He points to the safety culture that has emerged in the chemical industry over the last 20 years as a model for how this could happen. "Security needs to follow along the same lines now: it must become a top-to-bottom culture with programs that are both technical and procedural. Nothing works unless this is in place first."
BP, Exxon and Shell in the oil and gas sectors and Dow and DuPont in chemicals exemplify how a safety culture can become a security culture, he says. "The management of these companies really understands the security challenge because they already have sophisticated risk-management cultures. So they have concepts in place that allow them to measure and predict risks far better than other companies."
Byers also cites the findings of a major oil company that recently evaluated the risks and consequences on an offshore oil platform associated with a serious fire versus those of a cyber attack. It determined they were almost identical in terms of cost and loss of life. Yet the company was spending $50 million/yr on platform fire suppression but only $1 million/yr on cyber security. "This spend was instantly increased. This is a level of risk sophistication that is lacking in many other companies."
Such a lack of sophistication was evident at a distributed control system (DCS) vendor's users' conference he attended shortly after Stuxnet appeared last June. While delighted to see operating company managers there treating malware as a serious problem, he was shocked that one proposed solution involved filling USB ports with silicone. "I realized how badly these people were missing the point. Use as much silicone as you like, it won't make any difference. The next attack will come via a PDF or some other source."
Byers' second priority is to firewall off mission-critical systems such as safety systems. "Remember that Stuxnet only had to attack one system because both control and safety were bundled together in the system it infected; all the eggs were in one basket," he cautions.
Once the low-hanging fruit such as safety systems have been tackled, you must start to work back. "You need what I call multiple prongs: the people and their culture; then mission critical systems; then standards. The new ANSI/ISA-99 and IEC 62443 standards are concerned with dividing plants into different security zones, so that no worm gets a free rein."
STEPS TOWARD SOLUTIONS
Byers emphasizes that the white paper really focuses on problems rather than solutions. However, a number of papers on solutions are currently being developed.
The first concerns OPC and related protocols for open connectivity. With input from Matrikon (now part of Honeywell), Edmonton, AB, the paper will propose solutions to ensure that OPC gets through but a worm cannot, says Byers. It is due to be published this month.
The second paper involves work with an as-yet-unnamed software company to help operating companies better understand network traffic on the plant floor. "Most companies suffer from a lack of visibility about what is going on in their networks. If people had been watching the network that Stuxnet infected they would have seen all sorts of new traffic: pieces of equipment talking to each other that had never done so in the past, for example." This paper is due to appear in the spring.
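The kind of network visibility Byers describes, noticing devices that start talking to each other when they never did before, can be approximated with a baseline-and-diff check over flow records, combined with the zone-and-conduit idea from the ISA-99 / IEC 62443 discussion above. The following is an added example, not code from the article or from any company it mentions; the device addresses, zone assignments, allowed conduits and flow records are all constructed sample data, and the zone model is a deliberately simplified stand-in for the standards' zoning.

```python
from collections import Counter

# Constructed zone model: which zone each (hypothetical) device lives in.
ZONES = {
    "10.1.0.5": "control",   # DCS controller
    "10.1.0.6": "control",   # second controller
    "10.1.0.9": "safety",    # safety instrumented system
    "10.1.1.20": "hmi",      # operator workstation
    "10.1.1.21": "hmi",      # engineering workstation
}
# Constructed conduit allow list: zone pairs permitted to exchange traffic.
ALLOWED_CONDUITS = {("hmi", "control"), ("control", "hmi")}
# Constructed learning-window flows: HMIs polling controllers, nothing else.
BASELINE_FLOWS = [
    {"src": "10.1.1.20", "dst": "10.1.0.5", "dport": 102},
    {"src": "10.1.1.20", "dst": "10.1.0.6", "dport": 102},
    {"src": "10.1.1.21", "dst": "10.1.0.5", "dport": 102},
]
# Constructed later flows: a normal poll, a controller talking to a peer it
# never spoke to before, and a workstation reaching into the safety zone.
LATER_FLOWS = [
    {"src": "10.1.1.20", "dst": "10.1.0.5", "dport": 102},
    {"src": "10.1.0.5", "dst": "10.1.0.6", "dport": 445},
    {"src": "10.1.1.21", "dst": "10.1.0.9", "dport": 102},
]

def learn_baseline(flows):
    """Record every (src, dst, dport) conversation seen in the quiet window."""
    return {(f["src"], f["dst"], f["dport"]) for f in flows}

def detect(flows, baseline):
    """Yield (reason, flow) for traffic an operator should look at:
    'new-conversation' = pair never seen in the learning window;
    'zone-violation'   = crosses zones without an allowed conduit."""
    for f in flows:
        if (f["src"], f["dst"], f["dport"]) not in baseline:
            yield ("new-conversation", f)
        src_zone, dst_zone = ZONES.get(f["src"]), ZONES.get(f["dst"])
        if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_CONDUITS:
            yield ("zone-violation", f)

def summarize(alerts):
    """Count alerts by reason for a one-line report."""
    return Counter(reason for reason, _ in alerts)

if __name__ == "__main__":
    alerts = list(detect(LATER_FLOWS, learn_baseline(BASELINE_FLOWS)))
    for reason, f in alerts:
        print(f"{reason:17} {f['src']} -> {f['dst']}:{f['dport']}")
    print(dict(summarize(alerts)))
```

Run against the constructed data, the controller-to-controller flow is reported as a new conversation only, while the workstation-to-safety-system flow is reported both as a new conversation and as a zone violation.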