Safety vs. Security: What s One Without the Other?

Transcription

1 Safety vs. Security: What s One Without the Other? Executive Summary Safety systems in the industrial environment have evolved over the years to become increasingly complex and are relied upon to function to a level of adequacy to protect employees, production, and the environment surrounding a particula r facility. The investment in these systems is great, but the ramifications of their malfunction are even greater. The media has made it even easier for us to understand the impact of safety on companies and on their surrounding communities, and with incidents such as those that transpired in Texas City with a BP refinery explosion, and with the Bhopal disaster, involving a chemical leak, the potential impact of our operations has become greater than ever before. The evolution of safety systems is largely accredited to our ability to connect our systems and to automate notifications and alarm in the event of a safety breach. Safety systems have now become automated, more sophisticated, and since being connected by networks, for example being TCP/IP routable, they have also become more vulnerable to security infringements. At the same time, connecting our systems has allowed them to become more efficient, and to become a more dependable, de facto component of a facility s infrastructure. Increasing regulations and standards are a direct result of the importance being placed on safety systems, not just as a reactive alert system to crisis, but as a more proactive and predictive way of avoiding disastrous situations. Much like our telephone and internet connections, our safety systems have become something we expect to function correctly, and something that we rely on to alert us if the need arises. We cannot expect to become mindful that these systems may not be functioning correctly thanks to security issues.

2 Safety vs. Security: What s One Without the Other? 2 Table of Contents Executive Summary... 1 Why does security matter?... 4 How do we ensure our safety systems are secure... 4 System Architecture... 4 Connectivity Infrastructure... 4 Security Management... 5 Managing a Security Program... 7 Conclusion... 8

3 Safety vs. Security: What s One Without the Other? 3 Table of Figures Figure 1: Security Vulnerability Assessment...6 Figure 2: Secure Process Environment (SPE) Design...7

4 Safety vs. Security: What s One Without the Other? 4 Why does security matter? Security has moved from being a general topic of interest within the financial sector and the governmental departments, to an increasing concern within the industrial community. With the emergence of security recommendations and regulatory compliance requirements throughout different industries, people are wondering what events have sparked such an interest in security. Fai ling to maintain a particular level of security can create easy targets for a range of intentions, anywhere from international terrorism to a disgruntled former employee who wants to capitalize on access to information. Security of information is no longer the only concern security of data within an organization is now under just as much scrutiny. Studies have shown that data volumes are doubling every 18 months, and according to a study conducted by Deloitte, the averag e total cost associated with a data security breach can be anywhere from $225,000 to $35 million per reporting. Over half of the security breaches that occur, whether intentional or unintentional, result from the mishandling of sensitive business data to the wrong people, from within the organization itself. How do we ensure our safety systems are secure? Due to the connectivity of data sources to our safety systems, there are three major areas we need to focus on to ensure that our safety systems are fully secure, from all significant points of vulnerability. These three areas include your system architecture, your connectivity infrastructure, and your security management. It all comes down to ensuring that systems are plugged in together with the correct architecture, and that you have the right tools for the job both to set up your security systems, as well as to maintain them. System Architecture One of the first things to do is to find out if your system architecture itself is secure. To do this, an initial assessment would be a useful tool to figure out how your assets are configured, and how they interact with each other. This will make it easier to identify vulnerabilities and to prioritize your assets in order of criticality. If there is a security program in place, does it inclu de all of the appropriate assets and are best practices in play? Furthermore, process control environments use incredibly complex networks that are often undocumented or only partially documented. These networks have evolved over time through varied technologies and hardware as a result of multiple disparate networks being migrated into a single collection of networks, with unstructured IP addressing schemes, overlapping IP subne ts, varied cabling infrastructures and diverse operating system packages. Connectivity Infrastructure Moreover, critical infrastructures depend on control systems for their operation. Cyberspace is considered the nervous system of today s critical infrastructure, and it has become increasingly important for the process industry to address the possibi lities of growing internet threats, cyber attacks and regulatory compliance. In contrast with physical attacks, cyber attacks are not e asily identified, and may go unnoticed for long periods of time. However, the resources and tools for cyber attacks are b ecoming more commonplace and readily available. Companies have internet connections to the control systems to enable management, engineering, and others to monitor processes and progress. Vulnerability to the intrusions and attacks has increased with acc ess to the control systems through the internet. As a result, solutions such as network lockdowns are implemented to address those threats. Unfortunately, this knee-jerk reaction often conflicts with the legitimate need for access to plant data for day-to-day business decisions.

5 Safety vs. Security: What s One Without the Other? 5 A Security Vulnerability Assessment will reveal any vulnerability or weakness in your network, server and desktop infrastructure. The assessment will also establish the current state of your network infrastructure and form the foundation for the development of regulatory compliance or security/reliability and safety programs. A security vulnerability assessment is a highly detailed network audit that can be performed from a high level overview to the most in depth level of investigation and can act as a guideline to improving control of security and usage policies. Security Management When asked about cyber security, most people will think about technology such as firewalls and antivirus. Security technology is usually the primary area of money and time. But it is even more important to consider the people that use/manage the systems, and the processes that they use. It is in governance and operations that excellence is achieved. It is entirely possible to h ave the most technically secure safety system, but if the people do not participate or support the security processes it is useless. Think of security as a 3 leg table where all are required to prevent it from falling down. A security vulnerability assessmen t should approach security with these 3 distinct pillars: people, processes, and technology. This comprehensive approach delivers a thorough assessment of your initiatives including policy review, training programs and technological and physical concerns. People: In the context of security it refers to the employees, contractors and any visitor to the organization. In order for a security program to be successful, it is necessary for the participants and stakeholders to have the necessary awareness, training, documentation and roles. Everyone needs to understand appropriate system use and why it is important, and technical people also need to know how to identify and address security risks. It is recommended from an organizational perspective to have a dedicated security group with the authority and executive support to enforce security violations. But, it is more important to have a security awareness program for employees to share the importance of security and how they can participate. If organizations do not focus on their people, security policies will not be followed, staff will not understand security issues, and technical staff will not manage systems effectively. Process: When discussed in the context of security, process refers to the policies, procedures and actionplans. Regardless how hard you try, there will always be residual security risks and potential incidents. The measure of your preparedness and of the validity of your security program will determine how well you contain the incident and how quickly you recover from it. It is necessary to have documents in place like an appropriate use policy backup policy, and wireless policy to define how company assets should be used and deployed. Policies determine the rules of using a system; define procedural countermeasures for potential security risks, and any best practices. Procedures are step-by-step instructions on how to perform or execute a plan without being the expert on the system. Both policies and procedures are required for a good security program. Processes or procedures are also vital in outlining the overall security mentality and approach your organization wishes to implement. As your business evolves, so too will your environment. By having clearly defined expectations of future programs and applications you can evolve your business while maintaining the highest possible level of security. Technology: is the foundation for security and it is necessary to have the right systems installed. Companies should ensure they have good firewalls, antivirus, patch management, tape backup, remote access, authentication and physical security in place. Finally, a security vulnerability assessment should be scalable to meet specific organization requirements and should include, but not be limited to: ongoing policy reviews, exhaustive system by system site audits, frontend engineering and technical implementation, refer to figure 1.

6 Safety vs. Security: What s One Without the Other? 6 Figure 1: Security Vulnerability Assessment With the integration of process control systems, and particularly, our safety systems, we also need to examine the way in which data is transferred and shared. What tools are we using to connect our systems and how is the data being pulled and combined with other sources? Certification programs, such as the Achilles Certification by Wurldtech, work with compliance organizations and standards bodies to create certification programs that encompass the necessary security requirements for all software, includ ing OPC software used to create interoperability among systems. It is important to ensure that every step of your process is secure, starting with the data that feeds the rest of your business. If your data itself is not secure, this will have a domino effec t on the rest of the process from that point onward. A Secure Process Environment (SPE) design creates a layered network that segregates all process equipment from the Business LAN, creating a network that is dedicated to Process Equipment, while allowing the movement of data that is necessary for business decision making. The design incorporates a method of rejecting all communications from the Business LAN to the Process LAN, but still allows the movement of data to exist. Problems such as Software Virus, Trojan Horses and Worms are controlled without the requirement of loading antivirus software on process systems. This provides antivirus protection for those industrial systems that are not certified for running with antivirus software. This design also removes the requirement of ensuring all systems are loaded with Security patches to remo ve vulnerabilities to attack. As always it is still recommended to load all service packs and Security patches on all systems as required but the p roblems associated with not doing so is reduced significantly. The loading of Security and Service packs on p rocess systems is often not a Process Engineers primary concern and these patches are often left till all other tasks are completed. A Security Controlled Network layer, the Process DMZ LAN, is constructed between the Business LAN and the new Process LAN. This network provides an area for security control. Both the Business LAN and the Process LAN are able to communicate with systems on the Process DMZ LAN. This design provides a security focus in a small and limited area of the networks, reducing administration costs. All security programming on the Firewall and the process LAN Router is now focused only on rejecting or authorizing communications to the Process DMZ LAN and not to Process equipment. The security focus is now directed to a limited number of s ervers and not to all equipment on the Process LAN. ication/achilles-certif ication.aspx

7 Safety vs. Security: What s One Without the Other? 7 Figure 2: Secure Process Environment (SPE) Design Managing a Security Program Once all of the security systems are in place, the next step is to determine how your security levels will be maintained. Security threats and vulnerabilities change daily, with the introduction of new worms and viruses, change in staff, etc. and it is cri tical to have a program in place that will manage your security and ensure that it remains relevant. The only way to create a solution to this problem is to look at a system that automates the security program, by way of any relevant compliance initiative or maintenan ce of any particular normal state. There are many benefits to creating an automated security management system. In terms of efficiency, the ability to orchestrate workflow and automate systems into real-time deliverables allows companies to manage their security program on an on-going basis as opposed to ensure the reliability of safety systems. On-going programs are much more secure as well. For example, if you are not using a real-time system with automatic updates the only source of information (and frequency) would be for local staff to look at the data, sort through all of the documentation, realize that there is a security problem, and then begin to address it. By this time, there is already a risk to your network, your critical assets a nd your safety systems. By moving to a real-time automated system, you can be alerted when there is a change to your protected systems and supporting systems that is misaligned with your normal expectations and then generate work processes to update and re-align your compliance program.

8 Safety vs. Security: What s One Without the Other? 8 Conclusion The overall impact of implementing a comprehensive security program in the process control environment is far reaching, and typically includes: Improving employee safety, satisfaction and morale Reducing loss of production and revenue from intrusion incidents Improving data integrity, resulting in correct operator actions Preventing unauthorized disclosure of information Preventing unauthorized denial of services Preventing regulatory fines on environmental information not being recorded and within limits Preventing loss of major tangible assets or resources Improving public opinion and investor support Protecting intellectual property and trade secrets Preventing harm to the organization s mission, reputation or interest By understanding the complexity and breadth of an effective security program in the process control environment, we can see the direct correlation between security and its role in the maintenance of appropriate safety levels. The volume of information that is moving around a facility at any given time makes it imperative that security controls are put in place and maintained. Furthermore, the traditional focus of variety of process industries has been safety and productivity. However, recent threats to North Ame rican critical infrastructure have prompted a tightening of security measures across the different industry sectors. Reducing control system vulnerabilities against physical and cyber attack is necessary to ensure the safety, reliability, integrity and availa bility of these systems. For more information: For more information about Industrial Cyber Security, visit our website or contact your Honeywell account manager. security@matrikon.com Honeywell Process Solutions 1250 West Sam Houston Parkway South Houston, TX Lovelace Road, Southern Industrial Estate Bracknell, Berkshire, England RG12 8WD Shanghai City Centre, 100 Junyi Road Shanghai, China WP 813 August Honeywell Internati onal Inc.