached with great caution!
(3) Relying too much on the isolation of industrial control systems for security
As mentioned earlier, with the continuing advance of the "integration of informatization and industrialization", the interconnection of production systems and management systems has become the basic architecture of industrial control systems, and complete isolation from the outside world is almost impossible. In addition, the mobile devices or laptops used for maintenance, and spare parts, may become the vehicles by which code is introduced; Stuxnet is said to have been brought in on a USB flash drive.
(4) Overestimating the role of traditional protection products such as industrial firewalls
Looking at how current industrial control systems actually behave, apart from the proprietary protocols and the public protocols it supports, an industrial control system filters out and does not process all other protocols. In other words, an industrial control system generally already has the capability of a general-purpose firewall. In this sense, the so-called industrial firewalls currently on the market serve only as self-consolation for passing inspections.
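As an added example (not from the original article) of what a protocol-aware check can do beyond the protocol-level filtering a controller already performs, the following Python applies a write-command allowlist to Modbus/TCP requests: it illustrates the point made in section 4 about Industroyer, whose commands were legitimate protocol traffic that port or protocol filtering alone cannot distinguish from normal operation. The hosts, the policy, the unit and coil addresses and the sample frames are constructed assumptions; only the Modbus function codes are standard values.

```python
from dataclasses import dataclass

# Modbus/TCP function codes that change process state (standard values).
WRITE_FUNCTIONS = {
    5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}

@dataclass(frozen=True)
class Rule:
    src: str   # host permitted to write
    unit: int  # target device (Modbus unit identifier)
    lo: int    # permitted coil/register address range, inclusive
    hi: int

# Constructed policy (assumption): only the engineering workstation may
# write to coils 0-15 on unit 1; no other writes are permitted at all.
POLICY = [Rule("10.0.1.10", 1, 0, 15)]

def parse_mbap(frame: bytes) -> dict:
    """Parse a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("short frame")
    proto = int.from_bytes(frame[2:4], "big")
    length = int.from_bytes(frame[4:6], "big")
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    addr = int.from_bytes(frame[8:10], "big") if len(frame) >= 10 else None
    return {"unit": frame[6], "fc": frame[7], "addr": addr}

def check_write(src: str, frame: bytes, policy=POLICY):
    """Return (allowed, reason). Reads pass; writes need a matching rule."""
    req = parse_mbap(frame)
    name = WRITE_FUNCTIONS.get(req["fc"])
    if name is None:
        return True, "read-only function code %d" % req["fc"]
    if req["addr"] is not None:
        for r in policy:
            if r.src == src and r.unit == req["unit"] and r.lo <= req["addr"] <= r.hi:
                return True, "%s permitted by policy" % name
    return False, "%s to unit %d addr %s from %s not in policy" % (
        name, req["unit"], req["addr"], src)

# Constructed sample frames (not captured traffic):
# transaction 1, unit 1, fc 5 (write single coil), coil 3, value ON (0xFF00)
TRIP_BREAKER = bytes.fromhex("000100000006" "0105" "0003" "ff00")
# transaction 2, unit 1, fc 1 (read coils), start 0, count 16
READ_COILS = bytes.fromhex("000200000006" "0101" "0000" "0010")

if __name__ == "__main__":
    for src in ("10.0.1.10", "10.0.5.77"):
        print(src, check_write(src, TRIP_BREAKER))
    print("10.0.5.77", check_write("10.0.5.77", READ_COILS))
```

The same coil-write frame is accepted from the workstation in the policy and rejected from any other host, which is the distinction a port-level filter cannot make.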
(5) Relying too much on one-way communication isolation devices
As discussed above, there are many ways to attack industrial control systems: some are carried out remotely through the network, some through wireless access, and some through removable media, embedding during engineering implementation and maintenance, embedding through spare parts, and so on. One-way communication isolation devices can play only a partial role.
7. The cybersecurity protection of industrial systems must cover every aspect: the industrial control system itself, the production process and the operation process
In concrete practice, the cybersecurity protection of industrial control systems needs to be considered comprehensively at the following levels:
At the first level, the cybersecurity protection of an industrial control system must cover all of its components: software, hardware and network.
At the second level, the cybersecurity protection of an industrial control system must be carried out in combination with the production process and the operation process.
At the third level, the cybersecurity protection of an industrial control system must also cover every stage of its whole life cycle: design, production, commissioning, engineering implementation, maintenance, and operation and maintenance.
The cybersecurity protection of industrial control systems is an extremely complex systems engineering task, which requires returning to the original purpose and the essence of the control system. Only by starting simultaneously from the software, hardware, network, production process, production equipment and every other aspect of the industrial control system can we effectively protect the security of the nation's critical infrastructure.