This isn’t to say that IT security solutions are bad for chemical processing. In fact, studies at major oil companies have shown that 90% of all IT security policies and technologies work well for industrial process control. The answer lies in clearly understanding how chemical processing assumptions and needs differ from those of the IT world and then modifying the IT security technologies and practices to properly use them in our world. This takes close cooperation and teamwork from both IT and process control staffs and not blind dependence on IT security procedures, a topic we’ll explore in more detail later.
The other mistake the chemical company made was to assume that all security problems arise from outside the plant and those that do make it in come through obvious pathways that can be managed by a firewall. This assumption often means that companies base their entire plant-floor security solution on a single firewall between the business network and the control system network, believing that their firewall will be the ultimate security filter and will prevent anything evil from ever getting to the control system. Unfortunately as this chemical company discovered, nothing could be further from the truth.
This firm isn’t unique. Many chemical companies make significant cyber-security mistakes. The sidebar summarizes the 10 most common errors.
Multiple paths for attack
To understand just how many pathways into a control system there can be, it’s helpful to look at the security incidents caused by the Slammer Worm since its creation in 2003. This particular worm has caused more documented process disruptions than any other source, according to records in the Industrial Security Incident Database. A few of its “achievements” include interrupting power-distribution supervisory control and data acquisition systems, infecting the safety parameter display system in a nuclear plant and curtailing oil production operations in the Gulf of Mexico.
The 10 most common plant cyber-security mistakes