Greg McMillan and Stan Weiner bring their wits and more than 66 years of process control experience to bear on your questions, comments, and problems. Write to them at firstname.lastname@example.org.
Greg: The topic this month is cybersecurity. Since Stan and I are insecure by nature, we have asked Mark Nixon, the chief architect of the original DeltaV development, editor for the WirelessHART network management specification and the manager for the DeltaV future architecture team, to provide secure answers that get to the heart and HART of the matter.
Stan: Why is there such an increased focus on security?
Mark: Over the past several years, the drive for increased efficiency has led companies toward supporting larger networks that support a wider range of applications. Control applications that traditionally were isolated and self-contained are now incorporating scheduling, product materials information and lab samples. For example, SAP-based lab data may be pulled back into the control system and used in multivariable control strategies. It is no longer viable to view the security of control systems in terms of isolation (separation of control systems from other corporate computing networks).
Greg: What does this mean for control system suppliers?
Mark: Process control and SCADA systems, with their reliance on proprietary networks and hardware, have long been considered immune to the network attacks that have caused IT departments so much grief. The move to standard platforms, such as Windows and Linux, and the use of open standards such as Ethernet, TCP/IP and Web technologies have opened the door to a much wider set of vulnerabilities.
Stan: What kind of vulnerabilities are we talking about? Are we just talking about hackers and terrorists? Can we just verify their age? Retirees can hardly get into a system even when permitted.
Mark: Although newspapers tend to focus on hackers and terrorists, we are talking about much more than that. Because of the open platforms, open standards and the role of control systems in plant operations, we need to take a much wider view. Vulnerabilities include natural disasters, the unintended consequences of operator actions, management practices, regulatory policy, inadequate technology and system designs, and, yes, hackers and terrorists.
Greg: You can add my lunch to that list. I wish I could figure out a way to have people stop stealing my lunch from the refrigerator. Tell me, what kinds of things are we talking about?
Mark: As I said, control networks that used to be limited to a single facility or organization now increasingly are connected to business systems. Some of the business systems transport information on electric power demand and oil and gas transport, and coordinate transport and logistics. A shipping company can now coordinate shipping and delivery operations directly with its customers, linking systems and creating a web of functionality and interdependence.
Stan: This is a pretty broad topic. How do you break the problem down?
Mark: Segmentation is the key to the problem. The folks at ISA have been busy working on a standard to help. In the tried-and-true way of engineering, they have broken the problem down into pieces. They refer to these pieces as security zones. These security zones can be physical or logical zones. In the case of physical zones, equipment such as a firewall can limit traffic between zones. In the case of logical zones, profiles and roles can limit a specific user or application. Most companies today provide some form of physical security. With physical security, networks are segmented into zones. A zone may be an isolated stand-alone network segment or a network segment separated from the organization's network by some sort of network barrier device. These barrier devices, often referred to as demilitarized zone (DMZ) devices, provide isolation by filtering and removing nonessential communication traffic. DMZ devices should be designed to complement other cybersecurity measures.
Greg: What are these other security measures?
Mark: Today's control systems are connected to and integrated with business systems both within companies and between partner companies. Exposing control systems to all of this traffic increases the likelihood of security incidents. In keeping with the principles of least privilege and need-to-know, the control systems themselves should be architected so that applications and functionality are also compartmentalized. For example, this means that operators would be restricted to areas of the plant that they are authorized to operate in and applications that they have been certified to operate. Compartmentalizing applications and functions into zones does not necessarily mean isolating them. Conduits connect the security zones and facilitate the transport of necessary communications between the segmented security zones.
Stan: There has been a lot of talk about wireless. Can we use wireless for monitoring and control applications?
Mark: A lot has been printed on the issues surrounding securing wireless networks. We can get a view of how wireless is being addressed by looking at the SP100.11a and the WirelessHART standards. In both cases, security is designed into the standards. In the case of WirelessHART, security is inherent. In the case of SP100, users need to be careful to configure their systems to disable distributing security keys in clear text.