Certain "high risk" chemical facilities present the potential for massive civilian and environmental impact from possible terrorist attacks. Release of chemicals can lead to a major catastrophe, such as the thousands of deaths that followed the leak of methyl isocyanate at a pesticide plant in Bhopal, India, in 1984 (see: "Grasp All the Lessons of Bhopal").
Even sites that use rather than process chemicals can pose substantial hazards. For instance, in 2007 a faulty alarm at a water treatment facility in Spencer, Mass., caused release of excess sodium hydroxide into the water supply, ultimately injuring more than 100 people. Although to date there've been relatively few direct attempts at compromising chemical facilities, many such sites may lack the necessary levels of protection to properly defend themselves against a sophisticated physical or cyber attack.
So, the U.S. Department of Homeland Security (DHS) on April 9, 2007, issued Chemical Facility Anti-Terrorism Standards (CFATS) that aim to ensure effective security at high-risk sites. The mandate of CFATS has been extended to October 2010 and the responsible subcommittee has recommended extending it further to 2015. Every affected facility must conduct a security vulnerability assessment and implement security measures that meet risk-based performance standards (RBPS), which cover such areas as perimeter security, access control, personnel authorization and cyber security. (For a podcast about CFATS, go to www.ChemicalProcessing.com/multimedia/2010/cfats_podcast.html.)
The DHS published a RBPS guidance document in May 2009, to assist high-risk chemical facilities with selecting and implementing appropriate security measures as well as to help DHS personnel with evaluating RBPS compliance.
Many chemical facilities now are in the throes of complying with CFATS. It's crucial that such sites understand practical ways to successfully implement these standards.
Field Surveys Provide Troubling Findings
In the past two years Industrial Defender has assessed more than 40 critical infrastructure facilities, including chemical plants, refineries, power stations and pipeline systems. These evaluations have uncovered some widespread cyber-security issues:
- Almost all sites had machines with missing patches. Almost half had machines missing entire service packs. Viruses, worms and other malware spread quickly through networks of unpatched machines. That said, patching control systems isn't straightforward. Vendors only support some control system products with recent operating system patches. Many sites don't have test beds that can adequately check operating system patches before their deployment. Many also lack sufficient redundancy in their production control systems to be confident that if a patch impairs operation of a system component other not-yet-patched components can pick up the load.
- More than one-quarter of sites have weak firewall rules. Almost all sites had firewalls separating their control systems from their enterprise networks. However, a poorly configured firewall provides much less than expected protection for control system components. For example, configuring the firewall to give the workstation of a trusted administrator complete access to any component of a control system means a worm infecting that workstation has full run of the control system as well.
- More than 10% of sites still use dual-zoned hosts. People pay for security technologies like firewalls and VPN servers because setting up an arbitrary host to securely connect to more than one security zone is very hard to get right. As a rule, every dual-zoned host, whether a historian server or an administrator workstation, represents a serious security vulnerability. Dual-zoned hosts were described in the early days of control system security as a "better than nothing" measure to separate security zones until money could be obtained for a purpose-designed network security component. The time has come to eliminate dual-zoned hosts from control system network designs.
Between 2002 and 2008 Industrial Defender performed more than 100 security assessments on critical infrastructure facilities such as chemical plants, refineries, water treatment units, power stations and pipeline systems — and found more than 38,000 control system vulnerabilities. Assessments over the last two years continued to show widespread problems (see sidebar). With these results in mind, this article highlights various security measures and practices that chemical facilities strongly should consider to meet "RBPS 8," which is the cyber component of the RBPS.
Key Implementation ChallengesThe objective of RBPS 8 is to help deter cyber sabotage as well as prevent unauthorized onsite or remote access to critical computerized systems, including those for supervisory control and data acquisition (SCADA) and distributed control. Here are some aspects that deserve particular attention:
Security policy. CFATS compliance begins with an effective security policy. Plans, processes and procedures that address a network's specific sensitivities are the starting point of any successful cyber-security plan. Developing and using a change management process to support necessary cyber-security updates to a network and reduce the chance of human error are important elements of an effective security policy. In addition, designating a particular individual to oversee cyber-security efforts establishes accountability and oversight.
Access control. To boost efficiency business and control networks increasingly allow interconnectivity. Unfortunately, the more interconnected and accessible a network is, the more vulnerable it may be. So, setting up an electronic security perimeter around your critical infrastructure network is crucial. Understanding and identifying connectivity beyond typical access points greatly improves a plan's effectiveness (see "
Protect Your Plant.")
Personnel security. Operating companies should review the access that all employees, contractors and vendor staff have to computerized systems and regularly update their access privileges. Create different access levels and only grant the access required for a person's specific role. Establishing personal accounts allows for monitoring individual behavior on a network, tiering of individual user privileges and making changes to each individual account.
Awareness and training. A comprehensive security plan must involve sensitizing personnel to the need for security, types of behavior that could compromise it, and consequences of a security breach. This will give staff insight into what types of vulnerabilities potentially could jeopardize a network's integrity.
Monitoring and incident response. Continual checking of networks for security risks and vulnerabilities must figure in any comprehensive cyber-security solution. Steps such as installing and updating anti-virus software and security patches, and filtering e-mail attachments are simple but important. Installing intrusion detection systems (IDS) to watch network activity for unauthorized and malicious activity is another worthwhile proactive move. Deploying a security event management (SEM) device to monitor intrusion detection systems, electronic security perimeter devices and all remote access activity is an efficient means to gauge the cyber-security posture of a network. A SEM console can provide detection, alerting and automatic response to cyber-security incidents — quickly containing and mitigating threats and vulnerabilities.
Business continuity and disaster recovery. Good cyber-security posture should include planning to ensure continuity of operations and facilitate restoration of all critical cyber assets. Given the stress, uncertainty and potential disruptions that occur after an attack, consider such issues right from the outset.
System development and acquisition. Integrate cyber security throughout both new and existing network infrastructure to make certain appropriate budgeting, personnel and security requirements are established early in the process. The September 2009 DHS publication "Specific Cyber-Security Procurement Language for Control Systems" (
www.us-cert.gov/control_systems/pdf/FINAL-Procurement_Language_Rev4_100809.pdf) provides examples of useful security requirements.
Configuration management. An up-to-date inventory of all hardware, software information and services on a network will allow for locating, tracking, diagnosing and maintaining your network more efficiently. Compiling a cohesive set of network architecture diagrams ensures a comprehensive understanding of connectivity and vulnerabilities.
Audits. Continually re-evaluating the security posture of the plant environment is crucial for maintaining sound cyber security. Such audits provide early identification of weaknesses.
Offsite issues. Modern chemical facility infrastructures may have staff and partial or entire networks located in remote locations. As a result, cyber security isn't limited to the physical site. Implement a comprehensive plan to secure all aspects of network connectivity, including onsite and remote networks and access for any people who use the network, including employees, contractors and vendor personnel.
Interconnectivity of critical and non-critical systems. Any access point can serve as a gateway for malicious cyber activity. So, understanding the type and number of access points for all critical and non-critical systems is an important component of an effective cyber-security policy. Protecting the interconnectivity access points between critical and non-critical systems with appropriate technologies, processes and procedures is the most effective means to secure this interconnected environment.
Physical security for cyber assets. It's essential to protect the equipment itself with a physical security perimeter and, if appropriate, by limiting access to its storage. Educating employees about off-limit areas (control rooms, wiring closets, etc.) and restricting access helps improve physical security.
Layered security. No single measure is as effective as multiple integrated ones. Developing a layered defense-in-depth approach is essential for ensuring adequate protection of the plant network and critical cyber assets within the network.
Make the right moves
The most effective approach to meeting the CFATS cyber-security standard includes a comprehensive vulnerability assessment of physical and cyber aspects of a site, and layered defense-in-depth cyber security. Evaluating and addressing cyber-security issues demand deep domain-level expertise in industrial control and SCADA systems. Also, bear in mind CFATS and RBPS guidance will evolve. In particular, the DHS has indicated that it plans to revise RBPS Guidelines periodically to reflect lessons learned and new security approaches. Revisions likely will make them more stringent, so companies should consider preparing now for these stricter mandates.
ANDREW GINTER is chief security officer for Industrial Defender, Foxborough, Mass. E-mail him at [email protected].
