Vol. 56 No. 5

MAY 2009
Covering control, instrumentation, and automation systems worldwide

Addressing SIS Cyber Security: First or Last?

When considering integrated control and safety systems, building a strong defense is an investment in ensuring business continuity.

Bob Huba and Chuck Miller, Emerson Process Management

February 2008: A company that boasts it provides “total fire protection systems” went up in flames. Smoke was seen coming from the warehouse-like buildings that house Atlantica Mechanical of Dartmouth, Nova Scotia—a contracting business that oversees the design, installation and maintenance of fire protection systems. The local fire department struck the blaze, but the building and contents were lost.

Ask a diverse crowd of people to define the term “security” and the responses will likely include financial securities; fire protection; natural disaster protection; protection against unauthorized access to property, computers, and personal I.D.; protection against un-insured motorists; and many more similar concepts that tend to center on physical things.

Conduct a similar exercise with business executives and the responses will likely include cyber security; protection of intellectual properties; protection of critical business information; protection of personnel, facilities, assets, and the environment.

What these and the many other responses you hear illustrate is that most people consider security synonymous with defense—defense against unexpected interruptions to our daily activities.

Frequently, businesses will approach security using a domain-by-domain approach—protect the perimeter, protect the people, protect the intellectual property, protect the environment, and so forth. However, when you step back and look at it, security is really about ensuring business continuity and it is best achieved by designing a unified defense-in-depth and architecture that can defend against myriad possible business interruptions.

Businesses have been aggressively engaged in establishing a strong defense against unauthorized access to their digital systems for about the last 20 years. Today we generally refer to these defensive efforts as cyber security, and while protecting against attackers that are using the Internet is an important consideration, cyber security represents only one part of a robust strategy that builds a larger sense of defense-in-depth.

Workers need better training on managing backup systems in case of attack.

Devil in the details

March 2008: “Workers operating networks supporting the nation’s critical infrastructure, such as telecommunications and transportation, need better training on how to manage backup systems in case cyber-attacks take down main systems,” said a top DHS (Department of Homeland Security) official. That’s one lesson learned during Cyber Storm II, a DHS simulation of a large-scale coordinated cyber attack on the nation’s infrastructure networks.

The underlying premise of a unified depth-in-defense strategy is simple—no single mechanism offers adequate protection against the variety of attackers and their evolving weapons. Therefore it is best to create a series of protection layers designed to impede attackers in hopes that they can be detected and repelled or simply give up and go elsewhere to seek less fortified installations.

That certainly seems simple enough but, as the saying goes, “the devil is in the details.” Architecting a unified defense-in-depth strategy is not easy and, to be effective, its development and design demands full engagement and knowledgeable representation from every part of your business.

Later, this article will focus on the control- and safety-system domains but, as we just indicated, the most successful defense-in-depth are those that encompass the entire business and include the following elements:

- Close and lock the doors: policies, practices and enforcement;
- Identify the “jewels” that must be protected—why and from whom;
- Use what you already know by conducting risk assessments, layer of protection analysis, and developing security assurance levels;
- Ensure that regular tests are conducted to exercise detection and alert systems, and the actions of persons responsible for responding to alerts;
- Establish and test disaster recovery implementation, including reloading saved software;
- Recognize and accept that there is no single protection mechanism;
- Create a torturous path for intruders;
- Understand your company’s entire depth-in-defense architecture and leverage its infrastructure to protect the control and safety system domains;
- Apply appropriate protection, including industrial grade devices, in control and safety domains;
- Connect control- and safety-system domains using good engineering practices; and
- Accept that this is not a one-shot effort; that the sources, goals, and sophistication of attackers and the they use continue to evolve, requiring that you continuously re-evaluate, and, when necessary, strengthen your protection layers.

It only takes one

In October 2007, about 1,100 employees at the Oak Ridge National Laboratory received versions of seven phishing e-mails which appeared legitimate. Rather than verify the messages’ authenticity, eleven employees opened the emails’ attachments, which enabled the hackers to infiltrate the Lab’s system and remove data. Later DHS investigations reported that the hack originated in China.

Closing and locking the doors

April 2007: Lonnie Charles Denison, an employee of Science Application International Corp. in San Diego, was working as a contract Unix system administrator for the California Independent System Operator (ISO) Corp. Frustrated with an unresolved dispute with his employer, Denison tried to disrupt an ISO data center in Folsom, CA, by hammering the safety glass of an emergency power shut-off and pushing the button.

Even the youngest child understands the need to close and lock the doors to keep out the “bad guys,” yet all around the world businesses essentially ignore this simple security measure and leave many of their doors open.

Following 9/11, process industries spent millions of dollars to install and upgrade perimeter fencing, dig ditches, add berms, reinforce guard gates and plant entrances, and install double-factor security at employee entrances. To a person driving by one of these post-9/11 chemical, pharmaceutical, or refining facilities, it appears that they are nearly impenetrable.

However, looks can deceive, especially when you probe a plant’s “back” doors. Vehicles with the correct markings—UPS, FedEx, caterer vans, and contractor buses—are often waved through the contractor’s gate. Even if they are stopped, the check by security personnel, who are usually contractors themselves, is often very cursory.

A sound defense-in-depth strategy must include extensive policies, practices, and enforcements. Certainly one part of such a collection must include what is required for visitors, contractor personnel, vendors, utility personnel, and others, to gain plant entrance. It should also address what contractor companies that provide on-site personnel must do before allowing their personnel to enter your plant—including background checks, safety training, muster station, evacuation training, personal , and so much more.

Troy’s lesson

About 1200 BC, the Trojans protected Troy against an invasion by the Greek army for more than a decade. However, as the story goes, when traditional tactics failed, the Greeks penetrated Troy’s defenses using a wooden horse that hid a handful of soldiers. Troy’s lesson is that committed attackers create their own rules of engagement and will apply innovative technologies to gain access to your business. Ensuring business continuity requires your defense-in-depth implementation provide timely detection, robust prevention, and appropriate and timely reaction/response.

Hardware and policies

November 2006: Federal inspectors confirmed a security breach at the Oak Ridge Y-12 nuclear weapons plant when an unauthorized laptop computer was carried into a high-security area. Investigators confirmed that Y-12’s cyber security personnel did not respond properly after the breach was discovered and did not report the incident to Department of Energy (DOE) headquarters in Washington until six days later. DOE policies require that such incidents be reported within 32 hours. The involved employees’ access privileges have been revoked and they are awaiting future disciplinary action.

Eric Byres, CEO of Byres Security, says, “Policies and procedures are a quick win area. Managing something as simple as laptops and memory sticks is crucial. All the in the world won’t help if you don’t have these procedures in place.”

Byres is correct, but even a vault full of policies and procedures won’t protect you unless you are also willing to enforce them strictly. Until you are prepared to back your policies and procedures with immediate discharge of employees, contractors, vendors, etc., they are essentially worthless.

Policies and procedures help close the doors; tough enforcement locks those doors!

[Figure: Medieval concepts of defense-in-depth still apply in newer forms. Source: Control Engineering]

Identify the jewels

January 2008: A Polish teenager reportedly turned the of Lodz’s tram system into his own personal train set. Using a modified TV remote control, the 14-year-old was able to change switches and control signals that resulted in the injury of 12 people and the derailment of four tram vehicles.

Every company has physical assets and intellectual knowledge that must be guarded at all costs:

- Intellectual knowledge includes client information at stock brokers; research and clinical trial data at bio-techs; and fragrance ingredients and recipes at perfume manufacturers.
- Physical assets include generation, transmission, and distribution systems of electrical utilities; production process units for specialty chemicals and refineries; and pipelines and compressors at gas and oil transmission companies.

Alan Paller, the director of research at the SANS Institute, a cyber security education organization, recently revealed a CIA secret: “According to the CIA’s top cyber security analyst Tom Donahue, computer hackers tried to infiltrate and disrupt the electric power grids in several foreign regions. And in some places, they succeeded.”

Paller says he decided to break his secrecy agreement with Donahue and the CIA, “because the heads of utilities get lied to by their technical people. The technical people say ‘oh, nobody can get in! We’re not connected to the Internet.’ But we had three people at that same meeting who, for a living, did penetration testing of utilities, and every one of them said they have never failed to get in, even when the organization claimed they weren’t connected to the Internet. They just don’t know all the connections they have.”

Certainly the intent of a business continuity security system is to protect as many assets as possible, but common sense tells us that we simply can’t protect everything equally. You must identify the “jewels,” prioritize the value of each, and then erect the defense-in-depth architecture that provides the best solution to ensuring business continuity.

In part 2 (to appear in the July 2009 Inside Process section), we dig into implementation issues.

Bob Huba is a senior product manager for Emerson Process Management and coordinates security and cyber security initiatives for DeltaV products. Chuck Miller is the business development manager for safety instrumented systems for Emerson Process Management.


Posted from Control Engineering, May 2009. Copyright © Reed Business Information, RBI™ a division of Reed Elsevier, Inc. All rights reserved. Page layout as originally published in Control Engineering has been modified.