First Aid for Process Security

By Jim Montague, Executive Editor

What's the present state of process security? Not good. There appear to be numerous looming threats and potential attacks, and not much up-to-date help from U.S. agencies or other governments. Promising standards efforts seem to be lagging or frustratingly unspecific, and many users reportedly don't update passwords, configure firewalls, restrict unfamiliar PCs or data storage media, limit access between IT and plant-floor networks, or take many other basic security precautions. No wonder there seems to be so much worry, fear and panic.

So what are conscientious process control engineers and plant managers supposed to do? Well, there are many longstanding security efforts ongoing in process applications both large and small, but almost all of the experts running actual, plant-floor security programs are unable to talk about them. Of course, this is because most organizations are concerned that describing what they're doing will be seen as a challenge to hackers and invite more unwelcome probes and possibly even destructive attacks.

Still, there are a few brave process control engineers and companies that are willing to describe their experiences and offer some badly needed advice and encouragement to their colleagues in the field.

Security at Ergon

"The problem is that, as we've become a more connected world, the process equipment controlling temperature, pressure, level and flow can convey data outside their usual areas," says Steve Elwart, director of systems engineering at Ergon Refining Inc. (www.ergon.com) in Vicksburg, Miss., which uses about 25,000 barrels per day of naphthenic crude to produce lubricants and process oils (Figure 1). "However, the need to get at control-related data can expose these devices to a lot more risk. When you begin to use Windows in control systems, its easy connectivity can get you into trouble quickly. I know of one situation where an IT department added a controls server to a corporate domain, automatically rebooted the system when it was trying to add some routine patches and almost destroyed a major piece of equipment by compromising its monitoring system."

Reducing risks

Figure 1: Ergon Refining's plant and control room rely on their Systems Engineering department to survey all networked equipment, perform a risk assessment (RA) for each device, evaluate its criticality, prioritize each item and limit external access with non-default passwords, multiple-layer authentication and constantly updated firewalls.

Elwart adds that controls engineers and corporate managers need to decide what how much connectivity is acceptable by answering two questions: How valuable is the data they need and how much can they safely open their controls to the outside? To help answer these questions, he also serves as a member of the U.S. Department of Homeland Security's (DHS) Energy Sector Control Systems Working Group (ESCSWG), which has been updating its Roadmap to Achieve Energy Delivery Systems Cybersecurity (www.controlsystemsroadmap.net).

"Unfortunately, plant managers have a lot to think about, and process control security previously hasn't been on their radar as much as it should be," says Elwart. "Likewise, when everyone goes to the budget trough, the physical security, financial security and IT security guys say they must be the top priority or someone could go to jail, and so they get funded first. But when the process security guys say they need process security because it's good for availability, they come last and get the short end. This happens because the number one security issue for IT and business is access, then accuracy and, finally, availability. This is upside down for controls, of course, where availability and uptime are most important and where accuracy and access come in second and third. It's these appropriate, but reversed priorities that make process security seem to be less important than the others."      

Another problem is that the workforce in many refineries and other process applications is smaller and younger, so online assistance via PC-based systems and connecting to production and control-level information is crucial for them to do their jobs.

Good Security = Good Business

Basically, Ergon looks at its own process security from a business perspective, so it views security as just another way to prevent operating interruptions and reduce downtime. "The first step in security is changing the lexicon," explains Elwart. "For example, we don't call computers PCs. We call them machines because that's what plant people are used to dealing with. PCs are what you play games on, so they aren't taken seriously with that label."

Elwart reports that his Systems Engineering department manages a complex and growing network of about 250 computers, a dozen SCADA servers, as well as other servers and related equipment used by Ergon's refining, fleeting, retail and some corporate departments. "In the past five years, we've designed everything with security in mind. Before that, all we could do was limit the access points into the network, but we also learned that you can't make a 25-year-old process control system inherently secure" says Elwart.

So two years ago, the department also began expanding beyond Ergon's existing Foxboro I/A distributed control system (DCS) installed in 1987 by adding Emerson Process Management's Delta V, so now the plant consists of roughly one half of each system. Over the past 15 to 20 years, Ergon also acquired a variety of PLCs from Allen-Bradley, Triconex and Siemens, so it's also working to integrate them into its expanded DCS and create a better interface into these controls with a combination of Modbus, Ethernet, serial communications and OPC. 

Besides continuing to severely restrict external access, Elwart adds that his department also makes sure not to use administration-level accounts for routine system tasks.  

"I tell people that before asking their managers for money for process security, they need to do an internal survey of all their networked equipment, perform a risk assessment (RA) for each device, evaluate its criticality, prioritize each item and limit its access to the outside world," says Elwart. "We've done it informally over the years, and we're still doing it."