Competitors only rarely team up to attack their mutual challenges. But when Dow and DuPont wanted to tackle the growing issue of network security nearly a decade ago, they realized it was an issue that required more insight and manpower than either could provide alone.
In 2002, the two chemical industry giants teamed up to form what has since evolved into a multi-company movement. Their efforts had obvious benefits for other industries, and quickly attracted support from the U.S. Department of Homeland Security. The advocates who started the program probably didn’t realize how much the project would grow and expand, but today the Chemical Sector Cyber Security Program (CSCSP) is being addressed by a large, multi-industry group managed by the American Chemistry Council.
The CSCSP has created a number of standards that form the basis of many corporate strategies for networking protection. Many of the documents are aimed at equipment owners, but they’re augmented by industry standards that complement chemical industry documents. As new attacks like Stuxnet change the landscape, product designers and standards developers are all racing to keep up. One positive is that efforts in one area typically carry over to other fields.
“We have around an 80 percent overlap with other industries,” says Eric Cosman, an engineering consultant at Dow Chemical of Midland, Mich. who helped set up the CSCSP. “Our documents lay out reference models that show how to organize networks and break the environments into zones.”
Chemical industry developers worked to supplement complementary work done in other standards groups and make those standards more accessible. By design, standards created by the International Society of Automation (ISA), National Institute of Science and Technology (NIST) and others are broad documents written for many industries. Guidelines can help simplify implementation, in part by providing examples that work in specific industries.
Though standards bodies have spent thousands of hours to help companies safeguard their networks, interest still remains surprisingly apathetic. The shift to Ethernet has made most facilities more vulnerable to attacks like those on the business side, but many companies still don’t feel there’s much need to protect manufacturing operations.
Vulnerability Planning
“Security is still low on many priority lists, but it’s been rising in interest and awareness,” says Brad Hegrat, senior principal security consultant for Rockwell Automation of Milwaukee. “When you ask information technology (IT) people about disaster recovery plans, they have a huge laundry list of things they practice for. When you ask about disaster recovery in industry, there are no plans in most organizations.”
Some security specialists say that, for many companies, not being impacted by viruses or hack attacks is almost accidental. Most companies spend a fair amount of time protecting corporate networks, but it’s not hard to find industrial operations that haven’t done much if anything to block vulnerable openings.
“We recently used a simple search engine to find several hundred instances of control systems that have ports open, providing an easy entry point,” says Bryan Singer, principal investigator for Kenexis Security Corp. of Helena, Ala. “There’s a very high level of unawareness. Most companies don’t start spending money on security until after they’ve been compromised.”
Many security standards focus on plant owners, who have the most to lose if their facility networks are compromised. Standards also address equipment makers, who augment these efforts with plenty of their own research and development. But plant owners can make many decisions that impact network security, limiting the impact of protection that’s built into equipment.
That’s why ISA99, the largest industrial security standard available, provides far more information for facilities than for equipment makers. “Its focus is about 80 percent on owners and 20 percent vendor requirements,” says Singer, who’s also co-chairman of the ISA99 committee on security.
Some groups focus more on the equipment side. For example, equipment makers can have their products certified by the WIB, the International Instrument Users Association based in The Hague, Netherlands. While ISA leaders acknowledge that there are definite benefits to this approach, they don’t plan to shift their focus from equipment owners.
“I’m very hesitant to push something like WIB certification into ISA99. If we’re not careful, owners will say security is a vendor thing and they won’t do as much to protect themselves,” Singer says. “You can’t just say ‘build a better device.’ It’s more about how you implement the system.”
Security Assurance Levels
One reason some companies don’t tackle security is that their facilities aren’t as likely as chemical plants, utilities or high-volume manufacturers to see focused attacks. That’s prompted the ISA to begin augmenting its highly regarded ISA99 suite of standards with a program called the Security Assurance Level.
This new concept targets the aspects of security that are needed for varying levels of protection. It lets users determine how much they need safeguards. “The concept of security assurance levels provides a method to semi-quantify security, and put it on a footing that people can measure. It’s similar to the safety integrity levels used for safety,” says Dow’s Cosman, who’s also co-chairman of the ISA99 committee.
That is only one of the areas in which standards bodies are changing their approach in response to the rapid evolution of threats to networks. “With emerging threats like Stuxnet, we’ve formed a task group to look at all our work projects, along with the road map, to see if we should change anything in light of the changing landscape,” Cosman says. Underscoring the need to quickly address this shifting environment, he notes that the committee has been put on a fast track.
Wireless Protection Schemes
If the challenges of protecting communications weren’t daunting enough, the growing use of wireless industrial networks brings a new twist to protection. In the past, security specialists spent much of their time figuring out how to thwart attacks from the outside or how to prevent damage when issues arise inside the facility.
Wireless protection schemes must ensure that outside interference doesn’t disrupt signals and that hackers with powerful antennas can’t steal signals or beam their communications in so they can hijack the network. As with network security standards, the cross pollination between fields makes for rapid development of best practices.
The security techniques developed for home and business networks are just as effective in industrial applications. “If wireless setups are done properly with the latest implementation of standards like Wi-Fi Protected Access Two, companies won’t see much of a threat,” says Raj Rajani, Ethernet infrastructure marketing manager for Siemens’ Norcross, Ga., facility.
When companies decide to install security programs and technology, they have to run through the same analysis of costs and benefits as they do for other capital expenditures. When security works well, nothing bad happens, so it can be hard to convince those who hold the purse strings that they need to invest in protection.
As hackers find new vulnerabilities to exploit software providers respond with software upgrades, finding the time to install patches can be difficult, since production must often be interrupted when upgrades are loaded onto systems. Managers must realize that the cost of not scheduling some downtime for patch installation can cause bigger problems down the road.
“In IT, no one gets a black eye if you’re down an hour or two for patches. In process control, availability is priority number one,” says Ken Keiser, PCS 7 marketing manager for Siemens Industry Inc. “Microsoft issues patches all the time. Some people are very vigilant about applying them, others are not.”
Measuring overall return on investment for network protection has been an issue since the early days of the shift to Ethernet. Standards bodies have written documents that help industrial managers analyze their need for security and understand which techniques and tools will give them the most for their investments.
“ISA99 has a good risk analysis section. You can see the risks and costs of doing or not doing something,” Keiser says. “That helps people show higher management the need for security.”
One element of this analysis is to understand the potential threat level. That’s an equally complex issue that’s also been difficult to analyze. The CSCSP made threat analysis one of its first documents.
“Vulnerability assessment was one of our early topics. It’s an area that was clouded with confusion,” Cosman says. “We set out the pros and cons of different approaches, saying ‘the authors feel these are the pluses and minuses of various schemes.’ Users can decide which techniques best fit their specific requirements.”
Many observers suggest that security can play a role in improving productivity. When managers analyze their networks and make changes, they can often eliminate many of the glitches that plague many facilities. When strange events occur, there’s a fairly good chance that security technology could have prevented the downtime.
“I prefer not to justify security on its own, but instead to look at any increase in uptime,” Hegrat says. “The easiest way to do this is to look at what causes downtime, looking at known security issues and outage anomalies with no known cause.”
Others agree that improving security can improve uptime, making that a good measure of effectiveness. “When a plant operator talks about weird shutdowns, it means there’s a serious problem,” Singer says. “A lot of plants today run in spite of themselves.”
May 2011, Related Feature – Technological Advances, Better Designs Protect Networks?
To read the feature article, visit http://www.automationworld.com/feature-8783
