A lifecycle approach to security management and optimisation

Paul Boughton

The automation industry is moving away from proprietary technology to more open and interoperable control systems, a trend illustrated by the adoption of industrial Ethernet and commercially available wireless technologies. This development clearly increases the potential vulnerability of these systems to cyber attacks via the internet and from other external and internal network intrusions. 

The implementation of security appliances in these environments is the next logical step. Security devices such as firewalls, intrusion detection systems and intrusion prevention systems require an expert for initial configuration and installation. 

However, to justify their existence in the long run, these devices require constant updates as well as the diagnosis of their alarms and logs to ensure that attacks, as well as false positives, are identified. Depending on the size of the infrastructure, the number of devices can be quite substantial and requires a structured management process to ensure that they are operating effectively and with up-to-date information on current threats. 

Due to the specialist nature of the personnel required to review and monitor the alarms and logs of each different device that comprises the security infrastructure, the ability to hire and retain experienced security practitioners is typically outside the role of the normal control system asset owner. Even if experienced personnel can be hired, the number of individuals needed for round-the-clock coverage is almost always outside of the budget. 

One solution is a managed security service that helps the asset owner to make the best use of security investments. An example is IPS’s cyber security portfolio, which includes experienced security practitioners who monitor alarms and logs from customer site(s) for suspicious activity, including malware (malicious software code), and take appropriate action. They verify that updates covering current exploits are installed on external and other appliances, to guard against as many ‘zero day’ attacks (attacks that take advantage of computer security holes for which no solution is currently available) and known vulnerabilities as possible. 

This novel approach is focused first and foremost on the control automation layer and then up to the corporate IT layer, facilitating a secure integration between the operations and IT networks. 

Consider the many benefits to a managed security service: 

* 24/7/365 monitoring and management of the network security infrastructure. 
* Access to early-warning security intelligence and certified professionals. 
* Drastically improved security posture. 
* Lower total cost of ownership versus internal staffing and management. 
* Use of operational expenditure (opex) for a traditional capital expenditure (capex) function. 
* Partnering of critical infrastructure experts and managed security experts.

Such a service integrates strategic business and technical initiatives by providing value-added implementation and support services that will improve plant performance and operator effectiveness. A professional team offers plant-wide, platform-independent solutions through a project-oriented or ongoing service delivery as well as master plan development and rollout, which means improved plant asset availability and utilisation. 

This managed service is typically purchased as a monthly fee that provides the asset owner with 24/7/365 monitoring. It applies both to asset owners who already have their security appliances installed and to those who do not; in the latter case the devices can be included with the service, enabling the use of opex funds for the acquisition of security appliances. 

The net effect of these managed security services is a process control network security capability that is not only more effective (because of its pre-emptive nature) but also more cost effective – delivering enhanced protection at a lower total cost of ownership than is possible with conventional security internally.

Main goals

So the main goals of security management and optimisation are: 

* Detailed analysis and response to security alarms and logs.
* Comprehensive, centralised management of all security devices. 
* Testing and scanning for new or emerging vulnerabilities to help determine risk.

These goals are achieved through the appropriate selection of service elements. These include, for example, managed site security. Site-wide security management ensures that all security devices are being analysed and updated, both to detect attacks and vulnerabilities and to protect against the latest threats. 

Another element is managed node security. This provides a similar service to managed site security, but the scope is refined to an individual node focusing on managed firewalls, managed intrusion prevention systems and vulnerability management services. Importantly for plant equipment, there is also the capability to control access and ‘lock down’ in response to a specific threat. 

By determining a baseline of expected activity then monitoring network activity and access on managed devices, any changes can be identified more easily. This provides the ability to manage issues in real time and respond quickly and effectively.

Then there is incident response. When an attack occurs, or a new vulnerability is detected, asset owners need to know that a security professional is aware and responding accordingly to prevent further attacks. 
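The baselining described above, as an added example that is not part of the original article and is not IPS’s or Integralis’s code: a small Python script that learns the expected set of flows from a baseline window of firewall flow records, then flags any later record outside that set, distinguishing a never-seen source from a known host reaching an unexpected service so the analyst handling the alert can prioritise. The log format, device name, hosts and ports are constructed for illustration; unparseable lines are counted rather than silently dropped, since a monitoring gap is itself something the analyst needs to know about.

```python
"""Baseline-and-deviation detection over flow records from a managed device.

Added example (not from the article or from IPS/Integralis): learn the
expected set of (source, destination, port, protocol) flows during a
baseline window, then flag any record outside that set.  Log format and
addresses are constructed for the example.
"""
from dataclasses import dataclass
import re

# Constructed flow records in a simple key=value syslog style (assumed format).
BASELINE_LOG = """\
2024-03-01T08:00:01 fw01 flow src=10.10.1.20 dst=10.10.2.5 dport=502 proto=tcp action=allow
2024-03-01T08:00:05 fw01 flow src=10.10.1.20 dst=10.10.2.6 dport=502 proto=tcp action=allow
2024-03-01T08:00:09 fw01 flow src=10.10.1.30 dst=10.10.2.5 dport=44818 proto=tcp action=allow
2024-03-01T08:01:00 fw01 flow src=10.10.1.20 dst=10.10.3.10 dport=123 proto=udp action=allow
2024-03-01T08:02:00 fw01 flow src=10.10.1.30 dst=10.10.2.5 dport=44818 proto=tcp action=allow
"""

# Constructed records from the monitoring period, including two deviations
# and one malformed line.
LIVE_LOG = """\
2024-03-02T02:14:03 fw01 flow src=10.10.1.20 dst=10.10.2.5 dport=502 proto=tcp action=allow
2024-03-02T02:14:07 fw01 flow src=192.168.9.77 dst=10.10.2.5 dport=502 proto=tcp action=allow
2024-03-02T02:14:09 fw01 flow src=10.10.1.20 dst=10.10.2.5 dport=22 proto=tcp action=allow
2024-03-02T02:15:00 fw01 flow src=10.10.1.30 dst=10.10.2.5 dport=44818 proto=tcp action=allow
2024-03-02T02:15:30 fw01 malformed line that should be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse records into (timestamp, Flow); unparseable lines are counted and skipped."""
    flows, skipped = [], 0
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            skipped += 1
            continue
        flows.append((m["ts"], Flow(m["src"], m["dst"], int(m["dport"]), m["proto"].lower())))
    return flows, skipped


def learn_baseline(text):
    """Expected activity: the set of flow tuples seen in the learning window,
    plus the set of source hosts that appeared in it."""
    flows, _ = parse_flows(text)
    baseline = {f for _, f in flows}
    known_sources = {f.src for f in baseline}
    return baseline, known_sources


def detect_deviations(text, baseline, known_sources):
    """Return alerts for flows outside the baseline, each with a reason the analyst
    can use for triage, plus the count of lines that could not be parsed."""
    flows, skipped = parse_flows(text)
    alerts = []
    for ts, f in flows:
        if f in baseline:
            continue
        if f.src not in known_sources:
            reason = "new-source"    # host never seen during the baseline window
        else:
            reason = "new-service"   # known host, unexpected destination or port
        alerts.append({"ts": ts, "flow": f, "reason": reason})
    return alerts, skipped


if __name__ == "__main__":
    base, srcs = learn_baseline(BASELINE_LOG)
    found, bad = detect_deviations(LIVE_LOG, base, srcs)
    for a in found:
        fl = a["flow"]
        print(f"{a['ts']} {a['reason']:<12} {fl.src} -> {fl.dst}:{fl.dport}/{fl.proto}")
    print(f"{len(found)} alert(s); {bad} unparseable line(s)")
```

On the constructed input this reports the unknown host 192.168.9.77 reaching the Modbus port (502/tcp) of 10.10.2.5 as a new source, and the known workstation 10.10.1.20 opening 22/tcp to the same controller as a new service, while the malformed line is counted so that a parser or log-forwarding fault shows up in the run summary rather than disappearing. A real deployment would learn the baseline over a longer window and refresh it under change control, since the baseline itself is what an attacker would want to poison.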

Finally there is testing. This involves appropriate periodic or one-shot testing and vulnerability scanning to assess the current ability of the security measures to resist attacks. 

It is also important to bear in mind that 24/7 global network security monitoring and management is now available through a partnership with Integralis, a leading global provider of managed security services. Global situational awareness from a partner that is actively monitoring world-wide events offers a reduction in security risk. 

Fully managed security includes policy creation, enforcement and event correlation to help detect suspicious activity. Under the security partnership, users are offered IT security consulting, audits, risk management, configuration of high-quality third-party products as well as comprehensive support. 

This collaboration between a major process control vendor and a major IT services provider demonstrates the growing importance of combining process engineering and IT expertise in warding off security threats to refineries, public utilities, pharmaceutical plants and other process industries. 

Integralis extends the IPS portfolio by providing managed security services through a global network of fully redundant Security Operations Centres (SOCs). Integralis provides managed security services around best-of-breed perimeter security, content security, threat and vulnerability management and secure authentication devices.

After IPS consultants design and implement a programme, the customer can leverage Integralis’ network of global SOCs, staffed 24/7 by security experts with all the tools and information to provide ongoing management and advise them of threats. 

That the demand for such services is growing is illustrated by IPS’s contract to deliver cyber security protection services to Husky Energy’s upgrader plant in Lloydminster, Saskatchewan, Canada. 

Among the services that IPS will provide are site and vulnerability assessment, policy requirement drafting, security architecture and policy development, modernisation of existing technology and continuous management, review, testing and optimisation. For its part, Integralis will provide managed security services through its global network of SOCs. 

This cyber security contract follows an earlier contract under which IPS implemented mesh control network-based I/A Series system technology and intelligent measurement and instrumentation equipment at Husky’s Saskatchewan and Manitoba ethanol plants. 

It is clear, therefore, that information and operational security is increasingly becoming a top priority for many companies – and they need holistic solutions that go significantly beyond just configuring a firewall and consider the lifecycle of the plant.

Karl Williams is a Principal Consultant with Invensys Process Systems (IPS). www.invensys.com
