Everybody is trying to scare the beejeezus out of you these days with talk of nasty ol' hackers and crackers, how assorted bad guys are trying to break into your process control system, and all the risks you take by using Web, Ethernet, wireless, and Microsoft technology in your control system. While we don't exactly subscribe to the theory that terrorists are plotting to destroy your recipe for making chocolate, we realize that threats do exist from hackers, viruses, and competitors. Maybe even terrorists, too.
To help you bolster your defenses, we've assembled a timely list of tips and techniques you can use to build a fortress to secure your data and protect your control system from intruders. (See Top ten defenses sidebar below.)
What do vendors say about process control security?
Find more Articles, White Papers and Industry Books on control system security listed at the bottom of this article.
Some of these tips and techniques don't cost a thing. Some are just common sense, some require a change in the way you do things, and some require the purchase of a little hardware.
Justin Lowe, a security analyst at PA Consulting, explains it best: "There is no silver bullet," he says. "A suite of security measures are required but only around 30% of the solution is technical. The remainder is procedure, process and management."
The Nature of the Threats
We've heard the classic stories about security problems ad nauseam: the wastewater plant in Australia, the nuclear plant in Ohio, and the SCADA system at an electric power plant in California (which turned out to be a hoax). Ernie Rakaczky, Director of Process Control Network Security at Invensys Process Systems, says they've seen a few in process control, too:
- Internet worms such as Code Red, Nimda, and SQL Slammer have attacked web servers
- Outsiders have tapped into wireless communications paths
- An intruder connected via a modem
- A maintenance worker accidentally inserted a virus via an infected floppy or CD
- Unauthorized personnel gained access to an unprotected PC in an unlocked lab
- A remote user inadvertently introduced a virus into the network
- An intruder entered through a Remote Access Services (RAS) link
Except for a few incidents like these, the process control industry has remained relatively immune from the huge number of problems that plague commercial web sites, banks, and government institutions. Maybe the bad guys haven't discovered us yet, or maybe we don't have anything they want. Or maybe companies in our industry just don't talk about it when they take a hit.
Bad guys are definitely out there. One of our contributors, a control engineer at a large Midwest refinery, is worried. "We have been written by name on terrorist lists, so our physical security is very tight," he says. He asked to remain anonymous, as did other contributors. Nevertheless, there does not appear to be a major, organized attack on process control systems yet.
It certainly appears that the two biggest problems are (1) external random attacks by worms, viruses and similar software that roam cyberspace looking for vulnerabilities, and (2) internal problems caused by disgruntled employees, careless operators, and bad procedures.
In the first case, nobody outside is trying to destroy the chocolate recipe; they don't even know you make chocolate. If they get you, you are probably just the victim of a random Internet crime. In the second case, you do it to yourself because of poor security or poor training. Both situations are preventable.
The tips and techniques that follow will help you create a fortress and tighten up security, but nothing will stop someone who is determined to take your plant down. No firewall is safe from a talented hacker, no anti-virus software gets them all, and dealing with disgruntled employees and actual terrorists is beyond the scope of this article. We can, however, help you make it more difficult for them. So let's build a fortress.
Get Off the Networks!
End users and vendors alike universally advise disconnecting your process control system from the Internet, corporate networks, business LANs, or any network not needed for actual control. One engineer at a chemical plant said it bluntly, "We do not allow any outside connections into our control system. There are no modems and certainly no Ethernet connections to the Web or business system." It's the fortress mentality, but it works.