
Security Prevents Unauthorized Access

It Begins With Password Control and Firewall Maintenance, but Requires Layers of Chores and Vigilance to Prevent Unauthorized Access

02/09/2012


"Now, our plant alarms are relayed to the phone of the person on duty, who has a closed VPN connection to the plant's automation network server," says Jari Alvasto, Espoon Vesi's automation engineer. "We're able to quickly get the information on a damaged device and take immediate action if necessary."

Likewise, Schneider Electric reports that its EcoStruxure energy management platform uses open standards and an Ethernet-based backbone to tie together safety, reliability, efficiency and sustainability functions, and this unification enables it to bring an IT-style, defense-in-depth security strategy to the plant floor. "Control engineers are happier because IT realizes that process applications have different requirements, especially for network security," says David Doggett, Schneider's cybersecurity program director. "More companies learn both sides of this story, and understand that network security also is knowing exactly what components they have, how they're configured, and how to limit any changes to them." 

Read Symantec Security Response's Network Security To-Do List to find out how you can minimize existing threats and keep ahead of new ones.

Secure Structure, Intelligent Intervention
Eastman Chemical's Heard explains that successful mitigation for network security begins with doing site and application inventories, risk assessments and other cybersecurity-related homework before it's due. "Winning without fighting is best in cybersecurity, so planning and preparation are vital because there always will be faults and other items that need to be patched," Heard explains.

"However, cybersecurity is costly, so while you might end up with more resilient code, it can be hard to show that benefit on the bottom line. Fortunately, the operations side can learn from IT's five- to 10-year head start, and adopt many of its methods for patching software, and learning about the real costs of legacy systems. Running equipment until it rusts adds risk to commercial, off-the-shelf technologies."

Though it might be a relief to have new firewalls and a complete network security solution in place, this is when the real monitoring and detection chores begin. For instance, British Columbia Transmission (BCTC) supplies bulk electricity to the province, and it also must comply with North American Electric Reliability's (NERC) Critical Infrastructure Protection (CIP) standards.

"We have hard rules in effect to protect our critical infrastructure from inside and outside threats," says Tony Dodge, BCTC's IT planner and coordinator. "One key aspect of this is promoting a need-to-know management strategy to ensure only those who need to access our critical assets for their work-related duties are permitted to do so. But making sure all of the devices in our network are configured appropriately for the different levels of access can be challenging."

Consequently, BCTC uses Cisco's Intrusion Detection/Prevention System (IDS/IPS). Because it already used some of Cisco's security appliances, the utility was able to add IPS capabilities by installing Cisco's Advanced Inspection and Prevention Security Services Modules (AIP-SSMs). Now, besides providing firewall and VPN services, the Cisco ASA appliances can monitor all network traffic to identify and lock down abnormal activity. To protect other network segments, BCTC uses standalone Cisco IPS sensors that provide the same defense and can be segmented into multiple "virtual" sensors. This enables BCTC to extend IPS protection across logically separated corporate and transmission networks without having to invest in separate hardware. To coordinate and enforce the diverse security policies required by these different networks, BCTC also implemented Cisco Security Manager (CSM) to manage different network policies, configure and tune security devices from one interface, and help BCTC demonstrate compliance with CIP regulations.

"Under CIP requirements, we have to track anyone making changes or updates to any of our firewall or IPS configurations," Dodge says. "We have to ensure that they're logged in properly and that we have a history of all changes made, and CSM can manage all of those policies centrally."
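The change-tracking requirement Dodge describes (who changed a firewall or IPS configuration, when, and what exactly changed) is something a site can enforce for itself in addition to a vendor console. The following is an added example, not code from BCTC, Cisco or this article: it keeps an append-only, hash-chained history of configuration changes so that every entry is attributed to a user, carries a unified diff against the previous version of that device's configuration, and any later tampering with the record is detectable. The device names and access-list lines are constructed sample data.

```python
import difflib
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


def _entry_hash(entry: dict) -> str:
    """SHA-256 over every field except the hash itself (canonical JSON so it is stable)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_change(log: List[dict], user: str, device: str, new_config: str,
                  timestamp: Optional[str] = None) -> dict:
    """Append one attributed configuration change for `device`.

    The entry stores the full new configuration, a unified diff against the
    device's previous version (empty config if this is the first one), and the
    hash of the preceding log entry, which chains the history together.
    """
    previous = next((e for e in reversed(log) if e["device"] == device), None)
    old_config = previous["config"] if previous else ""
    diff = "".join(difflib.unified_diff(
        old_config.splitlines(True), new_config.splitlines(True),
        fromfile="before", tofile="after"))
    entry = {
        "seq": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "device": device,
        "config": new_config,
        "diff": diff,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> bool:
    """Return True only if every entry hashes correctly and links to its predecessor."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != expected_prev:
            return False
        if _entry_hash(entry) != entry["hash"]:
            return False
        expected_prev = entry["hash"]
    return True


def history(log: List[dict], device: str) -> List[Tuple[str, str, str]]:
    """(timestamp, user, diff) for every recorded change to one device."""
    return [(e["timestamp"], e["user"], e["diff"]) for e in log if e["device"] == device]


def demo_log() -> List[dict]:
    """Constructed sample: two changes to one firewall by two different engineers."""
    log: List[dict] = []
    record_change(log, "alice", "fw-substation-01",
                  "access-list OT permit tcp any host 10.0.0.5 eq 502\n"
                  "access-list OT deny ip any any\n",
                  timestamp="2012-02-01T09:00:00+00:00")
    record_change(log, "bob", "fw-substation-01",
                  "access-list OT permit tcp any host 10.0.0.5 eq 502\n"
                  "access-list OT permit tcp host 10.0.1.20 host 10.0.0.5 eq 22\n"
                  "access-list OT deny ip any any\n",
                  timestamp="2012-02-03T14:30:00+00:00")
    return log


if __name__ == "__main__":
    log = demo_log()
    for ts, user, diff in history(log, "fw-substation-01"):
        print(f"{ts} {user}\n{diff}")
    print("chain intact:", verify_chain(log))
```

In practice the log would be written to append-only storage owned by someone other than the firewall administrators, and the `user` field would come from the authenticated session rather than a function argument; the chaining is what lets an auditor show that the history itself has not been edited after the fact.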

Packet Inspection, Patching at Many Plants
Although handling security in one application or plant might seem challenging enough, some users have to manage security in dozens if not hundreds of facilities.

For example, American Air Liquide operates about 200 plants nationwide, including 130 industrial gas plants. Many of the gases it produces have to be pharmaceutical-grade and comply with the U.S. Food and Drug Administration's production regulations. Air Liquide says it recognized early that it had to protect its PLCs, supervisory control and data acquisition (SCADA) systems and distributed control systems (DCSs) from cyber-threats, so it implemented sophisticated firewalls and embedded supervision of existing equipment, but an assessment showed its SCADA and industrial networks still needed more protection.

"We examined a couple of ways to achieve our industrial network security objectives, beginning with simple TCP/UDP port blocking approaches in Layer 3 switches, but the resulting protection wasn't what we envisioned," Harper says. "We then evaluated intrusion prevention solutions (IPSs) from several vendors, and chose Top Layer Networks' IPS 5500." (Top Layer is now Corero Network Security.) Layer 3 port blocking was inadequate because it couldn't inspect the traffic it allowed through open ports, and its device configuration and management were manual.


In each of its plants, Air Liquide runs a small data center that processes terabytes of data for real-time, SCADA-based command and control of thousands of data feeds from its pipeline controls and production lines. IPS 5500 protects these data centers from outside threats by performing deep packet inspection of incoming information. IPS 5500's bypass mode allowed Air Liquide to plug it into its network and observe security events, including many posing real security risks to the network. In fact, IPS 5500 immediately identified oversized ping packets and nefarious DNS protocol violations. In addition, the bypass mode identified many active attacks originating from multiple sources and unexpected locations. For example, several threats were initiated by compromised computers that hadn't been patched with the latest Microsoft security updates, which caused Air Liquide to revise its patching process. So far, the company has installed this intrusion-detection solution at more than 100 plants across the U.S.
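The difference between the port blocking Air Liquide tried first and the deep packet inspection it settled on is easy to see in code. The following is an added example, not code from Air Liquide, Top Layer or Corero: a port-based allow list admits ICMP and UDP/53 because the plant needs ping and DNS, and a second inspection layer, run only on what the allow list admits, flags the two things the article says the IPS caught, oversized echo requests and DNS messages that violate the protocol's structure (RFC 1035 header and label rules). The allowed ports, the 1024-byte ICMP payload limit and all packet payloads are constructed assumptions for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# What a Layer 3 switch ACL can express: (protocol, destination port). Constructed site policy.
ALLOWED = {("udp", 53), ("icmp", None), ("tcp", 502)}   # DNS, ping, Modbus/TCP
MAX_ICMP_PAYLOAD = 1024   # assumed site policy: echo requests larger than this are flagged


@dataclass
class Packet:
    proto: str
    dport: Optional[int]
    payload: bytes          # transport-layer payload (ICMP message or UDP data)


def acl_allows(pkt: Packet) -> bool:
    """The port-blocking view: ICMP has no port, everything else is matched on (proto, dport)."""
    key = (pkt.proto, None if pkt.proto == "icmp" else pkt.dport)
    return key in ALLOWED


def dns_violations(payload: bytes) -> List[str]:
    """Check a UDP/53 payload against basic RFC 1035 structure: header and first question name."""
    if len(payload) < 12:
        return ["dns: payload shorter than the 12-byte header"]
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    findings: List[str] = []
    is_query = (flags >> 15) == 0
    if is_query and qdcount == 0:
        return ["dns: query carries no question"]
    if qdcount == 0:
        return findings
    pos = 12
    while True:                         # walk the labels of the first question name
        if pos >= len(payload):
            findings.append("dns: question name runs past end of packet")
            break
        label_len = payload[pos]
        if label_len == 0:              # root label terminates the name
            break
        if label_len >= 0xC0:           # compression pointer (RFC 1035 4.1.4): legal, stop here
            break
        if label_len > 63:              # top bits 01/10 are reserved and labels are at most 63 octets
            findings.append(f"dns: label length {label_len} exceeds RFC 1035 limit of 63")
            break
        pos += 1 + label_len
    return findings


def inspect(pkt: Packet) -> List[str]:
    """Deep inspection of traffic the ACL already admitted."""
    if pkt.proto == "icmp":
        # ICMP header is 8 bytes; type 8 is echo request
        if pkt.payload and pkt.payload[0] == 8 and len(pkt.payload) - 8 > MAX_ICMP_PAYLOAD:
            return [f"icmp: echo request payload {len(pkt.payload) - 8} bytes exceeds {MAX_ICMP_PAYLOAD}"]
        return []
    if pkt.proto == "udp" and pkt.dport == 53:
        return dns_violations(pkt.payload)
    return []


def triage(packets: List[Packet]) -> List[Tuple[int, str, List[str]]]:
    """Run the ACL first, then inspection, and return (index, verdict, findings) per packet."""
    results = []
    for i, pkt in enumerate(packets):
        if not acl_allows(pkt):
            results.append((i, "dropped-by-acl", []))
            continue
        findings = inspect(pkt)
        results.append((i, "flagged-by-ips" if findings else "clean", findings))
    return results


def sample_traffic() -> List[Packet]:
    """Constructed packets: one the ACL drops, two clean ones, three the ACL admits but the IPS flags."""
    dns_header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)      # standard query, 1 question
    good_query = dns_header + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    bad_label = dns_header + bytes([100]) + b"A" * 100 + b"\x00" + b"\x00\x01\x00\x01"
    echo = bytes([8, 0, 0, 0, 0, 1, 0, 1])                                 # type 8, code 0, cksum, id, seq
    return [
        Packet("tcp", 23, b"\xff\xfb\x01"),               # telnet: not in the allow list
        Packet("icmp", None, echo + b"A" * 56),           # ordinary ping
        Packet("icmp", None, echo + b"\x00" * 4000),      # oversized echo request
        Packet("udp", 53, good_query),                    # well-formed DNS query
        Packet("udp", 53, bad_label),                     # label length 100 > 63
        Packet("udp", 53, b"\x12\x34\x01\x00\x00\x01"),   # truncated header
    ]


if __name__ == "__main__":
    for idx, verdict, findings in triage(sample_traffic()):
        print(idx, verdict, findings)
```

The point the article makes is visible in the output: the ACL sees packets 2, 4 and 5 as perfectly legitimate ICMP and DNS, because all it can check is the port, and only the inspection layer that parses the admitted payload can tell that they are not. A production IPS also reassembles fragments and tracks flow state, which this single-packet check leaves out.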
