Securing Distributed Control Systems

Nov. 2, 2021

Industrial control system cybersecurity is often discussed in broad terms, but the distributed control systems used in the continuous processing industries introduce some unique cybersecurity requirements.

David Greenfield

Distributed control systems (DCSs) are commonplace in continuous processing, particularly in the oil and gas and chemical industries where they’re used to control several machines or processes at the same time. This differs from PLCs (programmable logic controllers), as a PLC is typically used to control just one machine.

Tim Mirth, PlantPAx platform leader, Rockwell Automation.

This difference in how DCSs are used to manage multiple machines and processes ups the ante in terms of the impact a security breach of a DCS can have. With this type of vulnerability in mind, Tim Mirth, PlantPAx platform leader at Rockwell Automation, says plant decision-makers exploring DCS-related cybersecurity improvements should be aware of these common DCS cybersecurity challenges:

Open systems. “Open protocol networks are a historical hallmark of distributed control systems and are usually considered a huge benefit,” said Mirth. “But the additional avenues of risk associated with online, connected control systems may leave producers more vulnerable. The Zone and Conduit model can help mitigate the threat and keep critical assets segmented from most vulnerable areas. Managed firewalls are another important part of protecting open systems.

This illustration highlights the control connection differences between a PLC-controlled system (left) and a DCS-controlled system. Source: RealPars

Legacy equipment. Older machines, especially if they have not been updated in many years, are potential entry points for viruses, worms, and hackers. “This is where a risk assessment can expose a vulnerability and develop a strategy to strengthen them,” Mirth said. “In larger plants you may not even know there is still an obsolete operating system on your network.” Mirth noted that if replacement of a legacy device is not possible, some protection can be gained with network segmentation to build in layers of defense.

Evolving workforce. “The people who have access to your plant and systems are an important piece of the overall cybersecurity puzzle,” said Mirth. “Breaches can be caused by innocent mistakes as well as those with nefarious intentions.” To address this, Mirth said to ask yourself: Do you know who manages user accounts and system access for your company? Also, are there any accounts that have remained active and unused for years? Adhering to international standards, such as the ANSI/ISA-62443-3-3 standard, and managing your users as part of a cybersecurity strategy can help mitigate this risk, Mirth added.

Unknown ROI. Too often, companies view cybersecurity as an expense with an unidentifiable ROI (return on investment). Mirth said that, with cybersecurity or any risk mitigation initiative, “it’s less about how much money the company will make and more about what you don’t want to lose. With a proper risk assessment, vulnerabilities, risks, and mitigation strategies can be evaluated and allow producers to answer questions such as: What risk are we willing to accept? What will it cost to make the changes needed to feel comfortable in our risk posture?” Mirth said it may not be as expensive as you think to make changes, and the opportunity cost for not protecting your systems is too great to pass up implementing even some simple measures.

Finally, Mirth pointed out that it is necessary for industrial companies to realize that having an evolving plan will be needed to properly secure your DCS. That’s why it’s important to recognize the criticality of the cybersecurity challenges he cited and to “select a plan that keeps enhanced overall security, flexibility, and digital transformation in mind and won’t trap you from making the progress you need to run your business.”