By John Rezabek, Process Control Specialist, ISP Corp., Lima, Ohio.
While many consultants and purveyors of security enhancements emphasize the risks of cyberattack, the likely consequences have been discussed relatively little. In any HAZOP or what-if review, we normally look at risks along with consequences and then categorize the hazard systematically, with both severity and likelihood in mind. Safeguards (independent layers of protection) are then identified and evaluated to see if they sufficiently mitigate the identified risk.
Why don't we look at cyber threats the same way?
Based on information in the trade press, both for IT and controls professionals, the risk of cyber attack is practically 100%. One only can assume that fear of bad press must keep most victims from publicizing or revealing any successful cyberattack. Reports of serious breaches in industry still seem to be few and far between.
That we are vulnerable is hard to deny. One chemical plant was particularly lax in securing its process control network and suffered a worm attack that rendered every operator interface console dead in the water for hours. The Code Red worm, as it was called, breached the business network firewall and shortly thereafter found its way to the directly connected DCS consoles. Fortunately, a lone interface for model-predictive control was totally isolated, which allowed operations to see a few key variables and take some comfort that the process was not headed to some dangerous state. After running nearly blind for several hours, the operator consoles were cleaned and restored, and life returned to normal. This case was made less onerous by the fact that the process control network was a non-Ethernet, proprietary design and that the controllers used a Windows-independent operating system. Had conditions been otherwise, the consequences could have been much more catastrophic.
This plant was processing hydrocarbons, and one could imagine a scenario in which fires and explosions conceivably could lead to total loss of control. If this is the case in your plant, a layer of protection analysis would show where a totally independent, isolated system of safeguards was necessary. Even when the basic controls go berserk, some independent mechanism should exist to ensure the process gets parked in a safe state. Depending on the likelihood and severity, multiple layers of protection might be needed. If one or more of these layers involve COTS microprocessor-based automation, we are obliged to make sure that no part of that network has any potential to be breached from the outside.
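To make the layer-of-protection reasoning above concrete, here is an added example (not from the column or its author) of a LOPA-style check in which the initiating event is a network intrusion of the basic control system. It applies the usual LOPA arithmetic, initiating-event frequency multiplied by the probability of failure on demand (PFD) of each independent layer, with one added rule that captures the column's point: a layer reachable from the breached network is not independent of a cyber initiating event and earns no credit. All frequencies, PFDs, network names and the tolerable-frequency target are constructed assumptions for illustration.

```python
"""LOPA-style check with a cyber intrusion as the initiating event.
All numeric values and network names below are constructed assumptions."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float              # probability of failure on demand (assumed)
    networks: frozenset     # networks from which the layer can be reached


def effective_layers(layers, compromised_networks):
    """Return only the layers that share no network with the breached ones.
    A layer that an intruder can reach is not an independent protection
    layer against that intruder, so it is dropped from the calculation."""
    return [lyr for lyr in layers if not (lyr.networks & compromised_networks)]


def mitigated_frequency(initiating_freq, layers, compromised_networks):
    """Initiating-event frequency times the PFD of every surviving layer."""
    freq = initiating_freq
    for lyr in effective_layers(layers, compromised_networks):
        freq *= lyr.pfd
    return freq


def meets_target(initiating_freq, layers, compromised_networks, target):
    """True when the mitigated frequency is within the tolerable target."""
    return mitigated_frequency(initiating_freq, layers, compromised_networks) <= target


# Constructed scenario: a worm crosses from the business LAN onto the
# process control network (PCN), as in the incident described above.
INTRUSION_PER_YEAR = 0.1                       # assumed initiating frequency
TARGET_PER_YEAR = 1e-4                          # assumed tolerable frequency
BREACHED = frozenset({"business", "pcn"})

RELIEF_VALVE = Layer("mechanical relief valve", 0.01, frozenset())
SIS_ISOLATED = Layer("SIS, fully isolated", 0.01, frozenset({"sis"}))
SIS_REMOTE = Layer("SIS with remote access", 0.01, frozenset({"pcn"}))

if __name__ == "__main__":
    for sis in (SIS_ISOLATED, SIS_REMOTE):
        layers = [RELIEF_VALVE, sis]
        f = mitigated_frequency(INTRUSION_PER_YEAR, layers, BREACHED)
        ok = meets_target(INTRUSION_PER_YEAR, layers, BREACHED, TARGET_PER_YEAR)
        print(f"{sis.name}: {f:.1e}/yr, target met: {ok}")
```

With the isolated SIS both layers count and the target is met; once the SIS is reachable from the breached PCN only the relief valve counts and the scenario falls short, which is the column's argument in numbers.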
In the large process industries, we give these systems a safety integrity level (SIL). If you think you need remote access from outside the plant to your SIL-rated system, then you need to do a little self-examination. If operations personnel call you on weekends and in the middle of the night to defeat interlocks or change trip settings, can your safety system be reliable? Your trips are set too conservatively, your plant is running in a dangerous mode more often than not, or perhaps your interlocks are not truly safety interlocks. Your SIL-rated system should be reliable enough to run months or years without routine tuning or other intervention, shouldn't it?
If your site isn't processing or storing extremely hazardous or toxic substances, perhaps the consequences of a breach aren't quite as dire. Will an intruder possibly ruin a batch of beer? While deplorable and a potentially large economic loss, one could take some comfort that there's no imminent danger to workers or the surrounding population. On the other hand, senior management's loathing of any blemish to its brand could be a sufficiently dire consequence in itself.
When evaluating the likelihood of an attack, it could be worthwhile to consider how attractive you are as a target. Money, notoriety, vengeance and crusades of one kind or another perhaps will motivate an intruder. A plant that heats corn mash in the prairie will be a less-satisfying target than one that provides a chance to shut down a pipeline that encroaches on defenseless, mating caribou. A treasured brand might serve as a motivation for hackers eager to see their exploits in the national news, as well as giving your management the incentive for adequate security.
Because of their importance as well as their appeal to potential attackers, critical and non-redundant infrastructure such as power, water, pipelines and their ilk merit the best security our industry can deliver. Along with good system-backup discipline and a clear evaluation of the real likelihood and its consequences, ensuring our safety systems are totally isolated and capable of acting despite any network intrusion can benefit us all.