By Nancy Bartels, Managing Editor
Why an entire issue of Control devoted to security?
It’s not like that’s the only trend out there affecting the process control industries—can you say “wireless” or “programmable automation controller (PAC)”?
Those subjects also could fill an issue, but security issues in the process industries are pervasive, and failures here don’t affect just individual operations. A security failure at a process facility could lead to a massive, region-wide power outage that disrupts life and commerce for days, or to a contaminated public water system, a nuclear reactor meltdown, a poisonous chemical leak, or an explosion with multiple casualties. The failure of a wireless system or PAC adoption program would be serious and expensive, but a security failure at a critical infrastructure facility could be, and has been, fatal.
Security issues also have become far more complicated than they once were. Once, keeping out unwanted intruders was relatively simple. Chain-link fence, some barbed wire, reliable security guards and maybe a couple of big dogs were enough to keep out people who didn’t belong. A firewall, a good anti-virus program and a vigilant IT department kept our enterprise systems safe, and our process control systems were stand-alone and relatively obscure. Even folks who knew such systems existed couldn’t get at them remotely.
But commercial off-the-shelf (COTS) software, PC-based control and plant-floor-to-top-floor integration—all boons to convenience, efficiency and cost-effectiveness—have had the unintended consequence of making process systems much more vulnerable. Now adolescent mischief-makers, disgruntled workers or ex-employees and homegrown or foreign “true believers” with issues and anger can all potentially access our systems and do real damage.
We have to protect our systems and our people, as well as our surrounding communities and comply with multiple layers of regulation that vary from industry vertical to industry vertical. We also have to respect people’s rights. We have to figure out how much security is enough for our individual needs, for surely the local bottling plant doesn’t require the same level of security as a nuclear facility. Or does it? Oh, and by the way, we still have to make the product and stay competitive.
This multivalent complexity is why we have devoted an entire issue to the many facets of security.
Because it is most top-of-mind now, we begin with cybersecurity. “In process plants, in water, wastewater, power, nuclear power, pipelines and in transportation, the trend over the past 20 years has been interconnection—interconnection of devices, of subsystems, of control systems; interconnection to government systems, to business partners, and of control systems to business and enterprise networks,” say Control Editor in Chief Walt Boyes and cybersecurity expert and “Unfettered” blogger Joe Weiss in their article, “Protecting Our Cyber Infrastructure.” They also discuss the reality of cyber threats in the light of this interconnectedness, and provide a basic checklist of actions you can take to get your cybersecurity program up to speed.
In our second article, “Carving Up Security,” Executive Editor Jim Montague gets practical about the new interconnected plant and the knotty business of combining process security and IT security. He talks to multiple users, and describes how some companies are dividing up the responsibility between process control engineers and IT staff to finally make peace between the two departments—and give everyone more peace of mind.
However, security isn’t just about your networks and your automation systems. Contributing Editor Rich Merritt takes on physical security both inside("Defending Your Plant") and outside("Access Control") your plant, and discusses some of the newest techniques for keeping intruders out and for preventing even authorized people from getting to places in your facility where they don’t belong.
Our columnists explore other facets of the security question. Béla Lipták begins a series on security at nuclear plants ("Nuclear Plant Security and Cyber Terrorism"). Senior Technical Editor Dan Hebert discusses the hazards of combining safety and security systems ("Are Integrated Safety/Security Systems Secure?"), and our “Control Talk” guys, Stan Weiner and Greg McMillan, talk to Mark Nixon, Emerson Process Management’s chief DeltaV architect about control system security ("Secure Answers for a Risky"), and also put their own unique spin on “Top 10 Security Issues.”
We hope this multi-faceted look at process-control security issues will give you a solid foundation for building on the security plans already in place at your facilities. Trends come and go, but the question of running safe and secure processes will never go away.
Eric Cosman, engineering solutions IT consultant at the Dow Chemical Co., Midland, Mich., summed up the issue during his interview with Montague: “True security isn’t a one-shot thing that you can fix once and forget about. Like they say, it isn’t a diet, it’s a lifestyle change.”