Stuxnet and Shamoon acted as a wake-up call about the dangers of cyber attacks for many in the chemical industry and beyond. (For details about these two attacks, see “Potentially Serious Threat Targets Control Systems,” and “Recent Security Breach at Saudi Aramco Solidifies the Notion of Preparing for the Worst.") Unfortunately, cyber threats persist and are growing in number.
“The entire critical infrastructure is now under threat,” warns Bob Huba, Emerson Process Management product manager/system security architect marketing/business development, Round Rock, Texas. “Everyone and everything is a target,” adds Jay Abdallah, Schneider Electric’s EMEA cyber security manager, Jebel Ali, Dubai.
For automation vendors such as Emerson Process Management and Schneider Electric and specialist firms like Waterfall Security Solutions, Calgary, Alberta, and PAS, Houston, that offer defenses against cyber threats, the challenge is both to provide chemical companies with the cyber security they need, and to ensure the companies understand what these offerings really can — and can’t — deliver.
“Before Stuxnet, users thought they were not security targets and were secure by being obscure. Security was not a ‘hot topic’ for them. Then came Aramco and Shamoon, and there is now a lot more emphasis on security by our customers. As a result, we’ve added more features and certifications to our products since then,” notes Huba.
THE ROLE OF CERTIFICATIONS
Emerson has been Achilles Communications level 1 certified since DeltaV version 8 in 2006. (The certification comes from Wurldtech, Vancouver, B.C., which offers two security certification programs, Achilles Communications for device robustness with wire and wireless communications protocols, and Achilles Practices for practices used in system development lifecycle processes.) The company currently is working on Achilles Communications level 2, which should be completed in early 2015. In addition, the company has been Achilles Practices certified since 2011 and will complete its third annual certification by the end of 2014.
Users certainly should look for such certifications, says Huba. However, the success of any solution depends on how well a particular user understands cyber security as a whole, he cautions. “Certification doesn’t make you secure; what it does do is assure the user that we have done a certain level of testing and have the expertise and awareness needed for that piece of equipment. It’s very, very different from ATEX certification, for example, which gives a guarantee against a piece of equipment failing. You can’t get an absolute guarantee of security.”
It’s important that users understand what the different certifications actually signify, he notes. Achilles Communications level 1, for example, means equipment can withstand a certain level of attack before it starts to respond inappropriately. ISA Secure (from the Security Compliance Institute of the International Society of Automation, Research Triangle Park, N.C.) adds some nuances to this, but is still focused on devices rather than systems. On the other hand, Achilles Practices certification means that a vendor complies with the cyber security standard of the International Instrument Users Association (WIB), Den Haag, the Netherlands, and thus is capable of providing products and services that make systems more secure.
“I don’t think customers grasp this difference. They have to be intelligent about security in order to make intelligent decisions on what it can really do. While safety certifications ensure products are certified, systems and procedures have also to be put into place for full system security. Right now, however, there is no system certification for cyber security,” Huba stresses.
Cyber threats won’t disappear. So, you’re never done; there are no “plug in and forget” solutions, he adds. Keeping up-to-date with upgrades, updates, patches and the like is essential; constant vigilance is very important.
To spur such vigilance, Emerson is striving to educate customers on the whole security issue. At the heart of this is an effort to ensure people on the operations side get a much better understanding of what people on the information technology (IT) side are doing and vice versa (Figure 1).
“Companies are in different places with this IT/automation understanding, but for progress you have to understand how an automation system is designed, developed and run. Once IT and operations people understand each other and work together, we will get very much better security,” he concludes.
While everything is a potential target, the success of any attack depends on the inherent vulnerabilities, the criticality of the assets and the ability to exploit these weaknesses — whether in the control, supervisory-control-and-data-acquisition (SCADA) or safety systems or in web gateways, databases or email infrastructure, stresses Schneider Electric. So, as the industry moves toward ISA Secure regulations, particularly EDSA (embedded device security assurance), SSA (system security assurance) and IEC 62443 (network and system security for industrial-process measurement and control), all Schneider Electric automation developments now encompass security from concept to delivery.