Industries beginning to act on security concerns

Jan. 3, 2005
By Walt Boyes, Editor in Chief


merson Process Management has announced THE appointment of Richard Baril to the post of director of Rosemount Analytical Homeland Security Products. This further underscores the decision of many vendors and some industrial plants and utilities to not wait until the Department of Homeland Security sets specific rules for security of SCADA and automation systems and their associated infrastructure. The problem, as Dale Peterson of Digital Bond reports, is that there is a huge knowledge gap. He posted the following on his blog: “From a Siemens presentation at MS-MUG: ‘It is dangerous for ANY side to manage a manufacturing network: The Plant operators are not IT skilled enough, the IT operators are not plant-floor aware. We are right now in a dangerous situation where these two worlds collide and neither is willing, nor has the time to intensively try to understand the other side’ [that is a] very succinct way of stating the problem."

Peterson continues and talks about the current North American Electric Reliability Council draft cyber security Standard 1300. “I agree that the 1300 document has much less detail than many of the other efforts, such as ISA's SP99, and the document is still rough in many areas. The current draft received over 700 pages of comments.”

Peterson says, “The reason I like this document is it has a very good chance of improving the security posture of the bulk electric systems in the near term. Its simplicity and clear requirements are achievable.” Here are some excerpts Peterson cited in his blog: “Responsible entities must identify the information access limitations related to critical cyber assets based on classification levels.” The wording needs a little work, says Peterson, but defining classification levels and access control is a very positive step.

“This person must authorize any deviation or exception from the requirements of this standard. Any such deviation or exception and its authorization must be documented.” It may not be possible to implement the policy fully, Peterson points out, but this requirement makes it a conscious decision to deviate from the standard. And there will be a periodic review of the exceptions, he says: “Responsible entities shall review access rights to critical cyber assets to confirm they are correct ...” We often see a variety of old accounts in systems and unauthorized access, comments Peterson. “The responsible entity shall perform an assessment of the information security protection program to ensure compliance with the documented processes at least annually.” Peterson calls the requirement for an annual audit “tremendous.”

There are many more simple and powerful requirements in this document, according to Peterson.

One of the common complaints about Standard 1300 is that it should be more detailed on the requirements to prevent organizations from implementing controls that are very weak, yet compliant. “Hopefully we will get to a detailed standard, but this is a much harder task,” Peterson says. “In the banking world the detailed standards efforts were achieved by focusing on smaller components of the system, e.g., a security standard for an ATM transaction, another for the crypto module, another for the wholesale banking transactions, and so forth.”

What impresses Peterson is that the requirements of Standard 1300 ought to be able to be accomplished by most users with a process control network. It would be very hard to be compliant with this document and not improve the security posture, he contends. Finally, he points out, the document requires a member of senior management to lead the effort and sign off on compliance. This goes a long way to solving the business case problem. “It would be a requirement for the covered entities just like G-L-B is for banks and SOX is for public corporations.”