If you are in charge of security at your plant, don’t leave cyber security (protecting your computers) to the folks in the IT Department. They are not good enough to deal with determined hackers. At a recent users’ group meeting, I watched three cyber security researchers from the Idaho National Laboratory break into a “secure” control system. They got through two firewalls, onto a proprietary data highway, spoofed the operator HMIs and turned on a pump in about 15 minutes.
They proved that a determined hacker can get past cyber security without blinking an eye, and either wreak havoc with your plant or steal your secrets. So don’t rely on your IT department to protect your computers. Bring in some pros to assess your cyber security measures.
Advice from the researchers at INL includes:
- Set up a layered defense using standard tools, such as anti-virus software, firewalls, DMZs (demilitarized zones), and IDSs (intrusion detection systems).
- Enforce security procedures, including user names and passwords.
- Use virtual private networks (VPNs) and encryption.
- Hire someone to break into your system and find the vulnerabilities.
- Regard control system security as an ongoing problem, and take it seriously.
If you want to persuade upper management to take cyber security seriously, hire the researchers from INL to come in and give a little demonstration. It’ll scare the bejeezus out of them.
Where to Get Help:
Federal Emergency Management Agency (FEMA)
The FEMA Web site has several downloadable documents (FEMA 426, 427, 428, 429, 452 and 155) that provide guidelines for improving building security and protecting against terrorist attacks.
Department of Homeland Security
At this site you can find downloadable posters and brochures on preparedness, terrorism and cyber security, and the complete text of National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.
Idaho National Laboratory
The SCADA & Power Systems Security Resources group at INL supports the Department of Homeland Security’s Control Systems Security Center program. These researchers can break into your control system and counsel you on what to do about it.
This site was built by the experts who developed the Top 10 list of lessons learned at the end of this article (see below). The site contains links, documents and descriptions of projects.
Department of Energy’s Lawrence Berkeley National Laboratory
The Building Vulnerability Assessment and Mitigation Program (BVAMP) can be downloaded free at.
The Center for Chemical Safety has information on courses, books and SVA programs.
ISA-99 Manufacturing & Control Systems Security contains information on protecting electronic control systems, including relevant ISA standards and technical papers, and can be purchased in compact disc format from ISA for $229.
Top 10 Lessons Learned about Plant Security
A team of security experts presented a paper recently at the ISC Expo containing the basis for this list of lessons learned (download the entire paper at www.infrastructure-security.org):
Pick the right people: You need help from a wide range of disciplines, from security to video encoding to Ethernet networks to wireless and so on. Their advice: “If one company comes to you and says they can handle it all, they are mistaken.” You need a team.
Vendors lie: White lies to be sure, but vendors tend to overstate their qualifications. Be sure to check out their specs.
Get involved in the details: Owner involvement is needed. The biggest mistake companies make is failing to commit the necessary resources because they are not involved in the project.
Over-communicate: With many people and companies involved in the project, good communication is vital. “We communicated four times more than we do on a typical project and it was still not enough due to the complexity, diverse team and multiple departments and agencies involved.”
Deal with dissidents: There will likely be dissidents on the team who disagree on a technique. “About half the time they will be right, and listening to them will save you time and money.”
Make a decision timeline: The project is complex. You need to make a decision schedule and stick to it, even if you don’t have all the information you need.
Pick the right project delivery method: Choose between design-bid-build and design-and-build. Both have advantages and disadvantages. The team believes that design-and-build is the better method.
Power and communication infrastructure is your biggest challenge: The budget is not going to be broken based on camera costs, the team says. Instead, it will be made or broken based on how much it costs to connect everything together.
R&D, testing and a beta site are a must: This should take up about 50% of your total time, the team says. “If you execute correctly here and incorporate lessons back into the design…you will drastically reduce the time it takes to complete the system.”
Do not underestimate problems that can occur because of environmental conditions, interference with existing projects and operations, and politics between departments and agencies.