OpsManage / Systems Integration / Safety Instrumented Systems / Fieldbus / Cybersecurity

Cyber Protection for Safety Systems

NIST Framework Puts Need for Continuous Process in Perspective

By Jim Montague

Invens13 banner

It's logical to think that cyber security is just about preventing attacks. But the same measures that protect against cyber incidents deliver other benefits as well.

"Protective measures taken against cyber attacks also can increase safety, protect intellectual property, reduce down time, help users follow industry or internal policies, and comply with applicable laws," said Michael Martinez, CISA, principal in Invensys' Critical Infrastructure and Security Practice. "And, the primary way to do it is leveraging available product security features -- augmenting them with the latest cyber security knowledge and solutions -- and then regularly repeating this ongoing process."

Martinez and Tim Johnson, CISSP, also a principal in Invensys' Critical Infrastructure and Security Practice, updated attendees of the 2013 Foxboro & Triconex Global Client Conference this week in San Antonio, Texas, on the latest developments in cyber security, and how Invensys is helping its users implement best practices in this arena.

"When we talk about cyber security, we're really talking about evolving systems with different needs," said Martinez. "So, while some may need to pass information up to their enterprises, others want to know how to securely update and provide patches to their Triconex equipment, and some want to leverage existing infrastructures to protect their applications."

Besides follow-ups to security breaches cited in the media, Martinez reported that one of the latest calls for better cyber security has come from the Obama Administration's February 12, 2013, executive order assigning the National Institute of Standards and Technology (NIST) to develop a framework for improving critical-infrastructure cyber security. NIST's draft framework includes a draft compendium of informative references, which reviewed more than 320 national and international standards, guidelines, directives, best practices, models, specifications, policies and regulations.

Naturally, some common themes on cyber security best practices have emerged. "The basic cyber security process involves identifying critical assets, doing security risk assessments for them, deciding how the cyber security framework applies to them, and coming up a mitigation plan and actions to comply with it," explains Martinez.

NIST's preliminary framework has five steps: know, prevent, detect, respond and recover:

  • Know means gaining the institutional understanding to identify what systems need to be protected, assessing their priority in light of the organization's mission, and managing processes to achieve cost effective risk management goals.
  • Prevent consists of categories of management, technical and operational activities, which enable the organization to decide on the appropriate outcome-based actions to ensure adequate protection against threats to business systems that support critical infrastructure components.
  • Detect includes activities that identify, through ongoing monitoring or other means of observation, the presence of undesirable cyber risk events, and the processes to assess the potential impact of those events.
  • Respond involves making specific risk-management decisions and enacting activities based on previously implemented cyber security planning, completed at the Prevent stage, relative to estimated impact.
  • Recover includes categories of management, technical and operational activities that restore services, which were previously impaired through an undesirable cyber security risk event.

Fortunately, Invensys' Foxboro process automation systems and Triconex safety systems have many up-to-date cyber security capabilities to help users protect their applications and ensure compliance with regulations, according to Johnson. "There's no magic bullet because all process applications and systems are different," explained Johnson. "Different sites generate different assessments about what kind of security they need, and so they'll usually require a mix of the different cyber security solutions available," said Johnson. "One of the main concerns for our users is how to back-up safety systems, and this leads to seeking and implementing best practices for antivirus protection, software patching and intrusion detection. For example, we're concerned with protecting Triconex workstations and operating systems, which can be a gateway to a user's network and allow access to their safety system. One of the biggest attack vectors is within companies."

To prevent intrusions and potential attacks, Invensys' Foxboro systems offers a wide variety of capabilities and features that can enable cyber security:

  • ePolicy Orchestrator (ePO) is a unifying security management open platform by McAfee. ePO makes risk and compliance management simpler, enabling clients to connect  security solutions to their enterprise infrastructure to increase visibility, gain efficiencies, and strengthen protection.
  • Anti-malware includes virus scans to prevent, detect and remove malware. This includes but isn't limited to system viruses, computer viruses, computer worms, Trojan horses, spyware and adware.
  • Host Intrusion Detection Systems (HIDS) monitor and analyze the internals of a computing system. A host-based IDS monitors all or parts of the dynamic behavior and the state of a computer system.
  • Data Loss Prevention (DLP) measures, such as disabling the use of USB data sticks, enable organizations to reduce the corporate risk of the unintentional disclosure of confidential information.
  • Active Directory (A/D) provides a central location for network administration and security. It authenticates and authorizes all users and computers in Windows-domain networks, assigning and enforcing security policies for all computers and installing or updating software.
  • Hardened operating systems (OS) entails factory hardening via a procedure that updates patches and antivirus software, and disables unused ports and services. System hardening is necessary because default operating system installations focus more on ease of use rather than security.
  • Whitelisting is the opposite of blacklisting, and contains only those programs that the user wishes to grant access to—as opposed to programs to which users don't want to grant access. This method can be much less labor intensive because users only have to keep up with applications you know about and approve.
  • Backup Exec System Recovery (BESR) involves centrally managing backup and recovery tasks for multiple desktops across the network. Users can schedule backups to run automatically, and set up event-triggered backups without disrupting overall network usage.
  • Foxboro I/A Series Station Assessment Tool (SAT) is a Windows-based Foxboro I/A Series application that's automatically installed on all Foxboro I/A Series workstations and servers with Windows operating systems on the MESH VLAN network for Foxboro I/A Series systems. It supports full functionality on all stations.

"It helps to become familiar with all these buzzwords and methods, so corporate IT will be less likely to come in with their cyber security tools and shove them down your throat," added Johnson. "This is why the Invensys Cyber Security Team partners with our customers over the whole security compliance lifecycle. We can help with security product selection and specification, security program definition, assessment, remediation, program deployment, audit preparation and audit support."

The team offers a comprehensive list of cyber security solutions to help address any internal needs, regulatory requirements or program mandates. All of these elements are synergistic, providing not only a broad scope of security, but the defense in depth necessary for true cyber security compliance. Some of its most common solutions include A/D workshop, technology roadmap, procedures and SOPs, secure zones, centralized backups, event logging, patch management, network management, remote access relay server and managed secure services.

"Our clients have requirements larger in scope than secure products alone can provide," explained Johnson. "So, we have a comprehensive solution that includes products designed for compliance with industrial security standards; cyber security experts and delivery/support personnel; and enhanced solutions to meet client cyber security program needs. And, we're vigilant, so our cyber security solutions will meet challenging industrial landscapes."

Want more? Download the white paper