Some chores never end. Cooking, dishes, laundry, snow shoveling, parenthood, running a business, and global nuclear deterrence are just a few. There's never a point at which you're finished, home free and completely done. Individual tasks might be accomplished, but the overall situation always quickly deteriorates, and must be cleaned up and put right again.
Industrial network security is one of these endless and often thankless chores. You must assess applications and facilities, turn on passwords, and set up firewalls. However, you can't assume you're now safe to frolic behind your many layers of impregnable barriers. Although preliminary security is essential, there are increasing examples of probes, intrusions and hacks, such as Stuxnet in 2010, that do an end-run on most security devices and software, make it appear that nothing's wrong, and cause potentially huge amounts of damage. Yes, Stuxnet was a narrowly targeted attack, but most experts maintain that other viruses and malware that use similar methods almost certainly are coming soon, if they haven't arrived already.
Routine Creates Consistency
The good news is that useful tools to protect and secure industrial networks are multiplying in variety and sophistication. These include more-capable Ethernet switches, better encryption, precisely targeted data transmission and reception, more-thorough network monitoring and data packet inspection, quicker identification of unusual traffic, and faster responses to probes and hacks (Figure 1). However, two of the most important tricks remain getting staff trained and committed to helping with network security, and routinely and consistently updating security tools, policies and capabilities.
"It's enlightening when we get to see what's really happening in our network," says Charles Harper, director of National Supply and Pipeline Operations at Air Liquide Large Industries U.S. "Gaining visibility into this world of previously undetected cyber-threats helped reassure our team that we were doing the right thing by adding intrusion prevention technology across our industrial network."
Mark Heard, control system cybersecurity lead at Eastman Chemical, says his company views process security as a routine business activity. "Cybersecurity must be taken as just another task that needs to be done to be a grownup and stay in business," says Heard, who reported on Eastman's efforts at the recent Invensys OpsManage meeting in Nashville. "Cybersecurity is a necessary layer in overall plant security — and safety. In fact, much traditional safety thinking can and should be applied directly to cybersecurity, too. As a result, safety and security are simply good business. This is because undesirable incidents of any sort detract from the value of a business. Safety and security incidents have negative impacts on all stakeholders, including employees, shareholders, customers and the communities in which each plant operates. No one wants to have downtime and deal with cleanup, regardless of whether it was caused by a design problem or a security issue."
The key to cybersecurity is collaboration, adds Ernie Rakaczky, program director for control system cybersecurity at Invensys Operations Management. "It all comes down to controls, IT and everyone else being responsible for mitigating security problems and balancing the risks in individual processes," he argues. "As a result, we're focusing on vulnerability mitigation because there are a lot of opinions on how to do cybersecurity, and some researchers are launching vulnerability programs that are irresponsible and unprofessional. Some are even blindly posting controls information to the outside world."