Industrial plants and facilities are exposed to a widening array of security risks, ranging from malware and hacking to accidents, physical intrusions and counterfeit or tampered goods. Prevention and mitigation processes, new industry standards and technologies to improve safety and compliance are filling the gaps.
Accidents happen: While worry about malicious attacks is high, most control system cyber incidents are unintentional, says Joe Weiss, managing partner of Applied Control Solutions (www.realtimeacs.com) and author of the book Protecting Industrial Control Systems from Electronic Threats. The Olympic Pipe Line's gasoline pipeline failure in Bellingham, Washington, is an example. NTSB identified electronic communication problems with the SCADA system as the proximate cause of the failure. The ensuing explosion claimed three lives, caused substantial environmental damage, and led to the company’s bankruptcy.
“If this can happen unintentionally, the consequences can be even worse in an intentional attack,” says Weiss. “The problem is that there are no forensics to raise the alarm when a cyber event is occurring.” To prevent malicious and unintended cyber incidents, he recommends establishing a control system cyber security policy and conducting a risk assessment to determine where best to invest in protection. “This requires senior management buy-in, which means identifying cyber security as a critical risk,” he adds.
Cyber security framework: SCADA, industrial control systems and other critical network infrastructure are increasingly digitally connected and vulnerable to cyber security threats. The Achilles Communications Certification Program developed by Wurldtech Security Technologies (www.wurldtech.com) ensures that applications, devices and systems conform to a formal, comprehensive standard to reduce security risks and increase plant reliability.
[pullquote]
The company’s update and support service, AchillesInside, is intended to decrease the frequency and cost of patch and mitigation activities by allowing common IT infrastructure to be updated continuously with specific rule sets and signatures. Its engine is Wurldtech’s proprietary Delphi cyber security vulnerability database for industrial control systems.
Virus protection: When industrial equipment is used in network-isolated environments, it can’t be monitored for viruses from a remote location. “In a closed network, viruses can spread quickly from machine to machine, bringing down or reducing system performance before IT knows there’s a problem,” says Moto Watanabe, U.S. product manager for Hagiwara Sys-Com (www.hsc-us.com).
Manufacturers assume their customers will install security measures. Traditionally, this involved loading antivirus software and updates on each piece of equipment to run scans. Whether and how frequently scans were performed typically depended on equipment criticality. To simplify this process, Hagiwara Sys-Com’s Vaccine USB offers virus scanning on-demand, using software and updates installed on the USB instead of the production machine, and a McAfee-based virus scan engine customized to meet industrial requirements.
When the Vaccine USB is plugged into equipment running Windows OS with auto-run enabled, the scan launches automatically. “An LED indicator turns red when a virus is detected and the details are captured in a scan log inside the USB for the IT technician’s review,” says Watanabe. There are plans to support Linux OS in the future.
Physical security: Regulatory compliance requirements vary by site and are subject to change. The harmonization of CFATS and MTSA rules currently underway is an example. “The cost to meet regulatory standards is a key concern,” says Ryan Loughin, director of Chemical and Energy Solutions at ADT Security Services (www.adt.com). Cost-conscious outsourcing is one option. “ADT’s Select View platform of managed services allows video audits, video guard tours and other services to be performed remotely using the plant’s existing surveillance equipment. Services are tailored to the standards of each site.”