System development and acquisition. Integrate cyber security throughout both new and existing network infrastructure to make certain appropriate budgeting, personnel and security requirements are established early in the process. The September 2009 DHS publication "Specific Cyber-Security Procurement Language for Control Systems" (www.us-cert.gov/control_systems/pdf/FINAL-Procurement_Language_Rev4_100809.pdf) provides examples of useful security requirements.
Configuration management. An up-to-date inventory of all hardware, software information and services on a network will allow for locating, tracking, diagnosing and maintaining your network more efficiently. Compiling a cohesive set of network architecture diagrams ensures a comprehensive understanding of connectivity and vulnerabilities.
Audits. Continually re-evaluating the security posture of the plant environment is crucial for maintaining sound cyber security. Such audits provide early identification of weaknesses.
Offsite issues. Modern chemical facility infrastructures may have staff and partial or entire networks located in remote locations. As a result, cyber security isn't limited to the physical site. Implement a comprehensive plan to secure all aspects of network connectivity, including onsite and remote networks and access for any people who use the network, including employees, contractors and vendor personnel.
Interconnectivity of critical and non-critical systems. Any access point can serve as a gateway for malicious cyber activity. So, understanding the type and number of access points for all critical and non-critical systems is an important component of an effective cyber-security policy. Protecting the interconnectivity access points between critical and non-critical systems with appropriate technologies, processes and procedures is the most effective means to secure this interconnected environment.
Physical security for cyber assets. It's essential to protect the equipment itself with a physical security perimeter and, if appropriate, by limiting access to its storage. Educating employees about off-limit areas (control rooms, wiring closets, etc.) and restricting access helps improve physical security.
Layered security. No single measure is as effective as multiple integrated ones. Developing a layered defense-in-depth approach is essential for ensuring adequate protection of the plant network and critical cyber assets within the network.
Make the right moves
The most effective approach to meeting the CFATS cyber-security standard includes a comprehensive vulnerability assessment of physical and cyber aspects of a site, and layered defense-in-depth cyber security. Evaluating and addressing cyber-security issues demand deep domain-level expertise in industrial control and SCADA systems.
Also, bear in mind CFATS and RBPS guidance will evolve. In particular, the DHS has indicated that it plans to revise RBPS Guidelines periodically to reflect lessons learned and new security approaches. Revisions likely will make them more stringent, so companies should consider preparing now for these stricter mandates.
ANDREW GINTER is chief security officer for Industrial Defender, Foxborough, Mass. E-mail him at firstname.lastname@example.org.