Effective processes, of course, are crucial, too. Indeed, a plant's standards, guidelines, procedures and best practices offer some of the most obvious indicators of the success or failure of a security effort.
The specific security processes established will most likely have the biggest impact on the day-to-day operations and workflow of the facility. So, let's look at some of the more important and most helpful ones.
Change management. A proper change-management program is the single most often neglected yet potentially the most significant process to establish and maintain a more secure environment. Most chemical facilities have solid, established and well-followed change-management programs, but they usually are deployed only within the business environment or within certain aspects or systems on the plant floor. A proper industrial-security program will require the implementation of a very solid and closely followed change-management program for all assets in a plant.
Patch management. No program would be complete without a patch management process. The challenge is in creating a program that addresses the inherent limitations to patching within a process control environment.
Incident handling. The true measure of your security readiness is going to be how well you handle an incident when it happens; an incident will occur at some point regardless of how well you prepare or how hard you try to prevent it. What counts is how much damage you can avoid by early and effective detection and mitigation with countermeasures. In other words, the sooner you see the wound and the faster you can stop the bleeding, the more effective your policy is. Among the processes that facilitate incident handling are team notification, escalation procedures during an incident, containment procedures (for slowing or stopping the spread of viruses), interim measures for resuming business and post-incident analysis.
Other processes. A proper security program must contain many other elements. To enhance security, consider, for example, processes for:
- disaster recovery;
- backup and restoration;
- fire drills;
- standards deployment;
- annual assessments;
- penetration tests;
- remote access policies;
- file transfer; and
- vendors and visitors.
The role of technology
Perhaps the most obvious and fundamental piece of the security puzzle is the technology aspect. When used correctly, technology is an enabling, tangible part of any security program. However, simply buying and installing technology doesn't necessarily improve a plant's security. Technology investments must take into account the business model as well as physical topology and plant or operational requirements. Before deciding upon technology purchases or deployments, it's crucial to first assess the potential impact of a new technology on workflow. If a firewall or new network topology interferes with access to data, then it may not be best for the organization.
The first word that comes to mind when discussing technology and security is a firewall. This response is both good and bad. On the plus side, the fact that a company is using or intending to use a firewall means that security is a priority and that the potential for locking out unwanted access exists. The problem is that many firms feel that the mere presence of a firewall is enough to immediately solve their security concerns. In a study of 37 firewalls from a number of industries (1), it was found that almost 80% of firewalls allow both the "any" service on inbound rules and insecure access to the firewalls; these are gross mistakes by any account.
For the maximum firewall benefit, a plant needs to create a multi-layered topology in its process control network. This applies as well to the many other tools and toys that can be considered. The secure and effective deployment of technology depends upon implementation of a multi-layered or "defense in depth" approach to network topology (see "Properly protect control systems").
This approach has been called many names but, regardless of moniker, it's based on the idea that the further removed a process network is from the business LAN and the outside world (i.e., the Internet), the more protected it is. More importantly, a plant must establish what traffic it will allow on a frequent basis and ensure that future projects don't compromise those rules. Every few months, the plant must revisit the firewall configuration to ensure it's working effectively and addressing new security threats. There's always a second way to move data or to facilitate business decisions without compromising the firewall, which is the first line of defense.
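One way to run the periodic firewall review described above, as an added example that is not part of the original article: a Python check that flags allow rules with an inbound "any" service, cleartext management access to the firewall, or traffic outside the plant's approved baseline. The rule export format, the addresses, the baseline and the reading of telnet/HTTP as "insecure access" are assumptions made for the illustration.

```python
import csv
import io
import ipaddress

# Constructed sample rule export (hypothetical format, not a vendor's).
SAMPLE_RULES = """\
name,direction,src,dst,service,action
hist-to-biz,outbound,10.10.5.20,192.168.1.50,tcp/1433,allow
vendor-in,inbound,any,10.10.5.0/24,any,allow
fw-admin,inbound,192.168.1.0/24,10.10.0.1,tcp/23,allow
opc-dmz,inbound,172.16.0.10,10.10.5.30,tcp/135,allow
default,inbound,any,any,any,deny
"""

FIREWALL_ADDR = "10.10.0.1"            # assumed management address of the firewall
CLEARTEXT_MGMT = {"tcp/23", "tcp/80"}  # assumption: telnet/HTTP are the insecure access paths
# Assumed approved baseline: the (src, dst, service) flows the plant agreed to allow.
APPROVED = {
    ("10.10.5.20", "192.168.1.50", "tcp/1433"),
    ("172.16.0.10", "10.10.5.30", "tcp/135"),
}

def covers(dst, addr):
    """True if the rule destination ('any', a host or a CIDR block) includes addr."""
    return dst == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(dst, strict=False)

def audit(rule_text, approved=APPROVED):
    """Return (rule name, finding) pairs for every allow rule that fails a check."""
    findings = []
    for r in csv.DictReader(io.StringIO(rule_text)):
        if r["action"] != "allow":
            continue  # deny rules cannot open a path
        svc = r["service"]
        if r["direction"] == "inbound" and svc == "any":
            findings.append((r["name"], "inbound 'any' service"))
        if covers(r["dst"], FIREWALL_ADDR) and svc in CLEARTEXT_MGMT | {"any"}:
            findings.append((r["name"], "cleartext management access to firewall"))
        if (r["src"], r["dst"], svc) not in approved:
            findings.append((r["name"], "not in approved traffic baseline"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Rerunning the same check against each new export after a project changes the rule set shows whether the agreed traffic baseline still holds.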
Security is not a Y2K type of issue with a defined shelf life and timeline. Plus, while the DHS regulations now only target high-risk chemical facilities, they likely will eventually expand in scope to cover more installations. Likewise, the standard may evolve beyond simple assessments. The facilities that aren't going to be overwhelmed by the amount of work required to properly secure their sites are the ones that begin before they're forced to by government.
The difficulty will be in convincing everyone to start playing along because the single biggest differentiator that sets a pacesetter apart in the world of industrial security is its security culture. Any security initiative is going to live and die by the support it gets outside of the project team implementing it. This means financial support for the time and resources required to implement the project itself. It also means support from executives and decision-makers in allowing and encouraging security efforts in the first place. Most importantly, it means getting the buy-in of the day-to-day owners of the systems being impacted by changes to processes or procedures required to increase security. Always remember that the amount of support shown is the key indicator of the success of any security initiative.
Security traditionally has been seen as an expense without obvious return on investment. However, if security culture and systems are thought of in the same light as safety systems, then the opposition to security programs should begin to fade. Safety programs have provided benefits to organizations; security can provide unintended benefits as well once you get started!
1. Wool, Avishai, "A quantitative study of firewall configuration errors," IEEE Computer Magazine, p. 62 (June 2004).
Rick Kaun is manager of industrial security and compliance for Matrikon, Inc., Edmonton, Alberta. E-mail him at email@example.com.