Also due out then is a third paper, on managing Modbus traffic. By creating deep-packet-inspection capabilities for firewalls that look inside Modbus messages, Byers says users will get very fine-grained control over exactly what they want a human/machine interface or workstation to be able to do over the network to a DCS, programmable logic controller (PLC) or safety integrated system (SIS). He cites the new Honeywell Modbus read-only firewall for SIS (see www.tofinosecurity.com/article/honeywell-selects-tofino%E2%84%A2-modbus-read-only-firewall-secure-critical-safety-systems) as an example of this.
Meanwhile, Rick Kaun, Matrikon's manager, industrial security and compliance, warns of a future fraught with risk. "Stuxnet proves the concepts of: (1) targeted attacks, on (2) control systems using (3) zero day exploits [those in which there's no time between when the vulnerability is discovered and the attack]. Add to this the recent revelation of Chinese hackers infiltrating oil and gas companies and the release of Stuxnet code to the public and you have a whole heap of potential risk. A perfect storm is coming."
Like Byers, he believes cyber security must be treated as an everyday plant issue -- just like safety. "Security isn't about being bulletproof. It's about operating facilities in a safe and secure way. So security needs to have the same philosophy or culture as safety. Security is about how quickly you can detect, contain, recover and learn lessons from an incident."
The U.S. chemical industry is giving increased attention to security because of the Chemical Facility Anti-Terrorism Standards (CFATS). However, Kaun feels a lack of emphasis on cyber security in CFATS has led to an overly strong focus on managing physical security. "There are notable exceptions, but still many in the sector have focused almost 100% on physical security and have done little or nothing yet with cyber security."
Matrikon's cyber-security philosophy has three aspects: people, process and technology. "You must address all three to be secure -- and people is the toughest one to nail down," says Kaun.
To show how challenging this can be, he cites the example of a security firm that went back to check on how a client was implementing a new and very rigorous cyber-security program. The security firm left a selection of USB sticks containing hidden data mining tools around the client's parking lot, reception area and cafeteria. "Within a day the tools were on the network. It's human nature to pick a USB up and plug it in. So if a customer doesn't really get what it's trying to do -- and enforce it -- then it is dead in the water," he warns.
He also points out that if the authors of Stuxnet hadn't used a USB stick as a key method of distribution, the attack would likely have taken much longer to detect. Siemens' web-based Simatic security update still is advising against use of any USB sticks or other mobile data carriers (Figure 1).
Cyber threats are impacting how Matrikon does business. For example, the internal risk-assessment group at one major industrial client has called in the company to assess the cyber security of specific control systems and networks. Matrikon is doing this through a combination of interviews, document reviews, physical login/inspections and control penetration testing. Using a system of likelihood and impact findings, Matrikon then will be able to provide a priority list for remediation.
This sort of assessment also appears as a new trend within Matrikon's own cyber-security projects. The last three customers all have requested that Matrikon return to assess whether their new security measures have been implemented properly and are being run effectively. "People are much more concerned now to know that everything is working properly. And this is important because, for example, a customer might have left the firewall ports open to conduct a vibration analysis and forgotten how to lock them down again," he says.