Chemical makers are increasingly focusing on protecting their process control systems from intrusion both from the inside and outside. Many manufacturers have made great strides in building this defense; a small percentage of top-tier enlightened control system suppliers and customers are applying best practices.
To get started addressing the security challenge, companies will benefit by implementing a security feedback loop as depicted in Figure 1. The process involves assessing threats to identify vulnerabilities and then providing appropriate counter-measures to minimize risk to assets. Its goal is to build consistency and confidence in how threats are addressed.
The loop represents an ongoing process. Security awareness and defense continue to evolve to meet the ever-changing threats and new vulnerabilities.
Security depends not only on such a process but also on attitude. You must assume the attacker is at least as intelligent and motivated as the defenders. While the weakest points in the system are the most likely targets, small actions and inactions may incrementally improve or compromise security. One of the most significant vulnerabilities is complacency; security demands ongoing vigilance.
Several aspects of security now are relatively robust, including:
Risk assessment. One of the logical first steps in determining the exposure of a control systems environment, it provides a summary of risk areas and actionable recommendations to either remove or neutralize the risk.
Policies and procedures. Rectifying issues found during the assessment may demand developing or enhancing policies and procedures governing the control system — many requiring that people within the organization have an awareness of security and best practices (i.e., a security mindset).
Segregated process and information technology. Security areas are defined and then segregated using firewall technology, including specialized firewalls for critical process control devices.
Locked down/least privileged approach. Interaction of personal computers with the control system defaults to an access level that avoids risks.
Dealing with "Denial of Service" attacks. This involves recognizing vulnerabilities and developing avoidance policies and procedures for squelching such attacks.
Virus protection. Providing an organized approach for verifying anti-virus software and definitions are up-to-date is essential.
Microsoft patches. Procedures must ensure the patch level is maintained and appropriate for the environment.
Backup/recovery. A company must understand its backup/restore requirements and develop procedures that make sure backups occur at appropriate times and are stored for later availability, and that the process for recovery is well-understood and communicated.
Security audit log monitoring. Capturing and reviewing network history can lead to insights about areas needing attention.
The understanding of these aspects varies among control systems personnel today; some have an in-depth program to address risks and vulnerabilities, while others are unaware of the risk and impact of an intrusion. The idea that control systems aren't vulnerable is eroding because we have recent history, such as the Stuxnet attack, that indicates vulnerabilities do exist (see: "Industry Gets Cyber-Security Reality Check"); the ill intentioned can exploit these vulnerabilities and uninformed internal sources inadvertently can trigger them.