CYBER SCAPE AFRICA | Q2
Distributed Control Systems
DCS are used to control industrial processes
such as electric power generation, oil
refineries, water and wastewater treatment,
and chemical, food, and automotive
production. DCS are integrated as a control
architecture containing a supervisory level of
control overseeing multiple, integrated
sub-systems that are responsible for
controlling the details of a localized process.
Product and process control are usually
achieved by deploying feed back or feed
forward control loops whereby key product
and/or process conditions are automatically
maintained around a desired set point. To
accomplish the desired product and/or
process tolerance around a specified set
point, specific PLCs are employed in the field
and proportional, integral, and/or derivative
settings on the PLC are tuned to provide the
desired tolerance as well as the rate of
self-correction during process upsets. DCS are
used extensively in process-based industries.
Programmable Logic Controllers
PLCs are computer-based solid-state devices
that control industrial equipment and
processes. While PLCs are control system
components used throughout SCADA and
DCS systems, they are often the primary
components in smaller control system
configurations used to provide operational
control of discrete processes such as
automobile assembly lines and power plant
soot blower controls. PLCs are used
extensively in almost all industrial processes.
Cyber Security Assessments of ICS
Industrial Control Systems were originally
built as isolated stand-alone systems bearing
little resemblance to traditional information
technology (IT) systems and running
propriety control protocols with specialized
hardware and software. Many ICS
components were in physically secured areas
and were not connected to IT systems or
networks threats and incidents. As ICS are
adopting IT solutions to promote corporate
business systems connectivity and remote
access capabilities,
2019
and are being designed and implemented using
industry standard computers, operating systems
(OS) and network protocols, they are becoming
less isolated from the outside world and are
potentially reachable from the internet by
malicious and skilled adversaries.
Threats to control systems can come from
numerous sources, including adversarial sources
such as hostile governments, terrorist groups,
industrial spies, malicious intruders and even
disgruntled employees. While security solutions
have been designed to deal with these security
issues in typical IT environment, special
precautions must be taken when introducing
these same solutions to ICS environments. In
some cases, new security solutions are needed
that are tailored to the ICS environment. In July
2010, the first ever computer virus was
discovered that targeted industrial control
systems. Referred to as Stuxnet, this virus has
proven to be one of the most advanced viruses of
its kind exploiting particular weaknesses in the
Windows operating system that had not been
previously documented, and possessing the
ability to exploit a specific industrial control
systems platform. The ultimate goal of Stuxnet
was to sabotage that facility by reprogramming
programmable logic controllers (PLCs) to operate
as the attackers intended them to, most likely out
of their specified boundaries. It took nearly five
months from the time Stuxnet was discovered
until the time at which Microsoft had issued
patches which closed the four zero-days that
were exploited by Stuxnet.
Stuxnet virus proved that ICS cyber security risk is
not theoretical. Executives need to understand
and balance the cyber security risk related to the
use of ICS with other business risk factors.
Efficient and sustainable ICS security program
requires a long-term strategy, human resources
plans, business processes, procurement and many
other domains. There is need for a governance
and incident response structure in place in which
accountability and responsibilities for ICS security
are clearly stated and accepted by all responsible
parties.
Lawrence Dinga,
Founder & CEO, Managecom Systems Ltd
31