Securing the process industries
Everyone wants a secure plant floor, but process manufacturers have special concerns that require unique strategies
By Nancy Bartels, senior editor -- Manufacturing Business Technology, 10/1/2005 6:00:00 AM
No matter what product is going out the door, basic plant-floor security issues remain the same. To start, these include control of physical and electronic access to the plant and its IT environment, intruder prevention and detection, timely implementation of patches and anti-virus software, and regular audits of systems and training on security procedures and policies.
What differentiates security in the process industries—e.g., those that involve continuous-flow or batch manufacturing production processes—isn't this basic list of needs, but rather how it should be addressed. No manufacturer wants to see a production line go down because of a computer glitch or a malicious act, but failure in the process industries may have safety and economic implications well beyond the cost of lost production.
"Process operations usually are continuous," says Dave Woll, analyst with ARC Advisory Group, Dedham, Mass. "When they are driven into an abnormal state of operation, they must be returned to a safe state, otherwise the consequences can be devastating."
An uncontrolled process in a chemical plant, for example, could release toxic material into the surrounding community or cause an explosion. In a pharmaceutical or food plant, customer health could be at risk if a bad actor simply changes a recipe. Therefore, process-control security is not just a business or manufacturing issue, but one of national security as well.
Recognizing that encryption and firewalls alone may not be good solutions in production environments, experts recommend dual enterprise and production security barriers; rules-based access, including secured and verified rights; separate security zones for I/O network, plant network, data center, corporate network, and Internet zone; use of file-based integrity checkers; and, in some cases, complete isolation of the production environment.
Distributed control (DC) and supervisory control and data acquisition (SCADA) systems, which are at the heart of many process operations, are more vulnerable to malicious attack for several reasons. Critical Infrastructure Protection, a 2004 report from the General Accounting Office, cites the following conditions:
- Increased use of standardized systems with known vulnerabilities;
- Increased connectivity of control systems to other networks;
- Constraints on existing security technologies and practices;
- Insecure remote connections; and
- Widely available control-systems information.
Benefits aside, the instant connectivity brought about by the Internet; the rise of standardization and interoperability; and the business demands for real-time data exchange across the enterprise and between widely dispersed divisions and supply chain partners have resulted in increased vulnerability of process-industry systems.
The trouble with control systems
Securing process-control systems is difficult for a number of reasons. Never intended to link to other parts of the enterprise in the first place, process systems have been built for the long haul—20-year-old systems are not uncommon.
These systems often don't support the latest security technologies, said Joseph M. Weiss, executive consultant with the global technical consultancy and testing operation, KEMA, headquartered in Arnhem, the Netherlands, in recent testimony before the U.S. House of Representatives Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census.
Control systems are deterministic: each action in the system depends on a previous one. Deterministic systems have set task priorities, rigid and critical timing requirements, and performance specifications that cannot easily be altered. Because they perform specific tasks, they have limited processing power. These constraints make using security technologies, such as encryption, difficult because they lead to unacceptable performance degradation, added Weiss.
In addition, the industry-standard communication protocols used in most control systems were designed in a safer, simpler time, when security issues did not have the same urgency. Furthermore, most firewalls—the most obvious security device—are designed to filter Internet protocols, not control-system protocols, says Weiss. Adding protective barriers can lead to unacceptable performance delays.
Plant-floor cultural issues further complicate matters. Comfortable in the proprietary software world, many engineers are still tempted to believe that "security by obscurity"—i.e., having a system that most hackers don't know about—is sufficient protection.
Culture clashes between control engineers and IT staff add another layer of difficulty. The two groups don't always understand each other's needs, or speak one another's technical language. Inevitable departmental turf wars can make securing control systems while pursuing larger enterprise business goals more difficult.
Different dimensions
The basic strategies for securing the plant floor—access control, change management, and network hardening and isolation—are the same for all manufacturing, but in a process environment, these defenses take on a different dimension. For example, any network should have strong access controls. Entire parts of a network should be restricted to authorized users only. Controlled physical access to workstations and entire areas of the plant should be part of any security plan.
"In process industries, we don't have as much flexibility," says Bryan Singer, chairman of the Instrumentation, Systems, and Automation Society's (ISA) ISA-SP99 committee on process control security and senior business consultant at Rockwell Automation. "You cannot use traditional password-locking schemes and access control in process."
The standard rule, "Three wrong password entries and you're locked out," is not practical when the action that needs to be taken is to access a safety system immediately.
Singer recommends using one set of security applications—firewalls, virtual private networks, antivirus tools—around the entire enterprise, and an internal security barrier consisting of another firewall and additional security tools and procedures focused on plant-floor and control systems. Rules-based access plans add another layer of protection.
"You need to put security access at the data level," says Rashesh Mody, chief architect for open standards, the OPC Foundation, and chief technical officer at industrial automation and information software vendor Wonderware. "Most SCADA systems today only enforce security at the operator-display level. If you can walk up to the HMI [human-machine interface] computer, you can control the process. Say you have a valve that opens and closes. Who is allowed to do that? The system should enforce the fact that only persons A, B, and C—and their supervisor—can open the valve. Then you have a two-layer system of secured rights and verified rights."
A person with secured rights enters his or her name and password once at the beginning of the shift, says Mody. Then they're into the parts of the system where their presence is authorized, and they are free to perform functions there. Under a verified-rights scheme, two people would have to log in to access parts of the system. For example, it might require a verified-rights protocol to change a recipe.
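The two-layer scheme Mody describes, as an added illustration that is not part of the original article or any vendor's product: authorization is enforced on the controlled object (a valve tag, a recipe) rather than on the operator display, secured rights are a one-per-shift login, and verified rights require a second, distinct and equally authorized person. All tags, users and roles below are constructed.

```python
"""Data-level, two-layer access control for control-system actions.
Secured rights: the operator authenticates once per shift and may then act
on the tags the policy names. Verified rights: a second, different person
who is also authorized must confirm high-consequence actions such as recipe
edits. Constructed example; tags, users and roles are illustrative only."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    allowed: frozenset          # persons A, B, C ... authorized for this tag
    supervisor: str             # their supervisor is authorized as well
    two_person: bool = False    # verified rights: a second person must confirm

    def permits(self, user: str) -> bool:
        return user in self.allowed or user == self.supervisor

# Constructed policy keyed on the controlled object, not the HMI screen.
POLICY = {
    "V101.open":      Rule(frozenset({"alice", "bob", "carol"}), "dana"),
    "RECIPE_B7.edit": Rule(frozenset({"carol"}), "dana", two_person=True),
}

@dataclass
class Session:
    user: str                   # authenticated once at shift start (secured rights)

AUDIT: list = []                # every decision is kept for later review

def authorize(action: str, operator: Session,
              verifier: Optional[Session] = None) -> tuple:
    """Return (allowed, reason) for operator performing action on a tag."""
    rule = POLICY.get(action)
    if rule is None:
        decision = (False, "unknown action: denied by default")
    elif not rule.permits(operator.user):
        decision = (False, f"{operator.user} is not authorized for {action}")
    elif rule.two_person:
        if verifier is None:
            decision = (False, "verified rights: second authorizer required")
        elif verifier.user == operator.user:
            decision = (False, "verified rights: verifier must be a different person")
        elif not rule.permits(verifier.user):
            decision = (False, f"verifier {verifier.user} is not authorized for {action}")
        else:
            decision = (True, f"verified by {verifier.user}")
    else:
        decision = (True, "secured rights")
    AUDIT.append((action, operator.user, verifier.user if verifier else None, decision))
    return decision
```

Note that the recipe edit fails closed in every incomplete case (no verifier, same person twice, an unauthorized verifier), which is the property a two-person rule has to guarantee.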
Mody also recommends dividing the plant into five zones and addressing security within each one—and at the connections between them. "You have the I/O network, where signals are coming into the control system, the plant network, the data center, the corporate network, and the Internet zone," he says. "You have to know who has access to each of these, and how they are connected."
Change management is another special concern in process environments. "You don't want people to change your recipes," says Mody. But the problem isn't just potential "evildoers." Well-intentioned insiders can be just as devastating. According to ARC, 80 percent of process-control system breaches come from inside the plant, often from someone who meant no harm.
To counteract unintended consequences, says Singer, "File-based integrity checkers tell you whether a file has been changed and allow you to do something about it."
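What a file-based integrity checker does for recipe and setpoint files, as an added illustration that is not code from the article or from any vendor named in it: take a baseline of digests, then report which files were changed, added or removed, so an unreviewed edit, whether malicious or well-intentioned, is surfaced. The recipe files are constructed in a temporary directory.

```python
"""File-based integrity checking for control-system configuration (recipes,
setpoint tables): record a baseline of SHA-256 digests, later report any file
that was changed, added or removed. Constructed example; the recipe files
and their contents are invented for the demonstration."""
import hashlib
import os
import tempfile

def baseline(directory: str) -> dict:
    """Map each regular file under directory to its SHA-256 hex digest."""
    digests = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                digests[name] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def check(directory: str, known: dict) -> dict:
    """Compare the directory against a stored baseline; return deviations."""
    current = baseline(directory)
    return {
        "changed": sorted(n for n in known if n in current and current[n] != known[n]),
        "added":   sorted(set(current) - set(known)),
        "removed": sorted(set(known) - set(current)),
    }

def demo() -> dict:
    """Constructed scenario: one recipe edited and one deleted after baselining."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "batch7.rcp"), "w") as fh:
            fh.write("agitator_rpm=120\nhold_minutes=45\n")
        with open(os.path.join(d, "batch8.rcp"), "w") as fh:
            fh.write("agitator_rpm=90\nhold_minutes=30\n")
        known = baseline(d)          # stored securely, away from the plant host
        # an unreviewed edit alters a setpoint; a second file disappears
        with open(os.path.join(d, "batch7.rcp"), "w") as fh:
            fh.write("agitator_rpm=120\nhold_minutes=15\n")
        os.remove(os.path.join(d, "batch8.rcp"))
        return check(d, known)
```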
The last line of defense available for process-control systems—the nuclear option, if you will—is complete isolation, says Singer. A system so vital that unauthorized entry simply cannot be risked should be detached from the rest of the enterprise. The decision to do that has to be a tradeoff between security and the benefits of connectivity.
Help is on the way
The major industrial automation system vendors—ABB, GE Fanuc, Honeywell, Rockwell, and Invensys, to name a few—are building security into their offerings, automating security policy enforcement, and enabling system hardening as much as possible. Network systems providers such as Cisco Systems are making security on the plant floor a priority as well. A plethora of security appliance and software vendors offer everything from anti-spam and virus protection to intrusion detection/prevention systems and video cameras linked to sensors that issue alerts when physical perimeters are breached at remote facilities.
Furthermore, organizations such as ISA—through its ISA-SP99 committee—are developing standards and best practices to guide manufacturers in implementing control-layer security. CERT, the Computer Emergency Response Team at Carnegie Mellon University, Pittsburgh, and the National Institute of Standards and Technology (NIST) both have deep wells of resources in this area.
Not least, over the last decade Microsoft has established an important presence on the plant floor. The Microsoft Manufacturers Users Group (MSMUG) is working with the software vendor to address security issues for manufacturers using Windows-based systems.
With all the developments in progress, the most difficult part of securing a process-control system may be sorting through the available systems and picking the level of security and the strategies appropriate for a particular operation. Furthermore, hardware and software alone won't do the job.
In the end, the price of control-system security is the same as that of liberty—eternal vigilance. Securing operations is a process, not a destination, and vendors and manufacturers are in an arms race with mischief makers. Meanwhile, CFOs relentlessly remind their operations counterparts that security costs money. Any control-system security plan has to be looked at in the context of enterprisewide security—and business plans.
Companies must strike a balance between security and paranoia. "There's a place where the cost to implement a cure exceeds the risk, or when the security controls impede the operation of the shop floor," says Singer. "You have to balance how much you deleteriously affect shop-floor operations with the benefit you get."