What's the present state of process security? Not good. There appear to be numerous looming threats and potential attacks, and not much up-to-date help from U.S. agencies or other governments. Promising standards efforts seem to be lagging or frustratingly unspecific, and many users reportedly don't update passwords, configure firewalls, restrict unfamiliar PCs or data storage media, limit access between IT and plant-floor networks, or take many other basic security precautions. No wonder there seems to be so much worry, fear and panic.
So what are conscientious process control engineers and plant managers supposed to do? Well, there are many longstanding security efforts ongoing in process applications both large and small, but almost all of the experts running actual, plant-floor security programs are unable to talk about them. Of course, this is because most organizations are concerned that describing what they're doing will be seen as a challenge to hackers and invite more unwelcome probes and possibly even destructive attacks.
Still, there are a few brave process control engineers and companies that are willing to describe their experiences and offer some badly needed advice and encouragement to their colleagues in the field.
Security at Ergon
"The problem is that, as we've become a more connected world, the process equipment controlling temperature, pressure, level and flow can convey data outside their usual areas," says Steve Elwart, director of systems engineering at Ergon Refining Inc. (www.ergon.com) in Vicksburg, Miss., which uses about 25,000 barrels per day of naphthenic crude to produce lubricants and process oils (Figure 1). "However, the need to get at control-related data can expose these devices to a lot more risk. When you begin to use Windows in control systems, its easy connectivity can get you into trouble quickly. I know of one situation where an IT department added a controls server to a corporate domain, automatically rebooted the system when it was trying to add some routine patches and almost destroyed a major piece of equipment by compromising its monitoring system."
Elwart adds that controls engineers and corporate managers need to decide how much connectivity is acceptable by answering two questions: How valuable is the data they need, and how much can they safely open their controls to the outside? To help answer these questions, he also serves as a member of the U.S. Department of Homeland Security's (DHS) Energy Sector Control Systems Working Group (ESCSWG), which has been updating its Roadmap to Achieve Energy Delivery Systems Cybersecurity (www.controlsystemsroadmap.net).
"Unfortunately, plant managers have a lot to think about, and process control security previously hasn't been on their radar as much as it should be," says Elwart. "Likewise, when everyone goes to the budget trough, the physical security, financial security and IT security guys say they must be the top priority or someone could go to jail, and so they get funded first. But when the process security guys say they need process security because it's good for availability, they come last and get the short end. This happens because the number one security issue for IT and business is access, then accuracy and, finally, availability. This is upside down for controls, of course, where availability and uptime are most important and where accuracy and access come in second and third. It's these appropriate, but reversed priorities that make process security seem to be less important than the others."
Another problem is that the workforce in many refineries and other process applications is smaller and younger, so online assistance via PC-based systems and connecting to production and control-level information is crucial for them to do their jobs.
Good Security = Good Business
Basically, Ergon looks at its own process security from a business perspective, so it views security as just another way to prevent operating interruptions and reduce downtime. "The first step in security is changing the lexicon," explains Elwart. "For example, we don't call computers PCs. We call them machines because that's what plant people are used to dealing with. PCs are what you play games on, so they aren't taken seriously with that label."