Users who post passwords next to control stations or insert unauthorized USB memory sticks into industrial equipment can easily thwart the best technologies. For example, Cimation (www.cimation.com) set up an integrated security system that included electronic door locks and networking protection on a large offshore oil platform. The roughnecks who live on installations like these often don’t have a lot of experience with computers and key cards, so educating the personnel was one of the major issues.
“Our challenge is not just to install the hardware. It’s more about educating the user,” says J-D Bamford, CRM/SCADA security engineer at Cimation. “People who live on oil rigs don’t necessarily understand computer security, especially security that works at this level.”
The human factor has even been addressed by the Dept. of Homeland Security, which issued guidelines for passwords used in utilities, oil facilities and other segments of the nation’s critical infrastructure. They suggest that process controls in these facilities should use role-based passwords, not single user log ons.
“Often the system that controls critical functions typically has one password that everyone knows,” says Shawn Gold, global solutions leader, industrial IT solutions at Honeywell Process Solutions (www.honeywell.com). “That should change. But in many facilities, operators absolutely get into these control systems quickly if there’s a major problem that could cause injury or damage to production. Everything is a tradeoff: how much protection you have versus making it more difficult for people to do their jobs.”
In critical infrastructure installations such as utility sites and oil rigs, password protection is often complemented by physical security systems that take pictures or require biometric signatures when personnel enter and exit protected areas. These inputs, as well as manual sign-ins are often entered and stored on electronic systems that can be integrated with other safeguards such as passwords. This multifaceted approach can help prevent people who sneak into facilities from accessing critical control systems.
“What happens if someone signs into a workstation but in reality that person hasn’t been there for two days, someone has stolen their password,” Gold says. “Tying entry to lists of those who have signed in at the gate or signed in to a room can tie this together nicely and prevent unauthorized entry.”
The problem of false passwords is rapidly being overcome by the use of biometric readers. Some hardware such as iris readers is still expensive, but fingerprint scanners have become a low-cost technology that easy to deploy. While fingerprint scanners won’t work in dirty or oily environments, many security experts feel that some form of biometrics should be used in high-risk facilities where passwords may not be a strong enough roadblock.
“You should definitely have operators sign into systems using biometrics when you’re working with something like a key electronics system station room,” Gold says. “However, that can be difficult in some industries, such as lead smelters and coal fired electrical plants where conditions can prevent biometric usage.”
Security systems also need to protect sites from personnel who don’t have malicious intent. Systems may ask personnel for authorization if they connect unauthorized PCs or USB sticks to plant equipment. Security rules may also prevent users from accessing the Internet, providing protection against viruses and intrusions while also minimizing unnecessary bandwidth consumption.
“If there’s a rule against any Web traffic, the system can record anyone who tries to access the Web. That information can be sent upstream to a manager or supervisor,” says Dan Schaffer, industrial security specialist at Phoenix Contact (www.phoenixcontact.com).
Companies also need to set a strategy for the personnel who will respond when security systems detect problems. Some companies set up teams that are trained to respond. Others train a few key personnel so they can respond. Either technique is better than what happens in many facilities.
“Very few process controls systems are supported by incident response teams,” says Rick Kaun, global business manager, industrial IT solutions at Honeywell Process Solutions. “Usually when an event comes through, the reaction is panic, people start turning systems off.