True process security—like true beauty—has to be more than skin deep. So, while a protective metal suit is impressive, it's nothing without the muscles, bones and brain driving it from inside. Likewise, all the pipelines, tanks and process vessels in every process application and facility are useless without their sensors, instruments and controls, so securing them requires internal awareness and protections that go beyond external defenses.
Simplify and Standardize
Luckily, an excellent way to improve internal cyberecurity is to simplify by turning off or removing unneeded software, hardware, services or access points, and then standardizing the remaining software and components, according to Todd Mortensen II, senior network specialist at Public Service of New Mexico's San Jose Generating Station (SJGS), who spoke at Invensys' Foxboro and Triconex Global Client Conference 2013 in September.
PNM is New Mexico's largest electrical utility, and includes SJGS, which has four coal-fired units that produce about 1,800 gross megawatts for more than 2 million customers. Process controls at SJGS use a multi-unit mesh network and off-the-shelf, thin-client devices, which are secured by individual operator accounts, group policy preferences, event monitoring, software patches, whitelisting and anti-malware programs, hardware locks for RJ45 and RJ11 components, and physical access protection.
"We first have to figure out what services are running on which boxes. If a device doesn't need audio, then we remove it. It's especially crucial in cybersecurity to shrink the service area for potential attacks, so we get rid of software and services we don't need," says Mortensen. "You can turn off the ports on many devices, so you don't unintentionally connect to the wrong networks or subnet. We also use natively encrypted USB drives, which don't install or run any software."
Mortensen adds that PNM and SJGS also use RFID tags to document all kinds of equipment, which helps them separate secure devices from unsecured ones. "The tags help us keep track of equipment, which is good because cybersecurity regulations and legislation aren't going away," adds Mortensen.
"It's important to understand that cybersecurity isn't a part-time job, and that it requires time, money and resources, backing from the organization's bottom to top, and even using outside firms. We recommend using contractors as along as you make sure they have the experience to secure your systems, and have experience with the standards and rules you have to follow. You must also remember that you're responsible for your cybersecurity and compliance, and make it clear that you're leading your security project."
To start a cybersecurity project, pretty much everyone agrees that genuine buy-in and long-term support and commitment from management is essential.
"Process security has to start with top-level support, but there are many competing cost pressures, too. So, security must be raised to the level of the bottom-line, even though it's difficult," says Kenneth Jackson, global process control leader of the Performance Polymers and Packaging and Industrial Polymers divisions at DuPont in Wilmington, Del. "At DuPont, we consider cybersecurity to be in the same class as managing process safety. They're both line-organization responsibilities."
Besides its other security efforts, Jackson reports that DuPont's security experts have been developing plans and implementing the U.S. Dept. of Homeland Security's (DHS) Chemical Facility Anti-Terrorism (CFATs) standards and Maritime Transportation Security Act (MTSA) regulations for applications processing "chemicals of interest," which are defined by the government. This effort includes organizing security teams, updating security policies for more than 100 manufacturing sites over the next two or three years, and developing cybersecurity best practices and policies at each site, which can eventually be shared and applied as universal, internal standards. These can include secure log-in procedures, multilayered network architectures with firewalls, physical security for control rooms, enhanced intrusion detection, and using antivirus software combined with whitelisting.
Inside the Barricades
So, just how at-risk are today's process control networks? Well, Leigh Weber, CISSP, senior security engineer at exida Consulting in Sellerville, Pa., says that, "Control systems are more vulnerable today than ever before because they use commercial technologies, they're highly connected, offer remote access, lots of technical information is publicly available on them, and hackers are now targeting control systems."
For example, Weber reports that the S4 Security Conference in January 2012 included a "Project Basecamp" that involved six researchers looking for vulnerabilities in six different embedded industrial process control devices, such as PLCs, RTUs and substation controllers, and they found backdoors, weak credential storage, ability to change ladder logic and firmware, buffer overflows, etc.
"Nessus plugins and Metasploit modules have been publicly released, enabling anyone to find and exploit these vulnerabilities," explains Weber. "Much of the code needed to crash PLCs is free, and some companies are selling SCADA-based attack kits, though they're mostly for IT departments to test their systems."
Weber adds that there are many more pathways into most control systems than users and managers realize. These include unauthorized, unchecked USB devices, infected laptops, incorrectly setup firewalls, old modems, external PLC networks and unprotected fieldbuses, RS-232 links and other devices. "Do you still have any modems in your system? Are you sure?" asks Weber. "A lot of networking hardware isn't removed when updates are done. As a result, these threats are realistic, sophisticated and readily available."
Also Read: Cybersecurity in Your Safety DNA
So, besides maintaining segmenting and firewalls, the traditional defense-in-depth strategy must include network traffic monitoring and malware scans of communications, adds Mike Baldi, chief cybersecurity architect at Honeywell Process Solutions.
"Many of these tools, like Security Information Event Management (SIEM), come from the IT and enterprise side, and so we're working on adapting them for the process control world. The good news is that scanning and benchmarking are easier on the process control side. In fact, we already have many rigid rules about who can talk to whom, and so it will be much simpler for us to detect any abnormal traffic deviations."
Encryption Aids Wireless, Too
Similar to fieldbuses, wireless gives users the nimbleness to take on new monitoring and control tasks more easily. Terrific, but this flexibility and wider reach demands better security, too.
For instance, Martin Midstream Partners LP (MMLP) in Kilgore, Texas, specializes in terminal operations, storage, processing and packaging services for petroleum products and byproducts. However, during construction of a single-product, hydrocarbon tank farm with six 100,000-barrel tanks and four booster pumps at the Port of Corpus Christi in 2011, MMLP decided to enable the facility to handle a second product, which required automated valves to isolate the tanks and prevent cross-contamination.
So, MMLP adopted 16 of Rotork's IQ40 explosion-proof, non-intrusive, electric, valve actuators and its Pakscan P3 digital, wireless, valve actuation monitoring system. Pakscan's 2.4-GHz master station and wireless interface and actuator modules use Modbus via serial or Ethernet connections to establish a secure, wireless mesh network to control actuators and field devices, and gather operating data (Figure 1).
To maintain MMLP's security and prevent unauthorized commands from being sent to the tank farm's devices via its wireless network, all of its control data is encrypted using the Advanced Encryption Standard (AES). Further encryption is incorporated into the system to prevent unauthorized devices from joining the network and to prevent a message replay attack.
"I installed the wireless antennas on each actuator and gave each unit its unique address," says Chris Duke, Rotork's lead service technician. "When this was done, I powered up the master station, and all 16 actuators populated the network within a few minutes."
Staying Awake and Aware
Probably the most psychologically beneficial way to establish the eternally vigilant mindset needed for cybersecurity is to bring it under the better-known process safety umbrella, which also demands continual and longstanding attention. Just as control engineers and operators woke up to the fact that process safety is just another way to run efficiently, many are beginning to appreciate that cybersecurity can also reduce.
DuPont's Jackson adds another thread common to both process safety and cybersecurity is that both begin with performing a thorough risk assessment (RA) to identify vulnerabilities and determine appropriate solutions—though some differences remain.
"Safety RAs look at the likelihood of certain occurrences, while cybersecurity assessments focus more on outcomes and what the effect will be if a system is compromised," explains Jackson. "To protect against advanced persistent threats, we're working on whitelisting to make sure our operating systems are only running executable programs that they know are safe, and we're applying application-specific software patches when they make the most business sense because each site has to run its own systems. Again, business and plant managers at each DuPont facility are responsible for cybersecurity just like they're responsible for other profit and loss items. If they have 42 critical operations tasks to perform, then we have to make cybersecurity just one more job that has to get done."
Compliance on Road to Security
Many rules crop up as demands for cybersecurity flood the process industries, but some like the North American Electric Reliability Corp.'s Critical Infrastructure Protection (NERC-CIP) standards for protecting power plants are criticized for focusing too much on documenting compliance, while falling short on actual protection. But, supporters argue that NERC-CIP compliance can help users progress towards cybersecurity. For instance, PNM's SJGS was designated as a NERC-CIP critical asset in 2009, complies with Version 3, and is preparing for Version 5.
"It's true that you can be in compliance with security standards, but still be susceptible to many security problems. So, compliance isn't true cybersecurity, but it can be a step in the right direction," says Mortensen. "For example, NERC-CIP requires us to have a patch management program, so twice a month we check for updates on every piece of equipment. However, first we put our patches on a robust test bed, do some functional security testing, and find out from operations when we can upload them. After adding the patches, we run software scripts and collect data to make sure everything is running as it's supposed to, and check that there aren't any unauthorized services.
"These tasks are crucial because disruptions, particularly malicious ones, can cause large amounts of damage. But, this also means that cybersecurity can be a good investment, and can show reductions in downtime and fewer job tickets."
One for All for One
Another of the most helpful—but still often overlooked—ways to improve process cybersecurity is to cooperate and form partnerships between IT and control engineers.
"We train the IT and process sides to be aware of all their PCs, switches, networks and security components and other equipment, and then form partnerships," says Chris Tunstall, critical infrastructure IT manager at Marathon Oil Co. in Houston, Tex., who spoke at Honeywell Users Group Americas 2013 this past June.
"This is critically important because IT has more cybersecurity skills, but often doesn't know how to deploy them in control settings. So, we collaborate, develop internal security tools, and deploy them on the control side, where they can run without relying on IT as much. Building trust is important because sometimes IT still can't get it out of their heads that they just want to reboot, and need to be reminded about control priorities. This partnership also helps us carry out our main strategy of developing our own security standards, such as patching most PCs and software immediately, but patching process controls on a later cycle to help manage their schedules and migrations."
Keep On Keeping On
After developing and implementing a thorough cybersecurity plan that focuses both internally as well as externally, the next most important task is to look into the future, and evaluate and update it regularly. No surprisingly, looking into the past for consistent, stalwart behavior can be helpful again here.
Jackson adds, "Safety has been ingrained at DuPont for 210 years, but cybersecurity really only got going in the past five years. So, we're applying Microsoft's patches as soon as possible, and developing our own best practices and standards. We're also aware that DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) collects and publishes vulnerabilities, and sends them to process vendors. It also helps if we can get cybersecurity fixes from controls vendors, but it doesn't help if they're not installed. So, I'd urge Control's readers to lobby all of our vendors to move toward building in more security functions into their products at the lowest possible level—at the control layer. We're adding whitelisting packages on systems ahead of time, securing network connections, and doing more training, too. Cyber security has to be treated in a step-by-step, organized way. It's an ongoing problem, but we feel like we're making good progress.