"The most recent incident at a chemical site that springs to mind is a copy of Conficker [worm] that made it on to the control system via a USB stick in the hands of a contractor. Our people saw an unusual number of dropped packets on the control system firewall — presumably the worm calling in to its control server. We alerted the customer, who found the worm and found that it had propagated to a number of adjacent control computers as well. The customer shut down the affected systems and cleaned them out."
Host intrusion prevention system (HIPS) products — also called whitelisting or application control — can prevent such infestations. A HIPS checks that software is allowed to run on a computer. If unauthorized software — like the Conficker malware — installs itself through some vulnerability and then tries to run, the HIPS software refuses to launch it. Some HIPS products come with technology to disable USB mass-storage devices entirely, without disabling other kinds of USB devices.
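The firewall observation in the incident quoted above, an unusual number of dropped packets from control-system hosts, can be turned into a simple per-host check. This is an added example, not part of the original article or of any vendor's product; the log format, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed log format (constructed for this example, not a real product's):
#   <timestamp> DENY src=<ip> dst=<ip> dport=<port>
LINE = re.compile(r"^\S+ DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+$")

def build_sample():
    """Constructed firewall deny log: four quiet hosts, two noisy ones."""
    drops = {"10.10.1.11": 2, "10.10.1.12": 1, "10.10.1.13": 3,
             "10.10.1.14": 2, "10.10.1.21": 40, "10.10.1.22": 35}
    lines = ["garbled line that the parser must skip"]
    for src, n in drops.items():
        for i in range(n):
            # Quiet hosts retry one internal peer; noisy hosts try many
            # different external addresses (documentation range).
            dst = f"198.51.100.{i + 1}" if n > 10 else "10.10.0.5"
            lines.append(f"2010-01-01T00:{i:02d}:00 DENY src={src} dst={dst} dport=80")
    return "\n".join(lines)

def summarize(log_text):
    """Return {src: (dropped_packets, distinct_destinations)}."""
    count, dests = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m is None:
            continue  # ignore lines that are not deny records
        count[m["src"]] += 1
        dests[m["src"]].add(m["dst"])
    return {src: (count[src], len(dests[src])) for src in count}

def flag_hosts(log_text, factor=5, floor=10):
    """Flag hosts whose drop count is far above the median host's."""
    stats = summarize(log_text)
    if not stats:
        return {}
    baseline = median(c for c, _ in stats.values())
    threshold = max(floor, factor * baseline)
    return {src: s for src, s in stats.items() if s[0] >= threshold}

if __name__ == "__main__":
    for src, (n, d) in sorted(flag_hosts(build_sample()).items()):
        print(f"{src}: {n} dropped packets to {d} distinct destinations")
```

More than one flagged host on the same control network matches the propagation to adjacent computers described in the quote.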
The cost of installing a HIPS is only a small part of what could be a substantial expense to implement the cyber-security aspects of CFATS.
"The problem with hardening the 'soft interior' of a control system is that hardening involves change," Ginter explains. "And, of course, controlling change is a very big deal in the chemical industry because of the need to keep the chemical process operating safely. Securing a control system component with patches, internal network segmentation, host firewalls, stopping unnecessary services, removing unnecessary software, installing anti-virus [AV], installing HIPS or even updating AV signatures regularly all involve change in the technology that is the heart of the control system. Anything you change has to be reviewed and tested for safety, and the cost of the reviews and testing increases drastically once you start making anything more than extremely small changes. Much of the time anything you do has to be reviewed and blessed by the control system vendor as well, if you want the vendor to continue supporting you."
On the other hand, he points out, an insecure system isn't safe either. "Microsoft stopped supporting Windows 2000 recently — many of our customers' sites are deciding right now whether they are going to spend money to upgrade their systems and retest them, or spend to more thoroughly segment their networks to make it harder for malware to propagate to and from these systems and retest that configuration, or to spend money to install other security like HIPS on those vulnerable systems, and retest that. This is the trade-off our customers struggle with every day."
According to Ryan Loughin, director, Petro-Chem & Energy Division, ADT Advanced Integration, Norristown, Pa., and CP's security blogger, the biggest concern he hears day-in and day-out from chemical companies affected by CFATS relates to cost. And the answer is by no means straightforward.
"So many factors go into the cost pot — for example, the geography of a site and its size. We talk about protecting the facility versus protecting the asset. Protecting the facility on a big Tier 1 site might involve monitoring five miles of perimeter fencing, for example. If you can't shrink the perimeter, then this becomes the most expensive scenario typically. On the other hand, at another similar-sized facility, the COI might be in a remote or segregated area within the site — in which case you could implement the perimeter around that asset and work your way out, with the level of security needed decreasing as you move further towards the main facility perimeter."
Relatively speaking, he says, the first scenario could cost $5 million to meet the RBPS, the second potentially $1 million.
Of course, smaller sites usually don't incur such costs. ADT has several clients that store hundreds of gas cylinders in warehouses on a small site. "We could cage up the warehouse and then work outwards as before to the perimeter. This might cost $50,000–$200,000 per site. However, [this adds up] if the client has 40 or 50 sites…," he notes.
Loughin also cautions that CFATS might well involve substantial ongoing costs. "For example, additional security personnel might be required. Additional perimeter lighting measures require additional ongoing power consumption. Also, the DHS is looking for a robust maintenance program and they have high expectations about the quality of these programs. As a company we are challenged with helping a covered facility not only reduce the capital cost but also in designing a system or program that will minimize the ongoing costs as well."
Overall Loughin believes that the DHS is working well with the industry and that having a successful dialogue between the two is vital to making the CFATS process as simple as possible. "DHS is definitely partnering with the industry: it wants common-sense, practical solutions after all."
Seán Ottewell is Chemical Processing's Editor at Large. You can e-mail him at firstname.lastname@example.org.