Warding Off Digital Attacks: How to Secure Your Process Control Network
Fri, 08/11/2006 - 5:14am
Chemical plants must include both their process control and building automation systems when developing a solution to combat security and safety threats‘Many chemical companies don’t receive consistent information on how to best protect their sites.’ By Marilyn Guhr
4 Major Categories of Real-World Cyber Threats Viruses, Trojan horses, worm attacks Network spoofing and denial-of-service threats Eavesdropping and password cracking Data tampering, impersonation, packet modification
Assessing VulnerabilitiesThe key to strengthening security at any facility is understanding existing weaknesses. An assessment should establish a baseline of a company’s current security processes, procedures and safeguards used to protect the PCN from external threats. That baseline is then the focus of recommendations that outline the procedures and changes that will remove or mitigate identified vulnerabilities. PCN vulnerabilities can be ranked based on their risk potential, and most sites will have some low- and medium-risk areas as well as a few high-risk areas. Some of the higher risk vulnerabilities are associated with poor or non-existent security policies including poor password management, missing or out-of-date anti-virus software and ineffective processes for communicating policies. Unsecured open ports present opportunities for the introduction of viruses. Consider that someone could cause significant disruption simply by inserting an infected USB stick in an unsecured open USB port and, as mentioned above, injecting a virus into an otherwise “clean” system an instance of “sneaker net” meeting cyber space.
Designing Network Security Infrastructure
Deploying Hot Fixes and Service PacksThe efficient and timely qualification and validation of hot fixes and service packs, such as those fixes issued by Microsoft, are key to a successful security strategy. It is incumbent on the process control vendor to validate and qualify these hot fixes and service packs for their platforms, providing up-to-date information to their customer bases. Vendors who make this information readily available are providing great benefit to users of these systems.
Qualifying Antivirus SoftwareProcess control vendors also need to be supportive of their customers with regard to the qualification of anti-virus software. And, since one leading anti-virus offering may be preferred over another, offering a choice of qualified anti-virus software is a plus.
Locking Down Control Network NodesVendors can embrace a locked-down model that facilitates system security, providing customers with pre-configured security settings for files, directories and registry keys to protect against viruses, malicious users and inadvertent actions. Such a model would provide pre-configured groups and group policies that define the desktop behavior within an organization by role. Consider the following scenario. For operators, the policies would be very secure (or locked down), limiting the user to auto-start applications. For supervisors, the policy would be similar, very secure/locked down. Engineers, on the other hand, would be restricted to relevant engineering functions. Administrators might have unlimited access with secure settings such as screensaver with password after 15 minutes of non-activity. Basically, this model type focuses on controlling the desktop by user role, limiting what is seen via the “start” menu and restricting which Windows tools/functions may be invoked. The first step in the security journey is the assessment. Understanding and documenting vulnerabilities provides the best foundation for developing an approach that balances security and functionality. From this assessment, the design that meets site requirements can be developed. Once implemented, the cycle begins again with an assessment, at least on an annual basis, to verify that new vulnerabilities have not been introduced or existing ones have not been ignored. Although focusing on the process control network’s security aspects is very important, chemical companies cannot afford to lose focus on the entire facility. A holistic view of the plant ensures the protection of assets and people. Other vulnerabilities in plants can range from a lack of perimeter security to the challenges of tracking employees, contractors and visitors on-site. Security and safety concerns include the ability to move workers to a safe location within the plant during an emergency (also called mustering) and the ability to coordinate with first responders. In some plants, out-of-date technology hampers the ability to achieve the best results. The best solution a chemical plant can use to combat modern security and safety threats should include both process control and building automation systems. A unified system translates into faster event response, less-expensive implementation and lower maintenance costs. Ultimately, security is your responsibility. It’s best to work with a vendor that has a keen focus on security and an established track record. And, remember, security is a journey, not a destination. Peace of mind is the reward. Marilyn Guhr is manager of global marketing and business development for cyber security and network services at Honeywell Process Solutions, 2500 W. Union Hills, P16, Phoenix, AZ 85027. Her expertise is in migration strategies, open systems infrastructure and services utilized to frame open systems, network and security service offerings. She has Six Sigma Certification. Questions about this article can be addressed to her at 602-313-3362. Additional information is available at www.acs.honeywell.com.