P.M.C.Nair, Executive Director, Rashtriya chemicals & Fertilizers Ltd.

P.M.C.Nair, Executive Director, Rashtriya chemicals & Fertilizers Ltd.

Rashtriya Chemicals and Fertilizers Ltd. Incorporated in 1978 with the re-organisation of erstwhile FCI Authorised Capital Paid Up Capital ` 800 Crore ` 551.69 Crore ISO-14001-2004, OHSAS- 18001-2007 & ISO- 9001-2008 accreditation for Thal & Trombay. Both the units accredited under IMS. MoU signing since 1988. Rated Excellent for 9 consecutive years. (Received Award at the hands of Hon ble Prime Minister for best performance in Fertilizer and Agriculture Sector for 2005-06, 2006-07, 2007-08, 2008-09 and 2009-10).

CAPACITY OF RCF PLANTS (Figures in Lakh MTPA) TROMBAY THAL UREA (Ujjwala) 3.3 17.07 SUPHALA 15:15:15 3.0 0 SUPHALA 20:20:0 2.7 0 INDUSTRIAL CHEMICALS 1.34 0.29 Apart from above, RCF Trombay unit also produces 100 % water soluble SUJALA fertilizers (Drip and Foliar), Bio-fertilizer BIOLA, micro nutrients fertilizer MICROLA.

RCF Ltd.(Trombay unit)

RCF Ltd.(Thal unit)

PROCESS PLANTS OF RCF LTD. WITH INSTALLED DCS TROMBAY THAL Ammonia I Plant (350 MTPD) Ammonia Plant (1750 MTPD X 2) Ammonia V Plant (1045 MTPD) Urea Plant (2020 MTPD X 3) Urea Plant (1000 MTPD) Methylamine Plant (15 MTPD X 2) Nitric acid Plant (1100 MTPD) Formic acid Plant (30 MTPD) Suphala Plant (1100 MTPD) DMF (7 MTPD) ANP Plant (1000 MTPD) DMAC Plant (15 MTPD) Sulphuric acid Plant (330 MTPD) Thal Ammonia extension Steam generation Plant (170 MTPH X 3) Steam generation Plant (275 MTPH X 3) Phosphoric acid Plant (100 MTPD) Argon plant (46 MTPD) Methanol Plant (240 MTPD) CO Plant (1200 NM3/HR) Sewage treatment Plant (5 MGPD) PGR Plant (14.5 MTPD)

SCENARIO OF INDUSTRIAL CONTROL SYSTEMS (ICS) IN RCF All continuous process plants are equipped with state of the art technology DCS (Digital control system) from reknown vendors. DCS are of i/o capacity ranging from 250 to 10,000. RCF Ltd. also has SAP system which works independently on Factory Intranet. Advanced process controls(statistical process controls) for Ammonia & Methanol plants.

RCF Highlights: Industrial control systems (ICS) in all plants of RCF are presently working isolated & independent and are not connected to any commercial MIS through Ethernet. DCS WITH EMBEDDED AVG / FIREWALL PROCESS PLANTS CORPORATE IT & SAP Hence DCS system security depend only on Firewall & Antivirus software embedded in individual system. There is no corporate IT involved in MIS or system security.

RELEVANCE OF PLANT SECURITY IN TO DAY S FERTILIZER & CHEMICAL INDUSTRY ENVIRONMENT

INDUSTRIAL SECURITY - TODAY S INDUSTRY AWARENESS : Industrial control systems (ICS), commonly encompassing DCS, PLC, SCADA and others are used for process monitoring and control. In future, Process industry would expand to permit access to, MIS for Technical depts., Top Mgt., Directors, Marketing depts., SAP, Intra-plant data viewing However, the vulnerability & consequences of cyber attacks against and infections of ICS can be much more serious and damaging. Safety, environmental impact, business sustainability and other factors are at risk.

The problem is that commercial products are common targets for hackers, cyber criminals, and malware, thereby increasing safety, environmental, business, and other risks. But if ICS are connected with these commercial systems then they are at equal threat as to those commercial systems. United States Cyber Command (USCYBERCOM) is America s answer to cyber warfare

.

All systems are vulnerable when attackers have the needed resources, skills, and sufficient time. ICS are used in almost all forms of manufacturing and include a diverse set of components. ICS, such as DCS and PLC-based applications, include unique devices and software such as sensors, actuators, speed control, switches and a very wide variety of automation software components.

Following General-Purpose Security Components Must Be Adapted for ICS Use

Firewalls : Antivirus Identity Management Remote Access Security System Monitoring & Management Always deployed at perimeter, also used to create zones, a few ICS specific firewalls are offered. Commonly deployed on all stations in ICS. Must be up to date a challenge for ICS User info tending toward common directories, rights still in applications Many differing strategies, need standardized solutions Infrequently used, likely to be a centralized function, needed for quick response to issues Security Patch Management Few ICS owners have auto-mated patch management, but most have documented processes

Firewall: Features Stateful inspection packet filtering Application layer firewall VPN gateway URL filtering, Web proxy and Web publishing Virus scanning and IDS McAfee Application Control has been compatibility-tested Configuration manual available

Examples of Cyber Attack: U.S. Cyber Consequences Unit on critical infrastructure vulnerabilities shows a 172-ton generator used in dams. The generator affected by a cyber attack demonstrated in the 2007 Aurora Project, capable of physically destroying generators. (Source: U.S. Cyber Consequences Unit)

The difference is that the consequences of a successful attack against infrastructure can be far reaching, potentially impacting a large part of a nation s population. Furthermore, ongoing investment in cyber security is significant and needs to be aligned with reasonable risk. Businesses and other ICS owners have always been concerned over the possibility of targeted attacks on ICS systems, but concerns have been dismissed quickly because of the specialized knowledge required for attacks, making the perceived risk low. In 2010, the most important and certainly the most visible ICS cyber security event was the discovery and analysis of the virus infection Stuxnet on Siemens equipment supplied for Iran. Stuxnet is a computer worm discovered in June 2010. It initially spread via Microsoft Windows, and targeted Siemens industrial software and equipment. While it is not the first time that hackers have targeted industrial systems. It is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.

BREAKING NEWS ON 7 TH April,2012

IN ESSENCE, TO SAFEGUARD THE PLANT ASSETS AND ENSURE PROPER ACCESS, SYSTEM SECURITY IS IMPORTANT. SECURITY IS ABOUT ENSURING BUSINESS CONTINUITY AND IT CAN BE ACHIEVED BY DESIGNING SYSTEM WITH STRATEGY AND ARCHITECTURE THAT CAN DEFEND AGAINST POSSIBLE BUSINESS INTERRUPTIONS. IT IS BEST TO CREATE SERIES OF PROTECTION LAYERS DESIGNED TO IMPEDE ATTACKERS A SOUND SECURITY STRATEGY MUST INCLUDE EXTENSIVE POLICIES, PRACTICES AND ENFORCEMENT

Ultimate goal : Safe and reliable control of an efficient system Today s reality is that we have a long way to go to understand and sufficiently protect our digital world to ensure continuing safety of the electronically controlled physical world. We are at a crossroads in time that requires us to push harder for resources to fix the problem and ensure that those resources are properly aligned with the most appropriate solutions. Every environment is different but the ultimate goal is the same: safe and reliable control of an efficient system. Now it is our goal individually, our company organically, and our industry collectively, to identify the appropriate path forward a path that will continue our prosperity safely.

PROS AND CONS OF OPEN COMMUNICATION AND INCREASED NETWORKING OF TODAY S PRODUCTION PLANT

The Pros of Open communication & Networking Integrated into a web accessible interface enables individuals to perform unmanned operation of utilities. Networking with ICS gives real time view of process,raw material and utilities for MIS. Statistical process control with ICS on open communication platform enables optimization of resources and efficiency of plant operation. The Cons of Open communication & Networking Networking open the doorway to potential piracy and invasion of your network to outside sources. The greatest issue with the networks is that of handling Data for information management.

Risk analysis of network security in Industrial Control System :

Methods: Balancing risk against investment is a very complex decision. Where ICS is involved, organizations must find ways to make risk analysis and mitigation a routine and critical process. A method for assessing and rating the risk of a possible vulnerability at a specific facility is needed. The risk is a function of the likelihood (probability) that a defined threat agent (adversary) can exploit a specific vulnerability and create an impact (consequence). Risk = Likelihood X Consequence Likelihood = Threat X Vulnerability The risk induced by any given vulnerability is influenced by a number of related indicators, including: Network and computer architecture and conditions Installed countermeasures Technical difficulty of the attack Probability of detection (e.g., amount of time the adversary can remain in contact with the target system/network without detection) Consequences of the incident Cost of the incident.

Potential Impact of a vulnerable network attack :

Process Control System Vulnerabilities and IT Threats The introduction of Internet based information technology within the process controls industry has increased vulnerabilities to the industry's computer systems ICS security strategies, components, and processes have a different lifecycle than the control systems themselves. Changing Security threats and new vulnerabilities mean that security processes and components must change to continue to perform their function. The critical national infrastructure industries, can experience risk of impacting large portions of the public. New attacks and vulnerabilities are discovered almost daily, requiring someone within each business to assess risk and develop mitigation strategies. Even the security components must be updated frequently or they become ineffective quickly. Traditionally, ICS have been designed and installed by engineering, but now in large businesses, corporate IT is involved, because of their strong cyber security and system management skills The ISA Security Compliance Institute (ISCI) was formed a few years ago and, in 2010, released its first test specifications. ISCI is now qualifying test laboratories.

The major categories of impacts are as follows: Physical Impacts. include personal injury and loss of life. Economic Impacts Social Impacts.

Customer/Market Expectations from Automation Vendor regarding security solutions :

Customer/Market Expectations Security technologies by themselves cannot guarantee that systems are safe from attack. However, technologies are an essential element for protecting both legacy and new ICS systems. Overall, ICS owner and suppliers have lagged in the use of specific security technologies relative to their corporate IT counterparts, and for good reason. Most security technologies require some adaption to be suitable for ICS. Furthermore, ICS owners must be very cautious about disrupting control systems because of the high cost and high business impact. Each ICS environment requires a security architecture that ensures comprehensive coverage and many security technologies. It is not feasible for ICS suppliers to develop a comprehensive set of security components just for ICS. Some security components such as firewalls and antivirus are common.

General-purpose security component suppliers (McAfee, Symantec, Cisco ) cannot justify creating a product just for the ICS industry. Accordingly, the ICS industry must first determine how a general- purpose solution can be adapted for ICS environments. Then, ICS owners must accept the solution. Most ICS owners want to avoid being the first to deploy a new technology and prefer fieldproven solutions. Consequently, this process typically takes time and explains the current situation.

Current Scenario of Industrial Security Solutions from different Automation Vendors : There are several security products that are marketed specifically for ICS, while others are general IT security products that are being used with ICS. Encryption : Encryption protects the confidentiality of data by encoding the data to ensure that only the intended recipient can decode it. Firewalls : Firewalls are commonly used to segregate networks to protect and isolate ICS. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are being deployed on ICS networks and components to detect well-known cyber attacks.

Vulnerability and Penetration Testing Tools: There are many tools available for performing network vulnerability assessments and penetration tests for typical IT networks; however, the impacts these tools may have on the operation of an ICS should be carefully considered.

Future Outlook :

As a prospective user of ICS with embedded security based, technology suppliers need to envisage for the following: While it is widely recognized that the future ICS requires built-in security mechanisms, the functioning of these mechanisms is less clear. In addition, and equally problematic, the adversarial model is not well understood. That is, while the current problems are known, it is not obvious which threats a future open systems must be armed against. However, identifying the adversarial model and anticipating emerging threats is the first step that is necessary to build a secure, future ICS. Only when the community has a solid understanding of the threats that the future ICS might face, appropriate countermeasures can be designed.

Thank You!!!