Taking control: beating the hackers with better security
25 Sep 2016 by Rob Smith
Would-be hackers have a fight on their hands as control system manufacturers beef up the security features on their instruments, writes Robert Smith.
Cyber security concerns are increasing at an alarming rate, as everything from rail networks to government bodies has been the target of hacks this year.
Admittedly, some hacks are more damaging than others, but a report published by telecommunications specialist Beaming suggests cyber security breaches cost businesses in the UK more than £34 billion last year.
Process industry instrumentation isn’t immune from such attacks. For instance, distributed control systems (DCS), which typically integrate traditional control capabilities with advanced maintenance software, system alarms and data analysis technology, can be highly vulnerable to attack.
Therefore, DCS manufacturers have made it their mission to beef up security on these vital bits of kit.
“Cyber attacks never used to be something plant operators worried about,” says Jack Gregg, director of Experion product marketing at Honeywell Process Solutions.
“Then, in the mid-90s, when use of the internet really started to gather pace, hacking became more of a problem,” he says.
Gregg says DCS can be vulnerable because they run Windows operating systems (OS) which have “gaps” and are therefore prone to attack. However, Honeywell’s own DCS, Experion PKS Orion, which currently runs on Windows 7 Professional, is “hardened” to avoid these attacks, explains Gregg.
“In developing Experion, we look for vulnerabilities and we look for places to lock the system down. Essentially, we are trying to establish a secure system from the inside out,” Gregg explains.
He says manufacturers are also beginning to use data analytics to reinforce their systems.
Preparing for attack
According to Gregg, data taken from a DCS could soon be used to forge major breakthroughs in control system security.
He also says data could help improve plant security. “For instance, if an abnormal event occurs, plant operators can determine the root cause and make changes to prevent it happening again,” Gregg says.
He adds that data analytics could also make plants more productive.
“There is no downside to data analytics other than the fact it is relatively new and we have to figure how best to use it.”
Despite best efforts, though, control systems will still be prone to attack.
For example, a disgruntled employee with access to a DCS could cause loss of production, damage to the process or even a major disaster, says Ray Lock, network technology director at data communications business Westermo.
“Embedded security measures are now a must-have feature on modern DCS,” he says.
Lock also says better security features help protect against the growing risk of cyber terrorism.
“The Americans are driving this school of thought,” Lock says. “If you take a chemical production facility, there is enormous potential for an explosion. For example, if the wrong materials are mixed together, you could create a cloud of poisonous gas.”
Lock says DCS security is about creating as many layers as possible. Firewalls are an obvious, yet major line of defence and they help monitor and control network traffic on the system.
“To allay cyber security fears associated with DCS installation, you would typically look to separate all the processes or all the junctions – between ‘users’ and ‘producers’ – with a firewall.”
Lock cites the comparison of DCS and supervisory control and data acquisition (SCADA) systems as a good example.
“A lot of people consider DCS and SCADA systems to be the same, but they are actually very different conceptually. If you assume the DCS is feeding information towards the SCADA system – in terms of overlooking the power supply around the plant, providing feedback over and above the SCADA system – that [information] could be fed straight back into the system.
“So you have to install a firewall between the two systems to ensure there is either one-way traffic, or the traffic that you are sending between the SCADA system and the DCS is exactly what you want it to be,” Lock says.
He says this strategy ensures nobody can use the client server network on a SCADA system to try and hack their way into the DCS, or vice versa.
Firewalls are also often fully “cloaked” to make it difficult to locate a DCS on the system, he adds.
Meanwhile, plant operators are also being advised to “zone” their facilities to add an extra layer of security to their systems.
“If you consider a fracking tower or a set of pumps, for example, you can deem that a security zone.”
Zone out
He says within a zone, processes are taking place that can communicate with a DCS. “But at the junction where the information is passing to the DCS, your firewall will help limit the effects of an attack on the plant. If the process is attacked, it is limited to that one section because the plant is zoned.”
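The firewall-and-zone layering Lock describes can be checked mechanically. The following is an added example, not code from the article or from any vendor named in it: it models inter-zone firewall rules as allowed conduits under default deny and computes how far a compromise in one zone could spread. The zone names, services and rule lists are constructed assumptions, and only connection initiation is modelled, not stateful return traffic.

```python
from collections import deque

# Constructed conduit list for a hypothetical plant:
# (zone allowed to initiate, destination zone, service).
# Anything not listed is dropped by the inter-zone firewalls (default deny).
CONDUITS = [
    ("dcs", "pump_zone", "poll"),      # DCS polls the field zones
    ("dcs", "frack_zone", "poll"),
    ("dcs", "scada", "status-feed"),   # one-way: DCS pushes to SCADA
    ("scada", "office", "reports"),
]

# Constructed example of rule drift: convenience rules added later.
DRIFTED = CONDUITS + [
    ("office", "scada", "remote-desktop"),
    ("scada", "dcs", "engineering"),
]


def blast_radius(conduits, compromised):
    """Zones reachable from `compromised` by chaining allowed conduits."""
    allowed = {}
    for src, dst, _service in conduits:
        allowed.setdefault(src, set()).add(dst)
    seen, queue = {compromised}, deque([compromised])
    while queue:  # breadth-first walk over the zone graph
        zone = queue.popleft()
        for nxt in allowed.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {compromised}


def violations(conduits, protected="dcs", untrusted=("scada", "office")):
    """Untrusted zones that can reach the protected zone, directly or by pivoting."""
    return sorted(z for z in untrusted if protected in blast_radius(conduits, z))


if __name__ == "__main__":
    for name, rules in (("baseline", CONDUITS), ("drifted", DRIFTED)):
        print(name, "pump_zone spread:", sorted(blast_radius(rules, "pump_zone")))
        print(name, "zones that can reach the DCS:", violations(rules))
```

Running the same audit after every firewall rule change shows whether a new conduit has quietly reconnected a zone that was meant to be isolated.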
Emerson Process Management, meanwhile, which manufactures the Delta V DCS, has developed a wide range of security functions that are designed to limit cyber attacks on its control systems.
Like Honeywell, Emerson hardens its system, turning off operational system services within a plant that are not needed for Delta V to function.
Neil Peterson, Delta V product marketing director at Emerson, says to mitigate cyber security risks, the company offers an auditing system that monitors plant workstations.
“An audit is one of the best ways to understand cyber threats. The auditing process is designed so that plant operators can monitor systems themselves.”
He says the companies that deploy these types of self-monitoring solutions should consider themselves “leading-edge” in the fight against cyber attacks.
However, he says that in the current climate, customers are not comfortable with third parties monitoring their control systems for events.
“There is a sense of paranoia. As soon as something is connected to the internet, people get uncomfortable. None of our clients are currently interested in having a third party monitor their systems for cybersecurity purposes, but that may change in the future,” Peterson says.
Yet despite this paranoia, he says cyber security fears are actually increasing the uptake and installation of DCS.
“I think the threat of being hacked is actually encouraging plant operators to install new kit and improve their systems,” Peterson says. “For example, customers want to be on the latest OS in order to have the most secure system,” he adds.
He says Emerson plans to support alternative Windows OS, as these platforms become more secure.
“We are working towards a maintenance release for Delta V and we will be supporting Windows 10 on that release.”