For example, management and other enterprise users often desperately need up-to-date production data, so they can try to make better decisions that will help their companies compete. Also, system integrators and vendors might need to bring land lines into a plant to monitor equipment, while other users might bring in unauthorized or unchecked USB data storage devices or unpatched laptop computers when doing their jobs.
“We live in a capitalist society, and so we can’t prevent the enterprise level and Internet from accessing data,” says David Teumm, consultant and author of Industrial Network Security, published by ISA. “However, people eventually can find a way to defeat even the most careful security measures. Users can install all the security devices they want, but if they don’t address the human side, then they won’t have security. We just have to put in the most practical security we can, and hope for the best.”
Control vs. IT Perspectives
A third reason why control systems can be more vulnerable to external attacks is that they traditionally have 15-20-year lifecycles, while computer and software lifecycles are measured in months. Because of this time lag, the resulting legacy equipment is more likely to have older, simpler HMIs and a mishmash of incompatible software, all of which are more vulnerable to external threats.
“We’ve simply had a lot of traditional neglect of security, so now we have a lot of confusion,” says Clark. “Most users and their companies either don’t have security policies and procedures, or their procedures are far out of date.” Clark adds that this situation triggers two more security problems. First, many IT people still believe that technology can solve any problem, so they just want a widget that will solve all their security issues. Second, control engineers and IT administrators still don’t understand or accept each other.
“It still is a big war in most companies over how to deploy control systems, what resources are available, how networks should be connected, and who owns the machines,” says Clark. “This conflict exacerbates network vulnerabilities.”
Eric Cosman, engineering solutions architect at Dow Chemical Co. in Midland, Mich., adds, “It’s going to take a long time for standards bodies to develop their consensus-based standards, so don’t wait for them to rescue you. There’s a lot of useful information available to you now. Talk to your own IT and control people, and if they aren’t talking to each other, force them to do so. They must work together because dialog and partnership is the only way for us to handle rapidly changing environments, especially as they relate to security and safety. We need to reduce the time from when Microsoft releases a software patch to when a control systems vendor certifies it for use, and shorten it from weeks or months to days or hours.”
Back to Basics
Once hyperventilation and hand-wringing lose their novelty (and after the control and IT folks are chained together), users can begin to investigate some common-sense security solutions.
To draft useful network security policies and procedures, users must look at all the data their network is moving, why they’re moving it, and who needs to access it. Then, they must decide how to verify if a perceived threat is real, determine who to contact when an event happens, decide how to respond to each type of possible threat and, finally, determine what equipment to shut off. Next, after policies, procedures, access authorizations, single-point failure and risk analyses, risk mitigation, and a contact tree are in place, the whole infrastructure must be reexamined every quarter, and tested with an actual threat exercise.
“Common-sense security is resisted because it means a big effort,” says Ernie Rakaczky, Invensys’ business development manager for control systems security. “I think plant-floor people know they can’t just do one thing to be secure. They’re realizing that they have to make security a way of life.
“When safety is the issue, everyone watches out for each other, and says, ‘Safety depends on me.’ We have to adopt this same attitude to be successful with cyber security.”
Surprisingly, Ethernet’s recent evolution might help increase network security for Internet and wireless networks. When developers first started implementing Ethernet in industrial networks, many folks were extremely skeptical because it was an office-based technology that wasn’t deterministic, and its hubs could indiscriminately blast data to all nodes on a network. Today, intelligent switches and routers move data via Ethernet only to and from specific locations at pre-determined speeds, while virtual private networks have made it more secure. Intelligent switching, verifying data origins and destinations, and other specifications also can make Internet and wireless communications more secure.
“Security wasn’t as big an issue before because networks were hardwired, proprietary, and even fieldbuses didn’t usually network more than 30-50 devices,” says Larry Komarek, automation product manager, Phoenix Contact. “Now, users can connect hundreds or thousands of devices via Ethernet, so we’re seeing plant-floor networks that are being totally separated from the Internet, or are using commercial IT routers to isolate and analyze network traffic patterns that have the characteristics of someone probing or attempting to attack the network. Protecting a plant in this way requires IT expertise.”
Komarek says some managed switches have added web pages laid out like PLC programs, better graphics, and plain English instructions to show plant-floor users more quickly what security they need to use. He adds that simple, unmanaged switches now have added mechanical locking arrangements, which can block unused ports or lock cable connections. Meanwhile, managed switches have port security that only allows them to talk to assigned addresses, and prevents them from locking onto unassigned connections.