“Shut it down.” “I can’t shut it down.” “Override it.” “It’s not responding.” Slowly, a robotic arm paints the name “Suki” on the side of a car. The announcer asks, “How secure is your business?”
This television commercial for EDS, which first aired in 2002, shows how vulnerable manufacturing control systems can be in the Internet age, when a young girl named Suki can remotely control an automobile painting line from her home computer.
Pure fiction? More and more industry experts believe that we’re standing on the precipice of a major breakdown in manufacturing and process control security. The same developments that have proved so beneficial to automation—open systems, standard software platforms, Ethernet, wireless networks, intranets and Web browsers—are leaving gaping holes in the security infrastructure. On a Web site that reviewed the “Suki” commercial, one visitor commented, “This is just too funny. It would be cool to hack into a car plant like that.”
Number one pain point
I recently discussed manufacturing security issues with Carolyn Vander Wall, director of the cyber security initiative for CIDX, the Chemical Industry Data Exchange trade association. With the creation of the cyber security initiative in February 2003, CIDX has taken a leadership role in the development of security guidances and standards for the chemical industry, and in the acceleration of technology to support products and services for cyber security.
Vander Wall, who has worked in various management roles in the Information Technology organization at Dow Chemical, is on full-time loan to CIDX for her initiative director position. She believes the area of greatest pain in cyber security, and conversely, the area for the most opportunity, is in manufacturing control system security. “There is a lot of attention being paid to this issue, by standards bodies such as the Instrumentation, Systems and Automation Society (ISA) and by the U.S. government, through the Dept. of Homeland Security (DHS),” says Vander Wall.
CIDX members have an active role on the ISA SP99 standards committee, which has recently released several technical reports on cyber security and has working papers out for comment. As well, CIDX is in dialogues with the Idaho National Laboratory (INL) Control Systems Security and Test Center, created by the DHS, and the Process Control Security Requirements Forum, sponsored by the National Institute of Standards and Technology (NIST), to promote its work in cyber security.
All of these organizations—CIDX, NIST, INL and DHS—share the common belief that the widespread use of information technologies for remote monitoring and control of industrial processes has unintentionally introduced security vulnerabilities. In particular, according to Vander Wall, the American Chemistry Council (ACC) has set a June 2005 deadline for its members to comply with the Responsible Care Security Code that includes a plant site assessment of cyber security vulnerabilities and the definition of an action plan to address any gaps that are found. According to the ACC Web site, its members have invested more than $2 billion in security since the terrorist attacks on Sept. 11, 2001.
Clearly, the time is now to address cyber security issues in your own facility. For assistance, contact your industrial trade association, or visit any of the Web sites shown here:
Idaho National Laboratory: www.inel.gov
Responsible Care: www.responsiblecare-us.com