In a recent article featured at ControlGlobal.com, Ralph Langner and Perry Pederson of the Brookings Institution persuade us that the status quo of our industry's cyber-readiness is a disaster waiting to happen (see Bound to Fail: Why Cybersecurity Risk Cannot Simply Be Managed Away). They argue that evaluating investments in improved security on the basis of risk-reward is fundamentally flawed, largely because the real risk can scarcely be quantified. The pervasive interconnectedness of systems also makes criticality assessments misleading; we really can't predict whether a remote truck-loading station will be secure by way of obscurity, or whether an infection there won't have unforeseen consequences reaching far beyond delaying a few loads of product.
That we aren't already exploiting the modernization cycle to deploy fundamentally more impervious hardware, systems and strategies is hastening the arrival of a cyber-calamity. It won't matter if the micro-weapons originate from the good guys or the bad guys. Once in the wild, they can wreak widespread havoc before inoculations can be applied to our old systems. So if we hide our controls down in field devices, are we any more immune from the infections of the higher-level networks?
The concept of "distributed control" holds that reliability and robustness stem from, well, "distribution." You don't put all your eggs in one basket, and you develop a nose for potential vulnerabilities, such as common mode failures that can affect more than a single loop. We know this is a good formula for success because that's what our control systems consisted of before the advent of the microprocessor—lots of individual, independent controllers.
If your plant is still controlled by single-loop pneumatics or electronic controllers, you may have a blissful view of the dire prophecies of cybersecurity experts. No known viruses, worms or other exploits travel through copper tubing or op-amps. Maybe such plants will be the exceptional ones that run and make product while the rest of us are trying to root out exploits and restore our systems. But if there's no power to compress air or energize power supplies, you'd be in essentially the same boat as the rest of us. Lacking line power, those of us with current-generation, field-based controls would be no better off. But does control-in-the-field afford any of the old pneumatic world's robustness in the face of a local breach of security?
Unfortunately, the answer is probably "no." Unlike old-time pneumatics, fieldbus controllers accept messages and setpoints from virtually anywhere in the system. From a single, unified interface, operators can manipulate the mode, setpoints, outputs and alarms of hundreds or thousands of field-based loops. Fieldbus control is distributed, but it is highly networked and designed to integrate with traditional controller- or PLC-based controls. In that respect, an exploit such as Stuxnet could manipulate setpoints of fieldbus PID loops just as if they were PLC- or controller-based, and mask the effects on the HMI.
Stephen Mitschke, director of fieldbus products for the Fieldbus Foundation, says, "Because of the similarity between a disconnected PLC programmer and a disconnected DCS, I think it would be hard to make the argument that control in the field gives you 'air gap' security. But I would argue that trying to hack a field device to hide code would be more difficult than hiding errant code in a PLC program."
There are a few tricky purists out there who deploy fieldbus control like old pneumatics, with few or no connections back to a central, integrated process control network. But such strategies deprive the user and the enterprise of integrated controls and all its benefits. This powerful integration and visibility throughout the business is one of the core values our profession delivers, and we'd struggle to provide it without Windows boxes and Ethernet. Control in the field may be the ultimate in distributed control, but it can only be a small part of the "defense in depth" that all modern control systems now require.