Managing risk - the cybersecurity component

Ian Verhappen
Industrial Automation Networks Inc.

In 2009, a control system cyber security expert advised the U.S. Senate Committee on Commerce, Science, and Transportation that "current industrial control system cyber security is where mainstream IT security was fifteen years ago—it is in the formative stage and needs support to leapfrog the previous IT learning curve." As we all know, fifteen years is a long time in the technology arena. And at that time, deep wells were not really that deep, LNG plants were mostly on paper, and control systems were safe in their own proprietary worlds. Not so anymore. Everything is connected to everything else, and a "minor hiccup" on a platform off Australia will ripple through the energy supply chain to the LNG plant in Japan or the USA. Though no one is talking, at least not publically, we know that all the majors are being targeted, and it is only through their own diligence that anything that may have happened can be kept inside the company walls.

Cyber security must address deliberate attacks such as internal breaches, industrial espionage and terrorist strikes—as well as inadvertent compromises of the information infrastructure due to user errors, equipment failures and natural disasters. In the offshore environment, due to its location and distributed nature, cybersecurity is another risk that must be effectively managed. Many cybersecurity risks are often exacerbated with distance because the connection between the end nodes are difficult (if not almost impossible) to physically protect at all times. When this is combined with the fact that the majority of systems use some form of Ethernet to connect these nodes, it means that many of the same challenges faced by distributed office environments are also relevant when connecting offshore and on shore facilities.

Fortunately, because of the commonality of Ethernet and Windows, many of the same tools such as firewalls, Intrusion Detection Systems (IDS), VLANS, VPNs and techniques used in the office environment can also be deployed in real time, thus making it possible to quickly gain ground and catch up on the IT learning curve. Be mindful however that when using VPNs, it's critical to remember that the VPN only secures the tunnel and not the client or server. To ensure network security, it's critical that the VPN is seamlessly integrated into a suitable firewall and that appropriate protection is in place at either end of the VPN. Imagine you have a secure VPN between an offshore platform and the engineering support group on land. Then, someone accidentally types in the wrong IP address to download a test program to a remote PLC (in the room next door), but inadvertently sends the application to the controller operating the ballast pumps on your platform. Would that be an incident? You bet it would. To help prevent this sort of thing, major corporations have a range of policies and guidelines. And through their participation in open standards committees, they are able to share these best practices not only with each other but the industry as a whole.

In addition to the above hardware and software solutions that can be shared with the office environment, there are also a number of standards and guideline documents available to assist with system design and operation. The two organizations providing these documents are the North American Reliability Council (NERC), predominantly for the power industry; and the series of documents from ISA that are applicable across all industries. The ISA documents are in the process of being adopted as IEC standards and hence will have global applications.

There are several standards in the ISA-99 series, each covering a specific aspect or subset of the subject of manufacturing and control systems security. The available and standards under development and are:

• ISA 99.00.01 – Scope, Concepts, Models and Terminology; establishes the scope and context of the ISA 99 series of standards and defining the terminology used while describing the framework within which to position the basic concepts related to manufacturing and control systems security
• ISA 99.00.02 – Establishing a manufacturing and control systems security program; practical guidance and direction on how to establish the business case and design the program for a security program
• ISA 99.00.03 – Operating a manufacturing and control systems security program; this standard provides more normative material related to measuring or assessing program effectiveness
• ISA 99.00.04 – Specific security requirements for manufacturing and control systems; identify the differences between manufacturing and control systems as opposed to "traditional" IT systems.

In addition to the standards, the committee has developed and released two technical reports which by their nature are intended as guidelines on how to implement a standard, and are not normative in nature. The two technical reports are:

• ISA TR 99.00.01 – Technologies for protecting manufacturing and control systems; this technical report provides a reference for the selection of security technologies for protecting manufacturing and controls assets
• ISA TR 99.00.02 – Integrating electronic security into the manufacturing and control systems; provides a framework for developing an electronic security program and a recommended organization and structure for the security plan.

As a complement to the standards, there are a number of organizations providing "certification services" similar to what is available for safety systems. ISA now has a certification service, ISASecure, that verifies compliance with the ISA-99 standards. Two additional North American private companies, Achilles Certified Communications and MUSIC 2009-1 security certification, offer testing to a set of standards they have developed based on interpretation of industry best practices and a range of standards.

To reinforce the importance of cybersecurity in an industrial setting, and the importance policy plays as a component of the complete security and risk management program, let us examine Stuxnet, one of the most effective cyber attacks to date on control systems. Before discovery, Stuxnet was active for at least one month and probably six months. It infected at least 100,000 computers, and possibly many more systems. Stuxnet was particularly serious for two reasons. First, it took advantage of vulnerabilities that were unknown and un-patchable in the Windows operating system. Second, it was one of the first worms to specifically target an industrial automation system, as opposed to the more common tactic of attacking office-based computing systems. This indicates that attackers are now aware and capable of exploiting vulnerabilities in industrial automation systems. To this day, there are still no patches for some older Windows systems that may be used in some legacy real--time components.

The author

Ian Verhappen, P.Eng. is an ISA Fellow, ISA Certified Automation Professional, and a recognized authority on Foundation Fieldbus and industrial communications technologies. Verhappen operates a global consultancy Industrial Automation Networks Inc. specializing in field level industrial communications, process analytics and hydrocarbon facility automation.