Ensuring process cyber security

Paul Boughton

Cyber security is becoming an increasingly important aspect of plant management. Here we look at the strategies and technologies being used by suppliers to ensure that process plants minimise their vulnerability to cyber attacks. Eugene McCarthy reports.

Over the past two years, industrial infrastructure has been identified as a key target for hackers and government-sponsored warfare, attracting some of the most sophisticated cyber attacks on record.

Belden, a global leader in signal transmission solutions for mission-critical applications, in coordination with Tofino Security - part of Belden's Hirschmann brand - has developed a product portfolio and business processes to protect critical infrastructure against these emerging threats.

Legacy industrial communication and networking systems originally designed to work only within facility walls are opening up, as organisations look to work smarter and more efficiently. As a result, the industrial floor has become a hotbed of information activity, with intelligence passing back and forth between industrial settings and outside systems.

"It's vital for companies to employ industrial Ethernet systems enforced with secure industrial cabling, switches, routers and firewalls if they are going to protect critical operations from cyber sabotage," said Eric Byres, cto and vice president of engineering at Tofino Security. "The push for efficiency now requires increased information passing between the industrial and enterprise systems. This significantly elevates the risk and need for top-notch security - starting at the plant floor."

But the level of sophistication shown by Stuxnet, Night Dragon and Flame - and the open aggression between countries - requires more than advanced hardware protection. Company policies and internal security processes across all system components are crucial to the success of any security system in an era of heightened threat. The likely targets of cyber attacks aimed at nation states include energy and water supply.

Complementing the Belden industrial Ethernet product offering, Tofino Security, in partnership with exida, recommends a seven-step process designed to help protect industrial systems from these highly advanced threats:

- Assess existing systems: understand risk and prioritise vulnerabilities.

- Document policies and procedures: determine position regarding industrial control systems (ICS) and develop company-specific policies.

- Train personnel and contractors: develop and institute policy awareness and training programmes.

- Segment the control system network: create distinct network segments and isolate critical parts of the system.

- Control access to the system: provide physical and logistical access controls.

- Harden the components of the system: lock down the functionality of components.

- Monitor and maintain the system: update antivirus signatures, install patches and monitor for suspicious activity.

John Cusimano, director of security at exida, said: "Security researchers and hackers have identified numerous vulnerabilities in the products used in industrial operations - specifically the water, energy and transportation industries - and it's absolutely vital that companies start now to secure core components through best practice policies and industrially-focused security technologies," said Byres.

Dedicated teams tackle the cyber threat

Meanwhile Honeywell has formed an Industrial IT Solutions group, a global team of experts who can help manufacturers and process industry facilities protect against cyber threats.

Part of Honeywell Process Solutions, the Industrial IT Solutions group specialises in the design, performance assessment and protection of networks used in the process industry, including wireless instrument and Scada platforms. Its offerings will provide a comprehensive range of vendor-neutral technology and services required to assess, remediate, maintain and manage plant automation network performance, vulnerabilities and cyber security measures.

Jon Lippin, vice president and general manager, Honeywell Lifecycle Solutions and Services for Honeywell Process Solutions, said: "As control networks continue to expand and integrate to business systems, the risks and complexity of cyber vulnerabilities must be addressed with the same vigilance as process safety risk assessments."

Honeywell's industrial IT services are based on extensive knowledge in IT systems and a deep understanding of process control environments. The company has completed hundreds of industrial IT projects across the globe.

"Honeywell has invested in building the Industrial IT Solutions practice to help industrial plant, pipeline and asset owners stay ahead of the threats, regardless of control system vendor or location. We provide a scalable approach to managing all aspects of today's industrial control system networks," Lippin added.

Comprised of network and security-certified professionals, the Industrial IT Solutions group focuses on four key activities: assessing a plant's assets against industry standards, regulatory requirements and best practices; remediating issues identified in the assessment phase with a custom-designed programme; managing the plant's industrial IT investment with support, training, and services such as network security administration, anti-virus management, and patch management; and maintaining the plant's solutions through programmes such as performance and security monitoring, change management, monthly status reporting, etc.

For its part, Invensys Operations Management (IOM) addresses compliance and cyber security challenges from analysis through to implementation and management. This begins with expert consulting, followed by the creation of an overall cyber security plan and remediation strategy encompassing processes, procedures, people, products, networks and applications.

IOM says its solution is unique because it provides cyber security compliance for critical infrastructure, and also integrates seamlessly between manufacturing operations and corporate IT networks. Key capabilities here include: compliance with information security, physical security and business continuity; compliance with industry, regulatory, international and internal corporate standards; security experts with a regional and global understanding of current requirements and constraints; government and regulatory understanding and involvement; network design, optimisation and security implementation.

According to IOM, this approach brings a raft of key benefits, such as hardware independence (cyber security compliant solutions work on any vendor's control systems and any type of security technology) and regulation knowledge (a thorough understanding of all relevant regulations).

Siemens says it is one of the very few companies with an in-house private cyber emergency response team (CERT) that can help process companies achieve North American Electric Reliability Council (NERC) critical infrastructure protection (CIP). Its on-site cyber security and NERC CIP assessments are designed to help users identify any existing security vulnerabilities in control systems, related IT infrastructures and beyond.

Together with its cyber security alliance partners, the company provides comprehensive security audits to assess compliance with NERC CIP-002 through CIP-009.

The process includes evaluating current control systems and related cyber systems to assess whether they meet the controls in the relevant CIP-005, 007 and 009 sections. These sections can be addressed separately from the overall assessment.

Following the assessment, Siemens provides a detailed report documenting all the findings. Customised recommendations will also be offered to improve and enhance cyber security in order to meet and maintain NERC CIP compliance.

Many of Siemens' power plant automation (SPPA) systems are designed with enhanced security configurations and architecture to meet NERC CIP standards. For example, the innovative SPPA-T3000 control system is delivered 'NERC CIP Ready' (Fig. 1).

Security solutions

New from Emerson is a tie-up with NitroSecurity to further enhance the security of its Ovation system while also helping to reduce the costs associated with the evolving North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) standards compliance.

This relationship adds security information and event management (SIEM), which provides continuous electronic access monitoring (CIP-005) and security status monitoring (CIP-007). It also adds an intrusion prevention system (IPS) (CIP-005) and log collection, storage, and management (CIP-005). These capabilities add to the Ovation Security Centre (OSC)'s user management, DMZ router/firewall, antivirus defence, vulnerability scan and patch management, malware prevention, security patch validation, virus signature validation, security advisories, security assessment, technical feasibility exception (TFE) support, and ports and services documents.

Rockwell Automation's security taskforce has dealt with two security vulnerabilities uncovered earlier in 2012. The first were discovered in the Allen-Bradley ControlLogix L5561, 1756-ENBT module and MicroLogix 1100 controller, and security advisories were immediately released about them.

The company then learned of two previously unknown security vulnerabilities in the RNADiagReceiver.exe service of the FactoryTalk Services Platform (FTSP). An advisory has also been added to the Rockwell Automation Security Advisory Index about this.

"We recognise that with every advisory, new concerns are raised about control system security risks and their susceptibility to both accidental and malicious threats. For this reason, we continue to invest in our products, systems and services to help you protect what is important to you. We also continue to maintain our close working relationships with reputable agencies and the industrial security research community at large. Through these actions and practices, we remain committed to helping you and the automation industry recognise and remediate contemporary security risks," says the company.