When it comes to plant security, companies don’t like to admit their mistakes.
Often, those mistakes come during a clash of misunderstanding between control engineers and the company’s information technology (IT) department. A process control center in a chemical plant is a recent example. The plant’s control center needed to upgrade to a new computer and install advanced software. Plant engineers installed the software and then went to lunch.
Meanwhile, the IT administrator on the company’s network recognized a new computer on the line and the virus scanner found data on a five-year-old, third-party historian package. The administrator thought the data was a virus and quarantined it. Problem is, the historian data contained production information that was required for compliance. Luckily, the process control team came back from lunch in time to fix the problem before the data was lost.
Many plants have spent recent years adding off-the-shelf computers and software. They’ve also started sharing data with the business side. This leaves plants vulnerable to intrusions of all sorts, many of them inadvertent. IT departments—normally the experts on securing networks—have given plants a hand, but they don’t always understand plants’ needs or the workings of control systems. Some companies have solved this clash by creating a mixed team of IT and control engineers.
No more isolation
Plants used to be secure by their isolation. They were apart from the business office, both physically and technologically. Their proprietary systems were not connected to networks outside the plant itself. Two things changed. One, plants began to adopt off-the-shelf technology—personal computers (PCs) and software such as Microsoft Windows. Two, plants started to share information with the office, customers and suppliers. That resulted in more efficient plants that were also vulnerable to intrusion.
Even as plants moved to off-the-shelf technology, they often remained securely isolated. The connections to the business and enterprise resource planning (ERP) systems created the greatest vulnerability. “In the past, even if you got a virus on the PC [in the office], it wouldn’t get on the network,” says Dan Miklovic, research vice president at Gartner Inc., in Stamford, Conn. “But users demanded more open systems. What won out was Microsoft at the network level. Now we can have connectivity and we can also get a virus down into the control system.”
With a fully networked plant, even the control devices can be infiltrated through the network. “The control devices have a lot of legacy stuff, and now they’re getting connected to the business enterprise, and there are challenges,” says Kevin Staggs, global security architect at controls vendor Honeywell Process Solutions, in Phoenix. “Legacy protocol has migrated to PC networks, and those legacy systems have protocols that are not open. But now they’re being sent out on an open system, so they have to be firewalled.”
Not all threats are deliberate. Once you have the plant connected to the enterprise, a well-intended employee can disrupt the plant network. “There are advertent and inadvertent threats. It comes from connecting the plant to the business,” says Doug Clifton, global managing consultant of security at the Cyber Security Practice at Invensys, a London-based automation conglomerate. “Plant devices are being installed, configured and forgotten. As a result, there are unmanaged connections. We believe they need to be managed.”
Many of the problems in securing the plant come from the differences in priorities between plant operators and IT staff. The conflicts come from misunderstandings of what’s required for security and what’s required to make the plant run efficiently. The plant’s highest priority is availability. IT’s highest priority is confidentiality. IT, by its nature, is willing to sacrifice availability to protect confidentiality; the plant doesn’t want to sacrifice availability for anything.
When IT has full control of plant security, decisions are made based on office protocol rather than on the needs of plant operations. “The worst case scenario is when IT has complete authority on the plant floor. If they see unusual activity, they’ll disable the protocol,” says Bryan Singer, vice president of security services, Wurldtech Security Technologies Inc., a Vancouver, British Columbia, Canada-based provider of industrial cyber security solutions. Singer notes that he saw a piece of machinery going down at a plant where IT was in charge. The plant maintenance person wanted to see what was going on with the error messages, but IT saw the machine dying and kept shutting it down. “The plant people couldn’t find out what was going on because the IT folks kept shutting down the network rather than analyzing the error message,” Singer relates.
The tools for securing the plant are readily available. But the issue often comes down to who is in charge of the security system. “The number-one challenge is people and organizational structure, not technology,” says Brad Hegrat, senior network security engineer for vendor Rockwell Automation Inc., in Milwaukee. “There are plenty of tools to technically secure the environment, but there is a huge ownership challenge.”
The IT group thoroughly understands security, but IT personnel don’t always know how the plant operates, nor do they share the plant’s priorities of constant availability. “When it comes to patch management, things get tricky. The process used for desktops cannot be used for plant systems,” says Bob Mick, vice president of emerging technology for ARC Advisory Group Inc., in Dedham, Mass. “Corporate IT is good at collecting data and monitoring threats, but the plant guys are trying to optimize their processes. So they see what’s affecting them differently.”
Because the plant puts its greatest emphasis on availability, security can become an afterthought, even a threat to optimization. “Plant operators are not really tuned into security—the engineer is concerned about reliability,” says Roy Kok, vice president of marketing for Kepware Technologies Inc., Portland, Maine, a supplier of communication software for automation. “You have the traditional problem that engineering owns the plant, and IT owns the business applications. The IT network is too intrusive. For automation, intrusive means it can potentially do things that can disrupt the plant operation.” An intrusion into the automation system can shut things down and potentially cost someone an arm.
The best solutions for securing the plant usually come through strong communication between plant operators and IT personnel. One of the more popular emerging solutions is the creation of a team consisting of plant engineers and IT staff. This team takes on the responsibility for securing the plant, and no decisions are made without input from both control engineers and IT staff.
Many plants stick with the age-old solution of isolation. Add a few PCs, but keep the plant from touching the outside world. “Some systems get left alone. Power plants have systems that don’t touch the Internet,” says Dave Kennedy, practice lead for profiling and e-discovery at SecureState, a security technology firm in Cleveland. “They’re making the whole plant environment its own island. You have the latest software, but sometimes it is still its own island.”
While control engineers and IT personnel hold different views of how to secure the plant, companies are solving the clash through mixed teams and simple communications. The problem tends to be cultural, not technical. Successful solutions only come when plant engineers and IT people understand each other’s different priorities.
To view the accompanying article to this story, "Tactics for Plant Security", go to www.automationworld.com/feature-4258
To view the accompanying article to this story, "Office/Plant Security Clash", go to www.automationworld.com/feature-4259