If you discovered that a computer worm or virus had infiltrated your distributed control system (DCS), what would you do?When Shell, the major, Dutch-based petroleum company, asked its operators this question several years ago, their answers came quickly. They would call the corporate information technology (IT) help desk. The only problem, as a team of Shell control-system security experts discovered, was that the IT help desk didn’t know what to do. While the IT experts on the help desk were well-versed in the ways of corporate personal computers (PCs), office applications and global enterprise systems, they were not familiar with the requirements of real-time control systems that could not be arbitrarily shut down, patched and restarted. “Doing something on a DCS is like fixing your car while you’re driving it on the motorway,” observes Ted Angevaare. “Of course, our operators are aware of that, but our IT people didn’t know,” says Angevaare, who is Shell’s global manager of process control security and architecture, in Rijswijk, The Netherlands. “IT and process control are two different worlds.”DCS help deskAs a result, Shell today has established a dedicated process-control assist desk for security issues that is staffed by specially trained people who know the ins and outs of control systems. Shell control system operators, engineers and others in any of about 30 Shell refineries and thousands of other facilities worldwide can now call a special number and “always get a person on the phone who understands real-time systems,” says Angevaare, who heads up a team of 14 Shell experts involved in process control security and architecture, remote operations and training for Shell.The 24/7 process-control assist desk, which currently employs nine people, has been in operation since the beginning of this year. And it is only a small piece of what Angevaare says is an ongoing, multimillion-dollar program at Shell aimed at process-control-systems cyber security. Among other things, Angevaare’s team has developed an extensive set of internal cyber-security standards that have been put in place at Shell facilities worldwide, and it is working with an outside cyber-security company to develop Shell security certification programs for its automation and control systems vendors.Citing trends such as an exponential increase in the number of malicious codes on the loose—around 1.5 million by one recent count—and the malicious intent of terrorists and others, Angevaare warns that critical infrastructure companies cannot afford to wait to take steps to protect their control systems from cyber incidents and attacks. He cites a number of specific steps that companies must take. One layer of protection comes from working with vendors to ensure that control systems are patched as soon as possible to protect against the latest cyber vulnerabilities. Shell’s process-control vendors are “working hard” on this front and doing a reasonably good job, says Angevaare, though, of course, he adds, “there is always room for improvement.” Another necessary step is “system hardening,” which Angevaare defines as the removal of all software from a process control system that isn’t absolutely necessary. If only an Excel spreadsheet is needed on a DCS, for example, why install the entire Microsoft Office suite, which also includes applications such as Word and Outlook that can add more vulnerabilities, Angevaare asks.An even more important step is ensuring that the people who work in control systems have a certain level of expertise, Angevaare notes. “At Shell, we are launching all sorts of training programs so that people can recognize security threats and issues, and so that they know what to do as soon as we are infected.”When it comes to making control systems more secure, “the people side is very, very important,” Angevaare stresses. That’s why Shell has created and implemented its own set of standards company-wide that cover roles and responsibilities within the cyber-security space. “We have 18 standards, and that’s a lot, because we’re dealing with lots of subjects—security administration, remote access, risk assessments in the process-control world, and many other subjects that are very well described in our standards,” says Angevaare.It was “a costly exercise” to develop these standards, but “we needed something to move forward,” says Angevaare, citing the slow pace of development for international standards on control-systems cyber security. The International Society for Automation’s ISA99 Industrial Automation and Control Systems Security committee—which held its first meeting in 2002—has still not produced a comprehensive set of cyber security standards, he points out. “Those are the standards we in industry are all looking for, and those will be rolled up into the IEC (for International Electrotechnical Commission) for development as an international standard,” says Angevaare. “We are still waiting, but I don’t think we can expect a lot [from ISA99] within the next year.”Work on Shell’s internal standards was first begun four to five years ago, and the standards are now fully in place, he says. Given that security threats and mitigation technologies continue to evolve rapidly, Shell is committed to continuously improving and optimizing these internal standards as well, Angevaare adds.Among other activities, Shell is also working with Wurldtech Security Technologies, a Vancouver, British Columbia, Canada-based company, to develop certification programs for Shell’s control-systems vendors, says Angevaare. Under one program, Shell will require each vendor to obtain a “basic security certificate” from Wurldtech, which will check to ensure that the vendor meets Shell basic cyber-security requirements.Banned laptopsItems covered will include a vendor’s use of security patches and its patching procedures, along with its use of system hardening and other steps to protect its products. The basic certification will also restrict vendor policies and procedures during activities such as site acceptance tests and field acceptance tests, including the use of laptop PCs on a job site, which could introduce worms or viruses into a control system network. “Imagine you have a start-up of a facility and you have hundreds of vendor representatives running around with laptops under their arms,” says Angevaare. “We can no longer accept this, and this basic security certification that we are launching and developing together with Wurldtech should put a stop to that.”Shell is also working with Wurldtech on its Achilles certification program, which subjects vendor control systems to a series of tests designed to determine robustness and resistance to cyber attacks. Controllers that pass currently receive Wurldtech’s Achilles Level 1 certified designation.“Achilles testing is not mandatory at the moment in Shell, but is still optional,” says Angevaare. “We don’t want to overwhelm the vendors by giving them too much too quickly to comply to.” Current plans call for making the Shell basic security certificate mandatory for vendors later this year when the program is completed, says Angevaare. Shell then plans to mandate Achilles Level 1 certification for its vendors “sometime during 2010,” he concludes.
Subscribe to Automation World's RSS Feeds for Feature Articles
