Protect your plant

Avoid the basic errors in cyber security strategies that many chemical companies are making

By Eric Byres, Byres Security Inc.

2 of 4 1 | 2 | 3 | 4 View on one page

This isn’t to say that IT security solutions are bad for chemical processing. In fact, studies at major oil companies have shown that 90% of all IT security policies and technologies work well for industrial process control. The answer lies in clearly understanding how chemical processing assumptions and needs differ from those of the IT world and then modifying the IT security technologies and practices to properly use them in our world. This takes close cooperation and teamwork from both IT and process control staffs and not blind dependence on IT security procedures, a topic we’ll explore in more detail later.

The other mistake the chemical company made was to assume that all security problems arise from outside the plant and those that do make it in come through obvious pathways that can be managed by a firewall. This assumption often means that companies base their entire plant-floor security solution on a single firewall between the business network and the control system network, believing that their firewall will be the ultimate security filter and will prevent anything evil from ever getting to the control system. Unfortunately as this chemical company discovered, nothing could be further from the truth.

This firm isn’t unique. Many chemical companies make significant cyber-security mistakes. The sidebar summarizes the 10 most common errors.

Multiple paths for attack

To understand just how many pathways into a control system there can be, it’s helpful to look at the security incidents caused by the Slammer Worm since its creation in 2003. This particular worm has caused more documented process disruptions than any other source, according to records in the Industrial Security Incident Database. A few of its “achievements” include interrupting power-distribution supervisory control and data acquisition systems, infecting the safety parameter display system in a nuclear plant and curtailing oil production operations in the Gulf of Mexico.


The 10 most common plant cyber-security mistakes

  1. Assuming that someone else (like the IT department) is looking after the security of control systems. It often turns out that everyone thinks it’s someone else’s job. (Upper management is especially prone to the mistake.)
  2. No risk analysis for cyber incidents. Without a proper risk analysis that looks at vulnerabilities and consequences of cyber events, companies can’t be sure they are spending their security dollars effectively.
  3. A lack of policies and procedures to govern control system security. Security needs to be motivated from the top down by good corporate policies that are supported by upper management.
  4. Assuming that IT security solutions will work on the plant floor. Security solutions need to fit the environment that they’re to be used in or they either will get ignored or bypassed. Many IT solution work well but some don’t; it’s important to recognize those that don’t work and come up with alternatives.
  5. Addressing security on a piecemeal basis. For security to be effective, it has to be deployed in a coordinated fashion across the whole plant or organization.
  6. Forgetting the human aspects of security. Good security starts with ensuring that staff, management and contractors understand and follow appropriate practices.
  7. Designing control system networks without sufficient defense-in-depth architectures. Depending on a single firewall between business and control systems is asking for trouble — security needs to be layered to be effective.
  8. Poor patch management for applications on the plant floor. Many companies have good patching systems for the operating system but then forget to patch the software applications (like HMIs), which typically are far more vulnerable to software bugs.
  9. Either no tools to detect inappropriate activity on the control system or no procedure to ensure that the tools are used regularly. I see many firewalls in plants whose logs never have been checked. This is like installing a burglar alarm but not turning it on.
  10. Allowing remote access to the control system without creating and enforcing an appropriate access control system. Need I say more?


2 of 4 1 | 2 | 3 | 4 View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments