By Keith Larson, VP Content, Putman Media
Even without the terrorist attacks of September 11 and the U.S. Dept. of Homeland Security’s resultant push to secure the country’s critical infrastructure, an organized effort to protect process automation systems from cyber events was bound to bubble to the top of our priority list. Call it the law of unintended consequences at work. Process automation systems were once isolated as well as proprietary, two natural—and highly effective—ways to protect critical systems from malware and other scourges of the Internet age.
But even as the problem—and awareness—of cyber security issues gathered steam in the outside world, the process automation community unintentionally increased the cyber vulnerability of many of its systems.
Indeed, over the past 15 years, we drove the widespread adoption of the very same commercial, off-the-shelf (COTS) computing platforms that the black hats were targeting.
And simultaneously, in recognition of the need for manufacturing data transparency, we pushed the interconnection and integration of process control with other enterprise systems to unprecedented levels, effectively multiplying our systems’ vulnerabilities.
One need look only as far as the global credit crisis of recent weeks to understand how integration and interconnectivity among systems can amplify and intensify the vulnerabilities of any consituent system.
Security off the Back Burner
As usual, and rightly so, the process automation community has long focused its attention on the performance, functionality and business benefit delivered by its systems. But today, added to these priorities is a growing recognition of the bottom-line impact of the cyber event that doesn’t happen.
Securing industrial control systems isn’t rocket science, but it does involve the considered deployment of firewalls and other protective measures. And it can’t just be left to the folks in IT. Those whose business it is to understand the unique performance requirements of process automation networks must add a working knowledge of security to their kit bags.
Fortunately, help is on the way, both in the form of well-documented methodologies for assessing and addressing system vulnerabilities, and as new network security devices that are increasingly easy to deploy and manage.
One company on the forefront of securing the vast installed base of industrial control systems is MTL, which in conjunction with Byres Security last month introduced a “Modbus TCP Enforcer” module for its Tofino security appliance.
Indeed, the lack of inherent security functionality within Modbus, the world’s most widely installed SCADA network, is indicative of industry’s historical focus on performance and functionality at the expense of security.
Modbus traffic normally can be allowed or blocked by a standard firewall, but fine-grained control was impossible, explains Eric Byres, chief technology officer for Byres Security. “And since the smooth flow of Modbus TCP traffic is critical to the average industrial facility, engineers usually opted to let everything pass and take their chances with security. Modbus Enforcer provides tailored protection that is simple to implement for control engineers.”
In the case of new process automation systems, easier-to-manage, “built-in” security is an increasingly common feature of system components. The latest network switches from Emerson Process Management, for example, are integrated into the company’s system management structure. “Network and security devices become DeltaV devices,” notes Bob Huba, product manager.
The process automation community can’t depend on others to secure our systems. We have to assume responsibility and play a central role in securing our critical infrastructure. To paraphrase Pogo, “we have met our guardian, and he is us.”