31 January 2008

Control systems security

By Jim Pinto

After almost two decades of growth, the Internet’s inherent connectivity architecture is a double-edged sword. It has evolved to become the fundamental platform for all intelligent devices to share information. The problem lies in the fact that any Internet-connected device or system is vulnerable to security issues.

Beyond just being Internet connected (Ethernet TCP/IP), most of today’s automation and control systems use the same PC hardware (Intel) and operating system (Windows) as broadly deployed personal, corporate office, and administrative networks. This generates serious and steadily increasing problems.

As plants and factories connect to the Internet, and Intranets, worms and trojans can enter through mainstream software. In addition, plant systems must prevent external or internal intrusion. Automation networks should be completely separate from other systems using routers and firewalls specifically designed for the applications. Parallel installation of separate networks is not a luxury, it is a necessity. 

Malicious security breaches, and attacks from outside intruders, are rapidly growing threats for automation systems based on common architectures. Employees and ex-employees are one source of theft and retaliation. Additionally, there are “hackers” who may do it just for the thrill, or vandals and opportunistic criminals (including terrorists). Plug-in memory ports must not be generally accessible, limiting the possibility of “sneaker-net”—portable memory like floppy-disks or USB memory sticks, which may insert a virus or worm intentionally or unintentionally.

Well thought out system security should prioritize and manage network traffic, restrict outside traffic, and give preferential treatment to control traffic. The system must have the ability to prevent problems and security threats before they occur. There should be preconfigured groups and group policies that define desktop and console behavior. For example, manufacturers could limit operators to only auto start applications, supervisors could have the next level of security, engineers could only get relevant engineering functions, and administrators could have unlimited access with maximum security (password protection, etc.). Regular and consistent network management is the key to security protection.

Network security comes from proper design, operation, and maintenance to provide regularly updated protection. Automation systems security has become an urgent issue, perhaps even a critical one. Providers of effective security protection solutions and services will generate good growth over the next several years.

Related links:

• Microsoft Technet – 10 Immutable Laws of Security:
  http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true
• Find a security plan and allow it to evolve
  www.isa.org/link/Jan08_Talk2Me
• Making cyber security work in the refinery
  www.isa.org/intech/20071005

Behind the byline

Jim Pinto is an industry analyst and founder of Action Instruments. You can e-mail him at jim@jimpinto.com or view his writings at www.JimPinto.com. Read the Table of Contents of his book, Pinto’s Points, at www.jimpinto.com/writings/points.html.