From: Engineer Live

Cyber security is becoming an increasingly important aspect of  plant management. Here we look at the strategies and technologies being  used by suppliers to ensure that process plants minimise their  vulnerability to cyber attacks. Eugene McCarthy reports.

Over the past two years, industrial infrastructure has been  identified as a key target for hackers and government-sponsored warfare,  attracting some of the most sophisticated cyber attacks on record.

Belden, a global leader in signal transmission solutions for  mission-critical applications, in coordination with Tofino Security –  part of Belden’s Hirschmann brand – has developed a product portfolio  and business processes to protect critical infrastructure against these  emerging threats.

Legacy industrial communication and networking systems originally  designed to work only within facility walls are opening up, as  organisations look to work smarter and more efficiently. As a result,  the industrial floor has become a hotbed of information activity, with  intelligence passing back and forth between industrial settings and  outside systems.

“It’s vital for companies to employ industrial Ethernet systems  enforced with secure industrial cabling, switches, routers and firewalls  if they are going to protect critical operations from cyber sabotage,”  said Eric Byres, cto and vice president of engineering at Tofino  Security. “The push for efficiency now requires increased information  passing between the industrial and enterprise systems. This  significantly elevates the risk and need for top-notch security –  starting at the plant floor.”

But the level of sophistication shown by Stuxnet, Night Dragon and  Flame – and the open aggression between countries – requires more than  advanced hardware protection. Company policies and internal security  processes across all system components are crucial to the success of any  security system in an era of heightened threat. The likely targets of  cyber attacks aimed at nation states include energy and water supply.

Complementing the Belden industrial Ethernet product offering, Tofino  Security, in partnership with exida, recommends a seven-step process  designed to help protect industrial systems from these highly advanced  threats:

– Assess existing systems: understand risk and prioritise vulnerabilities.

– Document policies and procedures: determine position regarding  industrial control systems (ICS) and develop company-specific policies.

– Train personnel and contractors: develop and institute policy awareness and training programmes.

– Segment the control system network: create distinct network segments and isolate critical parts of the system.

– Control access to the system: provide physical and logistical access controls.

– Harden the components of the system: lock down the functionality of components.

– Monitor and maintain the system: update antivirus signatures, install patches and monitor for suspicious activity.

John Cusimano, director of security at exida, said: “Security  researchers and hackers have identified numerous vulnerabilities in the  products used in industrial operations – specifically the water, energy  and transportation industries – and it’s absolutely vital that companies  start now to secure core components through best practice policies and  industrially-focused security technologies,” said Byres.

Dedicated teams tackle the cyber threat

Meanwhile Honeywell has formed an Industrial IT Solutions group, a  global team of experts who can help manufacturers and process industry  facilities protect against cyber threats.

Part of Honeywell Process Solutions, the Industrial IT Solutions  group specialises in the design, performance assessment and protection  of networks used in the process industry, including wireless instrument  and Scada platforms. Its offerings will provide a comprehensive range of  vendor-neutral technology and services required to assess, remediate,  maintain and manage plant automation network performance,  vulnerabilities and cyber security measures.

Jon Lippin, vice president and general manager, Honeywell Lifecycle  Solutions and Services for Honeywell Process Solutions, said: “As  control networks continue to expand and integrate to business systems,  the risks and complexity of cyber vulnerabilities must be addressed with  the same vigilance as process safety risks assessments.”

Honeywell’s industrial IT services are based on extensive knowledge  in IT systems and a deep understanding of process control environments.  The company has completed hundreds of industrial IT projects across the  globe.

“Honeywell has invested in building the Industrial IT Solutions  practice to help industrial plant, pipeline and asset owners stay ahead  of the threats, regardless of control system vendor or location. We  provide a scalable approach to managing all aspects of today’s  industrial control system networks,” Lippin added.

Comprised of network and security-certified professionals, the  Industrial IT Solutions group focuses on four key activities: assessing a  plant’s assets against industry standards, regulatory requirements and  best practices; remediating issues identified in the assessment phase  with a custom-designed programme; managing the plant’s industrial IT  investment with support, training, and services such as network security  administration, anti-virus management, and patch management; and  maintaining the plant’s solutions through programmes such as performance  and security monitoring, change management, monthly status reporting,  etc.

For its part, Invensys Operations Management (IOM) addresses  compliance and cyber security challenges from analysis through to  implementation and management. This begins with expert consulting,  followed by the creation of an overall cyber security plan and  remediation strategy encompassing processes, procedures, people,  products, networks and applications.

IOM says its solution is unique because it provides cyber security  compliance for critical infrastructure, and also integrates seamlessly  between manufacturing operations and corporate IT networks. Key  capabilities here include: compliance with information security,  physical security and business continuity; compliance with industry,  regulatory, international and internal corporate standards; security  experts with a regional and global understanding of current requirements  and constraints; government and regulatory understanding and  involvement; network design, optimisation and security implementation.

According to IOM, this approach brings a raft of key benefits such  as: hardware independence: cyber security compliant solutions works on  any vendor’s control systems and any type of security technology;  regulation knowledge: thorough understanding of all relevant  regulations.

Siemens says it is one of the very few companies with an in-house  private cyber emergency response team (CERT) that can help process  companies achieve North American Electric Reliability Council (NERC)  critical infrastructure protection (CIP). Its on-site cyber security and  NERC CIP assessments are designed to help users identify any existing  security vulnerabilities in control systems, related IT infrastructures  and beyond.

Together with its cyber security alliance partners, the company  provides comprehensive security audits to assess compliance with NERC  CIP-002 through CIP-009.

The process includes evaluating current control systems, and related  cyber systems to assess whether they meet the controls relevant CIP-005,  007 and 009 sections. These sections can be addressed separately from  the overall assessment.

Following the assessment, Siemens provides a detailed report  documenting all the findings. Customised recommendations also will be  offered to improve and enhance cyber security in order to meet and  maintain NERC CIP compliance.

Many of Siemens power plant automation (SPPA) systems are designed  with enhanced security configurations and architecture to meet NERC CIP  standards. For example the innovative SPPA-T3000 control system is  delivered ‘NERC CIP Ready’ (Fig. 1).v

Security solutions

New from Emerson is a tie-up with NitroSecurity to further enhance  the security of its Ovation system while also helping to reduce the  costs associated with the evolving North American Electric Reliability  Corporation (NERC) critical infrastructure protection (CIP) standards  compliance.

This relationship adds security information and event management  (SIEM), which provides continuous electronic access monitoring (CIP-005)  and security status monitoring (CIP-007). It also adds an intrusion  prevention system (IPS) (CIP-005) and log collection, storage, and  management (CIP-005). These capabilities add to the Ovation Security  Centre (OSC)’s user management, DMZ router/firewall, antivirus defence,  vulnerability scan and patch management, malware prevention, security  patch validation, virus signature validation, security advisories,  security assessment, technical feasibility exception (TFE) support, and  ports and services documents.

Rockwell Automation’s security taskforce has dealt with two security  vulnerabilities uncovered earlier in 2012. The first were discovered in  the Allen-Bradley ControlLogix L5561, 1756-ENBT module and MicroLogix  1100 controller and security advisories were immediately released about  them.

The company then learned of two previously unknown security  vulnerabilities in the RNADiagReceiver.exe service of the FactoryTalk  Services Platform (FTSP). An advisory has also been added to the  Rockwell Automation Security Advisory Index about this.

“We recognise that with every advisory, new concerns are raised about  control system security risks and their susceptibility to both  accidental and malicious threats. For this reason, we continue to invest  in our products, systems and services to help you protect what is  important to you. We also continue to maintain our close working  relationships with reputable agencies and the industrial security  research community at large. Through these actions and practices, we  remain committed to helping you and the automation industry recognise  and remediate contemporary security risks,” says the company.