European Process Industry Debates Security Objectives

Information technology (IT) and automation are the backbones of most manufacturing operations; however, production downtime due to IT-related risks is on the rise. In the coming years, both the rate of technology change and the degree of information integration required will remain high.

How will we manage the associated risks? What needs to be done to secure automation systems in the future? These questions were the topic of the recent IT Security Workshop held in conjunction with ARC’s Process Management Academy (PMA) in Antwerp, Belgium. 

In Europe, two official “recommendations” form the basis of IT security design for the process industries: NA115 from the International User Association for Automation in Process Industries (NAMUR), and VDI 2182 from the Association of German Engineers.

In the European process industries, hackers or other intruders have yet to breach security—no attacks by viruses, worms, or Trojans have been recorded. Nevertheless, these protection scenarios are necessary because attacks have already been seen in other parts of the world.

In today’s data-intensive industrial environments, the uninterrupted operation and control of the plant are only possible with continuous data exchange between plant and enterprise systems. At the same time, new technologies such as wireless networking, remote diagnostics and computer configuration of field devices increase communications intensity. This creates new hazards, which may include faulty software or hardware, improper use of IT equipment, malware, manipulation by disgruntled employees, or hacker attacks from outside the fence.

When analyzing IT for industrial process applications, it makes sense to split applications into those for existing assets and those for new assets.

For new assets, end users can expect their automation system suppliers to provide a comprehensive solution for the industrial IT infrastructure. However, it’s critical for the secure IT concept to be included in the design phase during system planning, rather than added later as a fix. This means that automation system suppliers must offer proofs of concept for IT security for new applications.

Existing assets require a different approach. They are often multi-vendor installations requiring close collaboration between the end user or system integrator and the IT security hardware supplier. The first task is to define the risk in the plant. IT security objectives and possible threats need to be defined to determine the level of required IT protection.

The second task is to select IT security hardware that meets the required level of IT protection. For the selection process, it is crucial to know the required availability of connected IT systems, the level of integrity for data communication, and the level of authenticity in data communication.

At ARC’s PMA IT Workshop in Antwerp, representatives from automation system suppliers, security vendors, and organizations such as NAMUR and WIB (the International Instrument Users Association) reached some conclusions (see box).

Among the findings, attendees decided that IT security in process automation needs special security concepts for existing assets. (Currently many end users institute concepts borrowed from the world of office IT security, but this is not the appropriate way to increase the level of protection.) After consulting with NAMUR, the working group will take the initiative to select existing assets to investigate IT security. The working group will work closely with NAMUR to define the risks and select the proposed hardware for these assets.   

Conclusions

Representatives from automation system suppliers, security vendors, and organizations such as the International User Association for Automation in Process Industries (NAMUR) and the International Instrument Users Association (WIB) reached these conclusions at ARC’s Process Management Academy Europe 2011 workshop in February:

The international standard ANSI/ISA99 will not be released in the near future and may take several more years. 

In addition, it’s possible that ANSI/ISA99 will be too theoretical for end users in the process field, leading some large end users to perform their own investigations.

For new assets, IT security should be a design goal and should be provided by DCS suppliers.

IT security in process automation needs special security concepts for existing assets.

Thomas Menze, tmenze@arcweb.com, is SPPC Partner and senior consultant and David Humphrey, dhumphrey@arcweb.com, is director of research for Europe at ARC Advisory Group, Dedham, Mass.
