Many chemical plants now need to upgrade or replace their aging process control systems. Modernization offers substantial benefits — such as lowering costs, increasing control system effectiveness as well as plant performance and flexibility, generating real-time business intelligence from operational data, and easing regulatory compliance. However, it also raises significant issues, including security and regulatory-compliance ones.
Five major hurdles to achieving and maintaining security and compliance are:
1. Lack of "last mile" coverage and instrumentation for device visibility;
2. Not so automatic "automation;"
3. Data overload;
4. Inability to detect anomalous behavior; and
5. Collection, analysis, and workflow lifecycle integration.
In this article, we’ll look at what you can do to overcome these hurdles.
Plant control systems increasingly are leveraging wireless and business connectivity to expand their reach and effectiveness. Gaining faster access to more granular and real-time data from remote endpoints can produce substantial operational benefits. However, from a security perspective such expansion introduces new risks.
One of the primary security issues is posed by intelligent endpoints such as programmable logic controllers (PLCs) and remote terminal units. Because these lack local or remote logging capabilities, they can’t adequately log relevant security and operational events. However, plants covered by the U.S.’s Chemical Facility Anti-Terrorism Standards (CFATS) must collect data, such as events and configuration details, to adhere to these standards. Furthermore, interactive remote access to these endpoints can be cumbersome, hard to achieve or only available in an insecure manner.
What you can do: To address the lack of visibility into these devices, consider placing network sensors near them in the control system to detect events that normally would appear in event logs. Network intrusion detection systems (NIDSs) and network flow tools are two options that provide potential workarounds for this lack of endpoint visibility. NIDSs effectively monitor network traffic to and from endpoints. NIDS devices can be configured to trigger on events such as when shutdown or reset commands are sent to PLCs or when privileged-user accounts are logging into them. Most NIDSs also enable users to create customized rules to accommodate unique plant requirements. Moreover, they usually allow signatures to be built around the Modbus, ICCP and DNP3 protocols common in industrial process environments.
Additionally, because many of the industrial protocols used in chemical plants today lack solid authentication and security features, consider protocol-aware gateways or firewalls to restrict access and add another layer of security.
NOT SO AUTOMATIC "AUTOMATION"
Plant managers also are facing growing internal and external (regulatory) mandates, such as CFATS, and either already are or soon will be required to produce and report on enormous amounts of data. So, they must find an efficient and secure way to deal with this growing operational and administrative burden. Compounding the problem, sites often have hybrid environments with multiple control systems from different vendors. Each of these systems may provide its own point solution to help address particular aspects of these requirements. This results in a patchwork of systems and functionality with overlaps that make system management difficult and confusing.
Managing multiple point solutions is a suboptimal approach. Instead of simplifying operations, it complicates matters and increases administrative overhead. For these reasons, many plant managers resist fully automating their monitoring and data collection processes, or simply can’t get an automation project started because they lack the resources or expertise to handle the additional overhead.
This inability to fully automate data collection efforts often leads to partial automation efforts. Examples include manually running scripts on each individual host or remotely running scripts that have to be manually initiated. These half-measures are neither thorough nor rigorous and typically yield incomplete results. Moreover, lack of experience in writing scripts potentially may pose risks to the availability of control systems. Reliance on such manual scripts is a common problem that prompts the adoption of unsustainable processes and robs engineers of time better spent on running and optimizing plant operations.
What you can do: Many solutions for automating data collection processes safely, securely and effectively are available on the market. By embracing a fully automated approach to this increasingly strategic activity, plant managers can safely meet their data collection and reporting requirements. Full automation also delivers the benefit of greatly reducing or eliminating tedious time-consuming, expensive and error-prone manual processes.
It’s important to understand that automated data collection isn’t the same as "network scanning." Automated data collection takes advantage of a control system’s built-in administrative capabilities, collecting data in a controlled manner while creating very little overhead on the endpoints. In contrast, network scanning is associated with network-based port scanning, which, if not done carefully, can affect the availability of the control system.
Frequently, raw output from tools used to collect security and compliance data is all encompassing and complete. That’s the good news. The bad news is that this usually creates an overwhelming amount of data that requires specialized knowledge to understand. One common example of the data overload problem is log data that are dutifully collected and carefully stored in a repository but then never looked at nor analyzed. Understanding the data is one thing but finding that proverbial "needle in the haystack" is another. Process engineers may know the systems very well but interpreting the log output from a variety of device types can pose a real challenge. Gaining insight and business value from log files often requires specialized knowledge and experience, especially when it comes to correlating events. If plant staff doesn’t possess the requisite skills, the data collection exercise can wind up an enormous waste of time and money.