Chemical Processing - October 2007 - (Page 30)

early and effective detection and mitigation with countermeasures. In other words, the sooner you see the wound and the faster you can stop the bleeding, the more effective your policy is. Among the processes that facilitate incident handling are team notification, escalation procedures during an incident, containment procedures (for slowing or stopping the spread of viruses), interim measures for resuming business and post-incident analysis. Other processes. A proper security program must contain many other elements. To enhance security, consider, for example, processes for: • disaster recovery; • back up and restoration; • fire drills; • standards deployment; • annual assessments; • penetration tests; • remote access policies; • file transfer; and • vendors and visitors. The role of technology Perhaps the most obvious and fundamental piece of the security puzzle is the technology aspect. When used correctly, technology is an enabling, tangible part of any security program. However, simply buying and installing technology doesn’t necessarily improve a plant’s security. Technology investments must take into account the business model as well as physical topology and plant or operational requirements. Before deciding upon technology purchases or deployments, it’s crucial to first assess the potential impact of a new technology on workflow. If a firewall or new network topology interferes with access to data then it may not be best for the organization. The first word that comes to mind when discussing technology and security is a firewall. This response is both good and bad. On the plus side, the fact that a company is using or intending to use a firewall means that security is a priority and that the potential for locking out unwanted access exists. The problem is that many firms feel that the mere presence of a firewall is enough to immediately solve their security concerns. In a study of 37 firewalls from a number of industries (1), it was found that “…almost 80% of firewalls allow both the ‘any’ service on inbound rules and insecure access to the firewalls, these are gross mistakes by any account.” For the maximum firewall benefit, a plant needs to create a multi-layered topology in its process control network. This applies as well to the many other tools and toys that can be considered. The secure and effective deployment of technology depends upon implementation of a multi-layered or “defense in depth” approach to network topology (see www.chemicalpro 30 • October 2007 cessing.com/articles/2007/104.html). This approach has been called many names but regardless of moniker it’s based on the idea that the further removed a process network is from the business LAN and the outside world (i.e., the Internet) the more protected it is. More importantly, a plant must establish what traffic it will allow on a frequent basis and ensure that future projects don’t compromise those rules. Every few months, the plant must revisit the firewall configuration to ensure it’s working effectively and addressing new security threats. There’s always a second way to move data or to facilitate business decisions without compromising the firewall, which is the first line of defense. Unrelenting attention Security is not a “Y2K” type of issue with a defined shelf life and timeline. Plus, while the DHS regulations now only target “high risk chemical facilities,” they likely will eventually expand in scope to cover more installations. Likewise, the standard may evolve beyond simple assessments. The facilities that aren’t going to be overwhelmed by the amount of work required to properly secure their sites are the ones that begin before they’re forced to by government. The difficulty will be in convincing everyone to start playing along because the single biggest differentiator that sets a pacesetter apart in the world of industrial security is its security culture. Any security initiative is going to live and die by the support it gets outside of the project team implementing it. This means financial support for the time and resources required to implement the project itself. It also means support from executives and decision-makers in allowing and encouraging security efforts in the first place. Most importantly, it means getting the buy-in of the day-to-day owners of the systems being impacted by changes to processes or procedures required to increase security. Always remember that the amount of support shown is the key indicator of the success of any security initiative. Security traditionally has been seen as an expense without obvious return on investment. However, if security culture and systems are thought of in the same light as safety systems, then the opposition to security programs should begin to fade. Safety programs have provided benefits to organizations — security can provide unintended benefits as well once you get started! CP Rick Kaun is manager of industrial security and compliance for Matrikon, Inc., Edmonton, Alberta. E-mail him at rick.kaun@ matrikon.com. RefeRence 1. Wool, Avishai, “A quantitative study of firewall configuration errors,” IEEE Computer Magazine, p. 62 (June 2004). www.chemicalprocessing.com http://www.chemicalprocessing.com/articles/2007/104.html http://www.chemicalprocessing.com/articles/2007/104.html http://www.chemicalprocessing.com

Table of Contents Feed for the Digital Edition of Chemical Processing - October 2007

Chemical Processing - October 2007 Contents From the Editor ChemicalProcessing.com Field Notes In Process Energy Saver Compliance Advisor Biofeedstocks See Real Growth Become a Cyber-Security Pacesetter Go Beyond Condition Monitoring Disposable Equipment Earns Lasting Role Improve Control Loop Performance Ethanol Plant Boosts Output and Saves Energy Process Puzzler Plant InSites Equipment & Services Ad Lits Product Spotlight/Classifieds Ad Index End Point

Chemical Processing - October 2007

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.