Safety net
3 Jul 2006
Simply buying and installing the technology does not necessarily increase a company's cyber security profile. Rick Kaun advises that before instigating any such programme, an organisation must first adopt a company-wide security philosophy.
Perhaps the first word that comes to mind when discussing cyber security is a firewall. The problem is that many organisations feel that the mere presence of a firewall is enough to immediately solve their security concerns. Today most industries with control systems are seeking to increase data access to enable business decisions, vendor access for process improvements and advanced control exercises like loop tuning and alarm management.
However, the increasing need for access is diluting the security of many of these systems, exposing many process control environments to varying degrees of risk and to potentially serious threats to safety.
At the very least, a company with insufficient security in and around its control system will lose production for some time. This can translate into re-work overtime, environmental release, and other intangibles such as competitive edge, investor confidence and, potentially, the ability to stay in business.
The new push for control systems, such as DCS and SCADA, is to balance the two opposing trends: Access and Security. However, most industries are 'pushing the envelope' to run faster, more efficiently and with less downtime. This means more outside 'tuning' and higher visibility into production from specialised experts who may not be on-site.
Many industries are, meanwhile, automating more of their assets and expect staff to manage more resources, thereby increasing their reliance on computers. As these computers mostly run a Windows platform, all common threats usually targeted at corporate and business machines are now a potential threat to the production environment.
Traditional IT 'best practices' can't always be applied to control systems without breaking the applications that are running on those systems. For example, the use of antivirus and patch management tools can often break the applications they are designed to protect.
In looking at a number of security frameworks or standards, a common theme emerges that combines efforts and initiatives that go far beyond the purchase and deployment of security technology.
Simply buying and installing the technology does not necessarily increase a company's security profile. Investments must take into account the business model as well as a firm's physical topology and plant or operational requirements.
Before starting any security programme, an organisation must first adopt a security philosophy based on the simple premise that security is important to the organisation. This means that everyone from the owners and operators of the systems to the site staff, consultants and vendors understands that cyber security is in their best interest.
Rank and file team members, in particular, must understand the importance of their role in securing facilities, as they have the greatest opportunity to create a security breach -- intentionally or otherwise.
True security must also be an on-going initiative due to the fact that security concerns are brought about by technology change. For example, DCS-level equipment is increasingly being sold with HTTP services being installed at the control level. This was not the case a few years ago.
And, if on-going security initiatives change the day-to-day business flow for employees, then the company must explain to them why these changes are necessary. Otherwise day-to-day users will quickly find ways around the new systems, thus negating any benefits.
An equally important initiative is the creation and distribution of awareness programmes to make employees aware of the timing and importance of the subject and its subsequent initiatives and projects.
Training and cross-training
Another component of a security programme is training and cross-training. Too often the security function, or the 'IT' person in the plant, is a team of one, with most of the security knowledge buried in their head and not on paper.
A proper security philosophy will also be a balance between risk and reward, as well as between effort and return. Companies must first decide the levels of risk they are willing to live with, as every security change is going to cost something whether it is time, money, or access to data.
No matter how a company proceeds, there is a very good chance that it will still have some sort of incident at some stage, be it a catastrophic system failure or subtle inappropriate access to data or a control room. The true measure of any security programme, therefore, will be in how well the incident is contained, how quickly the company recovers, and how much the organisation learns and benefits from it.
Rick Kaun is manager of Matrikon's Industrial Security and Compliance group.
Many businesses baulk at the sheer magnitude of a corporate-wide disaster recovery (DR) plan because of the complexity, cost and effort required to plan and implement it. However, system-specific or machine-specific DR plans are easier to implement and much more practical.
An effective backup plan must include regular, periodic images of core systems and data sources. In addition to system builds (captured with imaging software) and the data repositories critical to operations, a robust backup procedure will include backups of system states, multiple versions, restoration points and a logical rotation of storage media that is stored remote from the site.
The true measure of security readiness is going to be how well companies handle an incident when it happens. What counts is how much damage is avoided by early and effective detection and mitigation with counter-measures.
Some entities spend a lot of money, time and effort on creating and implementing procedures for protecting and backing up their critical assets. However, not enough of those companies effectively test those processes, which may subsequently be out of date and no longer suitable.
Purchasing a firewall and then opening multiple high-risk applications like SQL/www, or allowing the 'ANY' rule inbound for connections, simply moves a firewall towards the realm of an expensive 'bump in the line' and away from a security tool. For the maximum firewall benefit, industries need to create a multi-layered topology in their process control network.
The further removed a process network is from the business LAN and the outside world (for example the internet) the more protected it is. More importantly, companies need to establish what traffic they WILL allow on a frequent basis and ensure that future projects in a facility do not compromise those rules.
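The rule checks described in the two paragraphs above can be automated. The following is an added example, not part of the original article: it audits a constructed ruleset for 'ANY' permits, SQL/www opened towards the control network, rules that skip a layer, and rules outside an approved baseline. The zone names, port numbers and rule fields are assumptions for illustration.

```python
# Added example: audit a firewall ruleset guarding a process control network (PCN).
# Zone names, ports and the rule format are assumptions, not a vendor's format.
HIGH_RISK = {80: "www", 443: "www", 1433: "SQL"}  # services the article singles out
# Assumed layering, outermost first: the further right, the more protected.
LAYERS = ["internet", "business", "dmz", "pcn"]
# Constructed baseline of traffic the site has decided it WILL allow: (src, dst, port)
BASELINE = {("dmz", "pcn", 44818), ("business", "dmz", 8443)}

def audit(rules, baseline=BASELINE):
    """Return (rule_id, finding) pairs for permit rules that weaken the layering."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue  # deny rules cannot open a path
        src, dst, port = r["src"], r["dst"], r["port"]
        if "any" in (src, dst, port):
            findings.append((r["id"], "ANY rule"))
            continue
        hop = LAYERS.index(dst) - LAYERS.index(src)  # >0 means moving inwards
        if hop > 1:
            findings.append((r["id"], "skips a layer"))
        if hop > 0 and port in HIGH_RISK:
            findings.append((r["id"], f"high-risk service {HIGH_RISK[port]} inbound"))
        if (src, dst, port) not in baseline:
            findings.append((r["id"], "not in approved baseline"))
    return findings

# Constructed sample ruleset.
RULES = [
    {"id": 1, "src": "dmz", "dst": "pcn", "port": 44818, "action": "permit"},
    {"id": 2, "src": "any", "dst": "pcn", "port": "any", "action": "permit"},
    {"id": 3, "src": "business", "dst": "pcn", "port": 1433, "action": "permit"},
    {"id": 4, "src": "dmz", "dst": "pcn", "port": 80, "action": "permit"},
    {"id": 5, "src": "internet", "dst": "pcn", "port": 22, "action": "deny"},
    {"id": 6, "src": "dmz", "dst": "pcn", "port": 3389, "action": "permit"},  # later project
]

if __name__ == "__main__":
    for rule_id, finding in audit(RULES):
        print(f"rule {rule_id}: {finding}")
```

Running the same audit whenever a project proposes a rule change is one way to ensure new work does not compromise the agreed baseline.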