Market competition traditionally has driven the evolution of control systems. Not that long ago, most control systems were autonomous and built upon proprietary vendor technology, with solutions geared towards access to data, speed and functionality (or reliability). Access to data was the most important feature. At first many vendors built their own protocols or languages to allow for the transfer of data.
Soon the automation landscape became very proprietary and independent of other systems and protocols. Parallel to this was the development of Ethernet networks for business data networks. So, vendors started providing Ethernet compliance to enable communication between systems including those outside the plant environment. However, in the rush to market many vendors built ad hoc versions of protocols that worked for the purpose at hand but didn't address security.
Now most plants with control systems must contend with many pressures both to allow access to data and to secure those data. (Distributed control systems and supervisory control and data acquisition systems both face such challenges.) These opposing trends are driven by many forces, including data access to enable business decisions, vendor access for process improvements and advanced control exercises like loop tuning and alarm management, as well as for proving regulatory compliance.
However, this increasing need for access is further diluting the security of many of these systems and is putting many process control environments at risk. While in some plants this is a nuisance, for most a loss of control over a process can pose a serious safety threat. As one noted security professional who works for a major refinery once pointed out: "Our industry is one such that a loss of access or control over our systems usually means someone dies."
Regardless of the potential harm, any plant with little or no security in and around its control system will at least lose production for some time. This can translate into rework, overtime, environmental release and other intangibles such as loss of competitive edge, investor confidence and potentially even the ability to stay in business.
The new push for control systems is to try to balance access and security. And the pressure is coming from many angles. Increasing market competition means that most plants are pushing the envelope to run faster, more efficiently and with less downtime. This is leading to more outside tuning and better visibility into production from specialized experts who may not be physically at the site.
An aging workforce is prompting many plants to automate more control of their assets and expect the same staff to manage and optimize more resources, thereby increasing their reliance on computers. More often than not these computers are running a Windows platform, which means all common threats usually targeted at corporate and business machines are now a potential threat to the production environment (see "Hardening plants is hard work").
However, traditional IT best practices can't always be applied to control systems. For example, the use of antivirus and patch management tools often can break the applications they're designed to protect. In these cases the challenge is to find a way to make process control environments as secure as possible without breaking the control systems along the way.
In addition, plants increasingly must contend with security mandates. For instance, the U.S. Department of Homeland Security (DHS) is implementing the first-ever federal regulations for high-risk chemical facilities (see "Get ready to comply with new security mandates"). The standard targets the storage, tracking and transportation of specific ingredients and products, and takes a holistic approach to threat mitigation, addressing both physical and cyber-security.
Given these drivers, it's worthwhile to explore what a pacesetter security program would involve and how it could affect the day-to-day lives of the people at plants.
The scope of the term "security" often seems vague, and the sheer volume of effort and areas of concern it may represent can be overwhelming. However, this needn't be the case. In looking at a number of security frameworks or standards, a common theme emerges that quickly is being adopted as a holistic and effective approach.
It combines efforts and initiatives that go far beyond the purchase and deployment of technology. Initiatives, such as SP99 from ISA, CIP 002-009 from NERC CIPC and 800-82 from NIST, offer different sections, headings and names for each of their areas of concentration but, in the end, all efforts usually center on three foundational areas: people, processes and technology. While we'll look at each of these areas, it's important to emphasize the need for a critical preliminary: developing a security philosophy that in turn fosters a security culture. Without such a philosophy and ongoing efforts towards creating and maintaining a strong security culture, momentum will be lost.
A security philosophy will differ for each company, industry and region but will share some common elements. It will state that security is:
- everyone's concern; and
- a balancing act.
With such a security philosophy spelled out, a company is poised to effectively address the people, process and technology issues.
Always remember that people pose the biggest risk. So, extensive and ongoing effort is needed to educate, empower and enable all staff to recognize situations and events that can impact cyber-security and to have them respond appropriately. Provide general awareness training for all staff as well as more sophisticated training commensurate with a person's level of access to critical assets.