True process security—like true beauty—has to be more than skin deep. So, while a protective metal suit is impressive, it's nothing without the muscles, bones and brain driving it from inside. Likewise, all the pipelines, tanks and process vessels in every process application and facility are useless without their sensors, instruments and controls, so securing them requires internal awareness and protections that go beyond external defenses.
Simplify and Standardize
Luckily, an excellent way to improve internal cyberecurity is to simplify by turning off or removing unneeded software, hardware, services or access points, and then standardizing the remaining software and components, according to Todd Mortensen II, senior network specialist at Public Service of New Mexico's San Jose Generating Station (SJGS), who spoke at Invensys' Foxboro and Triconex Global Client Conference 2013 in September.
PNM is New Mexico's largest electrical utility, and includes SJGS, which has four coal-fired units that produce about 1,800 gross megawatts for more than 2 million customers. Process controls at SJGS use a multi-unit mesh network and off-the-shelf, thin-client devices, which are secured by individual operator accounts, group policy preferences, event monitoring, software patches, whitelisting and anti-malware programs, hardware locks for RJ45 and RJ11 components, and physical access protection.
"We first have to figure out what services are running on which boxes. If a device doesn't need audio, then we remove it. It's especially crucial in cybersecurity to shrink the service area for potential attacks, so we get rid of software and services we don't need," says Mortensen. "You can turn off the ports on many devices, so you don't unintentionally connect to the wrong networks or subnet. We also use natively encrypted USB drives, which don't install or run any software."
Mortensen adds that PNM and SJGS also use RFID tags to document all kinds of equipment, which helps them separate secure devices from unsecured ones. "The tags help us keep track of equipment, which is good because cybersecurity regulations and legislation aren't going away," adds Mortensen.
"It's important to understand that cybersecurity isn't a part-time job, and that it requires time, money and resources, backing from the organization's bottom to top, and even using outside firms. We recommend using contractors as along as you make sure they have the experience to secure your systems, and have experience with the standards and rules you have to follow. You must also remember that you're responsible for your cybersecurity and compliance, and make it clear that you're leading your security project."
To start a cybersecurity project, pretty much everyone agrees that genuine buy-in and long-term support and commitment from management is essential.
"Process security has to start with top-level support, but there are many competing cost pressures, too. So, security must be raised to the level of the bottom-line, even though it's difficult," says Kenneth Jackson, global process control leader of the Performance Polymers and Packaging and Industrial Polymers divisions at DuPont in Wilmington, Del. "At DuPont, we consider cybersecurity to be in the same class as managing process safety. They're both line-organization responsibilities."
Besides its other security efforts, Jackson reports that DuPont's security experts have been developing plans and implementing the U.S. Dept. of Homeland Security's (DHS) Chemical Facility Anti-Terrorism (CFATs) standards and Maritime Transportation Security Act (MTSA) regulations for applications processing "chemicals of interest," which are defined by the government. This effort includes organizing security teams, updating security policies for more than 100 manufacturing sites over the next two or three years, and developing cybersecurity best practices and policies at each site, which can eventually be shared and applied as universal, internal standards. These can include secure log-in procedures, multilayered network architectures with firewalls, physical security for control rooms, enhanced intrusion detection, and using antivirus software combined with whitelisting.
Inside the Barricades
So, just how at-risk are today's process control networks? Well, Leigh Weber, CISSP, senior security engineer at exida Consulting in Sellerville, Pa., says that, "Control systems are more vulnerable today than ever before because they use commercial technologies, they're highly connected, offer remote access, lots of technical information is publicly available on them, and hackers are now targeting control systems."