Sunday, May 18, 2025

Living In Interesting Times

By Inbavanan R, General Manager Asia Pacific, Lifecycle Solutions & Services, Honeywell Process Solutions

“May you live in interesting times”, often referred to as the Chinese curse, seems to be a good fit for where we have found ourselves over the past several years. The importance of server- and network-based IT solutions for automation systems has grown rapidly in recent years. Continually increasing technology capabilities – perhaps growing faster than we are able to adapt effectively – present us with ever-increasing challenges.

The Information Technology (IT) organizations within most companies of any size are old hands at this evolutionary process, and their best practices have matured and improved over many years. That’s not to say that IT professionals don’t get surprised – particularly in the areas of network access and the perverse nature of cyber terrorists.


In the control systems environment, we enjoyed a more proprietary, protected environment and considered ourselves immune to security attacks, but the price we paid was in connectivity and information exchange in a timely and controlled manner. As we adopted more open technologies, much as our corporate IT organizations have done, we began to see many of the vulnerabilities associated with the introduction of these technologies. Basically, we have requirements that are quite similar to corporate IT organizations; however, an intrusion in a control system environment carries with it more opportunity for physical harm than is typical in the corporate environment. For this reason, we are now taking the view of an industrial IT approach for control systems.

If we step back and view where we are today with the application of information technology to control systems, we can make several observations:
1. It’s no secret that there are increased accessibility requirements. Open technologies invite accessibility, and individuals and groups within the organization want access – to perform their own functions in a more timely and effective manner.
2. There is a tighter linkage between business and process information – associated here with point 1, above.
3. Many tools are available to address a single issue or group of issues. And, there are standards and best practices that have grown up around specific areas (like security), and for certain industries (like power).
4. Cyber threats come in many flavors – from those creating mischief (irritating) to those targeting specific industries with malicious intent (dangerous).
5. There is an increase in industry and government regulations and/or standards. The intentions of the groups generating these regulations/standards are positive; however, the time required to make significant progress is lengthy.
6. From a business perspective, most control systems are driven to provide increased uptime, availability and reliability.
7. In general, there is a lack of IT know-how in the plant – with a view more to availability than confidentiality. Plus, there is insufficient manpower available in many organizations to manage a security program.

All of these points direct our attention to the realization that we are in an environment of increased risk. We can view the risks by type – internal, external, targeted, and non-targeted.

The most likely risk may be internal, non-targeted – for example, an employee inadvertently brings a virus or worm into the control environment using a USB memory stick – a kind of “sneakernet” intrusion.

Perhaps the worst situation is the external, targeted risk – the most hyped in the media and certainly the most dangerous. A recent example is Stuxnet, which was designed to attack a specific industrial control system and proved that control systems are not immune to cyber attacks directed by highly motivated parties.

The Repository of Industrial Security Incidents (RISI), which records cyber security incidents directly affecting supervisory control and data acquisition (SCADA) and process control systems, shows the number of incidents increasing by approximately 20% per year over the last decade.

We have realized that control networks are not built to withstand traditional IT attack or protection methods. We are in a business environment that needs to minimize risk. If we have learned anything from our corporate IT organizations, we are beginning to realize that we need to take an approach that is based on a long-term, sustainable view of our future.

Just as corporate IT organizations have tackled the issues of providing a consistent, proven set of tools across multiple systems, we in the control systems environment need to adopt a similar approach.

Corporate IT organizations have learned that delivering information technology to their users is an ongoing process. And, that’s a key point for us in the control systems environment – we need to understand that an area such as security is an ongoing program, not a project that has a defined completion date.

So, let’s consider security from the perspective of an ongoing program. Where do you start? A phased model of the security lifecycle will help to clarify and give some ideas on where to start and how to continue.
1. Assess your assets and vulnerabilities against industry standard and best practices.
2. Remediate your network with a custom-designed security program.
3. Manage your network security investment with services and training.
4. Assure your security program is functioning as designed with compliance management.

…and continue the cycle!

Assessments help to determine where you are today in securing your critical infrastructure. You need a way to identify overall shortcomings and risk areas compared with a desired status. And, from that point, you would need to formulate and prioritize actionable recommendations focused on better system management. And, of course, you’ll need to know how much it’s going to cost, how long it’s going to take, and how broad a scope you want to tackle initially. You may want to focus on one or more types of assessment, such as:
o Regulatory (NERC CIP, CFATS, etc.),
o Network (security, upgrades, outsourcing, monitoring, etc.),
o Gap analysis (risk and readiness, general best practices),
o Audit (based on a regulatory or corporate checklist). 

Remediation is the next phase in the lifecycle – and it is perhaps the most robust in terms of involvement, process definition and implementation. The key is to realize that the focus of this effort is overall risk management. Remediation is broad in its scope, involving people, process, and technology.

From a people perspective, a security awareness program will focus on helping each individual gain respect for, and a basic understanding of, the requirements and the potential impact of a security breach. This area includes security training, plus policy and governance development, and design and implementation resources.

Process includes procedural development for critical areas, such as patch management, secure remote access, anti-virus, backup and restore procedures, change management, and perimeter security.

Technology represents the choices for the network architecture, network topology (including diagrams of the process control network design), server and software (selection, deployment, and configuration), system hardening, and virtualization.

Depending upon the extent of the areas in need of adjustment, as determined in the assess phase of the lifecycle, the corresponding remediation phase can be quite involved. Depending on the severity of the assessment findings, the remediation may require immediate attention, while other areas may be managed over time. The prioritization of these adjustments will be very helpful in the remediation phase.

Manage focuses on the ongoing management of systems and technology and support. This phase is where you would see the implementation of workflow processes, attention to anti-virus and patch management, perimeter management, and testing and change management. Support would include regular tuning of security tools and system health and performance monitoring.

Assure focuses on compliance management and program monitoring. Compliance management ideally would provide an asset-based approach, with complete document management capabilities, including workflows to track document review and approval as per NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) requirements, as an example. In addition, the compliance manager would include integration with Microsoft Windows cyber assets to track and document configuration and user information changes, and the ability to integrate with other systems that hold compliance-related data (such as HR, Laboratory Information Management Systems or LIMS, and Security Information and Event Management or SIEM and log management). And finally, the compliance manager would provide accurate, reliable information readily available for audits and spot checks.

And, back to the assessment phase again – remember, it’s an ongoing program – not a project! It is important to be as vendor neutral as possible in working through the lifecycle, taking advantage of network and security certified personnel.

Industrial IT helps to unite the best practices of traditional IT with the special requirements of process control systems – to protect and preserve security while delivering maximum performance.

Cat Yong
Cat Yong is Editor-in-Chief of Enterprise IT News, a regional news website which began in Malaysia circa 2011. A common theme in all of her work - opinions, analysis, features and more - is how technology and innovation drive business and outcomes. A career tech journalist for 22 years, her work has evolved to also encompass narratives of tech powering human potential.
