With emerging high-profile U.S. government involvement in plant security, particularly by the Department of Homeland Security (DHS) under the new, first-ever federal anti-terrorism regulations for “high risk chemical facilities” (see "Get ready to comply with new security mandates"), the chemical industry must ratchet up its efforts. Both physical and cyber-security are getting increasing attention.
Adequately protecting the plant perimeter and assets from physical intrusion, while undoubtedly often difficult, involves items that can be seen and issues that are readily understandable. Achieving robust cyber-security, on the other hand, means addressing communications, computer coding and other such factors that aren’t visible or as easy to grasp. However, cyber-security certainly is getting high visibility today. There’s a surge in interest in cyber-subjects such as security certification, defense-in-depth strategies, risk-based planning and improved policies and procedures.
Testifying to the high interest, cyber-security is a hot topic at many user group meetings and other conferences and forums at which vendors and their customers meet to develop and exchange ideas.
For example, the latest meeting of the Chemical Sector Cyber Security Program (CSCSP) of the Chemical Information Technology Center of the American Chemistry Council, Arlington, Va., attracted a record turnout. A total of 69 attendees representing 24 chemical companies, 11 technology providers, three academic institutions and DHS gathered in May in Miami to hear speakers tackle subjects such as integrating cyber-security with physical security and the supply chain, protection of intellectual property, cyber-security risk and compliance and trends in operational risk management.
Eric Cosman, steering team sponsor for the CSCSP’s manufacturing and control systems team, says that all the discussions and good practice developed over recent years are finally giving cyber-security a critical mass.
“Big companies like ours have been working on it for a long time,” says Cosman, who is an engineering solutions architect for Dow Chemical. “However, things really didn’t start to take off until after 9/11 and specifically the summer of 2002 with the launch of the CSCSP strategy. Before this, the level of awareness was very low because security is a very specialized topic. Over the last five years it has moved into the mainstream.”
The increasing number of consulting firms and vendors offering services related to cyber-security certainly bears this out. For instance, at that meeting, Deloitte Consulting, East Brunswick, N.J., outlined how the growth in guidance and regulation had enabled it to develop such a service. Meanwhile, Invensys, London, U.K., for one, driven originally by demand from the U.S., has formed an enterprise network and security team to provide cyber-security consultancy services. It aims to provide packaged solutions, going right from initial site assessment to managed security services, and covers any vendor’s technology. The group currently is expanding its operations in Europe, the Middle East and Asia.
Cosman believes that the next hurdle is to turn this improved awareness and practice into usability.
“In my opinion we need security to be designed into other systems and to be operated in the same way as the industrial control system. In that way, it would be configured and used by control systems engineers in the same way as another system.”
One factor that certainly relates to usability is proving that products actually are secure. To meet that challenge, vendors increasingly are going to third parties such as Wurldtech Labs, Vancouver, B.C., to certify the cyber-security of their offerings.
Wurldtech last year launched Achilles. It’s designed to assess the overall security of industrial controllers and is claimed to provide the most complete, accurate and trustworthy information possible on their security. Products that pass its tests get a security certification. Level 1 certification focuses on Layers 2 to 4 (from supervisory control to the enterprise systems such as business planning and logistics) and the implementation of common protocols such as Ethernet, ARP, IP, ICMP and UDP. So far, six controllers — from Emerson, Invensys, Yokogawa and ICS Triplex (which was just acquired by Rockwell Automation) — have earned Level 1 certification.
Figure 1. This controller was one of the first to successfully pass Achilles tests.
In Emerson’s case, the testing covered its DeltaV controller and firewall. “Controllers with Level 1 certification have demonstrated the robustness to survive network cyber-attacks. One real benefit of passing these rigorous tests is to provide users with the ability to better plan the installation of security updates and new anti-virus signatures. Knowing that the controllers can survive a possible security incident provides an opportunity to schedule these patching tasks around process activities rather than always immediately deploying the updates,” explains Bob Huba, Emerson senior product manager.
Invensys Triconex, Irvine, Calif., which specializes in safety instrumented systems, achieved certification for its Tricon version 10.3 controller. “Triconex systems have established the industry benchmark relative to international functional safety certifications. The achievement of Achilles certification for our Tricon system platform demonstrates our leadership in cyber-security, as well,” boasts Luis Duran, Triconex brand director.