If you discovered that a computer worm or virus had infiltrated your distributed control system (DCS ), what would you do?

When Shell, the major, Dutch-based petroleum company, asked its operators this question several years ago, their answers came quickly. They would call the corporate information technology (IT) help desk.

The only problem, as a team of Shell control-system security experts discovered, was that the IT help desk didn’t know what to do. While the IT experts on the help desk were well-versed in the ways of corporate personal computers (PCs), office applications and global enterprise systems, they were not familiar with the requirements of real-time control systems that could not be arbitrarily shut down, patched and restarted.
 
“Doing something on a DCS is like fixing your car while you’re driving it on the motorway,” observes Ted Angevaare. “Of course, our operators are aware of that, but our IT people didn’t know,” says Angevaare, who is Shell’s global manager of process contro l security and architecture, in Rijswijk, The Netherlands. “IT and process control are two different worlds.”

DCS help desk

As a result, Shell today has established a dedicated process-control assist desk for security issues that is staffed by specially trained people who know the ins and outs of control systems. Shell control system operators, engineers and others in any of about 30 Shell refineries and thousands of other facilities worldwide can now call a special number and “always get a person on the phone who understands real-time systems,” says Angevaare, who heads up a team of 14 Shell experts involved in process control security and architecture, remote operations and training for Shell.

The 24/7 process-control assist desk, which currently employs nine people, has been in operation since the beginning of this year. And it is only a small piece of what Angevaare says is an ongoing, multimillion-dollar program at Shell aimed at process-control-systems cyber security. Among other things, Angevaare’s team has developed an extensive set of internal cyber-security standards that have been put in place at Shell facilities worldwide, and it is working with an outside cyber-security company to develop Shell security certification programs for its automation and control systems vendors.

Citing trends such as an exponential increase in the number of malicious codes on the loose—around 1.5 million by one recent count—and the malicious intent of terrorists and others, Angevaare warns that critical infrastructure companies cannot afford to wait to take steps to protect their control systems from cyber incidents and attacks. He cites a number of specific steps that companies must take.

One layer of protection comes from working with vendors to ensure that control systems are patched as soon as possible to protect against the latest cyber vulnerabilities. Shell’s process-control vendors are “working hard” on this front and doing a reasonably good job, says Angevaare, though, of course, he adds, “there is always room for improvement.”

Another necessary step is “system hardening,” which Angevaare defines as the removal of all software from a process control system that isn’t absolutely necessary. If only an Excel spreadsheet is needed on a DCS, for example, why install the entire Microsoft Office suite, which also includes applications such as Word and Outlook that can add more vulnerabilities, Angevaare asks.

An even more important step is ensuring that the people who work in control systems have a certain level of expertise, Angevaare notes. “At Shell, we are launching all sorts of training programs so that people can recognize security threats and issues, and so that they know what to do as soon as we are infected.”

When it comes to making control systems more secure, “the people side is very, very important,” Angevaare stresses. That’s why Shell has created and implemented its own set of standards company-wide that cover roles and responsibilities within the cyber-security space. “We have 18 standards, and that’s a lot, because we’re dealing with lots of subjects—security administration, remote access, risk assessments in the process-control world, and many other subjects that are very well described in our standards,” says Angevaare.

It was “a costly exercise” to develop these standards, but “we needed something to move forward,” says Angevaare, citing the slow pace of development for international standards on control-systems cyber security. The International Society for Automation’s ISA99 Industrial Automation and Control Systems Security committee—which held its first meeting in 2002—has still not produced a comprehensive set of cyber security standards, he points out. “Those are the standards we in industry are all looking for, and ...