Solving the Security vs. Access Dilemma

Aug. 21, 2007

Moo! Snort! Ouch! It’s called the “horns of a dilemma” for a reason.

And, while they’re not sprinting in Spain’s running of the bulls this summer, process control managers and their IT-based counterparts have the equally difficult task of securing their networks from intrusions and malicious software while still keeping them as open as possible for enterprise-level remote data gathering and other purposes. Ouch indeed.

James Basset, of CapGemini Energy, says this two-headed problem arises because today’s control systems are externally connected to business networks via a second Ethernet or other administrative network. In addition, most of these connections grow out of user convenience, so historically most of them haven’t been monitored or audited.

CapGemini Energy’s James Bassett explained lessons learned during TXU’s ongoing push to standardize and secure the control systems across 22 of its power generation plants.

“Business local area networks [LANs] are connected to the Internet so often that they’re basically the same, and firewalls still are mostly reactive technologies,” said Basset in a presentation to the Foxboro User Group 2007 gathering today in Boston. “Unfortunately, users often don’t have a security policy, access control or audit mechanisms. Meanwhile, regulations such as those from the National Electric Reliability Council [NERC] are going to become a driving force, even as they face new virus/worm headaches, and increasing risk of external and internal hacks.” Basset added that most users and suppliers seek to establish a layered approach to security, and that most firewalls are set up between control and plant networks, but not between plant and business networks, which usually are part of the same corporate system.

Contracted to work at TXU’s Martin Lake power plant, Basset said that the plant ensures security by establishing separate demilitarized zones (DMZs) or Secure Zones by using Foxboro’s INI Isolation Station solution, which can share process data among remote hosts. These data can be in the form of historians, OPC, process displays, or other formats. Isolation Station consists of a workstation or server connected to the DCS, which collects data and pushes it to the Secure Zone. This zone is a server that acts as an offline copy of the actual control system’s data objects.

“TXU decided we needed to secure and standardize the control systems at 22 power plants, which used to all be doing their own thing,” said Bassett. This widespread security project began in December 2006, needs to be finished by December 2009, and ready for an external audit a year later.

Basset added there were two main roadblocks to getting this project started. The first was getting corporate IT, security and management, and then local plant management and control system technicians to agree on how to make the connections. The second was getting all these players to agree on who controls what part of the process. Consequently, TXU’s organizers created a team of experts from all these groups.

TXU’s resulting multi-zone approach allows only one open TCP port. This means that, if one component on the network is compromised or a hacker takes control of it, the intruder can reach only that box in the middle and no other areas of the network.
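The containment property described above can be checked mechanically against a firewall rule set. The following Python code is an added example, not TXU's or Foxboro's configuration: the zone names, the port numbers, and the reading that the single open port is the Isolation Station's push to the Secure Zone are all assumptions.

```python
from collections import deque

# Constructed model; zone names and port numbers are placeholders.
CONTROL_SIDE = {"control_network", "isolation_station"}

# Each rule: (initiating zone, destination zone, TCP port) the firewalls permit.
DESIGNED = [
    ("isolation_station", "control_network", 5001),  # collect process data
    ("isolation_station", "secure_zone", 5000),      # push the copy outward
    ("business_lan", "secure_zone", 5002),           # view-only access
]
# Same rules plus one "convenience" connection of the kind that goes unaudited.
DRIFTED = DESIGNED + [("business_lan", "control_network", 5003)]


def reachable(rules, foothold):
    """Zones an intruder can reach from `foothold` by pivoting along permitted flows."""
    seen, queue = set(), deque([foothold])
    while queue:
        zone = queue.popleft()
        for src, dst, _port in rules:
            if src == zone and dst not in seen and dst != foothold:
                seen.add(dst)
                queue.append(dst)
    return seen


def audit(rules):
    """Return findings where the rule set breaks the single-port, push-only design."""
    findings = []
    # Flows with exactly one endpoint on the control side cross the perimeter.
    crossing = [r for r in rules if (r[0] in CONTROL_SIDE) != (r[1] in CONTROL_SIDE)]
    for src, dst, port in crossing:
        if dst in CONTROL_SIDE:
            findings.append(f"inbound to control side: {src} -> {dst} tcp/{port}")
    ports = sorted({port for _s, _d, port in crossing})
    if len(ports) != 1:
        findings.append(f"expected 1 TCP port across the control perimeter, found {ports}")
    exposed = reachable(rules, "business_lan") & CONTROL_SIDE
    if exposed:
        findings.append(f"business_lan foothold reaches {sorted(exposed)}")
    return findings


if __name__ == "__main__":
    for name, rules in (("designed", DESIGNED), ("drifted", DRIFTED)):
        print(name, sorted(reachable(rules, "business_lan")), audit(rules))
```

Run against an exported rule set on a schedule, a check like this turns the design intent into something the audit can verify instead of a diagram.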

“We also found that, if you extensively use trends, you need to purchase historians for the Isolation Station because it will not have access to the historian in the control network,” said Basset. “You also need to purchase FoxView Licenses for the view-only displays fed to corporate from the Isolation Station, and buy Microsoft Terminal services client licenses to allow access to the server. Also, INI can only support around 20,000 points, so you may need to use more than one. Finally, Isolation Station will only support 30 FoxView displays, so you may need to use more than one.

“We’re also proposing to Foxboro to add mini-mesh switches to Units 1, 2, and 3’s Isolation Stations, and by the time we add the third one, we’ll be able to go from 36 to 90 available stations.”