A STARTING POINT
Aggressors usually will strive to do the most harm possible — and, for the chemical industry, that means attacking safety and reliability. There are a number of ways to rise to this challenge, according to Byres.
For example, Tofino has worked on a project that involved turbines built by Caterpillar for use by the oil and gas industry in remote locations. The solution chosen here was read-only firewalls. The process can be analyzed remotely but not altered. "You have to be onsite to make such changes. I think that's a reasonable approach; I think there is good justification for separating remote monitoring from remote programing."
Another option is to use a rendezvous site to which both the local user and remote control engineer connect. The link ends when the action in question is complete.
For those many chemical plants that shut down only rarely, Tofino — working alongside Honeywell, Invensys and Schneider — has developed drop-in firewalls. Now one of the company's biggest businesses, these firewalls typically are used in front of safety systems and clusters of controllers.
Then there's the question of patching versus compensating controls. Often older control equipment can't be patched because the vendor has discontinued it and has stopped offering patches.
Time also is a factor. Every change made to base PLC or DCS code has to go through a detailed validation process before patches can be released. Byres notes that one PLC vendor took four months to issue a patch after vulnerabilities in its products were published on the Internet. In contrast, it only took Tofino ten days to build and validate the necessary compensating controls for these vulnerabilities. This is because the compensating control rules are independent of the PLC software and, so, are a lot easier to create and test. "For firewalls, the same validation process is there, but there is less to test — basically: 'Do the rules block the bad messages and allow the good messages?' That is a lot simpler and quicker," he says.
SECURING THE CYBER PERIMETER
Two main factors account for the success of unauthorized, unqualified people in accessing safety-critical networks within chemical companies, says Andrew Ginter, VP industrial security for Waterfall Security Solutions, Calgary, AB.
First, is the tendency for large chemical companies to centralize engineering functions. "So remote access is used to handle engineering issues and Waterfall is particularly concerned that it is being targeted by hackers. Centralized support might be great for saving money, but it's very bad for security," he notes.
Second, is the perennial problem of the difference between how IT and control systems are managed. "There has always been a significant difference, but people are only now just beginning to realize quite how big this really is."
As an example, Ginter contrasts how standard IT network management works versus how the safety instrumented systems (SISs) for a chemical plant are implemented.
While both have some elements of engineering change control in them, standard IT management has a greater focus on ongoing aggressive change for anti-virus signature and patch/security management. IT networks face constant and pervasive threats — every web page and email could be an attack — and threats continually evolve. To an extent, staying ahead of the bad guys requires ongoing change. In contrast, he notes: "The SISs are the devices and controllers whose sole purpose in life is to watch for unsafe conditions and trigger safety shutdowns when those conditions are observed — and their management is inevitably extremely cautious."
In terms of how chemical companies are approaching cyber security, the focus is very much on DCSs and the technologies and processes unique to control systems. Ginter highlights three main ones:
1. Device firewalls. These control which equipment can send commands to devices and, sometimes, what commands can be sent. Thus, compromised hosts can't sabotage device operations simply by sending commands — more sophisticated attacks are needed.
2. Application control (also known as whitelisting). Rules describe software that is recognized and authorized to run, and forbids any unrecognized software to run. This effectively blocks conventional malware and even most zero-day attacks (i.e., ones where defenders don't have prior awareness of a vulnerability). The rules may contain file names, file sizes, modification dates and cryptographic checksums. However, as software changes the rules must be updated, too — a process that modern application control systems use sophisticated software packages to manage. "Maintaining this list of approved software is in a sense an expected and welcome part of the process of reviewing and approving changes in a tightly change controlled environment," says Ginter.
Some vendors now are installing whitelisting systems. For example McAfee has partnered with Siemens Industry Automation Division, Hannover, Germany, to develop its Application Control solution against disruptive software, advanced persistent threats and zero-day malware attacks. Honeywell also promotes whitelisting as one of a number of valuable cyber-security techniques (see: "Better Protect Your Control System," www.ChemicalProcessing.com/articles/2012/better-protect-your-control-system/).
3. Unidirectional security gateways. Waterfall developed its hardware-enforced unidirectional security gateways in Israel in 2004. They now are widely used by process companies in that country. Currently the company's biggest installed base in North America is in power generation, with the chemicals and refining sectors growing quickly in importance.
While traditional firewalls essentially are software, a unidirectional gateway is hardware. In Waterfall's case, it's made up of two boxes, with a laser in the first and a receiver in the second. A short fiber-optic cable links the two boxes. Standard fiber-optic components include a laser and a photocell in each chip, so that a computer using the chip can both send and receive information. Waterfall's chips have only one or the other. As a result, the transmit gateway only can send information and the receive gateway only can receive information. There's no laser in the receive gateway to send any malware, or remote control attack, or anything at all back over the fiber to the transmit gateway.
While such a solution initially appears to rule out any kind of remote support, actually a number of options exist, with the choice depending upon the needs and sophistication of the user, notes Ginter.
Within the hierarchy of plant control, two kinds of network interfaces are proving equally popular locations for unidirectional security gateways. One is the interface between SIS and DCS networks. "This interface is ideal because, as a rule, you want to monitor the safety systems to determine if they are operating correctly, but you do not want to change them much at all. You do not routinely send commands to safety systems — this is where engineering change control kicks in big-time. Ideally, safety systems do their thing continuously and without depending on any other system or commands for correct operation. You want to protect the safety systems absolutely from tampering from outside networks, but you still want to see that they are working correctly," he explains.
The second is the more traditional interface between plant/operations and corporate networks.
Ginter believes the jury is still out on whether the future of control system cyber security includes routinely applying to DCS systems "host hardening" techniques — such as host firewalls, anti-virus, security updates, per-user passwords and device communications encryption — or on having a network full of soft targets such as control systems that are protected by strong physical security and network perimeter security mechanisms. Applying "constant aggressive change" techniques to systems directly or indirectly involved with the safe operation of chemical plants can pose serious risks, he notes.
"Whatever the answer, chemical control systems protections must always lag IT protections to some extent and, so, the cyber perimeter protections will always be disproportionately important in protecting the soft center of control systems," Ginter concludes.
Seán Ottewell is Chemical Processing's Editor at Large. You can e-mail him at firstname.lastname@example.org.