Security Prevents Unauthorized Access
Some chores never end. Cooking, dishes, laundry, snow shoveling, parenthood, running a business, and global nuclear deterrence are just a few. There's never a point at which you're finished, home free and completely done. Individual tasks might be accomplished, but the overall situation always quickly deteriorates, and must be cleaned up and put right again.

Industrial network security is one of these endless and often thankless chores. You must assess applications and facilities, turn on passwords, and set up firewalls. However, you can't assume you're now safe to frolic behind your many layers of impregnable barriers. Although preliminary security is essential, there are increasing examples of probes, intrusions and hacks, such as Stuxnet in 2010, that do an end-run on most security devices and software, make it appear that nothing's wrong, and cause potentially huge amounts of damage. Yes, Stuxnet was a narrowly targeted attack, but most experts maintain that other viruses and malware that use similar methods almost certainly are coming soon, if they haven't arrived already.
Routine Creates Consistency
The good news is that useful tools to protect and secure industrial networks are multiplying in variety and sophistication. These include more-capable Ethernet switches, better encryption, precisely targeted data transmission and reception, more-thorough network monitoring and data packet inspection, quicker identification of unusual traffic, and faster responses to probes and hacks (Figure 1). However, two of the most important steps remain getting staff trained and committed to help with network security, and routinely and consistently updating security tools, policies and capabilities.
Mark Heard, control system cybersecurity lead at Eastman Chemical, says his company views process security as a routine business activity. "Cybersecurity must be taken as just another task that needs to be done to be a grownup and stay in business," says Heard, who reported on Eastman's efforts at the recent Invensys OpsManage meeting in Nashville. "Cybersecurity is a necessary layer in overall plant security — and safety. In fact, much traditional safety thinking can and should be applied directly to cybersecurity, too. As a result, safety and security are simply good business. This is because undesirable incidents of any sort detract from the value of a business. Safety and security incidents have negative impacts on all stakeholders, including employees, shareholders, customers and the communities in which each plant operates. No one wants to have downtime and deal with cleanup, regardless of whether it was caused by a design problem or a security issue."
The key to cybersecurity is collaboration, adds Ernie Rakaczky, program director for control system cybersecurity at Invensys Operations Management. "It all comes down to controls, IT and everyone else being responsible for mitigating security problems and balancing the risks in individual processes," he argues. "As a result, we're focusing on vulnerability mitigation because there are a lot of opinions on how to do cybersecurity, and some researchers are launching vulnerability programs that are irresponsible and unprofessional. Some are even blindly posting controls information to the outside world."
Protection Part of Every Day
A useful way to make network security more consistent and effective is to shift away from thinking of network security as some exotic add-on to the regular network, and begin to accept security as a truly integral part of that network and how it's applied to its individual application and facility. So, while it's still crucial to secure industrial networks by dividing them into segments separated by firewalls, it's also essential to monitor what happens next and be alert for unusual behavior.
For instance, to maintain its water production, distribution and treatment facilities, and minimize and shorten any plant disruptions, Espoon Vesi water treatment plant in Espoo, Finland, recently implemented network maintenance and remote services. Besides treating about 100,000 m³ of wastewater per day, Espoon Vesi pumps about 70,000 m³ of fresh water per day from the nearby Damman water treatment plant and from Helsinki to its system (Figure 2).

This project updated the plant's automation network with Honeywell's Uniformance PHD data historian with reporting functions, and installed its Service Node hardware server with software configuration in the plant network's demilitarized zone (DMZ) or Level 3 gateway. This server runs and manages the network's antivirus software, patch distribution, and related data gathering and monitoring tasks. Espoon Vesi uses this approach to gain an overall view of its automation system, receive information on damaged devices for immediate action, report on resource deficiencies, and send remote alerts and alarms to onsite personnel.
In addition, Espoon Vesi's automation network was upgraded to comply with Honeywell's cybersecurity standards to enable remote monitoring and reporting. The change was accomplished by transferring Honeywell's PHD and AWR reporting servers and the MySQL server of another supplier to the DMZ area. The distribution of Microsoft Software Update Services (MS SUS) batches and antivirus software batches was made automatic, and the remote connections were based on the virtual private network (VPN) gateway. The remote connection for monitoring is established as a VPN tunnel that allows secure network monitoring, and enables Honeywell's IT staff to monitor, analyze and report back to Espoon Vesi on its network, network devices and servers.
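The segmentation and monitoring described above can be checked against observed traffic. The following is an added example, not code from the article, Espoon Vesi or Honeywell: it classifies flow records against a zone model in which every cross-zone connection must pass through the DMZ, and flags permitted-zone flows that are absent from a known-good baseline. The addressing plan, ports, flow records and the assumption that VPN users may reach only DMZ servers are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Constructed addressing plan (assumption, not from the article).
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/16"),  # automation network
    "dmz": ipaddress.ip_network("10.20.0.0/24"),      # historian, reporting, patch/AV server
    "vpn": ipaddress.ip_network("10.30.0.0/28"),      # remote monitoring staff behind the VPN gateway
    "office": ipaddress.ip_network("10.40.0.0/16"),   # business network
}
# Permitted (initiator zone, responder zone) pairs: every conduit crosses the DMZ.
CONDUITS = {("control", "dmz"), ("dmz", "control"), ("vpn", "dmz"), ("office", "dmz")}

def zone_of(addr):
    """Map an IP address to its zone name, or 'unknown' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def classify(flow, baseline):
    """Return 'ok', 'violation' (bypasses the DMZ) or 'new' (allowed pair, not in baseline)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return "ok"                      # intra-zone traffic never reaches the firewall
    if (src_zone, dst_zone) not in CONDUITS:
        return "violation"
    return "ok" if flow in baseline else "new"

def review(flows, baseline):
    """Return (verdict, flow) for every flow that needs attention."""
    verdicts = ((classify(f, baseline), f) for f in flows)
    return [(v, f) for v, f in verdicts if v != "ok"]

# Constructed known-good baseline and constructed observed flows.
BASELINE = {Flow("10.10.1.5", "10.20.0.10", 443), Flow("10.30.0.2", "10.20.0.11", 443)}
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.20.0.10", 443),    # controller -> historian, baselined
    Flow("10.30.0.2", "10.20.0.11", 443),    # VPN user -> monitoring server, baselined
    Flow("10.30.0.2", "10.10.1.5", 502),     # VPN user straight into control zone
    Flow("10.40.3.7", "10.10.1.5", 3389),    # office host straight into control zone
    Flow("10.20.0.11", "10.10.1.9", 445),    # DMZ -> control, allowed pair, never seen before
    Flow("203.0.113.9", "10.20.0.10", 3306), # address outside every defined zone
]

if __name__ == "__main__":
    for verdict, flow in review(SAMPLE_FLOWS, BASELINE):
        print(f"{verdict:9} {flow.src} -> {flow.dst}:{flow.dport}")
```

A "new" verdict is not necessarily hostile; it marks traffic that the firewall permits but that nobody has reviewed, which is where the monitoring step earns its keep.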