Cyber security in process plants: Recognizing risks, addressing current threats
As attacks on industrial control systems (ICSs) become more frequent and increasingly sophisticated, defensive strategies must evolve to keep up. Fortunately, the tools are getting better. See related video.
Process industries are no place for uncertainty and risk. Companies in the oil and gas, refining, petrochemical, and power-generation industries, among others, must prevent and mitigate cyber security threats that jeopardize their production operations, including risks to plant infrastructure, assets, personnel, and the environment.
Industrial firms should need to take certain steps to protect critical facilities. Taking those steps is easier with an understanding of current and future cyber security risks, past incidents in process sectors, and knowledge of ever-changing security challenges.
The situation today
In recent years, industrial cyber security threats have grown from the esoteric practice of a few specialists to a problem of general concern. All stakeholders now have a new responsibility in promoting the safety, reliability, and stability of critical industrial infrastructure.
With the rising threat of malware in today's open computing platforms, the typical ICS (industrial control system) is increasingly vulnerable to outside modification. Cyber attacks on plant-automation systems have not only increased, but also have grown more sophisticated in recent years. From targeted information gathering and theft to elimination of crucial data, these intrusions represent a real and present danger to plant productivity, reliability, and safety.
Taking steps to address ICS cyber security should also improve the control system's resilience to other adverse incidents, reducing unplanned downtime and facilitating a more rapid return to "business as usual" following an incident.
The plant floor and process units have become a growing area of concern for cyber security. In much of the industrial base, operations are digitally driven. The era of analog has given way to networks of computers, automated machinery, and ubiquitous sensors. Plants are driven by a digital thread of technical data—product and process information—that can be shared throughout the enterprise and must be protected.
Much attention has been given to protecting technical information in IT systems and networks. But protecting the operational systems of a manufacturing enterprise presents a new and different set of challenges. Not only must the technical data be shielded from theft, it also must be protected from alteration that could impair proper functioning of a process operation or affect the safety and availability of the production system. These concerns are especially challenging for small and mid-size companies. For industrial sites, vulnerabilities to cyber threats include:
- Lack of security policies and procedures
- Communications between the Internet to the corporation
- Communications between the business LAN (local area network) and process-control network
- Insufficient or out-of-date cyber security controls, such as anti-malware software
- Obsolete or missing security patches
- Inadequate security configurations
- Incomplete or infrequent backups.
To safeguard their complex properly, including mission critical ICSs, process industry companies must work to make every networked device secure and protected against malware intrusions and malicious commands that may come from local ports and LAN interfaces. At the same time, all plant networks need to be shielded from intrusions and properly zoned to help deter and contain network-based threats.
Attacks on a plant automation system may involve only the cyber components and their operation, but those impacts can extend into the physical, business, human, and environmental systems to which they are connected. A cyber event, whether initiated externally, internally, or due to inadequate policies and procedures, can lead to a loss of system control and the corresponding negative consequences.
All of this brings us to the most important question: Are process industry companies prepared to handle a coordinated cyber attack?
Examining previous incidents
During recent years, the industrial sector has been the target of numerous, well-known cyber attacks. The U.S. Dept. of Homeland Security (DHS) reported ICS infrastructure faced at least 245 cyber security incidents in fiscal year 2014. The energy sector saw the greatest number of incidents, followed by critical manufacturing.
About 55% of incidents reported to the DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) involved advanced persistent threats or sophisticated threat actors. The majority of incidents were said to have an "unknown" access vector, meaning that there was not enough forensic evidence to confirm the method used for intrusion.
The Stuxnet attack on Iran's uranium enrichment facility in 2010 initially caused many companies to recognize their ICS installations were vulnerable and potential targets for cyber criminals, terrorists, and unfriendly nations. Since then, we've seen increased activity. The threat has evolved, continuing a trend that Stuxnet began with increasingly sophisticated and complex malware. Flame, Duqu, Shamoon, Dragonfly, Black Energy, and other campaigns continue to target energy and industrial organizations.
The threat is no longer speculative, but something that has been proven by history: The prospect of cyber attacks to critical infrastructure such as refineries, offshore platforms, power grids, and pipelines is significant and rising.
Addressing increased threats
Throughout all industries, there is a need for organizations to evaluate their cyber vulnerabilities and implement a robust security strategy to counter them. While most tier-one companies have a security plan to deal with cyber attacks, it is not the same with smaller companies where productivity is often deemed more important than security. These companies are either struggling with the cyber security issue, or may only associate cyber attacks with terrorist organizations seeking to cause mass destruction.
In process manufacturing sectors, organizations of all types and sizes must be able to adapt themselves to the latest technologies and international best practices. Smarter, information-driven business requires the use of smarter devices and increased digital communication. This in turn increases the attack surface, and so dictates a stronger and more comprehensive cyber security plan.
Key initiatives for process firms, therefore, need to include:
- Increased availability of operational data to drive smarter and more efficient production
- Continuous awareness of cyber security risk to align stronger cyber security controls with smarter business and operational practices.
Of course, this isn't as easy as it sounds. Significant factors make ICS cyber security difficult for suppliers as well as end users. An ICS cyber security solution is not a single product; instead, it is a combination of architecture, practices, behavior, security components (both hardware and software), and third-party services.
Effective cyber protection requires greater network separation; stronger authentication and access controls; much tighter control of portable file and media handling; increased group policy enforcement; and much more strict cyber-incident containment, security management, change control, configuration, and maintenance.
That's quite a list and few companies are prepared to take on something of that magnitude single-handedly. Many industrial organizations are seeking outside help in dealing with escalating cyber threats. Although solutions exist for protecting physical and electronic assets, only a comprehensive, integrated approach to information security will provide for the safety of employees, equipment, and intellectual property.
The essential steps for putting an effective cyber security strategy into action include:
Understand risk: A comprehensive cyber security risk assessment is invaluable for evaluating the current security posture, and prioritizing efforts to reduce risks. Recurring assessments can be used to track milestones and the maturity of a security program to indicate progress in reaching the desired assurance level. Technical controls can even be assessed continuously, using a new breed of security-monitoring tool that focuses on industrial risk management.
Perform audits to pinpoint trends: Industrial organizations should also undertake independent audits to assess the adequacy of system controls, determine compliance with established policies and operational procedures, and recommend necessary changes. This approach provides a view of trends and pinpoints performance versus predefined metrics.
Deploy secure and reliable architectures: A secure architecture approach provides a long-term baseline for control-system availability, reliability, and safety. It is important to realize the advantages and shortcomings of various cyber security architectures, and to understand the pros and cons of different topologies based on proper segmentation of security zones and conduits.
Establish proper network security: Network security typically serves as the first line of defense against a cyber threat. For this reason, firms should take care to employ cyber security countermeasures, such as firewalls, threat detection, and security analytics, to enforce policies and procedures restricting unauthorized access to, and use of, system resources.
Protect network endpoints: Effective means of protection are essential to secure various endpoints on the process-control network prior to granting device access. ICS departments can safeguard their network through patching, anti-virus protection, application whitelisting, end-node hardening, and portable media security.
Identify hazardous situations: The need for ongoing situational awareness of cyber vulnerabilities and threats cannot be overstated. Plant personnel gain the ability to interpret and understand activity on the control network through continuous monitoring, compliance and reporting, security analytics, security information and event management, and security awareness training.
Expedite recovery and response: In any industrial operation, backups of trusted and clean systems need to be kept current so they can be restored quickly. These precautions should be a part of a broader incident- and disaster-recovery plan to minimize downtime and limit potential damages.
To protect their enterprises, process industry companies must take a proactive approach to cyber security that involves ongoing risk assessment, well-defined security policies, and an aggressive overall security strategy. They must also remain highly vigilant, as the consequences of cyber attacks are too great to ignore.
- Eric Knapp is global director of cyber security solutions and technology for Honeywell Process Solutions. Edited by Peter Welander, content manager, Control Engineering, firstname.lastname@example.org.
- The number of attacks on industrial networks, particularly process plants, are growing rapidly.
- Attackers are gaining new skills that allow them to slip past defenses that would probably have been effective just a few years ago.
- Defensive strategies have also evolved, helping users keep their plants safe and their critical information under control.
- See related stories on cyber security below.