In one of those hallway conversations, Chuck Miller reminded me of a workshop at last year’s Emerson Exchange. Chuck, well known for his safety instrumented system and safety compliance expertise, co-presented with a process manufacturer on the topic of cyber security in the control domain.
Automation systems have gone through quite a change from the ’70s and ’80s to our current decade. The earlier architecture used proprietary data highways separated by gateways from operation stations, and separated from the enterprise local area network by another gateway, if they were connected at all. Described in terms of the ISA-95 (S95) model’s levels, automation systems have evolved to use Ethernet/IP addressing between levels one and two, and between levels two and three. This move from proprietary technologies to commercially available technologies means that cyber security issues must be considered and addressed.
The presenters defined risk as likelihood multiplied by consequence. Likelihood was defined as threat, vulnerability and target attractiveness multiplied together.
The process manufacturer described their risk assessment/reduction process. It included a risk assessment phase, a risk reduction workshop phase, development of a risk reduction plan, and implementation of that plan. Two key tenets of this process were that only the site personnel had the knowledge to assess the risks to their plants and their systems, and that each site would use a risk assessment tool to develop a site risk profile. ISA-SP99 can help with the elements involved in this risk assessment.
Security levels were assigned based upon the consequences of a successful attack. Considerations included the level of hazard associated with the process or product, the location of the plant, and applicable federal critical infrastructure processes. The last consideration impacts the target attractiveness part of the risk equation.
They discussed the areas of the automation system that need to be addressed, including the control of network access, user access, and physical access. A key point is that multiple layers of protection must be considered. Their analogy was a medieval castle protected by a moat, then by a drawbridge, then by a portcullis, then by murder holes, then by the outer walls, and finally by the keep. All these layers of protection did not make castles impenetrable, but they certainly made them extremely difficult to “hack into”.
An automation system has points of entry that must be addressed by the security plan. These include the connection to the plant network or other external networks, modems, CDs, floppies, USB devices, equipment on the level-one control network between the controllers and PCs, and, from underneath, the I/O subsystems.
As one example, the control network should permit no devices to connect other than the controllers and the PCs running operator, engineering, and application software. Also, controller firewalls can be added between the PCs and controllers. These protect the controllers, which are installed on the secure side of the firewall, against message flooding and denial of service attacks. This firewall is in addition to the router/firewall above the PCs between the automation system and level 3 applications.
In the case of this process manufacturer, this router/firewall was managed by the operations organization. They created a DMZ above the automation system, which contained an anti-virus server, data server, and historian server. Above these was another router/firewall, managed by the IT organization, which connected to the plant local area network.
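The layered path described above (controller firewall, operations-managed router/firewall, DMZ, IT-managed router/firewall) can be checked against a list of proposed network flows. This is an added example, not code from the presenters or from Emerson; the zone names, the rule that a flow may only connect adjacent zones, and the sample flows are assumptions made for illustration.

```python
from dataclasses import dataclass

# Zones from the process upward, following the architecture described above.
# The names are hypothetical labels chosen for this example.
ZONES = ["controllers", "control_pcs", "dmz", "plant_lan"]
# BOUNDARIES[i] is the firewall between ZONES[i] and ZONES[i + 1].
BOUNDARIES = [
    "controller firewall",
    "router/firewall (operations-managed)",
    "router/firewall (IT-managed)",
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str

def crossed(flow):
    """Firewalls a flow passes, in order from source to destination."""
    a, b = ZONES.index(flow.src), ZONES.index(flow.dst)
    path = BOUNDARIES[min(a, b):max(a, b)]
    return path if a < b else path[::-1]

def audit(flows):
    """Assumed policy: a flow may cross one firewall, never skip a zone."""
    findings = []
    for f in flows:
        unknown = [z for z in (f.src, f.dst) if z not in ZONES]
        if unknown:
            findings.append((f, "unmodelled entry point: " + unknown[0]))
        elif len(crossed(f)) > 1:
            a, b = sorted((ZONES.index(f.src), ZONES.index(f.dst)))
            findings.append((f, "bypasses " + ", ".join(ZONES[a + 1:b])))
    return findings

# Constructed sample flows, not taken from any real site.
SAMPLE = [
    Flow("control_pcs", "controllers", "control traffic"),
    Flow("control_pcs", "dmz", "historian collection"),
    Flow("plant_lan", "dmz", "historian read"),
    Flow("plant_lan", "control_pcs", "remote desktop"),
    Flow("plant_lan", "controllers", "configuration download"),
    Flow("modem", "control_pcs", "dial-in support"),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE):
        print(f"{flow.src} -> {flow.dst} ({flow.service}): {reason}")
```

Flows that terminate in the DMZ pass the check, while anything reaching from the plant LAN past the DMZ, or arriving from an entry point that is not in the zone model, is reported for review.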
The presenters also discussed anti-virus strategies, security bulletins, and disaster planning. They summed up the presentation with elements that should be in the plan. These include:
- Assess the risks
- Define the critical systems
- Mitigate for (at least) the high cyber security risks
- Test the plan on a regular basis
- Train the users in the plan
- Get stakeholder signoff
This whole security risk assessment process is not easy, but, like process manufacturers’ safety risk assessments, it is critical. For other automation system cyber security considerations, take a look at the best practices in cyber security written around Emerson’s DeltaV system.