If you are like most process automation professionals, you are aware
that your automation systems are not as secure as they should be, and
you would like to make improvements. But you are somewhat confused by
all the industry chatter regarding security and standards, and you are
looking for a clear path toward improvement, minus the hype and scare
tactics.
The main objective of control system security is to
keep the plant safe and to keep production running. In contrast, IT
security focuses on protecting data, such as credit card numbers, from
being stolen. The primary threat to both of these goals is the
infiltration of malicious software into the system.
Malicious
software normally infects a system by 1) using file transfer mechanisms,
such as file shares and the file transfer protocol (FTP), 2) exploiting
vulnerabilities in network-facing software that allow code to be
injected into the system, and 3) the automatic copying of files from
portable media, such as USB sticks, CDs, DVDs, and cell phones to the
system.
There are six steps that you need to take to address this
threat. These steps are taken from emerging NIST, ISA, and industrial
cybersecurity standards that are being integrated into a single
international IEC standard [IEC 62443]. They define not only the
security mechanisms needed in a control system, but also the supplier
capabilities needed to harden the system at the site. In addition,
certification programs are now in place to certify suppliers against
these standards. Standards activities are summarized after the
steps to security are described.
Before beginning these steps,
you should make sure that you have security policies for the control
system. IT departments all have security policies that you can review if
you do not have one yet for your control system. Your security policies
should support each of the steps below and be geared toward keeping
unauthorized software off your system.
The steps that follow
reinforce the concept that security cannot be accomplished just by
buying a control system with the right security features. They emphasize that security is just as much a
process as it is technology. Following these steps not only addresses
the malicious code threat, but also other attacks that threaten control
systems.
These steps can be implemented in an evolutionary
fashion so that security improves over time. The evolution of security
is defined by a maturity model specified in the IEC standard. It should
encourage you to start down the path to security, rather than thinking
security is just too ominous and complicated to address. Adoption of
these new security standards is going to be like the painful adoption of
seatbelts that we all went through, from initial denial of the need to
finally recognizing the benefits.
Firewalls are used to segment
the control system internally and to isolate it from Level 3 and other
external networks. You must ensure that all traffic to/from the control
system is encrypted and passes through at least one firewall. Further,
under no circumstances should any Level 2 workstation be granted direct
access to the Internet, or have an IP address that allows it to be
directly accessed from the Internet.
Within the control system,
firewalls should be used to protect controllers, wireless device
networks, and SIS networks from Level 2 workstations. In addition, switches with lockable ports
should be used to prevent unauthorized devices from connecting to the
control system. These firewalls and switches, in conjunction with the
Level 3/Level 2 firewalls, create a layering of security perimeters with
the lowest degree of trust attributed to Level 3 and the highest level
granted to Level 1.
Components that are not as critical to
safety and availability, such as historians and data servers, should be
installed at an upper level in the hierarchy, with less protection, but
correspondingly more access, so that plant personnel can view data and
make changes as needed.
Once the firewalls and smart switches
are installed, they must be maintained throughout the lifetime of the
system to keep their effectiveness from degrading. Firewall rules must
be kept current to reflect changes to IT and control systems and to
protect against newly discovered threats. Unused switch ports must be
regularly checked to make sure they are still locked.
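
The recurring firewall-rule review described above can be partly automated. The following Python sketch is an added example, not part of the original article: it flags any allow rule that would connect a Level 2 workstation to Internet address space, including overly broad supernets. The addressing plan, rule format, and rule IDs are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the article).
LEVEL2 = ipaddress.ip_network("10.20.0.0/16")  # Level 2 workstations
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule export: (rule id, action, source CIDR, destination CIDR).
RULES = [
    ("r1", "allow", "10.30.5.0/24", "10.20.1.10/32"),   # Level 3 -> Level 2 host
    ("r2", "allow", "10.20.0.0/16", "0.0.0.0/0"),       # Level 2 -> anywhere
    ("r3", "allow", "203.0.113.0/24", "10.20.4.7/32"),  # public range -> workstation
    ("r4", "deny", "0.0.0.0/0", "10.20.0.0/16"),        # explicit deny, not a finding
    ("r5", "allow", "10.20.2.0/24", "10.10.0.0/16"),    # Level 2 -> controllers
    ("r6", "allow", "10.0.0.0/7", "10.20.0.0/16"),      # supernet spills into 11.0.0.0/8
]


def reaches_internet(net):
    """True unless the whole network sits inside an internal range."""
    return not any(net.subnet_of(block) for block in INTERNAL)


def audit(rules):
    """Return (rule id, direction) for each allow rule that links Level 2
    to address space outside the plant. Rule order and shadowing are not
    modelled: every allow rule is judged on its own."""
    findings = []
    for rule_id, action, src, dst in rules:
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if src_net.overlaps(LEVEL2) and reaches_internet(dst_net):
            findings.append((rule_id, "outbound"))
        if dst_net.overlaps(LEVEL2) and reaches_internet(src_net):
            findings.append((rule_id, "inbound"))
    return findings


if __name__ == "__main__":
    for rule_id, direction in audit(RULES):
        print(f"{rule_id}: Level 2 exposed to the Internet ({direction})")
```

Running the audit after every rule change, and on a fixed schedule, turns the "keep rules current" requirement into a repeatable check.
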
Second,
these workstations should be dedicated to operator and engineering
functions, and, as such, all applications, services, and ports that are
not needed to support these functions should be removed or disabled to
prevent vulnerabilities they may have (known or unknown) from being
exploited.
Third, anti-virus software should be installed to
detect and delete known malware before it can infect the workstation. In
addition, virus definition files should be kept up to date to keep up
with new viruses that are circulating.
Fourth, the file system
should be configured to permit only authorized users to access sensitive
files. The default, unfortunately, is to allow users with administrator
privileges to access all files on the workstation. These users should
be carefully analyzed, and they should be granted access only to
files/directories that they need.
Fifth, USB, CD, and DVD drives
should be locked down when not used for authorized purposes.
Additionally, users should be reminded that using portable media is a
common way of infecting a system. It is not unheard of for an attacker
to drop infected USB sticks in the parking lot and hope someone will
pick one up and plug it into the workstation.
Finally, these
hardening activities can be supplemented by one more: regular reboot of
the workstation to protect against memory-only infections. Some of the
more sophisticated attacks involve installing memory resident malware
that is hard to detect. Workstations that are targets for this type of
attack are those that run 24/7. Rebooting these workstations when time
permits will remove this type of malware.