The two main questions in network security are: How closed does your network need to be? And, how open can you afford it to be?
Industrial network security is a delicate balancing act. In this case, the balance is between keeping equipment and processes protected—but typically isolated as they were in the past — and carefully allowing them to touch larger computing realms via Ethernet protocols and the Internet to gain new connections and capabilities — but exposed to potential viruses and attacks.
If you install too much security, little access is available and no productive work can get done, especially when users want to employ new devices and software tools that rely on external links. If you have too little security, your machines, application and plant floor are vulnerable to viruses, malicious software and even outright attacks. Several engineers report the biggest threat is someone inadvertently plugging an infected flash drive into the network.
"Whenever you try to move control system data to the IT network, you're going to need some kind of server, but we see security problems more as a result of conflicts with IT than from viruses trying to come in," says Francis Lauryssens, software specialist at Sun Chemical's pigments plant in Muskegon, Mich. "All the PCs, HMIs and other devices used to have hard-coded IP addresses, and I think a lot of the security problems we have now started when IT wanted to change these back to DHCP, which automatically assigns IP addresses. This allowed IT to change settings that we might not want to change and also means we're no longer sure where many devices we're communicating with are actually located. This is why we need firewalls and segmented networks and why we negotiated and collaborated with IT and agreed that there are some PCs that they can't touch."
Security Through Safety
Eric Cosman, engineering consultant at Dow Chemical and ISA 99's committee co-chair, adds, "We have a small staff group that is responsible for industrial control system cybersecurity, and we follow a multi-year plan that takes into account all the available standards and guidance. When we ask ourselves why we need to implement cybersecurity, we remember that our first concern as manufacturers is to protect people and processes. Whether an unsafe condition is caused by an equipment failure, mistake or cybersecurity incident doesn't matter. We are about safety first, and so we follow a similar approach with cybersecurity because the goal is the same." ISA 99 is the International Society of Automation's Manufacturing and Control Systems Security standard.
Likewise, security and safety both require inventorying related equipment and applications, dividing processes into manageable segments, conducting risk assessments, prioritizing potential hazards, implementing appropriate protections and then reevaluating on a regular schedule. Thinking about network security's similarities to safety could make it easier for many engineers to embrace.
"Though we in the controls and automation community usually know what we're talking about with safety, we still don't know what we're talking about when we talk about security," says Joe Weiss, PE, CISM, of Applied Control Solutions and author of Control's "Unfettered" blog. "Most security discussions still focus on IT issues, and so our controls folks need to get much more involved. We're the only ones who can develop security for our variable-speed drives and field devices. The major controls suppliers and SCADA vendors got religion on the need for security, but they still don't have a vision or plan for accomplishing it, and the many proprietary monitoring and controls systems usually haven't addressed any security issues."
Weiss claims there have been more than 170 cybersecurity incidents since 1998, including two cases in which people were killed, three that caused large-scale electrical outages and others that resulted in large equipment damage and significant spills to the environment. "Many of these were unintentional, some were intentional, and some were the result of unintended consequences such as software worm propagation," adds Weiss. "However, the bottom line is that people still talk about cybersecurity incidents as if they were hypothetical and blow it off. The other problem is that, even though we have some cyber-forensics tools for Windows, there are none for proprietary systems, and so many users wouldn't even know if they did have an incident."
Weiss explains that, while IT staffs believe that cybersecurity vulnerabilities require either a connection to the Internet, running Windows or using IP addresses, many security incidents in control systems have none of these three red flags. "In a test and demonstration of a real-world cyber-attack at Idaho National Laboratories about two years ago, the staff was able to physically destroy the couplings of a large diesel generator, and they did it via a dial-up modem," says Weiss. "Unfortunately, the related industries generally have done nothing on cybersecurity since then."