Build Better Cyber Security

Cyber security has received a big boost lately. Unfortunately, it wasn't the type of boost chemical makers were hoping to see.

A 2010 attack by malware dubbed Stuxnet that targeted control systems (see: "Industry Gets Cyber-Security Reality Check,") has thrust the concept of cyber security further into the spotlight of major concerns of manufacturers in the process industries and elsewhere. It has prompted many a chemical maker to ask:

Is my plant vulnerable to attack?

What if my facility is hit with the next version of Stuxnet?

Do we have the appropriate policies in place?

What about Chemical Facility Anti-Terrorism Standards (CFATS)? Are we in compliance?

In short, if a company wasn't already scrambling to research, create and implement an effective cyber-security program, Stuxnet certainly provided the impetus. It underscored that a strong cyber-security program is a necessity for manufacturers today.

Cyber security plays a crucial role in ensuring the reliability and robustness of the networks that a plant's critical applications run on. Implementing a baseline security model across a facility — whatever the industry — increases the likelihood of safe, dependable operations and minimizes potential security incidents. So, cyber security clearly is destined to become as entrenched in the process industries as a "safety culture" has over the last few decades. Like with safety (see: "Make Safety Second Nature"), chemical makers must achieve a cultural change. This requires not just a project but an ongoing program.

Building Blocks

Figure 1. Three crucial steps underpin effective cyber security.

The prospect of doing anything — let alone running a cyber-security program — perpetually may seem overwhelming. However, this daunting task is achievable by breaking it into three key steps: inventory, integrate and implement (Figure 1).

INVENTORY ASSETS
The first step in developing any security program — physical, cyber, or both — is assessing a plant's current measures. In terms of cyber security, this means taking inventory of assets.

In industries where cyber-security regulations already are in place, operators must provide a list of their critical cyber assets. Getting started on an inventory immediately can help chemical makers ensure they're not left scrambling. CFATS doesn't explicitly call for such a list today — but may as its cyber component evolves.

A cyber inventory provides plants with the information needed to make informed decisions about cyber-security priorities. In addition, regulatory bodies require such an inventory for judging whether a facility is in compliance or not. Finally, a comprehensive asset inventory eases end-of-life planning, upgrades and long-term management of key safety or legacy process control and other systems. So, developing such an inventory is a great place to start.

Most facilities don't know precisely what's plugged in on the plant floor; it isn't always easy to determine. Managing compliance requires a robust inventory, including:

• IT inventory (operating systems, IP addresses, user permission levels, etc.);
• operational inventory (control systems and software, etc.);
• logical inventory (the network locations of assets);
• physical inventory (the real locations of assets); and
• security system inventory (what security solutions are in place, and where they sit).

Performing a physical inventory provides crucial insight into who has access to the asset; it also allows for a visual inspection of the asset, which can lead to important information that isn't available through other means. For example, have some assets on the plant floor been powered down or decommissioned? What about assets that aren't plugged in, or that have open ports, switches and modems that are supposed to be turned off when not in use? Does an asset have multiple network cards for accessing different network segments? Laboratory information management systems and centralized data historians are good examples of assets that often connect to multiple networks. Without a visual inspection it would be easy to miss this information, which is an important consideration for incident response plans and backup and restoration programs.