Edge protection a first layer of defense-in-depth security

“CERN, the European physics lab that was the birthplace of the World Wide Web, tested 59 different PLCs they owned and found that they had huge numbers of failures in those controllers,” said control system security expert Eric Byres in a presentation to some 150 attendees here in Phoenix at the Honeywell Users Group Americas 2007 Symposium.

“PLCs were not designed for security,” Byres continued. “No sane IT department allows unprotected PCs or laptops, so why are PLCs immune?”

So, when he was the director of the internet security lab at the British Columbia Institute of Technology (BCIT), Byres started a program to design a micro-firewall for what he calls “edge devices” like PLCs, field controllers, field instruments and final control elements.

“There needs to be a shift in how we look at security,” Byres explained. There have been dozens of cyber incidents in every process and manufacturing vertical, and they cost real dollars, lots of them. The average cost of a malware incident is about $68,000, he said, and the average sabotage cost is much higher. “In the same way the Maginot Line didn’t save France,” Byres said, a defense-in-depth strategy is what is required rather than a single bastion-like defense.

Honeywell global security architect, Kevin Staggs (see Videocast Interview) added that process safety and cyber security go hand in hand. Security is a key Honeywell initiative, Staggs said, and defense-in-depth is a key strategy for ensuring it.

“Security is a journey,” Staggs commented, “not a destination.” Honeywell is partnering with customers and suppliers, taking leadership on standards committees like SP99 and SP100. “We’ve published a Networking and Security Planning Guide to help customers get up to speed on state of the art procedures and practices as they implement their own security policies,” Staggs said.

“IT is not the enemy,” Staggs went on to say. “We need to learn from each other. Most IT practices can be applied directly, and those that can’t must be known, discussed and negotiated into new practices that work in the process environment.”

Back to the micro-firewall, Byres went on to describe the program from BCIT to the present day. The BCIT study found that just using a commercial, off-the-shelf (COTS) firewall wouldn’t work. They aren’t industrially hardened, they don’t understand the controls environment, they aren’t extensible, they are not at all easy to use, and management of change in a process environment is essentially impossible. Byres has since teamed with MTL, a Honeywell partner, to develop an edge-protection device called Tofino to overcome these challenges.

“We can’t hide behind the ‘great big firewall,’” Byres concluded. “Defense-in-depth is critical and those best practices are available now. We need to start using them.”

CLICK HERE to view the Videocast Interview.