Between 2002 and 2008 Industrial Defender performed more than 100 security assessments on critical infrastructure facilities such as chemical plants, refineries, water treatment units, power stations and pipeline systems — and found more than 38,000 control system vulnerabilities. Assessments over the last two years continued to show widespread problems (see sidebar). With these results in mind, this article highlights various security measures and practices that chemical facilities should strongly consider to meet "RBPS 8," which is the cyber component of the RBPS.
Key Implementation Challenges
The objective of RBPS 8 is to help deter cyber sabotage as well as prevent unauthorized onsite or remote access to critical computerized systems, including those for supervisory control and data acquisition (SCADA) and distributed control. Here are some aspects that deserve particular attention:
Security policy. CFATS compliance begins with an effective security policy. Plans, processes and procedures that address a network's specific sensitivities are the starting point of any successful cyber-security plan. Developing and using a change management process to support necessary cyber-security updates to a network and reduce the chance of human error are important elements of an effective security policy. In addition, designating a particular individual to oversee cyber-security efforts establishes accountability and oversight.
Access control. To boost efficiency, business and control networks increasingly allow interconnectivity. Unfortunately, the more interconnected and accessible a network is, the more vulnerable it may be. So, setting up an electronic security perimeter around your critical infrastructure network is crucial. Understanding and identifying connectivity beyond typical access points greatly improves a plan's effectiveness (see "Protect Your Plant").
Personnel security. Operating companies should review the access that all employees, contractors and vendor staff have to computerized systems and regularly update their access privileges. Create different access levels and grant only the access required for a person's specific role. Establishing personal accounts allows monitoring of individual behavior on a network, tiering of user privileges and changes to each individual account.
Awareness and training. A comprehensive security plan must involve sensitizing personnel to the need for security, types of behavior that could compromise it, and consequences of a security breach. This will give staff insight into what types of vulnerabilities potentially could jeopardize a network's integrity.
Monitoring and incident response. Continual checking of networks for security risks and vulnerabilities must figure in any comprehensive cyber-security solution. Steps such as installing and updating anti-virus software and security patches, and filtering e-mail attachments are simple but important. Installing intrusion detection systems (IDS) to watch network activity for unauthorized and malicious activity is another worthwhile proactive move. Deploying a security event management (SEM) device to monitor intrusion detection systems, electronic security perimeter devices and all remote access activity is an efficient means to gauge the cyber-security posture of a network. A SEM console can provide detection, alerting and automatic response to cyber-security incidents — quickly containing and mitigating threats and vulnerabilities.
Business continuity and disaster recovery. Good cyber-security posture should include planning to ensure continuity of operations and facilitate restoration of all critical cyber assets. Given the stress, uncertainty and potential disruptions that occur after an attack, consider such issues right from the outset.