Like most automation specialists who peer into their production control networks, Marc Ayala was shocked by just how much traffic was on his. A senior controls specialist at Akzo Nobel Industrial Specialties Inc., Chicago, he noticed this activity during a migration to a new data historian at one of the company’s surfactant plants in 2006. “Any computer connected to the network automatically does a broad search and hits everybody on the line,” he explains.The number of hits was quite large because of the sheer size and complexity of the network need by the global manufacturer of coatings and specialty chemicals. Requests for information updates were coming from all over the world. What concerned Ayala was the fact that access to the historian was unsecured. To protect the integrity of critical control, safety, and regulatory data and processes, he joined the growing ranks of manufacturers installing the latest technology and adopting tighter policies for securing production networks.Working with the corporate information technology (IT) department, Ayala separated process control and information from the rest of the enterprise. When IT realized that the historian existed for reporting operational and environmental data, the department felt that it would be best for production experts in the field to take responsibility for it. Its recommendation was to establish a kind of firewall containing a gate where the enterprise network could knock and ask for updates.The technology chosen for this purpose came from Calgary-based Industrial Defender Inc. Not only can production personnel in the plant manage security from one “pane of glass” on the vendor’s Security Event Manager, but the console also has the look and feel of an industrial human-machine interface (HMI). It focuses on the tasks that production cares about, not wasting real estate and duplicating effort on securing activity already managed by corporate IT.The software allows only approved users into the network and checks for viruses at the perimeter. As unknown entities probe the borders, it also permits the staff to view patterns and decide whether to lock down the network, further isolating it from the rest of the company. The lockdowns are generated by a user-defined system of color codes and continue until the IT department neutralizes the problem.Another benefit of having Industrial Defender was that the company was ready for the Chemical Facility Anti-Terrorism Standards (CFATS) promulgated by the U.S. Department of Homeland Security in April 2007. “When our corporate office here in the United States asked about it, I was able to say, ‘We have a platform in place that is already doing the job,’ ” says Ayala. Since installing the first two Industrial Defender units, Akzo Nobel now has several installed across the company.Good segregationAyala’s segregation strategy is a key concept for securing control networks. In fact, it is the backbone of the security standards being promulgated by the International Society of Automation (ISA), in Research Triangle Park, N.C. (the ISA99 series) and the International Electrotechnical Commission (IEC), in Geneva (IEC 62443 series). These standards call for a manufacturer first to erect a firewall between process control and the rest of the enterprise, and then to repeat the process for various zones within the plant.The idea seems to be catching on, reports Andrew Ginter, chief security officer at Industrial Defender. “Five years ago, maybe half of our technology engagements with a new customer involved deploying firewalls to separate plant networks from enterprise networks,” he notes. “Nowadays, we see such engagements very rarely. Even when we go into a customer new to us, they almost always have such firewalls in place already.”He estimates that 20 percent of these plants have segmented their manufacturing networks further, beyond erecting the firewall between plant and enterprise networks. “We see roughly that many putting up firewalls between their second-level networks (HMI, input/output servers, programmable logic controllers, distributed control system servers) and their third-level networks (plant automation, historians, asset managers, maintenance managers),” he says.Two trends are driving interest in this strategy. One is the evolution within the hacking community. Hacking is no longer just a pastime for bored teenagers looking for kicks. Today’s hackers—at least the most worrisome ones—also include both professional criminals motivated by money, and political actors driven by ideology. “These guys have access to many more resources,” says Eric Byres, chief technology officer at Byres Security Inc., in Lantzville, British Columbia, Canada. These hackers want to extort money, steal intellectual property or financial information, or destroy property and lives.The second trend is the ever-tighter integration that has been occurring within corporate networks to streamline communications from processes on the plant floor all the way to the executive suite. “In many ways, the plant floor has become part of a much bigger network than people realize,” notes Byres. “So even if the plant floor is not connected directly to the Internet, you are somehow bringing stuff from the outside onto your platform through all sorts of secondary pathways.” These pathways include USB (Universal Serial Bus) keys, laptops and Internet connections elsewhere in the enterprise.Without segregating a plant into zones and putting each behind a firewall, the network has nothing to inhibit malicious actors successful at slipping past the corporate firewall or entering through a secondary pathway. DaimlerChrysler learned this lesson the hard way in August 2005. Probably by means of a laptop, a Zotob worm wriggled its way past professionally installed firewalls into the control network in one of the automaker’s plants, according to Byres. Once in, it was able to propagate to 13 plants within seconds, shutting them down and costing an estimated $14 million.Another weak point in many production networks is the wireless local area networks (WLANs) that might be connected to them. Many early wireless devices depended upon the wired equivalent privacy (WEP) mechanism in the IEEE 802.11 standard promulgated by the Institute of Electrical and Electronics Engineers. Unfortunately, WEP’s cryptography has proven to be too weak to protect sensitive data. Because replacing mobile devices is expensive, an option for monitoring legacy devices might be a security monitoring system like the one offered by AirMagnet Inc.,of Sunnyvale, Calif.The biggest challenge for establishing a second line of defense is deciding how best to divide the plant’s network. Rules of thumb given in the standards exploit similarities in such things as function, operational requirements, or equipment that would have similar risk. A good example is the safety system. Because the consequences of intrusion here tend to be far more severe than elsewhere, a safety system should have its own zone. Then, it becomes easier to justify devoting more sophisticated resources to secure it.The diversity in manufacturing processes has been an obstacle for adapting the sophisticated technology used by the military, banks and other industries for years. “The scope of industrial control products is quite large,” explains Ernie Rakaczky, control systems cyber security program manager, for automation supplier Invensys Operations Management, of Plano, Texas. “One solution is not going to fit all of them. If you want the best security at a proportionate cost, you really need a solution pinpointed at the types of controls being secured and the risks associated with the processes that they are controlling.”This is why Invensys worked with Byres Security to harden its Triconex industrial safety systems with an OPC firewall designed for them (OPC is an open connectivity standard). Using specific signatures for the systems’ Modbus transmission-control protocol (TCP), this inline firewall adds a layer of protection between safety and control systems. Only traffic that is appropriate for the safety system can get into it and only at rates that it can handle.Byres believes that such single-purpose micro firewalls and virtual private networks (VPNs) are the only way that control networks are going to absorb already-proven technology and become truly secure. “For technology to work,” he explains, “it has to be straightforward and not burden the person who is responsible for installing and maintaining it.”Assess risk annuallyBefore you start dividing up your facility and deploying technology, you might hire an expert to conduct a security risk assessment. “A risk-based assessment and internal and external penetration tests will give you a holistic view of your risks, giving your IT department the information that it needs to protect your environment adequately,” says Steve Marchewitz, vice president of SecureState LLC, an assessment company based in Cleveland.The results provide the data necessary for putting together a plan based on cost and risk. “Because of cost, you can’t do everything at once or you’d be out of business, so you have to make some choices,” Marchewitz continues. “Attack the highest risks with the budget that you have.”While making such assessments, owners and operators of control systems should invest the time to understand their applications to the point of knowing what device should be talking to others and why. The task might seem overwhelming at first glance, considering the thousands of applications and communications pathways that exist in an enterprise. “In an industrial automation control system, however, those variables are extremely limited when compared to the entire enterprise,” notes Bradford Hegrat, principal security consultant for Milwaukee-based controls vendor Rockwell Automation Inc.Once you identify those variables and chart how programmable logic controllers (PLCs), HMIs, and historians talk to each other, you are in a position to disallow all other communication. Hegrat, therefore, urges users to apply the control principle of least route, which is similar to the well-known IT security principle of least privilege. Both principles give a user or process the least privileges to perform its job.Although this process may sound a tad tedious, it transforms the network from a purveyor of attacks into a defender. Its cost is another source of good news. “You’re only talking about time here,” explains Hegrat. “Most modern systems already have the necessary hardware in them. You just have to configure what you already own.”Marty Jansons, a network consultant at automation supplier Siemens Industry Inc., in Norcross, Ga, concurs. Not only can PLCs lock out all but specified Internet Protocol (IP) addresses, but read-only features also can let authorized users view information without having the ability to change it. Jansons also notes that security features can be added via firmware. “It’s easier to upload firmware into a system than it is to install a new hardware platform,” he says.Because new threats arise continually and manufacturing facilities evolve over time, Marchewitz at SecureState recommends conducting security assessments at least annually and using them to update your action plan. “Even if a manufacturer did just one, that would be better than installing a firewall and hoping that’s enough—and way better than doing nothing,” he says. For more on securing industrial control system networks, listen to a podcast interview with Joe Weiss, managing partner at Applied Control Solutions, by Automation World Managing Editor Wes Iversen, at: www.automationworld.com/podcast-7304.
Subscribe to Automation World's RSS Feeds for Feature Articles
