Corporate IT Helps Plants with Security
Often, those mistakes come during a clash of misunderstanding between control engineers and the company’s information technology (IT) department. A process control center in a chemical plant is a recent example. The plant’s control center needed to upgrade to a new computer and install advanced software. Plant engineers installed the software and then went to lunch.
Even as plants moved to off-the-shelf technology, they often remained securely isolated. The connections to the business and enterprise resource planning (ERP) systems created the greatest vulnerability. “In the past, even if you got a virus on the PC [in the office], it wouldn’t get on the network,” says Dan Miklovic, research vice president at Gartner Inc., in Stamford, Conn. “But users demanded more open systems. What won out was Microsoft at the network level. Now we can have connectivity and we can also get a virus down into the control system.”
With a fully networked plant, even the control devices can be infiltrated through the network. “The control devices have a lot of legacy stuff, and now they’re getting connected to the business enterprise, and there are challenges,” says Kevin Staggs, global security architect at controls vendor Honeywell Process Solutions, in Phoenix. “Legacy protocol has migrated to PC networks, and those legacy systems have protocols that are not open. But now they’re being sent out on an open system, so they have to be firewalled.”
Not all threats are deliberate. Once you have the plant connected to the enterprise, a well-intended employee can disrupt the plant network. “There are advertent and inadvertent threats. It comes from connecting the plant to the business,” says Doug Clifton, global managing consultant of security at the Cyber Security Practice at Invensys, a London-based automation conglomerate. “Plant devices are being installed, configured and forgotten. As a result, there are unmanaged connections. We believe they need to be managed.”
Clashing cultures
Many of the problems in securing the plant come from the differences in priorities between plant operators and IT staff. The conflicts come from misunderstandings of what’s required for security and what’s required to make the plant run efficiently. The plant’s highest priority is availability. IT’s highest priority is confidentiality. IT, by its nature, is willing to sacrifice availability to protect confidentiality; the plant doesn’t want to sacrifice availability for anything.
When IT has full control of plant security, decisions are made based on office protocol rather than on the needs of plant operations. “The worst case scenario is when IT has complete authority on the plant floor. If they see unusual activity, they’ll disable the protocol,” says Bryan Singer, vice president of security services, Wurldtech Security Technologies Inc., a Vancouver, British Columbia, Canada-based provider of industrial cyber security solutions. Singer notes that he saw a piece of machinery going down at a plant where IT was in charge. The plant maintenance person wanted to see what was going on with the error messages, but IT saw the machine dying and kept shutting it down. “The plant people couldn’t find out what was going on because the IT folks kept shutting down the network rather than ...