Chemical Processing-August 2008

attack routes taken Via corporate WAN & business network 49% Internet directly 17% VPN connection 7% Wireless system 3% Telco network 7% Trusted third party connection 10% Dial-up modem 7% Figure 1. In 75 incidents from 2002 to 2006, attackers and viruses infiltrated via corporate networks most often but far from exclusively. Source: Industrial Security Incident Database, June 2006. needs differ from those of the IT world and then modifying the IT security technologies and practices to properly use them in our world. This takes close cooperation and teamwork from both IT and process control staffs and not blind dependence on IT security procedures, a topic we’ll explore in more detail later. The other mistake the chemical company made was to assume that all security problems arise from outside the plant and those that do make it in come through obvious pathways that can be managed by a firewall. This assumption often means that companies base their entire plant-floor security solution on a single firewall between the business network and the control system network, believing that their firewall will be the ultimate security filter and will prevent anything evil from ever getting to the control system. Unfortunately as this chemical company discovered, nothing could be further from the truth. This firm isn’t unique. Many chemical companies make significant cyber-security mistakes. The sidebar summarizes the 10 most common errors. Multiple paths for attack To understand just how many pathways into a control system there can be, consider the security incidents caused by the Slammer Worm since its creation in 2003. This particular worm has resulted in more documented process disruptions than any other source, according to the Industrial Security Incident Database records. A few of its “achievements” include interrupting power-distribution supervisory control and data acquisition systems, infecting the safety parameter display system in a nuclear plant and curtailing oil operations in the Gulf of Mexico. What’s particularly interesting is that the Slammer Worm has used at least five different pathways to get to its control system victims. In one case, it August 2008 chemicAlprocessing.com 22 the 10 Most coMMon plant cyber-security Mistakes 1. Assuming that someone else (like the it department) is looking after the security of control systems. it often turns out that everyone thinks it’s someone else’s job. (upper management is especially prone to the mistake.) 2. no risk analysis for cyber incidents. Without a proper risk analysis that looks at vulnerabilities and consequences of cyber events, companies can’t be sure they are spending their security dollars effectively. 3. A lack of policies and procedures to govern control system security. security needs to be motivated from the top down by good corporate policies that are supported by upper management. 4. Assuming that it security solutions will work on the plant floor. security solutions need to fit the environment that they’re to be used in or they either will get ignored or bypassed. many it solutions work well but some don’t; it’s important to recognize those that don’t work and come up with alternatives. 5. Addressing security on a piecemeal basis. For security to be effective, it has to be deployed in a coordinated fashion across the whole plant or organization. 6. Forgetting the human aspects of security. good security starts with ensuring that staff, management and contractors understand and follow appropriate practices. 7. Designing control system networks without sufficient defense-in-depth architectures. Depending on a single firewall between business and control systems is asking for trouble — security needs to be layered to be effective. 8. poor patch management for applications on the plant floor. many companies have good patching systems for the operating system but then forget to patch the software applications (like hmis), which typically are far more vulnerable to software bugs. 9. either no tools to detect inappropriate activity on the control system or no procedure to ensure that the tools are used regularly. i see many firewalls in plants whose logs never have been checked. this is like installing a burglar alarm but not turning it on. 10. Allowing remote access to the control system without creating and enforcing an appropriate access control system. need i say more? entered a petroleum control system via a maintenance laptop that was used at home, infected there and then brought into the plant. In another case, it contaminated a paper machine human/machine interface (HMI) via a dial-up modem for remote support. In a third case, it passed through a poorly configured firewall. In a fourth case, it took advantage of a temporary Internet connection set up by a contractor — involving a remote virtual private network for system maintenance —that bypassed the IT firewall. In all these http://chemicalprocessing.com

Table of Contents Feed for the Digital Edition of Chemical Processing-August 2008

Chemical Processing- August 2008 Contents From the Editor ChemicalProcessing.com Field Notes In Process Energy Saver Compliance Advisor Protect your Plant What’s on Tap for Water? Keep Operations Safe Polystyrene Plant Gains Extra Output and More Process Puzzler Plant InSites Equipment & Services Adlits Product Spotlight/Classifieds Ad Index End Point

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.