Listed below are the verbatim answers from vendors to questions we posed about control system security. These have been only lightly edited for clarity and to correct errors. Be warned that some of these responses are quite commercial and go far beyond what CONTROL magazine would allow to appear in print. We felt that the pure technical information weaved among the product sales pitches is quite valuable, so we let the promotional material stand. Among the responding companies are process control vendors, software companies, security consultants, I/O manufacturers and Microsoft.
What do you advise your customers to do?
Make the integrity (security, availability, etc.) of your systems a business responsibility and a priority. This does not mean that it becomes THE priority. Unless someone is explicitly responsible for this faction (and empowered to act or establish procedure) it will not get done, except perhaps sporadically. This also allows you are able to budget for and track the team responsible.
Stay current. By far, the greatest number of non-trivial intrusions, interruptions and systems disasters happen in environments where components are forgotten, out-of-date, and unpatched. While zero-day worms and viruses may make the news, and are certainly a threat, control systems are even more susceptible to failing in the face of the much more preventable menace. The hopelessly out-of-date immune deficiency condition. Not to make light of a serious matter, immune deficiencies are deadly serious in the world, to man and beast alike. There is a very strong parallel to better immune disorders and unmaintained networked systems.
From a security perspective, a control system is just another host on the network and thus open to all associated network attacks. Depending on the type of control system, the exposure/risk associated with such attacks could certainly have a catastrophic impact. For this reason, Cryptek recommends customers in the control market look at security products that have successfully obtained government level certifications such as Common Criteria and FIPS. In this way, they can have a high level of assurance and trust that their critical control systems and devices will be protected from network level attacks.
Emerson has been active in participating in security conferences and the development of new security standards for the power generation industry. Along with the utilities in the Emerson Users Group, Emerson has attempted to promote interest in security issues and inform utility customers of the current state-of-the-art with regard to secure configurations and best practices. Also, for several years, Emerson has worked collaboratively with the Users Group Security Committee to help enhance system security.
We recommend a firewall, a NAT router, and anti-virus software.
For our Windows-based systems we provide security configuration guidance. For our TPS systems, weve provided this guidance as part of the TPS system Administration Guide. For the Experion Process Knowledge System (PKS), we provide a Network and Security Planning Guide.
In general, we advise our customers to use anti-virus software, high-security configurations of Windows, hotfix installation, specific network topology configurations, and firewalls between the enterprise network and process control network. We also provide network security services.
We advise customers to view cybersecurity as an essential part of doing business, not unlike the traditional building security. Industrial plant managers who would never leave their plant door wide open so that anyone could walk in may be doing just that with their networks. The challenge is to implement network security both effectively and economically. Accomplishing that requires as much attention to policy and planning as to technology.
One of the biggest reasons process firms are vulnerable, in fact, is that most have NOT established and implemented a formal security policy. As a result, systems are not configured consistently and weaknesses are common. The Carnegie Mellon Institute, in fact, found that 99% of all reported Intrusions resulted from exploitation of known vulnerabilities or of configuration errors for which countermeasures were available.
Figuring out which battles to fight is a big part of cybersecurity. No company can afford to fortify themselves against all possible attacks from all possible sources. You have to determine where you are most vulnerable and what is at stake before implementing any technology. We recommend an approach that covers the following areas:
Assess current security vulnerability from remote and internal threats
Assess your level of acceptable risk
Define security policies and procedures
Implement measures to reduce and/or eliminate risks
Conduct on-going evaluations and implement processes to account for changes and/or advances in technology
Typically there are two discrete, but related phases to the process: a review phase in which needs, policies and plans are established, and a hardening process in which the corrective means are implemented and monitored.
We also tell customers, however, that success in such a plan requires an almost unprecedented degree of cooperation among management, IT and engineering. One of the most critical management functions will be to determine who actually has responsibility and accountability for cybersecurity. Management must guide definition of goals and objectives, training, internal communications, regulatory compliance, vulnerability and risk assessment and development of policies procedures that must be followed.
At Microsoft, we advise our customers to take any security threat seriously. It may seem to some that too much has been made of security, especially if their systems have never been breached. But the threats are real, and they're increasing in their frequency and complexity, so they should be looked at carefully. We recommend that manufacturers take several steps to stay ahead of potential security threats.
First, take an inventory. What applications are you using? What versions? Do you have the latest security patches installed, or are you running software that's several years old? What systems are connected to the network and how is your overall infrastructure segmented? The network and how it's administered is crucial to security. So what are your policies and procedures for managing your computers, your network, and the rest of your infrastructure? Once you have a good understanding of all of this, you need to evaluate the potential vulnerabilities and the risk that they pose.
Once the risk and level of exposure is understood, you are in a good position to mitigate the risk. Maybe you will not have to do anything. Perhaps you will have to upgrade hardware or software, or even change your business processes or administrative procedures.
To get a headstart on these efforts, manufacturers should turn to standards and consortia efforts such as ISA 99, CIDX Cybersecurity Initiative, and MS-MUG. Even though these are works in progress, they provide plenty of worthwhile guidance.
First and foremost you must understand how the subject Ethernet controller and I/O is to be used. I explain to customers that there is physical security and network security. Monitoring and maintaining both of these fronts is absolutely mandatory to ensure total security. It is my recommendation that the local control networks should be 100% separated from the Internet.
This will stop hackers from outside coming in. Then if they have to have the control network connected to the front office network or LAN then there should be a NAT router, firewall, and other network management software that not only requires software passwords and user names but also MAC layer verification. This MAC layer verification means that the network administrator must list the MAC addresses of those and only those PCs that can pass through to the control network. Moreover, a virus program should always be run on the control network. Passwords and usernames must also be updated and changed on a regular basis(Quarterly) to ensure that contractors and disgruntled employees cannot attack the networks.
Undertake a full security risk assessment of all industrial process control and automation systems in the organisation. This needs to cover all the systems and infrastructure forming the system and needs to cover analysis of the possible threats, impacts of cyber attack and vulnerabilities of the systems.
Plant floor security is about managing risk. Investing in plant floor security is like buying insurance, you purchase it in the hopes that you wont have to use it. It is important for customers to first understand the risks before determining the best approach to protecting themselves. A comprehensive approach to addressing security ensures that that the real risks are addressed and the right technology is selected. Starting with a risk assessment, manufactures can determine likely internal and external risks to their environment. Then, a risk mitigation strategy and security program can be designed based on these needs to assure efficient use of the appropriate measures to address potential threats.
Rockwell Automation recognizes the risks to manufacturing should either an employee or outside attacker decide to tamper with a plant floor control system. It is taking a number of steps to help its customers better protect themselves from such attacks by: proactively supporting security standards, particularly ISA SP99 implementing security measures within the products and solutions it offers testing all EtherNet/IP products to minimize vulnerabilities collaborating with IT security specialist companies such as Cisco to leverage off their expertise in this area gathering and publishing network architecture and security best practices.
Siemens recommends that customers keep their automation networks isolated from their corporate IT networks if at all possible. However there are many scenarios, such as remote monitoring and integration into MES / ERP systems, where this is not possible. For customers requiring that their corporate IT network be tied to their automation network, firewalls and routers should be employed that utilize dedicated ports.
Since most of the PCs used for HMIs and engineering workstations use a Microsoft operating system, Siemens recommends that customers develop a strategy for keeping current with the latest Microsoft security patches and virus scanning software as part of a comprehensive lifecycle management plan for their automation systems.
To combat viruses, we recommend installing one of the virus scanners that is approved to be used with SIMATIC PCS 7. These include Trend Micro, Norton, and McAfee. It is also recommended that a dedicated computer be selected within the system to perform all software imports, as well as introducing externally-engineered data. Virus checking software should be installed on this dedicated computer and should be set to run continuously. In the near future, PCS 7 will support installing virus scanning software on time / process critical applications, including HMI. However, this is not permissible today.
To combat the potential tapping of communication on the DCS level, we recommend using optical networks.
Automation system owners should also implement a standard operating procedure for ensuring that only authorized individuals have access to the automation system data. This policy should include user administration procedures based on Windows security (such as password expiration and lockout after number of retries), and controlling access to project data stored on the hard drive.
To further prevent unauthorized access to the automation system, key assets, including controllers, PCs, servers, and engineering Workstations should be physically isolated and protected in a locked room. Additionally each controller has a physical switch that can be enabled to prevent downloading of unwanted configuration changes.
What hardware or software helps?
Cryptek's cSecure package is unmatched in security. It's creates capable, flexible, virtual circuits wherever they are needed for any ip-capable control system or component, regardless of the device's operating system, and without affecting anything on the device.
The key is having firewall type access controls deployed at the control system level. Edge-based only security solutions do not properly protect against internal attacks and/or attacks generated from malicious code accidentally brought into the system. Software solutions that run on top of an operating system are only as secure as the OS on which they reside and thus can be susceptible to OS level attacks. Cryptek partners with Quadros Systems Inc. which produces a proprietary real time operating system. The real-time operating system, RTXC, has an integrated security package which provides IT-level security.
For these reasons, Cryptek recommends device level hardware/firm based solutions which are able to provide access control and intrusion prevention at the physical control system level. Hardware/firmware based bump-in-the-wire appliances, such as Cryptek's cSecure product suite, provide the security required.
Regarding software, a spreadsheet may be you most powerful single tool in the fight against intruders and hackers. Track the state of your systems, report on and make maintenance a business priority, and remember to track all the components, especially the quietly forgotten, soon to be upgraded, overhauled or replaced 'legacy' systems. The forgotten is usually the weakest link.
Emersons product evolution philosophy assures that our Ovation expert control system always incorporates the latest technologies. Examples of enhancements that pertain to providing a more secure control system include:
The addition of third party products such as anti-virus solutions and intrusion detection systems.
Developing easier ways to manage users and their roles in the control system as far as authenticating users and determining what function they are authorized to perform.
Hardening workstations (removing unnecessary software).
Providing security assessments and audits.
White papers describing best practices on various security topics.
Inviting utility customers to participate in open discussions via teleconference on the topics of energy security standards and issues.
Best bets include Cisco switches and firewalls, anti-virus software, and terminal servers. (The Honeywell white paper, Securing Process Control Network External Communications provides additional information on this approach.) Installation of Windows XP SP2, which offers advanced security features, is also helpful.
While adequate protection of a plant control network level will likely require integration of firewall, intrusion detection and prevention technology with communications devices such as routers, bridges and switches, implementing any technology outside the context of a well developed policy and procedural framework could be both costly and ineffective. Just putting a firewall between the process control network and the rest of the network for example, without configuring it to know what data is essential and what is not, could waste time and money, without adding protection.
Even decisions of where to implement firewalls must be policy-driven. Our cybersecurity consultants, for example, typically break out the following security zones: the public Internet, the data center, the plant network, the control network and the field I/O zone, and then deploy a different brand firewalls between each. In addition to working out these configurations, some installations also require protection for sub zones. (See white paper for examples of sub zones)
Determining which of these require protection, however, is a matter than must be addressed by a developed and well-documented policy, so that only the necessary technology is deployed.
Let's look at software. If you are running Microsoft's most recent operating system, Windows XP SP2 or Windows Server 2003, which contain significant security ehancements, you've already taken a huge step toward reducing your security vulnerability. Keeping your operating systems patched via Windows Update is equally important.
But as I said before, up-to-date software is just one aspect of a good security policy. It's important to use a variety of security technologies and to adhere to a well-defined set of policies and procedures. For example, anti-virus software, host-based firewalls, and anti-spyware tools combine to provide multiple layers of protection for a computer. Similar other technologies can be used to provide layers of protection for an enterprise.
Norton and McAfee, in my opinion, are the best supported programs.
There is no silver bullet -- a suite of security measures are required but only around 30% of the solution is technical -- the remainder is procedure, process and management. Firewalls are usually an element of the solution but they don't solve everything. Don't consider that you are safe just because you have installed a firewall.
Security is a continuous process from risk assessment to implementation. Security software and hardware products with data protection capabilities are an important part of this process. Products that authenticate users, determine user access levels and protect routines protect critical data from internal and external threats.
As stated above, Siemens recommends the installation and use of commercially available virus scanning software on stations that are dedicated to performing software imports. The SIMATIC Logon product can be added to an automation system to allow a common security database (login / password) to be used for the windows operating system, the engineering environment, the HMI and for the Batch system. It ensures that only authorized individuals are permitted to download configuration changes to the controller, to make operational changes from the HMI and to initiate Batch execution. It is linked to Windows security to ensure that the standard windows features for access control, such as password expiration and lockout after a maximum number of retries, are enabled. Additionally it can be coupled with configuration management software to create an accurate and secure audit trail.
What have you done to make your products more secure?
Cryptek designs products from conception to meet the highest levels trust and security at the node (i.e. control system) level. Our products are all hardware appliance/firmware based and thus are not susceptible to OS level attacks. Cryptek also brings all of its products through extensive government level security testing through both the NSA Common Criteria security certification process and NIST FIPS process. In fact, Cryptek is the only product to have received Common Criteria Evaluated Assurance Level 4 (EAL-4) in multiple functional areas including Firewall, VPN and Network Management.
We take advantage of Microsoft's DCOM security and have strong passwords.
We are constantly improving the security of our products. Security must be designed into the product infrastructure. It is extremely difficult to secure a system with security add-ons. Most add-ons can be penetrated, giving the bad guys access to the control system.
Because most of our customers are in highly sensitive areas such as energy production, food and pharmaceuticals, security has always been a big concern and we continuously add security enhancing features to the I/A Series control system. The I/A Series, for example, has a sophisticated password user-environment, in which only users with security clearance can gain the access they need to do their job and no more. An operator could, for example, be granted permission to adjust a set point, but would not be given access to the code.
Our ongoing security enhancement programs, in addition to focusing on our own product development, integrate the functionality of the components we integrate into our products, and the capabilities of our technology partners. Following are some recent I/A Series security enhancements:
Routing of connections between inside and outside networks through a security server.
Mesh networking capability, which provides high availability and redundant operations for areas which require real-time communication between process control and other protected zones.
Dynamic Intrusion Response (DIR) functionality, provided by the Enterasys Ethernet switches used in our control networks. DIR detects abnormal behavior on the enterprise network, and then intervenes to quarantine the offending user or deviant device.
Industrial-strength virus protection, implemented in partnership with industry leader McAfee
Collaboration with Microsoft on hardened Window's based software for industrial environments.
And to help customers implement the most cost-effective security solutions, we also offer a fully developed cybersecurity consulting services organization that helps assess, plan, configure and deploy cybersecurity. Our new Site Security Review Service and our System Security Hardening Service, for example, help users develop an effective security plan, identify specific site vulnerabilities, and protect against potentially catastrophic intrusions.
Also, having a clearly defined process for validation, escalation and response to alarms is becoming more and more critical. It does one little good to have alarms going off all over the place if no one knows what to do with them. This is another example of why cybersecurity is as much about management as about technology. We now offer new alarm management services that minimize nuisance alarms and help process control system operators respond more effectively to abnormal situations. These services help analyze, improve and maintain optimal alarm system performance for any brand of distributed control systems (DCS).
The Trustworthy Computing Initiative is a good example of how Microsoft is constantly improving the security or our products. Microsoft has adopted a whole new approach at engineering our products. For example, our SD3+C strategy: secure products by design, default, deployment and communications. Let me explain:
Design: Products are designed with security in mind.
Default: When customers deploy products out of the box, they are in their most secure configuration, by default.
Deployment: Once the product is deployed by customers, Microsoft will constantly follow-up with support and patches.
Communication: Microsoft will communicate regularly to its customers and educate them on how best to use their products to ensure maximum security is deployed.
Microsoft has been at the forefront of designing the most secure products, continuing to improve and support them as security threats change and evolve.
Our Ethernet products were designed to be open and flexible so they can be easily implemented with new and existing legacy control systems. The embedded web server we offer with our product has an optional security feature that once enabled doesn't allow access to any of the channel configurations or viewing or process data.
Security is a comprehensive system. It involves identifying the potential threats, developing a strategy and selecting the best procedures and tools to prevent risks. Although products alone cannot provide complete plant security, they are an important part of the complete process.
Rockwell Automation has added security functionalities to its hardware and software products to give them enhanced protection capabilities. When used as a part of a comprehensive security program, their inherent data protection functionalities can help manufacturers reduce the risk of a security breach. Specifically, Rockwell Automation offers the following security functionalities as part of its product offerings:
Rockwell Software Maintenance Automation Control Center (RMACC) provides security by controlling which users can access an application and what actions they can perform and protects sensitive data by limiting who can retrieve data form a centrally managed archive.
Rockwell Software RSBizWare PlantMetrics, RSBizWare Historian and RSProduction Portal (a member of the RSBizWare suite) require users to authenticate themselves with a password before they are allowed to access an plication. Users are then granted access to specific functions and data based on their user or group configurations.
Rockwell Software RSLogix family of ladder logic programming software is designed to operate on Microsoft Windows operating systems and features inherent capabilities that can be configured for more security. For example, RSLogix source protection gives users the ability to protect control routines, while a lockdown tool can provide control lockdown capabilities.
Rockwell Software RSView Machine Edition(ME), RSView Supervisory Edition(SE) and RSView32 feature a security code-based system that determines each users level of access. Security codes are assigned to graphic displays so that only those with the specified code can open each display. For RSView SE, security codes also can be assigned to applications, preventing unauthorized users from changing applications from RSView Studio or the RSView Administration Console.
Allen-Bradley VersaView industrial computer familys new security enhancements equip computers with Microsoft Windows XP Service Pack 2 (SP2), with enhanced security features to make managing security easier and more efficient.
Siemens has set up a dedicated Security test lab to ensure prompt testing of new security patches and virus scanning software. Additionally the feedback and experiences from the Security lab is used to help improve the PCS 7 product by being fed directly into R&D for future product development.
Can those improvements be retrofitted to older products?
Yes, Cryptek's device-independent distributed technology works with almost any networked system.
While some security improvements can be retrofitted into older products, a significant part of the security solution resides in updates from the computer's operating system vendor (such as Microsoft), third party product vendors (such as Oracle), and networking vendors (such as Cisco). Lack of support for older third-party products (Microsoft NT, for example), or interoperability problems between revisions of products become problematic in securing old products. The most secure solution, and quite often, the most inexpensive solution, is for customers to incorporate new technologies as they become available. As mentioned, Emersons innovative product design philosophy enables our Ovation customers to reap the benefits of the latest hardware and software technologies while retaining their investment in applications, database and graphics.
Much older equipment is not connected anyway, otherwise you must update it.
Yes, but keep in mind that Honeywell was already building additional security into its systems as early as 1996, when we first deployed a Windows-based system (TPS). That system was based on a high-security, least-privilege approach.
Yes. One of the great things about the I/A Series open architecture is that its openness and flexibility provides for integration of the most advanced technologies that will help protect it.
In some cases, older products can be retrofitted. But in some cases, they can't. For example, products that are around 10 years old really can't be improved per se in relation to security. Technology is just advancing too fast. The best thing an enterprise can do is to understand just how secure the products they have are, and then to use them in ways which will not expose them to potential problems. This is where a security audit is so helpful.
Yes -- there are difficulties (e.g. anti virus on older systems, security patches generally).
In some cases yesâ¦ In many cases it requires an upgrade.
What security problems have you actually seen in the field?
While security has always been a priority, organizations of all types utilities included are continuing to dial up security measures. We are not aware of any security situations at any of our utility customers. When discussing cyber-security for utilities, its important to keep in mind that utility control systems are secured as subnets within a utility's network infrastructure, which is then secured from the Internet. As a result, other parts of the utility's infrastructure must be compromised before the control system is vulnerable.
None. By default all our software ships, locked off and closed. Setup requires users to open up the minimum necessary to run. We have spent a lot of time with customers, setting up DCOM, user permissions, passwords etc.
Most often, we see a lack of security awareness in the field resulting in control systems that might be vulnerable. Our network services organization has been utilized to provide security assessments of many sites. Our customers are implementing the recommendations provided by our service team.
Examples of security problems that we have seen or heard of at customer sites include the following:
Internet worms such as CodeRed Nimda, SQL Slammer have attacked web servers
Outsiders have tapped into wireless communications paths
An intruder connects via modem
Maintenance workers accidentally insert a virus via an infected floppy or CD
Unauthorized personnel gained access to unprotected PC in an unlocked lab
A remote users inadvertently introduced a virus into the network
An intruder enters through the Remote Access Services (RAS) link
One of the biggest security issues that our customers have struggled with is product lifecycle. Customers need to know how long a product will be supported, because they want to know how long security patches will made be available, which allows them to better manage their own equipment lifecycle. In response, Microsoft has published very clear lifecycle guidelines, which we've recently extended to a minimum of 10 years.
To date I have not heard of any control network security problems. It is my opinion that if the IT department and the process control network engineers work together and implement a combination of common sense, routers, firewalls, passwords, and virus protection that they can minimize most all security issues.
Hacker attacks, but mostly worm infections (see White Paper).
The increased use of open systems in plant floor environments naturally opens manufacturers up to the possibility of potential security issues like viruses, worms and hackers. In addition, with more employees having access to open systems, internal security breaches have become increasingly common. These events, often an employee accident or mistake, affect the safety and security of people, products, process and productivity.
Many customers are hesitant to share these types of details outside of their company due to confidentiality.
One large user has told us that his company invested multiple man-years updating all of its automation systems to a later Windows NT Service Pack in response to the Slammer Virus in 2002. This was an unplanned expense, since their systems are designed to run continuously 24/7, 365 days a year, until decommissioning.
Other users have talked about the operating system paradox that showed itself when the Sasser Virus was launched in 2004. This virus attacked only the newer Microsoft operating systems, such as Windows 2000 and Windows XP, but left Windows NT alone. This means that users of older, seemingly less secure, operating systems were actually less vulnerable to threats since hackers do not typically target older operating systems.
What did you do to solve the problesm?
Spot cybersecurity solutions are not effective. We addressed problems through a broader program which usually involves either a comprehensive site review a hardening intervention or both.
Implemented a program to understand the risk facing all systems and implement appropriate security improvements. Raise awareness and skills, engage vendors, establish effective response capability and implement appropriate standards and governance.
To minimize internal security threats, Rockwell Automation works with manufacturers to help them take advantage of the benefits of open networking and operating system environments, while protecting themselves from the consequences of intentional or unintentional security breaches.
The best way to keep out the bad guys is to limit access to the factory floor network to those people with a legitimate need and only allow network traffic that is really required. One important step towards limiting access is to create an Inner Defense Perimeter to logically separate the Enterprise network (Intranet) from the factory floor network. This creates an internal barrier that can be used to enforce the security rules around who can get access to the factory network. These factory access security rules can be more restrictive than those that are used between the Internet and the Intranet because the kind of data that is needed (and the users that need it) are usually well defined and limited to a smaller number of protocols and users. In fact, traditional IT security technology (like Firewalls, VPNs, routers, etc) that are used to protect the Enterprise network can be can be employed at this barrier as well to effectively filter out all unnecessary network traffic (from unauthorized users) which can lower the probability of a worm or virus (or bad guy) invading the factory network.
The other point to recognize is that intrusions/disruptions may come from inside or outside the enterprise. In fact, most network disruptions (as high as 70 percent according to an FBI report) come from the inside the enterprise and most of those are accidental, not malicious. Controlling access to the factory network lowers the probably that any unauthorized person (internal or external) will cause a disruption.
Tips and Techniques
A DCS should not be connected directly or indirectly to the internet. This can only be enforced if the end user institutes a "Do not connect" policy and periodically verifies that rogue modems or high speed internet and non-DCS LAN connections do not exist.
Additionally, DCS control devices must not be connected directly or indirectly to an office network without suitable protection, such as a properly maintained firewall and anti-virus protection. All anti-virus software should be certified by the DCS manufacture. The last thing a user wants to do is install anti-virus software only to discover that vital DCS functionality has been lost. Loss of DCS functionality could be just as costly as the virus attack. Users should disable unneeded operating system services (example: File and Printer Sharing) that make âexternal connections more vulnerable. Do not permit computers to boot from floppy or CD-ROM; only the hard drive. This is a simple change to the computer's BIOS setup.
Vendors default passwords within a DCS should be changed immediately upon commissioning. This must be driven home to all the users. To do otherwise is like leaving your spare house key under your doormat. Any determined cyber criminal can locate the vendor's standard product manuals through the internet that contain the default passwords for easy access to an otherwise unsecured system. Do not leave the system vulnerable. Extend your cyber security blanket beyond the DCS. Consider all the devices that are connected to the DCS through the assortment of data-links created to reduce islands of automation. That PLC on the DI water-processing skid that shares information with the DCS may have an unsecured connection to the plant LAN. Chances are it is configured with the factory default passwords. Some innocent looking subsystem may contain an unsecured PLC that could become the entry point into your DCS system.
Be wary of third-party application software packages that are linked to the DCS through and OPC client server relationship. That whiz-bang optimization package that reports production results to accounting may have read, write, and edit capability of specific areas within the DCS; a virtual hacker's playground. Whenever Metso Automation ships a system or add-on workstation we verify that all supplied HMI equipment is free of viruses. Additionally, Metso Automation keeps all supplied equipment up-to-date with operating system security patches that are available from our Life-Cycle Services Team. Customers with long-term support contracts are notified immediately of cyber threats, security patches, and suggested protective measures.
We recognized the potential for cyber threats early on and designed various safeguards into the present maxDNA product. We do not however discuss specific customer security issues with any third party.
Implement plant floor network security processes, policies and procedures. Technology is only 20% of the solution, the other 80% involves people understanding and supporting corporate security polices and procedures. Implement strict plant floor user Authentication and Authorization for secure access to automation devices Implement a business continuity and recovery program so that you can recover as soon as possible from a serious incident.
Implement strict controls on plant floor workstations. Minimize both the loading of unnecessary office tools and the ability to move portable PCs inside and outside the plant floor environment Support automatic program backup, verification and recovery, audit trail, event logs, etc.
Based on our discussions with control system users, here is what Siemens has found customer expectations / requirements to be. Users should make sure their automation vendor is taking steps to support these requirements.
Plant control systems:
Must be able to operate in a connected environment (tying together automation networks and corporate networks).
Require the ability to harvest data from the operational environment in near-real-time mode.
Must at least be tolerant of mainstream information protection, security and management tools. This would include anti-virus, vulnerability assessment, and asset management tools as examples.
Must be current in regards to threats, vulnerabilities and the required responses to thwart them.
Should support the ability to have security agents/tools installed and active during online operation.
Provide recommendations or guidelines on how to use security and information protection tools (such as anti-virus scanners) in conjunction with their automation platform.
Have a well-defined policy for immediate testing of new Microsoft Security patches and Virus scanner profiles and for notification of testing results.
Have a well-defined policy regarding whether new Microsoft Security patches can be installed as soon as they are available, or whether users must wait for compatibility test results by the host vendor.
Operating system patch support must be current (within 6 months of release).
Siemens, like many other vendors, has stations in their system test labs for PCS 7 that are dedicated to testing the latest security patches from Microsoft. They also test the newest signatures for virus scanning software, including McAfee, Norton, and Trend Micro. Testing of new patches begins on the same day that they are released. Siemens notifies customers of the results of the patch testing as soon as completed.
It is also permissible for a customer to install new security patches from Microsoft immediately upon release (if necessary), without prior approval from Siemens. However, it is recommended that customers wait for the formal results of testing by Siemens, and associated approval, prior to installing the security patches. As stated above, Siemens testing of security patches begins on the same day that they are released by Microsoft.