āCERN, the European physics lab that was the birthplace of the World Wide Web, tested 59 different PLCs they owned and found that they had huge numbers of failures in those controllers,ā said control system security expert Eric Byres in a presentation to some 150 attendees here in Phoenix at the Honeywell Users Group Americas 2007 Symposium.
āPLCs were not designed for security,ā Byres continued. āNo sane IT department allows unprotected PCs or laptops, so why are PLCs immune?ā
So, when he was the director of the internet security lab at the British Columbia Institute of Technology (BCIT), Byres started a program to design a micro-firewall for what he calls āedge devicesā like PLCs, field controllers, field instruments and final control elements.
āThere needs to be a shift in how we look at security,ā Byres explained. There have been dozens of cyber incidents in every process and manufacturing vertical, and they cost real dollars, lots of them. The average cost of a malware incident is about $68,000, he said, and the average sabotage cost is much higher. āIn the same way the Maginot Line didnāt save France,ā Byres said, a defense-in-depth strategy is what is required rather than a single bastion-like defense.
Honeywell global security architect, Kevin Staggs (see Videocast Interview) added that process safety and cyber security go hand in hand. Security is a key Honeywell initiative, Staggs said, and defense-in-depth is a key strategy for ensuring it.
āSecurity is a journey,ā Staggs commented, ānot a destination.ā Honeywell is partnering with customers and suppliers, taking leadership on standards committees like SP99 and SP100. āWeāve published a Networking and Security Planning Guide to help customers get up to speed on state of the art procedures and practices as they implement their own security policies,ā Staggs said.
āIT is not the enemy,ā Staggs went on to say. āWe need to learn from each other. Most IT practices can be applied directly, and those that canāt must be known, discussed and negotiated into new practices that work in the process environment.ā
Back to the micro-firewall, Byres went on to describe the program from BCIT to the present day. The BCIT study found that just using a commercial, off-the-shelf (COTS) firewall wouldnāt work. They arenāt industrially hardened, they donāt understand the controls environment, they arenāt extensible, they are not at all easy to use, and management of change in a process environment is essentially impossible. Byres has since teamed with MTL, a Honeywell partner, to develop an edge-protection device called Tofino to overcome these challenges.
āWe canāt hide behind the āgreat big firewall,āā Byres concluded. āDefense-in-depth is critical and those best practices are available now. We need to start using them.ā
CLICK HERE to view the Videocast Interview.