Interested in linking to "Cyber vulnerabilities in control systems"?
You may use the Headline, Deck, Byline and URL of this article on your Web site. To link to this article, select and copy the HTML code below and paste it on your own Web site.
There have been cases where employing IT security strategies have impacted control system performance. Two examples follow:
There is a growing concern that with the requirements of the Final Report of the Northeast Blackout and the proposed NERC 1300 that there will be more unintentional (and unreported) impacts on control systems by personnel untrained in nuances and sensitivities of control systems.
There are on-going discussions within the NERC Control System Security Working Group concerning connectivity from control systems to and from corporate networks. In order for operations to maintain configuration control of control systems, the configuration management process needs to be managed by Operations. Having a control system IT function to oversee security and other changes to the control system network would increase control system reliability by reducing the probability of inadvertently creating control system disturbances. It would also respond to the intent of NERC 1200 and 1300 for establishing a responsible organization for maintaining the cyber security of control systems.
Operations and Maintenance
For operational and maintenance considerations, control systems will continue to require remote access. Consequently, the current and next generation of monitoring and diagnostic devices used in substations and power plants (and other industrial applications) are being developed with remote access capability either by dial-up or directly to the Internet. The technology is being implemented to improve grid reliability (e.g., replacement of electromechanical relays and switches with intelligent electronic devices - IEDS) will also introduce cyber vulnerabilities. These control system devices utilize serial communication protocols such as DNP3 or Modbus. Installing current firewall technology between these devices and the control network can slowdown critical control system communications.
Sarbanes-Oxley and Control Systems
Another area that falls between IT and operations is the issue of Sarbanes-Oxley (SOX) compliance. SOX was originally intended to prevent financial problems and requires all computer systems critical to the financial well-being of the company to be addressed. Traditionally, this has focused on critical IT business systems. However, SCADA and power plant control systems are obviously critical to the bottom-line of all electric utilities. Arguably, the Energy Management System (EMS) handles more financial transactions than any other utility system. Therefore, these critical operational systems should also be included in SOX compliance. Because these systems are not well understood by IT and these systems cannot be fully secured, it is important that operations be involved in validating SOX compliance of control systems.
Control systems are different than traditional IT systems. Securing and maintaining secure control systems will require Operations and IT experience. There is a need to develop accreditation for control system security that will combine both IT and control systems bodies of knowledge. The Department of Homeland Security (DHS) has initiated discussions to address this need.Securing and maintaining the security of these systems will require appropriate expertise from both IT and Operations. Attempting to secure these systems without appropriate knowledge and care is a dangerous undertaking.
ControlGlobal.com is exclusively dedicated to the global process automation market. We report on developing industry trends, illustrate successful industry applications, and update the basic skills and knowledge base that provide the profession's foundation.