In Secure Out of the Box Myth-Part 1 we highlighted some of the challenges and misconceptions around effective cybersecurity efforts. Part 1 explored the myths that a system can be made secure without ongoing actions by the end user in collaboration with their suppliers. Here in Part 2, we’ll highlight some ways that this collaboration can improve overall security and robustness of your control systems.Here are some additional key points from Emerson’s Neil Peterson‘s presentation at the AFPM (American Fuel & Petrochemical Manufacturers) 2015 Q&A and Technology Forum.
Separating the distributed control system from the plant network should be a firewall with rules to specify who is allowed to access the control system, what in it they can access and change management recordkeeping to identify changes made.
Within the boundaries of a control system, smart network switches should be configurable to lock ports to prevent connections from unauthorized devices. Neil highlighted the importance of establishing and executing ongoing maintenance procedures around these control network devices. Also, a controller firewall protects the controller from denial of service attacks and other automated attacks that could cause interruption of control functions.
Denial of service attacks use network storms, malformed communications, and other non-standard network communications to cause a network device to fail or become unresponsive to its normal functions and may interrupt control functions and cause process upsets.
For the control system workstation, security-hardening processes are required. Only authorized applications should be installed with the operating system specifically configured for use in roles these workstations must perform. Unused operating system services should be disabled as part of the installation process—preferable automatically to avoid errors and omissions.
Workstation hardening policies should include integrated supplier-specific policies with site-specific security policies. Examples of these policies include password complexity requirements, remote assistance, registry access, automatic update enablement and more.
USB and portable media access is a recurring security issue. DCSs such as the DeltaV system provide centralized locking and unlocking of all USB and portable media access on all workstations, which is similar to the network smart switch port lockdown. It is important that these automatic locking/unlocking mechanisms do not affect mice, keyboard and system dongle usage.
Neil noted that an ongoing site activity should include a policy for keeping anti-virus definition files updated and security patching for the operating system and applications. Some suppliers provide automated and local patch management services. This service establishes a strategy for anti-virus signature screens, operating system security patching and/or application hotfixes. It combines people, technology and best practices to automate the routine aspects of manual security software update deployment.
Neil shared ways the patching process can be performed manually and automatically. Here is an example of the manual method:
And, here is an example of an automated patch management approach:
Neil also showed a semi-automated way where the transfer between levels 3 and 2 were performed manually with a CD, portable disk or thumb drive manually transferring the metadata files between the upstream and downstream patch management servers.
User accounts and passwords require configuration and ongoing activity at commissioning and ongoing maintenance. The user configuration needs to integrate customer user policies with the control system network policies. Also, it’s important to define users and assign privileges/permissions in the control network. Smart card readers can also be used to provide 2-factor authentication.
He closed noting to get “secure out of the box” you have to:
Build security into specific requirements in your RFQ
- Ensure all the required associated activities are included
- Collaborate with your vendor(s) to get it delivered
- Create secure maintenance policies/procedures
You can connect and interact with other control system security experts in the Operate & Maintain group in the Emerson Exchange 365 community.
Update: Received some feedback that there might be confusion since this post, part 2, does not contain any myths. I clarified that these were in the initial post in a couple of additional sentences in the first paragraph.