Once a misguided employee, virus or hacker does get past the main business or control-system firewall, the typical control system is an easy target for attack. Poorly patched Windows-based computers abound and anti-virus software is the exception rather than the rule. For example, during a security survey conducted at a major refinery we discovered that only 55% of the Windows 2000/XP machines in control rooms had the patch that prevented Blaster infections and even fewer, 38%, had the patch for the Sasser Worm installed. Yet both of these patches had been available for more than two years and were approved by the control system vendor at the time of the survey. Even the most inexperienced hacker could have taken over this control system in a matter of hours.
A typical plant’s actual control devices such as the programmable logic controller (PLC) or distributed control system (DCS) are even softer targets than the unpatched PCs. In a study by CERN, Europe’s laboratory for high energy physics, 25 industrial control devices (mostly PLCs) were tested using standard IT security tools (such as Nessus and Netwox) that are available to the average attacker. Almost half of the devices failed the tests, usually due to communications breakdowns, system crashes and unprotected services. For experts in the field these results weren’t all that surprising — the vast majority of the PLCs and DCSs currently in use offer no authentication, integrity or confidentiality mechanisms and can be completely controlled by any individual who can “ping” the device. Nor can they be easily updated or have security features added to them.
Defense in depth
Sound strategy, regardless of whether it’s for military, physical or cyber security, relies on “defense in depth.” Effective security is created by layering multiple security solutions, so that if one is bypassed, another will provide the defense. This means not over-relying on any single technology such as a firewall. Firewalls aren’t bad technology — in fact they’re a fantastic tool in the security tool box — but industry has misused them by believing they will solve all security ills.
Defense in depth begins by creating a proper electronic perimeter around the control system and then hardening the devices within. The security perimeter for the control system is defined both by policy and technology. First, policy sets out what truly belongs on the control system network and what’s outside. Next, a primary control-system firewall acts as the choke point for all traffic between the outside world and the control system devices.
Figure 3. Low-cost modules are designed to protect individual control devices. Source: MTL Instruments
Once the electronic perimeter of the control system is secured, it’s necessary to build the secondary layers of defense on the control system itself. Control components like HMIs and data historians that are based on traditional IT operating systems such as Windows and Linux should take advantage of the proven IT strategies of patch and anti-virus management. However, this requires prior testing and care.
For those devices like PLCs and DCS controllers where patching or anti-virus solutions aren’t readily available, I recommend the use of an industrial security appliance. This rapidly evolving security solution deploys low-cost security modules directly in front of each control device (or group of devices) needing protection (Figure 3).
People first, not technology
Despite the razzle-dazzle of these technological solutions, it’s important to consider the human aspects of security such as developing policy, assigning responsibility and training staff. It’s this human part of the equation — not the technology — that’s most critical to the success of any security program.
Three factors are critical for the successful implementation of a security program within a chemical facility:
- security policy, objectives and activities that reflect business goals;
- an approach and framework for implementing, maintaining, monitoring and improving information security that’s consistent with the organizational culture; and
- visible support and commitment from management.
If any of these are missing, then the security program will likely fail.
Finally, IT managers and plant managers face a common enemy attacking related technologies in what has become a highly interconnected environment. This demands developing a coordinated defense. It can be valuable to:
- establish cross-department training programs that focus on values and behaviors expected, to foster a culture of co-operation and communication;
- create cross-functional teams to work on developing policies, standards and projects for process security; and
- encourage informal networks. These are important. When a real problem arises, provide opportunities for people from both the IT and process departments to liaise and work together.
Address the threats
These are just a few of the most important steps that the chemical industry needs to take if it’s going to effectively protect itself from cyber attack. Failure to adapt to these changing threats and vulnerabilities will leave companies exposed to increasing numbers of cyber incidents. The consequences unfortunately could include a marred reputation, environmental releases, production and financial loss, and even human injury or death.
Eric Byres, P.E., is chief technical officer of Byres Security Inc., Lantzville, B.C. E-mail him at firstname.lastname@example.org.