Everyone understands that security becomes an issue when companies use Ethernet in industrial environments. But it’s often difficult for companies to approve the time and funding needed to set up security systems that are efficient and cost effective. In the current downturn, justifying these expenditures is a critical aspect of securing corporate assets.
Avoiding waste is critical, but it can postpone investments and leave a company vulnerable to shutdowns and other problems that can occur if viruses, attacks or other failures bring networks down. That changes when regulators in environments such as power generation force vendors to beef up their protection. The Independent Electricity System Operator (IESO), which monitors the electric power grid in Ontario, Canada, took major steps after the North American Electric Reliability Corp. (NERC) began enforcing security compliance regulations for utility companies in 2007.
Meeting NERC mandates required a major network overhaul. “We started from the ground up, taking out all the networks, then upgrading them and putting modern operating systems on our equipment,” says Ben Blakely, Information Security Officer for IESO.
The Toronto-based company also added a number of other software tools. “We added a patch management system, put in a lot of anti-virus scanners and added TippingPoint technology,” Blakely says. TippingPoint Technologies Inc., Austin, Texas, is a 3Com company that supplies network-based intrusion prevention systems. “We wanted to get a system that would gather data and monitor what was happening on the wire. But we also wanted to make sure we weren’t blocking appropriate messages,” Blakely says.
Where’s the money?
Steps like these are just as important in unregulated industries. But before making a move, many companies are looking at security from a new stance. Security must contribute to the bottom line, helping increase uptime and reduce risk while justifying all expenditures of time and money. That focus on return on investment (ROI) has gained importance, given the sluggish economy. “Security without a good return on investment is a waste of money. But if you do it well, you get a good ROI,” says Eric Byres, chief technology officer for cybersecurity consulting and products company Byres Security Inc., of Lantzville, British Columbia, Canada. “Like safety, security pays for itself.”
It’s widely understood that the shift to Ethernet and transmission control protocol/Internet protocol (TCP/IP) has a downside: it makes security more important, offsetting the upside of improved corporate compatibility and reduced costs. But this understanding doesn’t always translate to increased efforts to reduce risk. Vendors of manufacturing equipment note that regulation is a key driver for the level of emphasis that firms place on security. Those in regulated fields don’t have a choice, while many in non-regulated fields are taking their time before spending precious resources on security systems and processes.
“Companies can almost be segmented into two halves. Process automation is usually more progressive and mature, driven partly by government mandates in areas like oil and gas,” says Doug Wylie, business development manager at vendor Rockwell Automation Inc., in Mayfield Heights, Ohio. “In factory automation, the focus on security is not as great.”
Running safely
Linking safety and security is becoming more common as companies look to trim any expense. Both are closely related to one of the most critical parameters in the industrial world: uptime. When either safety or security is compromised, production is usually stopped, regardless of whether the problem was caused by employees or outsiders.
“Security often means keeping out malicious attacks, but it can also mean keeping systems up and running. Companies need to control the often-unintended consequence of human actions,” Wylie says. “Companies need to look beyond cost and look at the value of protecting information and equipment.”
Late last year, Honeywell emphasized the links among security, uptime and safety when it began offering security courses created by TÜV Rheinland, which certifies facilities in Europe. “The training modules are designed to provide practical advice that manufacturers can use to help them be better prepared to deal with potential incidents, avoid downtime and protect their people,” says Scott Hillman, a marketing director for Honeywell Process Solutions, the Phoenix-based process automation vendor.
One of the biggest factors in security is to understand the entire network and acknowledge its weak and strong points. That begins with creating a solid architecture, then doing plenty of testing to fully understand the nuances of the full network. The latter step is a critical aspect of success.
“The real key to managing risk is to know more about your system than any hacker can learn. You can’t build a network based on spec sheets. There are emergent behaviors you won’t know about until you put the components together and run them through rigorous tests,” says Perry Pederson, vice president at Wurldtech Labs, a division of Wurldtech Technologies, an industrial cyber security vendor and consultant based in Vancouver, British Columbia, Canada.
At the same time, managers must determine the types of threats they’re likely to see. In some facilities, outsiders might take the time to engineer a social attack by figuring out ways to trick employees into creating openings by downloading files that include viruses.
Creating a hierarchy for protection means determining where critical assets are and assuring that they’re protected. But that hierarchy must protect the entire network, because it’s difficult to ensure that problems that get into the system won’t move into other areas. It’s better to devise techniques to keep problems on the outside.
“Threat modeling begins with figuring out where all the cyber assets are, then looks at all the entry and exit points and determines what happens when someone tries to intercept, change or block a message,” Byres says.
Unfortunately, performing a threat analysis is not a simple task. It’s an area that tool providers have largely ignored. This lack of automated tools means that the job will be tedious and time consuming. “One problem is that it’s still painful to do a threat analysis. Now, you need a lot of spreadsheets. A lot of tools nibble around the edges of the problem, but this is an area where IT (information technology) is not that far ahead of industrial,” Byres says.
Defensive position
Once teams have figured out where threats and openings are located, they can start installing protective technologies. Adding hardware and software that provide security is a necessary step, but it often raises suspicion for industrial personnel who didn’t have to worry about protection back in the days when proprietary networks provided security by obscurity. However, proponents say there is little reason to worry. “There’s nothing customers should be fearful of in security. Companies can install systems that don’t interfere with their operations,” Wylie says.
Firewalls are one of the first lines of defense. They can isolate front-office networks from industrial connections, and they can also stand between sub-networks in various parts of a facility. Though firewalls are an important tool, experts caution that their effectiveness shouldn’t be overrated. “You have to understand the weaknesses of the system and tune firewalls to those weaknesses. A firewall without proper rules is a pass-through device,” says Nate Kube, chief technical officer at Wurldtech Labs.
That warning is becoming more common as the arms race between hackers and security experts continues. A good rule set makes a firewall more effective, but nothing is foolproof. One intrusion specialist who helps IT companies find faults in business networks notes that firewalls should be one of many barriers. “Firewalls aren’t a secure technology any more; our average penetration time is 30 to 50 seconds,” says Adriel Desautels, chief technology officer at Netragard LLC, Mendham, N.J. “Once you get through the firewall, you have control of everything behind it.”
One way to make a firewall—or most other protective technologies—more effective is to reduce the amount of troublesome traffic they see. That’s especially true in facilities where standard equipment is used. For example, it’s often cheaper and simpler to install a four-port switch in a spot where only two or three ports are needed. “You have to be sure you’ve done things that are simply good practice, like turning off unused ports on switches,” Wylie says.
While that seems obvious, it’s the kind of thing that’s often overlooked. A related issue is to make sure that all equipment is operating correctly, putting data packets on the network only when necessary. That can improve security and reduce network traffic, bringing the added benefit of effectively increasing the available bandwidth. “We were going to add a firewall in a refinery, but we found a lot of traffic that didn’t match what they expected. There were copious messages being sent from addresses like 000 that had to be cleaned up,” Byres says.
Soft solutions
There are also a number of software technologies that can help industrial managers safeguard their networks. Operating systems have evolved in recent years, offering partitioning to isolate tasks, while applications packages address the challenge of patches.
Software continues to grow in importance throughout the electronics industry, so it’s no surprise that its role in network security is getting more attention. As Redmond, Wash.-based software giant Microsoft Corp. has proven in the IT world, the operating system is a critical component that can be exploited by hackers. Its applications packages are also vulnerable, as are those of other suppliers in both industrial and front-office markets.
This software is as important as firewalls when managers are building the walls that isolate their equipment. “You only need one weak link to get in,” says Ganesh Devarajan, Associate Security Analyst for TippingPoint Technology’s DV Labs group. “Operating system vulnerabilities play a big role. After them come application program vulnerabilities.”
A number of operating systems now partition tasks so that a problem in one section can’t jump to another section. That largely eliminates the ability of malicious software to spread throughout a facility. This technique, sometimes called padded cell technology, was first used in aircraft and defense applications. It’s now expanding rapidly into industrial applications.
“When you have a secure operating system, it lets you create systems with far higher security,” says Dave Kleidermacher, chief technology officer at Green Hills Software Inc., of Santa Barbara, Calif. “Even if someone hacks in through your browser, you can isolate nodes.”
In environments where migrating to newer, more secure operating systems isn’t viable, there are software tools that can isolate sections. For example, these tools prevent messages from entering unauthorized areas and a critical area with expensive equipment. “If one sub-net is not supposed to talk to another, we ensure that they don’t communicate,” Devarajan says.
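Two checks described in this article, cleaning up traffic that doesn't match what is expected before adding a firewall and making sure sub-nets that aren't supposed to talk don't communicate, can be run over captured flow records. The sketch below is an added example, not code from any vendor or company quoted here; the subnets, zone names, port policy and flow records are all constructed assumptions, and "addresses like 000" is read as the unspecified address 0.0.0.0.

```python
import ipaddress

# Constructed asset inventory: subnet -> zone name (assumed addressing plan).
ZONES = {
    ipaddress.ip_network("10.10.1.0/24"): "control",
    ipaddress.ip_network("10.10.2.0/24"): "historian",
    ipaddress.ip_network("10.20.0.0/24"): "office",
}
# Assumed policy: zone pairs allowed to talk, and the destination ports expected.
ALLOWED = {
    ("control", "control"): {502, 44818},
    ("historian", "control"): {502},
    ("office", "historian"): {443},
}
# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502),
    ("10.10.2.8", "10.10.1.20", 502),
    ("0.0.0.0", "10.10.1.20", 502),
    ("10.20.0.14", "10.10.1.20", 502),
    ("10.10.1.5", "10.10.1.21", 23),
    ("192.168.7.9", "10.10.2.8", 443),
]

def zone_of(addr):
    """Return the inventory zone containing addr, or None if it is unknown."""
    ip = ipaddress.ip_address(addr)
    for net, zone in ZONES.items():
        if ip in net:
            return zone
    return None

def audit(flows):
    """Return (src, dst, port, reason) for every flow outside the baseline."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if ipaddress.ip_address(src).is_unspecified:
            reason = "unspecified source address"
        elif src_zone is None or dst_zone is None:
            reason = "endpoint not in asset inventory"
        elif (src_zone, dst_zone) not in ALLOWED:
            reason = f"{src_zone} -> {dst_zone} not permitted"
        elif port not in ALLOWED[(src_zone, dst_zone)]:
            reason = f"port {port} not expected for {src_zone} -> {dst_zone}"
        else:
            continue  # flow matches the baseline
        findings.append((src, dst, port, reason))
    return findings
```

Every finding is either a device to clean up or a rule the firewall between sub-nets needs before it goes in.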
Ongoing challenges
The task of setting up networking security systems is a bit like being given a pet: it’s a gift that keeps on giving. Those who create viruses and other maladies will constantly be finding new vulnerabilities, and equipment in the plant is likely to change.
That’s increasingly true in flexible factories, where the links between equipment change continuously. Even in facilities that remain constant, continually creating the same product, there will still be alterations.
“This is a dynamic field, and you’re never really finished. Even if hardware is static, there will be changes in software that open potential vulnerabilities,” Pederson says.
Software upgrades are one area of constant revision. Improvements come sporadically, and they may not always provide enough benefit to warrant installation. But patches are another story. Many of them will be critical from the security side, closing openings that weren’t recognized until well after the program was shipped.
In industrial applications, patches are often installed months after they’re issued. That creates opportunities for those who want to exploit openings that can often be attacked successfully using free programs accessible online to anyone. Software and service providers are providing systems that step in during these gaps.
“We put a security device outside the network. It monitors traffic so things can’t enter and attack ports that haven’t been patched,” Devarajan says. The 3Com company provides intrusion detection tools.
That was important for IESO late last year, when a virus sprang up quickly. “When there was an issue with Microsoft’s Web browser, something was released into the wild and there wasn’t a patch out. We took advantage of the TippingPoint tools to make sure it didn’t come into our network,” Blakely says.