Market competition traditionally has driven the evolution of control systems. Not that long ago, most control systems were autonomous and built upon proprietary vendor technology, with solutions geared towards access to data, speed and functionality (or reliability). Access to data was the most important feature. At first many vendors built their own protocols or languages to allow for the transfer of data.
Soon the automation landscape became very proprietary and independent of other systems and protocols. Parallel to this was the development of Ethernet networks for business data networks. So, vendors started providing Ethernet compliance to enable communication between systems including those outside the plant environment. However, in the rush to market many vendors built ad hoc versions of protocols that worked for the purpose at hand but didnt address security.
Now most plants with control systems must contend with many pressures both to allow access to data and to secure those data. (Distributed control systems and supervisory control and data acquisition systems both face such challenges.) These opposing trends are driven by many forces, including data access to enable business decisions, vendor access for process improvements and advanced control exercises like loop tuning and alarm management, as well as for proving regulatory compliance.
However, this increasing need for access is further diluting the security of many of these systems and is putting many process control environments at risk. While in some plants this is a nuisance, for most a loss of control over a process can pose a serious safety threat. As one noted security professional who works for a major refinery once pointed out: Our industry is one such that a loss of access or control over our systems usually means someone dies.
Regardless of the potential harm, any plant with little or no security in and around its control system will at least lose production for some time. This can translate into rework, overtime, environmental release and other intangibles such as loss of competitive edge, investor confidence and potentially even the ability to stay in business.
The new push for control systems is to try to balance access and security. And the pressure is coming from many angles. Increasing market competition means that most plants are pushing the envelope to run faster, more efficiently and with less downtime. This is leading to more outside tuning and better visibility into production from specialized experts who may not be physically at the site.
An aging workforce is prompting many plants to automate more control of their assets and expect the same staff to manage and optimize more resources, thereby increasing their reliance on computers. More often than not these computers are running a Windows platform, which means all common threats usually targeted at corporate and business machines are now a potential threat to the production environment (see "Hardening plants is hard work").
However, traditional IT best practices cant always be applied to control systems. For example, the use of antivirus and patch management tools often can break the applications theyre designed to protect. In these cases the challenge is to find a way to make process control environments as secure as possible without breaking the control systems along the way.
In addition, plants increasingly must contend with security mandates. For instance, the U.S. Department of Homeland Security (DHS) is implementing the first-ever federal regulations for high risk chemical facilities (see "Get ready to comply with new security mandates"). The standard targets the storage, tracking and transportation of specific ingredients and products, and takes a holistic approach to threat mitigation addressing both physical and cyber-security.
Given these drivers, its worthwhile to explore what a pacesetter security program would involve and how it could affect the day-to-day lives of the people at plants.
The scope of the term security often seems vague and the sheer volume of effort and areas of concern it may represent can be overwhelming. However, this neednt be the case. In looking at a number of security frameworks or standards a common theme emerges that quickly is being adopted as a holistic and effective approach.
It combines efforts and initiatives that go far beyond the purchase and deployment of technology. Initiatives, such as SP99 from ISA, CIP 002-009 from NERC CIPC and 800-82 from NIST, offer different sections, headings and names for each of their areas of concentration but, in the end, all efforts usually center on three foundational areas: people, processes and technology. While well look at each of these areas, its important to emphasize the need for a critical preliminary developing a security philosophy that in turn fosters a security culture. Without such a philosophy and ongoing efforts towards creating and maintaining a strong security culture, momentum will be lost.
A security philosophy will differ for each company, industry and region but will share some common elements. It will state that security is:
- everyones concern; and
- a balancing act.
With such a security philosophy spelled out, a company is poised to effectively address the people, process and technology issues.
Always remember that people pose the biggest risk. So, extensive and ongoing effort is needed to educate, empower and enable all staff to recognize situations and events that can impact cyber-security and to have them respond appropriately. Provide general awareness training for all staff as well as more sophisticated training commensurate with a persons level of access to critical assets.
Effective processes, of course, are crucial, too. Indeed, a plants standards, guidelines, procedures and best practices offer some of the most obvious indicators of the success or failure of a security effort.
The specific security processes established will most likely have the biggest impact on the day-to-day operations and workflow of the facility. So, lets look at some of the more important and most helpful ones.
Change management. A proper change-management program is the single most often neglected yet potentially the most significant process to establish and maintain a more secure environment. Most chemical facilities have solid, established and well followed change-management programs but they usually only are deployed within the business environment or within certain aspects or systems on the plant floor. A proper industrial-security program will require the implementation of a very solid and closely followed change-management program for all assets in a plant.
Patch management. No program would be complete without a patch management process. The challenge is in creating a program that addresses the inherent limitations to patching within a process control environment.
Incident handling. The true measure of your security readiness is going to be how well you handle an incident when it happens an incident will occur at some point regardless of how well you prepare or how hard you try to prevent it. What counts is how much damage you can avoid by early and effective detection and mitigation with countermeasures. In other words, the sooner you see the wound and the faster you can stop the bleeding, the more effective your policy is. Among the processes that facilitate incident handling are team notification, escalation procedures during an incident, containment procedures (for slowing or stopping the spread of viruses), interim measures for resuming business and post-incident analysis.
Other processes. A proper security program must contain many other elements. To enhance security, consider, for example, processes for:
- disaster recovery;
- back up and restoration;
- fire drills;
- standards deployment;
- annual assessments;
- penetration tests;
- remote access policies;
- file transfer; and
- vendors and visitors.
The role of technology
Perhaps the most obvious and fundamental piece of the security puzzle is the technology aspect. When used correctly, technology is an enabling, tangible part of any security program. However, simply buying and installing technology doesnt necessarily improve a plants security. Technology investments must take into account the business model as well as physical topology and plant or operational requirements. Before deciding upon technology purchases or deployments, its crucial to first assess the potential impact of a new technology on workflow. If a firewall or new network topology interferes with access to data then it may not be best for the organization.
The first word that comes to mind when discussing technology and security is a firewall. This response is both good and bad. On the plus side, the fact that a company is using or intending to use a firewall means that security is a priority and that the potential for locking out unwanted access exists. The problem is that many firms feel that the mere presence of a firewall is enough to immediately solve their security concerns. In a study of 37 firewalls from a number of industries (1), it was found that almost 80% of firewalls allow both the any service on inbound rules and insecure access to the firewalls, these are gross mistakes by any account.
For the maximum firewall benefit, a plant needs to create a multi-layered topology in its process control network. This applies as well to the many other tools and toys that can be considered. The secure and effective deployment of technology depends upon implementation of a multi-layered or defense in depth approach to network topology (see "Properly protect control systems").
This approach has been called many names but regardless of moniker its based on the idea that the further removed a process network is from the business LAN and the outside world (i.e., the Internet) the more protected it is. More importantly, a plant must establish what traffic it will allow on a frequent basis and ensure that future projects dont compromise those rules. Every few months, the plant must revisit the firewall configuration to ensure its working effectively and addressing new security threats. Theres always a second way to move data or to facilitate business decisions without compromising the firewall, which is the first line of defense.
Security is not a Y2K type of issue with a defined shelf life and timeline. Plus, while the DHS regulations now only target high risk chemical facilities, they likely will eventually expand in scope to cover more installations. Likewise, the standard may evolve beyond simple assessments. The facilities that arent going to be overwhelmed by the amount of work required to properly secure their sites are the ones that begin before theyre forced to by government.
The difficulty will be in convincing everyone to start playing along because the single biggest differentiator that sets a pacesetter apart in the world of industrial security is its security culture. Any security initiative is going to live and die by the support it gets outside of the project team implementing it. This means financial support for the time and resources required to implement the project itself. It also means support from executives and decision-makers in allowing and encouraging security efforts in the first place. Most importantly, it means getting the buy-in of the day-to-day owners of the systems being impacted by changes to processes or procedures required to increase security. Always remember that the amount of support shown is the key indicator of the success of any security initiative.
Security traditionally has been seen as an expense without obvious return on investment. However, if security culture and systems are thought of in the same light as safety systems, then the opposition to security programs should begin to fade. Safety programs have provided benefits to organizations security can provide unintended benefits as well once you get started!
Wool, Avishai, A quantitative study of firewall configuration errors, IEEE Computer Magazine, p. 62 (June 2004).
Rick Kaun is manager of industrial security and compliance for Matrikon , Inc., Edmonton, Alberta. E-mail him at [email protected].