"Comprehensive cyber protection also involves changes in policies and practices that have little to do with technology." Invensys' Ernie Rakaczky discussed new tools built into the company's I/A Series platform designed to assist users in securing their automation systems.To develop some of its new security tools and services, he added that Invensys recently partnered with McAfee Security to adapt and implement its ePolicy Orchestration 4.0 software to help protect against infected flash drives or DVDs. Invensys also is using host-based intrusion prevention system (IPS) methods to help maintain firewalls settings and manage data.
"This all comes down to the ones and zeros and how to protect them," said Rakaczky. "Then you have to ask who has the authority to access them and who really needs it. Doing this won't disrupt business flow and should really make it more efficient. Some engineers may look at this as a big chore, but it's also part of life that we all have to get used to doing. And the fact is improving security can help you understand, know and manage your whole network better."
Through a combination of system-centric and consulting solutions, Invensys' cybersecurity solutions are designed to deliver many benefits for their users. The first is a significant reduction in risk associated with cybersecurity threats. This enables a higher level of performance and predictability of client systems and networks, prevents possible business outages, and diminishes the threat of lost revenue due to serious safety, environmental and personnel catastrophes.
I/A Series features that support cybersecurity protection and compliance include its newly enhanced ability to create stronger passwords. This is done by mixing types of characters, controlling length, managing failed password attempts and using password aging. Also, new I/A Series capabilities include the ability to reduce lock-down security vulnerability, and the company has strengthened its workstation hardware to remove unused programs, services and ports. Both of the primary control processors used in I/A Series systems, for example, have received Level 1 Achilles Certification from Wurldtech, a leading provider of cybersecurity testing and certification for critical infrastructure industries.
"A distributed control system retrofit and implementation can increase production performance and provide cybersecurity protection and compliance at the same time. We recently installed a DCS for a power industry client that helped them meet NERC standards well before their deadline and increased their engineering functionality by approximately 50%. This gave them the ability to add new displays, implement logic changes and install new parameter interlocks for better handling and alarm management," explained Matthew DeAthos, Invensys' portfolio marketing manager.
Depending on the client's situation, a typical Invensys cybersecurity consulting offering includes the following services:
- Gap analysis assessment against standards,
- Development of a plan to address shortcomings,
- Development of an overall security architecture,
- Integration with IT and other systems and procedures,
- Validation of cybersecurity policies and procedures, and
- Execution and implementation of security upgrades and procedures.
In fact, Rakaczky cautioned that power companies that don't comply with new standards could face significant fines levied by NERC and FERC auditors beginning in 2010. Fines will be based on the percentage of requirements met and the number of days the plant remains non-compliant. Besides the NERC cybersecurity standards, which apply only to the power industry, other standards are emerging from the U.S. Department of Homeland Security (DHS), the International Society of Automation (ISA) and the National Institute of Standards and Technology (NIST). While these do not yet have compliance deadlines, they provide manufacturers with additional incentive and guidance to protecting their assets.