A popular TV drama series here in the U.S. recently dramatized a cyber-attack on a chemical plant, raising awareness of process manufacturing cyber-security risks outside our niche of process automation. Within our industry, this has been an area of concern for many years and is being addressed in many different ways.
I mention this because Emerson’s Bob Huba recently spoke at the 63rd Annual Instrumentation Symposium for the Process Industries at Texas A&M University. His presentation was on Control System Cyber-Security.
His key message to the symposium participants was that the technologies alone are not enough. Security must be looked at holistically, much the way process-manufacturing plants take a holistic view for safety.
Bob starts by defining SCADA Cyber Security as protection from intentional computer misuse that would cause inability for you to properly control the process. IT security protects information, while SCADA security protects physical assets and production. It also encompasses the protection of your control system, which is required to manage your process.
Threats can come from undirected, automatic sources including worms, viruses, and malware. They can also come from deliberate attacks, which disrupt the system or even take over the system. The concern for these deliberate attacks continues to grow.
To combat these threats the automation industry is developing a standard for control system security, ISA SP99. This standard’s charter is to address:
…manufacturing and control systems whose compromise could result in any or all of the following situations:
- endangerment of public or employee safety
- loss of public confidence
- violation of regulatory requirements
- loss of proprietary or confidential information
- economic loss
- impact on national security
Bob reviewed the technology side of the equation that he shares in the whitepapers based on the philosophies of rings of protection and defense in depth.
His big message was that the technology alone is not sufficient. Process manufacturers must develop a culture of security. He suggested that the program could be modeled after the plant safety program. Most plants proudly display their days without a lost-time accident. Everyone in the plant has a role in keeping each other safe. Safety milestones are typically commemorated with high-level management participation to continue to reinforce its importance.
Bob shared that to be successful security must also become a “way of life.” It should include all people who come into the plant. The reason to follow the safety model is that the model is easily understood by operations. It is implemented at the right levels of the organization and helps reinforce everyone’s behavior in promoting security. The processes and procedures are localized, as they need to be to the site, department, or process unit. Also, control systems are different so some elements of the security enforcement procedures must be specific to the system.
Key to this approach is that you must have an owner or security champion in operations just like most facilities do with an operations safety person. As SCADA security has unique aspects that are different from classic information security, a major role of this “champion” will be to interface with IT to make security work in the control system. Their role is to “make security happen.” They are not the security expert, but are knowledgeable and passionate about the need for vigilance in security. Bob defined important roles for this champion including security policy development, system access go-to person, risk assessment team member, control system vendor focal point, and vulnerability reporting and mitigation.
Better security comes from establishing a security-minded culture where everyone plays a role. This approach fosters paying closer attention to the details of technology maintenance, patching, virus management, ongoing assessments and improvements.