Protect control systems from the Internet

The plant control system would seem to be one of the best-protected computer networks from those who might seek to do harm. It is typically so removed from the Internet that hackers and viruses should have a difficult time finding the control system. And that's just fine with most control engineers, who know that any connectivity to the Internet increases the potential for mischief.

By Jon Westbrock August 1, 2005

But the front offices want immediate access to data from the plant floor. They either need to be able to reach down to the control networks or have what they want sent up. At the same time, local plant officials are pressed to provide more data via enterprise-wide networks to individuals in other locations.

However, any time access is provided to the control network, the control system is exposed.

Typically, large process industry plants have more than one network dedicated to process automation as well as a plant network, which is used for supplementary operations and maintenance functions. Above that is a network used by various business systems.

Firewalls, which help to secure network traffic by providing application-specific filtering to block malicious communications, should be used to block protocols and ports not used by an application, thereby separating and protecting each network. Firewalls also allow parts of the network to be disconnected in the event of an attack. However, firewall use between the business network and the plant network is much less common than a firewall between plant and control networks.

Three options

Here are three ways to protect against potential intrusions into process control systems. Which one to follow depends largely upon the amount of risk you can tolerate and the benefit you’re seeking.

1. Isolate the network. The safest approach is to keep the control network locked down, allowing only physical access by authorized persons to the operator stations and connected machines. This is the most restrictive approach, preventing access by others in and outside the plant.

Most systems manufacturers are very protective and would be happy to see control networks untouched by the outside world. Emerson, for example, only allows connection to the plant or business networks through a limited set of workstations on the control network that have been specifically set up to provide this connection.

2. Go ahead and connect. The fast, easy, and reckless approach is simply to connect the control network to the plant and business networks and hope for the best. The worst may never happen, but if it does, consequences may be difficult to explain.

3. Make connections in an intelligent, controlled fashion. Several things can and should be done to protect control networks:

Use firewalls and routers to segment the network properly. Properly established firewalls block specific messages or message types, enabling network administrators to control what sorts of traffic can flow into and out of a control network. If well-known ports, such as the HTTP and RPC ports, must be open, risk of penetration to the control network increases. Unfortunately, these are the same ports that many applications require to be open.

Establish policies and procedures for maintaining firewalls and ensure that they are properly configured. Rules should identify who can change the firewall, define permitted changes and provide for oversight. System security is chiefly a process issue—not a technology issue.

Protection provided by firewalls can be enhanced through use of intrusion detection systems, which monitor network traffic to identify inappropriate activity. These systems can help identify when firewalls are ineffective or when an attack is underway through open ports.

All the firewalls in the world won’t protect a system with weak passwords. Automatically generated passwords are best, but tools such as Password Minder and Password Safe are often required to help generate and manage them. Finally, keep all non-essential software off computers directly connected to the control network. The more software installed on these computers, the greater the risk of a virus that can disrupt or disable plant operations.
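As an added illustration of the firewall segmentation step above (not code from the article or from Emerson), the following audit evaluates a rule list the way a first-match packet filter would and reports any HTTP, RPC, or unused port that is not explicitly denied on the way into the control network. The zone names, the rule format, both sample policies, and ports 50000 and 50001 are constructed assumptions.

```python
from dataclasses import dataclass

# Well-known ports of the kind the article warns about (HTTP and RPC).
RISKY_PORTS = {80: "HTTP", 111: "ONC RPC portmapper", 135: "MS-RPC endpoint mapper"}
UNUSED_PORT = 50001  # constructed: a port no application in this sample uses

@dataclass(frozen=True)
class Rule:
    src: str       # source zone: "business", "plant", "control" or "any"
    dst: str       # destination zone
    port: object   # TCP port number or "any"
    action: str    # "allow" or "deny"

def decide(rules, src, dst, port):
    """First-match evaluation; returns 'unmatched' if no rule applies."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, "any"):
            return r.action
    return "unmatched"

def audit(rules):
    """Probe the effective policy for traffic entering the control network."""
    findings = []
    for src in ("business", "plant"):
        for port, name in sorted(RISKY_PORTS.items()):
            verdict = decide(rules, src, "control", port)
            if verdict != "deny":
                findings.append(f"{src}->control tcp/{port} ({name}): {verdict}")
        verdict = decide(rules, src, "control", UNUSED_PORT)
        if verdict != "deny":
            findings.append(f"{src}->control tcp/{UNUSED_PORT} (unused): {verdict}")
    return findings

# Constructed sample policies (not taken from any real plant).
WEAK = [
    Rule("business", "control", "any", "allow"),
    Rule("plant", "control", 80, "allow"),
    Rule("plant", "control", 135, "allow"),
]
SEGMENTED = [
    Rule("plant", "control", 50000, "allow"),  # hypothetical data-server port
    Rule("any", "any", "any", "deny"),         # explicit default deny
]

if __name__ == "__main__":
    for label, policy in (("WEAK", WEAK), ("SEGMENTED", SEGMENTED)):
        print(label, audit(policy) or "no findings")
```

An "unmatched" verdict means the outcome depends on the firewall's implicit default, which is why the audit treats it as a finding rather than as a deny.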

Author Information

Jon Westbrock is senior technologist at Emerson Process Management;