CONTROL SYSTEMS + AUTOMATION
Audit | AU | Accountability and adherence to P&Ps
Contingency planning | CP | Disaster recovery
Incident response | IR | Forensic data retention and investigation
Information protection | SC | System and communication protection
Table 2: NERC CIP section overview.
Section | Description | Sample security controls
002-5 | Cyber system categorisation | Inventory of systems and software; continuous vulnerability assessment and remediation
003-5 | Security management controls | Controlled access based on minimum need to know; secure configuration of network devices
004-5 | Personnel & training | Security skills assessment and training
005-5 | Electronic security perimeters | Boundary defence; account monitoring and control
006-5 | Physical security | Maintenance, monitoring and auditing of security logs; access control
007-5 | Systems security management | Limitation and control of ports, protocols and services
008-5 | Incident reporting and response planning | Data loss prevention; incident response and management
009-5 | Recovery plans | Disaster recovery and analysis
Local situation
Depending on which report is given credence, South Africa is either the country with the sixth [3] or the third [4] highest incidence of cyber crime in the world. Independent corroboration seems to indicate that the latter is the more likely scenario. Irrespective of what the actual case is, the economy lost in excess of R3,4 billion in 2013 through reported cyber crime. Given the lack of consistent reporting, the true figure is most likely much higher. We are still awaiting the release of the 2014 statistics.
South Africa is far behind in establishing official structures for both the reporting and the investigation of cyber crime incidents. The draft policy for cyber security was published in the Government Gazette in 2010 [5]. To date little progress has been made in putting it into practice, with the exception of the establishment of the National Cybersecurity Advisory Council (NCAC) in October 2013 [6]. Looking at the reports generated by the Cyber Security Incident Response Team (CSIRT) (http://www.ssa.gov.za/CSIRT.aspx) investigating threats and incidents in South Africa, it is apparent that the emphasis is on business and general ICT related incidents. ICS are not referenced except where the same types of issue also affect them.
The process of establishing the regulatory framework and reporting structures falls under the auspices of the State Security Agency (SSA) and has been classified secret, with the result that no updated information is available. Publication of the draft legislation was expected in October 2014, but it has been delayed. What can we expect from the legislation? As stated, it is still unclear, but the following is expected to be addressed:
• Responsibility for securing systems will reside with the owner, with severe penalties in case of non-compliance
• Government and 3rd party audits will be required on a periodic basis
• Securing the forensic evidence chain will be required
• Different levels of security will be applied, based on the criticality classification
While proactive implementation and protection is advised, it is un-
likely to be widely implemented until a catastrophic incident occurs
or it is mandated by national legislation.
Threats
Threats to control systems can generally be classified as follows:
• Internal
o Unintentional
o Intentional misuse of authorised privileges
o Intentional misuse of unauthorised privileges
• External
o Hacktivists
o IP theft
o Intentional plant / equipment damage
Many control systems (project SHINE located at least 600 000) are fully or partially accessible to outside agents. More concerning is that some of these systems are responsible for the safe operation of plants and for protecting lives and equipment. Figure 5 is an anonymised diagram showing some of the open systems in South Africa.
Figure 5: Open control systems in South Africa (Source: SCADACS).
Each indication represents up to 100 systems. The classic vertical and horizontal Defence in Depth (DiD) strategy does provide a reasonable degree of protection against external threats, as shown in Figure 8. Insider threats, which form a substantial part of breaches, are not controlled by it, because trusted and authorised people are using their own credentials to perform unauthorised actions. The most damaging actions are not always intentional, but intention does not determine the damage.
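The following is an added example, not code from the article or from any of the cited projects: it sorts constructed ICS audit events into the internal/external threat classes listed above and shows why perimeter (DiD) controls only ever see the external class, while misuse of authorised privileges is visible only through account monitoring (the NERC CIP 005-5 control in Table 2). The role table, the change-ticket rule, the network prefix and the sample events are all assumptions made for illustration.

```python
# Added example (not from the article): classify constructed ICS audit events
# with the internal/external threat taxonomy. Role model, change-control rule,
# control-network prefix and sample events are assumptions for illustration.

ROLE_PERMISSIONS = {            # assumed least-privilege role model
    "operator": {"read", "acknowledge_alarm"},
    "engineer": {"read", "acknowledge_alarm", "write_setpoint", "download_logic"},
}
TICKET_REQUIRED = {"download_logic", "write_setpoint"}   # assumed change-control policy
CONTROL_NET_PREFIX = "10.20."   # assumed control-network range; anything else is outside the perimeter

def classify(event):
    """Map one audit event to: external, unauthorised-privilege, authorised-misuse or authorised.

    Perimeter (DiD) controls can only act on the first class. The two internal
    classes carry valid credentials and are only visible through account monitoring.
    Intent (accidental vs deliberate) cannot be read from a log line, so both are
    treated alike: intention does not determine the damage.
    """
    if not event["src"].startswith(CONTROL_NET_PREFIX):
        return "external"
    allowed = ROLE_PERMISSIONS.get(event["role"], set())
    if event["action"] not in allowed:
        return "unauthorised-privilege"     # insider acting beyond granted rights
    if event["action"] in TICKET_REQUIRED and not event.get("ticket"):
        return "authorised-misuse"          # valid rights, but outside change control
    return "authorised"

def summarise(events):
    """Count events per class; anything other than 'authorised' warrants review."""
    counts = {}
    for ev in events:
        label = classify(ev)
        counts[label] = counts.get(label, 0) + 1
    return counts

SAMPLE_EVENTS = [   # constructed sample audit events, not real data
    {"src": "10.20.1.15", "user": "op1", "role": "operator", "action": "read"},
    {"src": "10.20.1.15", "user": "op1", "role": "operator", "action": "write_setpoint"},
    {"src": "10.20.2.7", "user": "eng3", "role": "engineer", "action": "download_logic", "ticket": "CHG-0042"},
    {"src": "10.20.2.7", "user": "eng3", "role": "engineer", "action": "download_logic"},
    {"src": "203.0.113.9", "user": "eng3", "role": "engineer", "action": "read"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['user']:5} {ev['action']:16} -> {classify(ev)}")
    print(summarise(SAMPLE_EVENTS))
```

Only the last sample event would be stopped at the boundary; the engineer's logic download without a change ticket passes every perimeter check and is caught solely by the account-level rule.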
Electricity+Control, September ‘15, page 6