The means to protect your plant are readily available–and it's up to you to use them.
September 11, 2001 brought the vulnerability of the United States into sharp focus, yet it was not the first terrorist attack on our shores. The World Trade Center itself had been bombed in 1993, and home-grown terrorists had blown up the Murrah Federal Building in 1995. Then in June of 2004 the CBS News program 60 Minutes showed reporters walking unchallenged into faculties storing chlorine, anhydrous ammonia and boron trifluoride. The public began to realize that the casualty count from an attack on one of these could dwarf those of both Oklahoma City and 9/11.
Cyber attacks have also proliferated, many of them against SCADA (supervisory control and data acquisition) systems. In 2004 US-CERT, the United States Computer Emergency Readiness Team, stopped reporting statistics for attacks on SCADA systems, saying that increased use of automated attack tools had made any such counts meaningless; attacks from 1988 to 2003 totaled 319,992, with 137,529 counted in 2003 alone.
The most obvious way to prevent an attack on a control system would seem to be to have no connection between the plant control network and the outside world. An air gap between the two leaves no path for intrusion. But a connection is usually necessary, either for remote monitoring, notifying plant personnel of upsets, or connecting to a remote maintenance or database service. If such a connection isn’t provided intentionally it may appear “by itself,” as plant personnel install local modems or wireless links without the knowledge of the people in charge of plant security.
There are tools available to detect so-called rogue wireless LAN users, and they should be used on a regular basis. Any connection between the corporate network and the control network must be designed with care. At a minimum, there should be a firewall between the two, although a poorly-designed system (Fig 2) may give the illusion of safety without providing it.
Firewalls take a number of forms, both software-based and hardware-based. Software firewalls are available from firms like Symantec and there is a firewall built into Windows XP. Hardware firewalls may be stand-alone units or be included in routers.
As pointed out in the Emerson Process Control white paper Best Practices for DeltaV Cyber-Security, “The firewall should be set up to allow only specific users to access the system and to block access through any ports not specifically needed to support the [control system] connections to the outside LAN. Specifically, port 80 for the Internet and all/any ports that would allow e-mail access must be closed or blocked.”
Firewalls come in several flavors, according to NIST Publication 800-82 - Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security.
Packet filtering, the simplest, checks basic information in each packet against a set of rules.The application-proxy gateway examines packets at the application layer and filters traffic based on specific application rules, such as specified applications. Additional security can be gained by establishing a so-called Demilitarized Zone (DMZ), a separate network segment that connects directly to the firewall. The DMZ can contain things like the data historian, the wireless access point, or remote and third party access systems. One way to do this is to run all connections through a workstation (Fig. 3).
Many security breaches are caused by sheer carelessness. “One of the biggest issues,” says Bob Huba, senior product manager, DeltaV at Emerson Process Control, “is keeping users from bringing in portable media like floppy disks and memory sticks to download MP3s so they can listen to them, or download a game so they can play, and in the mean time infect your system.”
Some facilities allow employees to connect laptops to the corporate LAN, but when disconnected and used elsewhere, such a laptop can become infected with malware, which is then introduced when the user re-connects to the LAN. Since the infected laptop is connected to the LAN only intermittently, it can be difficult to track.
One might think that the security measures used by the company’s IT department would be sufficient, but a control network and a corporate network are used differently, have different priorities and are maintained differently, which means that normal IT security measures may not be applicable to the control network, and actually degrade or disable it. The IT department’s priorities, says Huba, are “confidentiality, availability and integrity — in that order. In our world, it’s the opposite. Availability is most important, integrity is important, and confidentiality tends not to be a big issue.”
Acknowledgements:
Ted Cromwell, senior director of security and operations, American Chemistry Council; Bob Huba, senior product manager, DeltaV, and Henry Malo, SureService business development manager, both at Emerson Process Control; Ric Kucharyson, senior marketing manager for Honeywell Process Solutions’ Migrations and Expansion Solutions group; Marilyn Guhr, senior marketing manager in Honeywell’s Lifecycle Services group; Marty Edwards, industry liaison lead for control system security program at Idaho National Labs; and Ernie Rakaczky, program manager for cyber security and Doug Clifton, senior solutions architect, both of Invensys Process Systems.
| Plants can be targeted by hackers, criminals, terrorists and unfriendly governments. It is the job of everyone in the plant to be aware of the threats and help to protect against them. |
Where are we now?
It is difficult to obtain an accurate count of attcks on industrial facilities. Incidents are reported in the press from time to time, and there are databases listing attacks, but, says Marilyn Guhr, senior marketing manager in Honeywell’s Lifecycle Services group, “we think that only about ten percent or so of the incidents, maybe less than that, ever get reported.” While the threat is real, U.S. companies have made substantial progress in bolstering their defenses. For example all member companies of the American Chemistry Council (ACC) are required, as a condition of membership, to comply with the ACC’s Responsible Care® Security Code of Management Practices, which begins with a thorough vulnerability assessment. The program, says Ted Cromwell, ACC’s senior director of security and operations, was developed with the aid of Sandia Labs and the Center for Chemical Process Safety, and was put together through nationally-accredited programs. But there is a limit to what ACC can do. While its members have 85 percent of the nation’s chemical production capacity, says Cromwell, there are another 15,000 to 20,000 sites outside ACC’s purview that fall under the Department of Homeland Security’s classification as chemical facilities. These could range from a local paint store to a warehouse full of solvents or pesticides. The first step to security is to find out where you are: get an assessment done. Some control system vendors provide services that can be tailored to the individual plant. “Calling a third party organization such as us,” says Henry Malo, SureService Business Development Manager, Emerson Process Control, “that is familiar with the DCS can quickly bring clarity as to where there are potential issues and where there’s best practices.” The service, he continues, “can document that and facilitate the company understanding their baseline of where they are and the things they can do to mitigate risk.”Physical Attacks
The 60 Minutes report showed how easy it would be to walk through an unlocked gate or drive a truck through a fence to cause a large-scale chemical release, but the defenses against that vary. In Texas, says Ted Cromwell, “it may be half a mile from the gate to the actual process equipment,” while in a crowded state like New Jersey there may be process equipment just 15 feet from the perimeter fence. In a lowland area with drainage ditches it might be possible to configure those drainage ditches to block a bomb-laden truck, while in New Jersey a mechanical arrangement or concrete barrier might be needed. Attacks don’t have to come from the outside. Just because someone wears a hard hat and shoes and goes in the contractors’ entrance doesn’t mean he belongs there. Employee screening, badges, and employees trained to step up and question people who don’t seem to be in the right place can go a long way.Cyber Attack
Idaho National Laboratories likens cyber security to an arms race. Over time the attackers change, their techniques and motivations change and their knowledge and understanding change. On the defenders’ (your) side, new vulnerabilities are constantly discovered and the technologies of the defended systems, and the system knowledge, must change as well. Figure 1 is a graphic representation of the range of threats and of necessary responses.| Fig. 1: Cyber attacks and their countermeasures change with time, and defenders must be proactive and work constantly to keep up. (Graphic: Michael Assante, Idaho National Laboratory) (Click here to enlarge.) |
There are tools available to detect so-called rogue wireless LAN users, and they should be used on a regular basis. Any connection between the corporate network and the control network must be designed with care. At a minimum, there should be a firewall between the two, although a poorly-designed system (Fig 2) may give the illusion of safety without providing it.
Firewalls take a number of forms, both software-based and hardware-based. Software firewalls are available from firms like Symantec and there is a firewall built into Windows XP. Hardware firewalls may be stand-alone units or be included in routers.
| Fig 2: An integrated networks like this provides poor security because once past the corporate firewall an attacker can access critical systems via the corporate LAN, the control LAN, or the communications LAN. (Courtesy Idaho National Laboratory) (Click here to enlarge) |
Firewalls come in several flavors, according to NIST Publication 800-82 - Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security.
Packet filtering, the simplest, checks basic information in each packet against a set of rules.The application-proxy gateway examines packets at the application layer and filters traffic based on specific application rules, such as specified applications. Additional security can be gained by establishing a so-called Demilitarized Zone (DMZ), a separate network segment that connects directly to the firewall. The DMZ can contain things like the data historian, the wireless access point, or remote and third party access systems. One way to do this is to run all connections through a workstation (Fig. 3).
| Fig. 3: Using a firewall and also routing network connections through a workstation establishes a DMZ. (Courtesy Emerson Process Control) |
Some facilities allow employees to connect laptops to the corporate LAN, but when disconnected and used elsewhere, such a laptop can become infected with malware, which is then introduced when the user re-connects to the LAN. Since the infected laptop is connected to the LAN only intermittently, it can be difficult to track.
One might think that the security measures used by the company’s IT department would be sufficient, but a control network and a corporate network are used differently, have different priorities and are maintained differently, which means that normal IT security measures may not be applicable to the control network, and actually degrade or disable it. The IT department’s priorities, says Huba, are “confidentiality, availability and integrity — in that order. In our world, it’s the opposite. Availability is most important, integrity is important, and confidentiality tends not to be a big issue.”
Selling It To Management
Some corporate types resist spending anything that doesn’t have an ROI attached. “If I’m a control systems manager,” says Marty Edwards, industry liaison lead for control system security program, Idaho National Labs, “trying to put forward a project that will increase the security of my control systems, how do I put that into a business case or an ROI type of conversation that I can have with my upper management so I can secure budgetary funding?” The answer, suggests Ric Kucharyson, senior marketing manager for Honeywell Process Solutions’ Migrations and Expansion Solutions group, is to ask a simple question: “What if this particular asset got hit at some level of criticality, and what would it cost if that damage did occur?”Helping Hands
Perhaps the first place to look for assistance is the vendor of your plant’s control system. Many control system vendors, including Invensys Process Systems, Emerson Process Control and Honeywell Process Solutions provide security services, beginning with vulnerability assessments and extending to match whatever the plant may need. There are also multiple organizations devoting much or part of their time to plant security. See below for a listing.| Plant Security Sources Along with the industry groups and governmental bodies listed below, many companies, including most process control system vendors, also provide security training and assessment services. |
Acknowledgements:
Ted Cromwell, senior director of security and operations, American Chemistry Council; Bob Huba, senior product manager, DeltaV, and Henry Malo, SureService business development manager, both at Emerson Process Control; Ric Kucharyson, senior marketing manager for Honeywell Process Solutions’ Migrations and Expansion Solutions group; Marilyn Guhr, senior marketing manager in Honeywell’s Lifecycle Services group; Marty Edwards, industry liaison lead for control system security program at Idaho National Labs; and Ernie Rakaczky, program manager for cyber security and Doug Clifton, senior solutions architect, both of Invensys Process Systems.