Industrial plants and facilities are exposed to a widening array of security risks, ranging from malware and hacking to accidents, physical intrusions and counterfeit or tampered goods. Prevention and mitigation processes, new industry standards and technologies to improve safety and compliance are filling the gaps.
Accidents happen: While worry about malicious attacks is high, most control system cyber incidents are unintentional, says Joe Weiss, managing partner of Applied Control Solutions (www.realtimeacs.com) and author of the book Protecting Industrial Control Systems from Electronic Threats. The Olympic Pipe Line's gasoline pipeline failure in Bellingham, Washington, is an example. The NTSB identified electronic communication problems with the SCADA system as the proximate cause of the failure. The ensuing explosion claimed three lives, caused substantial environmental damage, and led to the company’s bankruptcy.
“If this can happen unintentionally, the consequences can be even worse in an intentional attack,” says Weiss. “The problem is that there are no forensics to raise the alarm when a cyber event is occurring.” To prevent malicious and unintended cyber incidents, he recommends establishing a control system cyber security policy and conducting a risk assessment to determine where best to invest in protection. “This requires senior management buy-in, which means identifying cyber security as a critical risk,” he adds.
Cyber security framework: SCADA, industrial control systems and other critical network infrastructure are increasingly digitally connected and vulnerable to cyber security threats. The Achilles Communications Certification Program developed by Wurldtech Security Technologies (www.wurldtech.com) ensures that applications, devices and systems conform to a formal, comprehensive standard to reduce security risks and increase plant reliability.
The company’s update and support service, AchillesInside, is intended to decrease the frequency and cost of patch and mitigation activities by allowing common IT infrastructure to be updated continuously with specific rule sets and signatures. Its engine is Wurldtech’s proprietary Delphi cyber security vulnerability database for industrial control systems.
Virus protection: When industrial equipment is used in network-isolated environments, it can’t be monitored for viruses from a remote location. “In a closed network, viruses can spread quickly from machine to machine, bringing down or reducing system performance before IT knows there’s a problem,” says Moto Watanabe, U.S. product manager for Hagiwara Sys-Com (www.hsc-us.com).
Manufacturers assume their customers will install security measures. Traditionally, this involved loading antivirus software and updates on each piece of equipment to run scans. Whether and how frequently scans were performed typically depended on equipment criticality. To simplify this process, Hagiwara Sys-Com’s Vaccine USB offers virus scanning on-demand, using software and updates installed on the USB instead of the production machine, and a McAfee-based virus scan engine customized to meet industrial requirements.
When the Vaccine USB is plugged into equipment running Windows OS with auto-run enabled, the scan launches automatically. “An LED indicator turns red when a virus is detected and the details are captured in a scan log inside the USB for the IT technician’s review,” says Watanabe. There are plans to support Linux OS in the future.
Physical security: Regulatory compliance requirements vary by site and are subject to change. The harmonization of CFATS and MTSA rules currently underway is an example. “The cost to meet regulatory standards is a key concern,” says Ryan Loughin, director of Chemical and Energy Solutions at ADT Security Services (www.adt.com). Cost-conscious outsourcing is one option. “ADT’s Select View platform of managed services allows video audits, video guard tours and other services to be performed remotely using the plant’s existing surveillance equipment. Services are tailored to the standards of each site.”
The security of equipment and inventory moving in and around the plant is increased with the use of product verification and tracking systems. Researchers at the University of Arkansas, College of Engineering (www.engr.uark.edu), are developing a cost-effective, field-deployable “fingerprinting” RFID tag technology. The goal of the National Science Foundation-funded research project is to streamline the transfer of ownership as an item moves through the supply chain by re-registering the fingerprint of the RFID tag.
“Passive RFID tags currently have two security-related weaknesses: authentication and transfer of ownership,” says Associate Professor Dale Thompson. “Controlling and manipulating the RFID tag through contactless fingerprinting will increase efficiency and add another layer of security to the supply chain, particularly for high-value, high-volume items.”
Email Contributing Editor Sheila Kennedy, managing director of Additive Communications, at [email protected].