Keep the bad guys out and let the good guys in. To do this, security begins and ends with awareness. Sandwiched in between are the protective actions, which are taken in response to the initial security evaluation and before the reevaluation of what to do next.
Of course, this is very similar to the sense-decide-act triangle that helps organize most process control applications and facilities. However, knowing this doesn't necessarily make an effective and workable security program any easier to set up and maintain. And, at least initially, these difficulties can be compounded by new rules and standards, such as those from the North American Electric Reliability Corp. (NERC) and its Critical Infrastructure Protection (CIP) program.
To help users set up or improve their security, Invensys Operations Management has launched a comprehensive array of technology and services designed to help clients protect their plant assets from cyber incidents. The company unveiled these security solutions today at its North America Client Conference in Houston. The services are available on an ongoing basis; the tools will be released in January 2010.
Delivered as part of the new I/A Series 8.5 software release, these cybersecurity solutions include control system enhancements and consulting services that support the compliance requirements of the major new cybersecurity standards, such as those established by NERC. The Federal Energy Regulatory Commission (FERC) is adopting NERC standards CIP-001 through CIP-009, compelling companies to become NERC-compliant by 2010. This means having to learn the requirements, design and implement the policies and procedures and, in some cases, install added equipment.
"Technology solutions implemented through the control system, intrusion prevention, firewall and other technology are important, but comprehensive cyber protection also involves changes in policies and practices that have little to do with technology," said Ernie Rakaczky, Invensys' principal security architect. "Emerging standards reflect this. We're pleased that we can offer our clients the technology they need and do so as a consultative partner, first, to help them identify vulnerabilities in their current operations, and then to provide standards-compliant solutions to fill those gaps."
Rakaczky added that Invensys began its cybersecurity project about five years ago when it examined its core solutions and tools, found some places where they could better help users secure their applications, and then sought ways within the I/A Series to facilitate the process. "These core elements included enabling password changes, improving routing access, closing unneeded processes and protecting against malware," he said. "We've added a lot of security functions that no one else is doing."
He added that, to develop some of its new security tools and services, Invensys recently partnered with McAfee to adapt and implement its ePolicy Orchestrator 4.0 software, which helps protect against infected flash drives or DVDs. Invensys also is using host-based intrusion prevention system (IPS) methods to help maintain firewall settings and manage data.
"This all comes down to the ones and zeros and how to protect them," said Rakaczky. "Then you have to ask who has the authority to access them and who really needs it. Doing this won't disrupt business flow and should really make it more efficient. Some engineers may look at this as a big chore, but it's also part of life that we all have to get used to doing. And the fact is improving security can help you understand, know and manage your whole network better."
Through a combination of system-centric and consulting solutions, Invensys' cybersecurity solutions are designed to deliver many benefits for their users. The first is a significant reduction in risk associated with cybersecurity threats. This enables a higher level of performance and predictability of client systems and networks, prevents possible business outages, and diminishes the threat of lost revenue due to serious safety, environmental and personnel catastrophes.
I/A Series features that support cybersecurity protection and compliance include a newly enhanced ability to enforce stronger passwords: requiring a mix of character types, setting a minimum length, limiting failed login attempts and aging passwords so they must be changed periodically. New I/A Series capabilities also include workstation lock-down, and the company has hardened its workstations by removing unused programs, services and ports. In addition, both of the primary control processors used in I/A Series systems have received Level 1 Achilles Certification from Wurldtech, a leading provider of cybersecurity testing and certification for critical infrastructure industries.
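The password controls listed above (character-class mix, minimum length, lockout after repeated failures and password aging) are the kind of thing a control-system account manager has to enforce together, because each one on its own is easy to get around. The following is an added example written for this page, not Invensys code and not how I/A Series implements these features; the `Policy` values, the PBKDF2 parameters and the `operator` account are illustrative assumptions, and the return codes from `authenticate` are chosen for the example.

```python
"""Password-policy enforcement: complexity, minimum length, lockout after
repeated failures, and password aging. Added example, not Invensys code;
every policy value below is an illustrative assumption."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_length: int = 12          # assumed values, not an I/A Series default
    min_classes: int = 3          # of: lowercase, uppercase, digit, punctuation
    max_failures: int = 5         # failed attempts before the account locks
    lockout_seconds: int = 900    # how long the lock lasts
    max_age_days: int = 90        # password aging: must be changed after this


def character_classes(pw: str) -> int:
    """Count how many character classes the password draws from."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def check_complexity(pw: str, policy: Policy) -> list[str]:
    """Return the policy rules the password breaks (empty list means it passes)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(pw) < policy.min_classes:
        problems.append(f"uses fewer than {policy.min_classes} character classes")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked store cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    set_at: float          # epoch seconds when the password was set
    failures: int = 0
    locked_until: float = 0.0


class AccountStore:
    """Minimal account store applying the Policy on set and on login."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.accounts: dict[str, Account] = {}

    def set_password(self, user: str, pw: str, now: float) -> None:
        problems = check_complexity(pw, self.policy)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(pw, salt), now)

    def authenticate(self, user: str, pw: str, now: float) -> str:
        """Return 'ok', 'locked', 'expired' or 'bad'."""
        acct = self.accounts.get(user)
        if acct is None:
            _hash(pw, b"\0" * 16)      # same cost for unknown users
            return "bad"
        if now < acct.locked_until:
            return "locked"            # do not even evaluate the password
        if not hmac.compare_digest(_hash(pw, acct.salt), acct.digest):
            acct.failures += 1
            if acct.failures >= self.policy.max_failures:
                acct.locked_until = now + self.policy.lockout_seconds
                acct.failures = 0      # fresh budget once the lock expires
            return "bad"
        acct.failures = 0
        if now - acct.set_at > self.policy.max_age_days * 86400:
            return "expired"           # correct, but aging forces a change
        return "ok"


if __name__ == "__main__":
    store = AccountStore(Policy(max_failures=3))
    store.set_password("operator", "Operator-Pass-2009", 0.0)
    for guess in ("wrong-1", "wrong-2", "wrong-3", "Operator-Pass-2009"):
        print(guess, "->", store.authenticate("operator", guess, 1.0))
```

The lock is checked before the password is hashed, so a locked account costs nothing to defend and a correct password submitted during the lockout still fails; the aging check runs only after a successful match, so an attacker cannot use the "expired" response to confirm a guess.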
"A distributed control system retrofit and implementation can increase production performance and provide cybersecurity protection and compliance at the same time. We recently installed a DCS for a power industry client that helped them meet NERC standards well before their deadline and increased their engineering functionality by approximately 50%. This gave them the ability to add new displays, implement logic changes and install new parameter interlocks for better handling and alarm management," explained Matthew DeAthos, Invensys' portfolio marketing manager.
Depending on the client's situation, a typical Invensys cybersecurity consulting offering includes the following services:
- Gap analysis assessment against standards,
- Development of a plan to address shortcomings,
- Development of an overall security architecture,
- Integration with IT and other systems and procedures,
- Validation of cybersecurity policies and procedures, and
- Execution and implementation of security upgrades and procedures.
Rakaczky cautioned that power companies that don't comply with the new standards could face significant fines levied by NERC and FERC auditors beginning in 2010. Fines will be based on the percentage of requirements met and the number of days the plant remains non-compliant. Besides the NERC cybersecurity standards, which apply only to the power industry, other standards are emerging from the U.S. Department of Homeland Security (DHS), the International Society of Automation (ISA) and the National Institute of Standards and Technology (NIST). While these do not yet have compliance deadlines, they give manufacturers additional incentive and guidance for protecting their assets.