Cyber security has received a big boost lately. Unfortunately, it wasn't the type of boost chemical makers were hoping to see.
A 2010 attack by malware dubbed Stuxnet that targeted control systems (see: "Industry Gets Cyber-Security Reality Check,") has thrust the concept of cyber security further into the spotlight of major concerns of manufacturers in the process industries and elsewhere. It has prompted many a chemical maker to ask:
Is my plant vulnerable to attack?
What if my facility is hit with the next version of Stuxnet?
Do we have the appropriate policies in place?
What about Chemical Facility Anti-Terrorism Standards (CFATS)? Are we in compliance?
In short, if a company wasn't already scrambling to research, create and implement an effective cyber-security program, Stuxnet certainly provided the impetus. It underscored that a strong cyber-security program is a necessity for manufacturers today.
Cyber security plays a crucial role in ensuring the reliability and robustness of the networks that a plant's critical applications run on. Implementing a baseline security model across a facility — whatever the industry — increases the likelihood of safe, dependable operations and minimizes potential security incidents. So, cyber security clearly is destined to become as entrenched in the process industries as a "safety culture" has over the last few decades. Like with safety (see: "Make Safety Second Nature"), chemical makers must achieve a cultural change. This requires not just a project but an ongoing program.
The prospect of doing anything — let alone running a cyber-security program — perpetually may seem overwhelming. However, this daunting task is achievable by breaking it into three key steps: inventory, integrate and implement (Figure 1).
The first step in developing any security program — physical, cyber, or both — is assessing a plant's current measures. In terms of cyber security, this means taking inventory of assets.
In industries where cyber-security regulations already are in place, operators must provide a list of their critical cyber assets. Getting started on an inventory immediately can help chemical makers ensure they're not left scrambling. CFATS doesn't explicitly call for such a list today — but may as its cyber component evolves.
A cyber inventory provides plants with the information needed to make informed decisions about cyber-security priorities. In addition, regulatory bodies require such an inventory for judging whether a facility is in compliance or not. Finally, a comprehensive asset inventory eases end-of-life planning, upgrades and long-term management of key safety or legacy process control and other systems. So, developing such an inventory is a great place to start.
Most facilities don't know precisely what's plugged in on the plant floor; it isn't always easy to determine. Managing compliance requires a robust inventory, including:
• IT inventory (operating systems, IP addresses, user permission levels, etc.);
• operational inventory (control systems and software, etc.);