
Edge protection a first layer of defense-in-depth security

June 13, 2007
Control system security expert Eric Byres presents defense-in-depth strategies for process control systems to some 150 attendees at the Honeywell Users' Group Americas 2007 Symposium in Phoenix.
“CERN, the European physics lab that was the birthplace of the World Wide Web, tested 59 different PLCs they owned and found that they had huge numbers of failures in those controllers,” said control system security expert Eric Byres in a presentation to some 150 attendees here in Phoenix at the Honeywell Users Group Americas 2007 Symposium.

“PLCs were not designed for security,” Byres continued. “No sane IT department allows unprotected PCs or laptops, so why are PLCs immune?”

So, when he was the director of the internet security lab at the British Columbia Institute of Technology (BCIT), Byres started a program to design a micro-firewall for what he calls “edge devices” like PLCs, field controllers, field instruments and final control elements.

“There needs to be a shift in how we look at security,” Byres explained. There have been dozens of cyber incidents in every process and manufacturing vertical, and they cost real dollars, lots of them. The average cost of a malware incident is about $68,000, he said, and the average sabotage cost is much higher. “In the same way the Maginot Line didn’t save France,” Byres said, a defense-in-depth strategy is what is required rather than a single bastion-like defense.

Honeywell global security architect Kevin Staggs (see Videocast Interview) added that process safety and cyber security go hand in hand. Security is a key Honeywell initiative, Staggs said, and defense-in-depth is a key strategy for ensuring it.

“Security is a journey,” Staggs commented, “not a destination.” Honeywell is partnering with customers and suppliers, taking leadership on standards committees like SP99 and SP100. “We’ve published a Networking and Security Planning Guide to help customers get up to speed on state of the art procedures and practices as they implement their own security policies,” Staggs said.

“IT is not the enemy,” Staggs went on to say. “We need to learn from each other. Most IT practices can be applied directly, and those that can’t must be known, discussed and negotiated into new practices that work in the process environment.”

Back to the micro-firewall, Byres went on to describe the program from BCIT to the present day. The BCIT study found that just using a commercial, off-the-shelf (COTS) firewall wouldn’t work. They aren’t industrially hardened, they don’t understand the controls environment, they aren’t extensible, they are not at all easy to use, and management of change in a process environment is essentially impossible. Byres has since teamed with MTL, a Honeywell partner, to develop an edge-protection device called Tofino to overcome these challenges.

“We can’t hide behind the ‘great big firewall,’” Byres concluded. “Defense-in-depth is critical and those best practices are available now. We need to start using them.”
