1660338437234 Byresday3

Defense-in-Depth Key to Secure Automation

April 11, 2008
How Important Is a Firewall in Today's World?

“The further backward you look, the further forward you can see,” Winston Churchill once said of the lessons to be learned from history. Turns out, the same principle applies to ensuring the security of process control systems.

“The firewall is important, but it’s only one piece,” said Byres Security CTO Eric Byres of the need for process automation professionals to consider a multi-tiered approach to cybersecurity.

Indeed, when it comes to cybersecurity—that is, the protection of process control systems from digital disruption—we, as an industry, tend to rely on techniques that the IT world gave up on 10 years ago, said Eric Byres, CTO of Byres Security, in an address to the Yokogawa Users Conference this week in Houston.

The outdated approach is called the bastion model, and the term refers to the ancient and time-honored strategy of building a wall or digging a moat and assuming you’re protected. In the case of process control, the outdated model manifests itself as an over-reliance on a single firewall between control systems and business systems for cybersecurity protection.

“It simply doesn’t work,” said Byres, referring to the Maginot line, built by the French along its German border after World War I. (In World War II, of course, Germany simply bypassed the line by invading Belgium first.)

In more recent times, in at least three different control system cyber events involving the Slammer virus, there was a well-designed firewall in place. “The firewall is important,” Byres said, “but it’s only one piece.”

Even more disturbing, Byres recounted a recent survey of 37 “professionally” installed IT firewalls. The survey indicated that 80% were improperly configured to ensure adequate network security. And these were configured by networking professionals! “The commands are simply too complex,” Byres said. “If we don’t make security more understandable, we’re doomed.”

To begin to overcome this outdated mentality, Byres recommends that process automation professionals consider a defense-in-depth strategy employing multiple layers of security. Industrial-strength firewalls at the network boundaries are step number one, but internal subsystems should also be segregated by firewalls to ensure that an intrusion doesn’t propagate unimpeded through a plant—or a company’s—entire infrastructure. Further, protection of edge devices such as PLCs—which are notoriously vulnerable to even simple cyber attacks—with simple-to-deploy security appliances also is necessary.

Sponsored Recommendations

Measurement instrumentation for improving hydrogen storage and transport

Hydrogen provides a decarbonization opportunity. Learn more about maximizing the potential of hydrogen.

Get Hands-On Training in Emerson's Interactive Plant Environment

Enhance the training experience and increase retention by training hands-on in Emerson's Interactive Plant Environment. Build skills here so you have them where and when it matters...

Learn About: Micro Motion™ 4700 Config I/O Coriolis Transmitter

An Advanced Transmitter that Expands Connectivity

Learn about: Micro Motion G-Series Coriolis Flow and Density Meters

The Micro Motion G-Series is designed to help you access the benefits of Coriolis technology even when available space is limited.