Visit www.controlglobal.com/0811_carvingupsecurity.html to Check Additional Online Security Resources.
By Jim Montague, Executive Editor
“Can we talk?” If you’re a process control engineer trying to converse and coordinate efforts with an IT technician in the same company, or vice versa, the usual response is “not likely.” However, if you’re trying to discuss security problems, solutions and coordination, then the answer is probably “never” because potential lines of communication are even more closed off.
Sure, these two groups have been pushed closer by the emergence of software and networking on the plant floor, driven principally by Microsoft Windows and all the non-proprietary and commercial off-the-shelf operating systems and related technologies that followed. However, just telling process control and IT to sit down and talk about security doesn’t mean they will—or even that they’re physically or psychologically equipped to do it.
Still, many end users are seeking ways to help their IT professionals and process control engineers to find common ground and cooperate to provide better security for their applications and organizations. In fact, several of the largest oil and gas firms have already formed combined process control and IT teams, and a few have even merged these into “digital security” departments to handle all security issues.
Poor Communications = Bad Surprises
Until these saviors go mainstream, however, many security efforts will remain hamstrung by miscommunications. For example, to avoid potential accidents and prevent possible intrusions, engineers at Husky Energy’s heavy oil upgrading facility in Lloydminster, Saskatchewan, knew they were going to need continual security improvement and monitoring. However, they lacked the knowledge to do it independently, and so they enlisted outside help from Integralis and Invensys Process Systems (IPS). Lloydminster can produce up to 46,000 barrels of synthetic crude oil per day (Figure 1).
Figure 1. Husky Energy’s heavy-oil upgrader in Lloydminster, Saskatchewan, uses third-party security support from Integralis and Invensys Process Systems.
“Cybersecurity management is an ever-changing field, and so it’s difficult to stay on top of its technologies and still manage our other responsibilities,” says Don Gilmour, of Husky Energy. “I wasn’t surprised by our audit’s results on the control network side, but I was surprised by the unacceptable ease of access from the business network to the control network.”
Process Control and IT Worlds Collide
The barriers to control and IT cooperation on security are formidable because, not only do the two groups have different histories and languages, but their core missions and even their very perception of time are 180° from each other. For example, software patches are pushed to IT departments on a monthly schedule, while much control equipment is expected to run for 10-15 years without much renovation.
“I think the biggest difference between IT security and manufacturing security is that control engineers start with protecting the process, and so they’re deeply rooted in the safety and reliability of their operations. In manufacturing, process availability and physical assets are paramount,” says Eric Cosman, engineering solutions IT consultant at Dow Chemical Co. in Midland, Mich. “However, IT security focuses first on data confidentiality and then on integrity and availability. These are very different perspectives, but the magic for them to work together is simply to learn to understand the other’s point of view, and the key to this is finding their common concerns. For example, engineers see physical devices as their assets, and IT sees data as its asset, but their common goal is protecting those assets.”
Eric Byres, chief technical officer of Byres Security Inc. in Lantzville, B.C., adds that, “Everyone knows that IT security and control security are different, but it’s time to get over it, and do so intelligently. This means getting IT and controls people to put their assumptions and what’s important to them on the table, and then create cross-functional teams so they can work together.
“The good news is that a major oil company I consult with recently gave its IT security standards and practices to its process control guys, and they reported that they could live with about 90% of the security policies that IT already had in place, such as staffing, contractor and training practices, human resource policies and incident-recording procedures. So, traditional IT and process control assumptions about security only affect about 10% of what’s going on in most process applications, but that’s the fraction on which the team really has to focus. This 10% usually includes issues like password management and software patching policies, as well as firewall and network design. In fact, as the cross-functional teams at two other oil and gas firms developed joint security policies, they also merged from separate control security and IT security departments into one overall digital security department.”