You should hold the line on controlling or even barring Internet access from your process control system.
A recent survey says that IT departments are having arms twisted to relax cyber security rules and allow access to social media sites, such as Twitter or GoogleApps. Such changes are not a good idea for your process control system.
The survey, published by SearchSecurity.com , polled 1,300 IT managers around the world. While these were generally “office” IT applications, the results are something to which process control platform operators should also pay attention. A few survey highlights include:
47% report some users are bypassing security policies to access such platforms;
86% are feeling pressure to allow more access to social networking Websites; and
Many lack Web application firewalls.
You may be dealing with some of the same issues. More people want access to Twitter, Facebook, MySpace, GoogleApps, and so forth. While those are useful and appropriate for home and even office use, they have no place on your control system networks.
In April 2007, Control Engineering published an article on 10 control system security threats , as outlined by NERC (North American Electric Reliability Corporation). Looking again at the article, two of the threats apply specifically here:
6. Use of a non-dedicated communications channel for command and control.
This would be the case with Internet-based SCADA. This vulnerability also could include inappropriate use of control system network bandwidth for non-control purposes, such as VoIP (voice over Internet).
“Many IT folks have bought the ‘converged network’ line and think it’s OK,” says Bryan Singer, chairman of ISA SP99 committee. “We have seen cameras, VoIP, business systems processing payroll, and a whole host of other issues, cause denial of service conditions on control networks. IT professionals typically look at application performance, and near real time for control is a foreign concept. Taking 300-500 ms extra to receive e-mail or a Webpage is largely unnoticeable; 300-500 ms for control messages or safety messages could be disastrous. Often, what is an acceptable level of saturation or utilization from an IT perspective can spell disaster for controls.”
Kevin Staggs, global security architect for Honeywell Process Solutions, warns that well-meaning individuals can make mistakes about infrastructure since “it costs quite a bit of money to add additional channels, and it’s hard to add infrastructure wiring after the fact. But you really need to understand where the information is and where it needs to flow, and lay out your networks accordingly. Keep the control traffic off the business network and vice versa. Don’t use the same channels. It’s really a bad practice.”
Using the control system for non-control communications, says Bob Huba, DeltaV product manager for Emerson Process Management, “regardless of how much ‘extra’ bandwidth appears to be available, can only lead to problems getting the mission-critical control information distributed as quickly as possible.”
8. Installation of inappropriate applications on critical host computers.
Most importantly, Todd Stauffer, PCS 7 marketing manager for Siemens says, the control system needs to safely and effectively control the process. “The only necessary applications are those that are directly involved with the control of the process. Additional software programs such as e-mail, games, and media players are not necessary and can make the system vulnerable. To harden the system, it is necessary to remove all unnecessary applications and to prevent new ones from being introduced. Unwanted programs or malware can be introduced any time data is exchanged with the world outside of the control system.”
Marilyn Guhr, marketing manager for Honeywell Process Solutions recalls, “A customer was experiencing slow downs on certain operator stations and they couldn’t figure out what was wrong. The ‘problem’ was tracked down to a TV hook-up on the operator station.”
Read the complete article: “ 10 Control System Security Threats ”
Your control system has one job, and that should be all it does. While connections to larger systems and even the Internet may be necessary for various functional purposes, following somebody’s Twitter account in the control room isn’t one of them.
Read the Control Engineering Cyber Security blog .
—Peter Welander, process industries editor, [email protected] Process & Advanced Control Monthly eNewsletter Register here to select your choice of free eNewsletters .
