Don't worry about an isolated cybersecurity attack on your network. Worry about keeping your network safe from the cloud of threats that is out there every second of every day.
"Threats are everywhere," said Bob Huba, Emerson product manager. "You need a multi-level defense. I like to use the analogy that this is like water. If you have a leak, it finds its way. It's floating around out there. You never really clean up the Internet. You just keep yourself clear from infection."
At the 2009 Emerson Global Users Exchange, held in October in Orlando, Fla., Huba shared an overview of cybersecurity solutions and how to use a familiar plant model for implementing a process control cybersecurity program.
"Security is about ensuring business continuity, and that is achieved best by developing a unified defense-in-depth strategy and architecture that can defend against myriad possible business interruptions," explained Huba.
What is a defense-in-depth strategy?
The life of your most recent cybersecurity action is measured in days, because there's always something new—the next conflict or the next Sasser worm. It's constantly evolving, said Bob Huba, Emerson product manager.
Huba uses a physical example. "If you remember the television show, ‘Hogan's Heroes,' you remember the two fences and the guard dogs," he explained. "Defense-in-depth means you have more than one fence. You put in a firewall or bury your system deep within your network. You try to create barriers in an ‘onion' strategy. And, assuming those aren't perfect, you put things inside the system, such as antivirus programs and make sure your patches are in place."
Security also encompasses the little things such as making sure everybody has passwords, even internally, and turning off USB ports and floppy drives to ensure they're not accessible. "Create more barriers," said Huba. "Most security problems happen accidentally. You bring in a USB stick with something on it and infect your computer."
Huba also recommended "white listing," by which you set up the system so that only allowed programs will run, and malware will not even start.
"One of the things about DeltaV is that it was designed from the beginning to be secure," said Huba. "When we developed it 13 years ago, we knew it had to be a segmented system from the plant for robustness and security. Thirteen years ago, we knew security was there, but it wasn't a big deal. A big part of security is making sure your systems are segmented with edge protection and security. It is not an extension of a plant LAN."
The industry often confuses these control systems, and wants to treat them like nothing more than an information system, a plant LAN, explained Huba. "That's an inappropriate model for a control system," he said. "If a process control system, as opposed to a factory automation system, is going to be managed by the classic IT department, they need to understand that it's a different animal. We have a built-for-purpose Ethernet system. DeltaV treats itself in a very secure, robust manner."
Since security threats are constantly evolving, end users need to develop and implement multiple domain-by-domain protection plans.
While there are parallels between cybersecurity and safety management programs, cybersecurity can be more daunting because of its dynamic nature. "You put in antivirus software, and its life is measured in days, because there's always something new—the next conflict or the next Sasser worm," Huba added. "It's constantly evolving, and the management on the security side is much more complex and onerous than it is on the safety side."