August 2007

Sniffing out rats

Government regulations steering chemical industry’s security tactics to safeguard against intruders

By Ellen Fussell Policastro

Safety and security are still high up on the list of topics in the chemical industry, but the most talked about issue is the pending regulation from the U.S. government on physical and cyber security. The Department of Homeland Security (DHS) issued a ruling called 6CFR Part 29, which spells out what chemical companies must do to comply with security issues. The document was originally scheduled for release in June 2007, but has been delayed.

It is predominantly focused on physical security but has cyber security elements that cover the Federal government’s expectations and rules for the U.S. chemical industry. Once the rules go into effect, if you do not meet them, penalties could include shutting you down. The American Chemistry Council is working closely with DHS to make sure rules are reasonable and users know how to adhere to them.

“It boils down to this; all facilities that handle chemicals should be on a certain threshold amount,” said Eric Cosman, engineering solutions architect at Dow Chemical Co. in Midland, Mich. “Depending on the chemical, you can have small amounts of it, and it’s not a threat. Because you can’t break down every quantity of every chemical, you need to have threshold amounts of certain chemicals. If you have more than the threshold amount of certain chemicals on your premises, then all facilities subject to rules are put through a top screen, an initial screening process to determine which of the thousands of chemical facilities in the U.S. represent the greatest risk of being terrorized.”

Even though they are protecting against a physical event, that event is not necessarily triggered physically. “The reality is cyber security breaches in any industrial facility can have physical consequences because computers control the process,” Cosman said. Because the DHS ruling is risk-based, it comes at breaches first from a physical perspective. “But there are elements of cyber in it,” Cosman said. Once they decide a facility has a significant risk (whether a chemical plant or a plant that has chemicals in it), they ask not only if fences are high enough, but if the plant has adequate security around computers and communications to guarantee hackers cannot get in. Once they determine your site is high risk, they conduct a site vulnerability assessment, which could include cyber security elements. “There’s no question it will all be predominantly physically based,” Cosman said.

Standards committee bridges cyber gap

Traditionally, cyber security is largely thought of as an IT problem.  The past few years have demonstrated, however, the typical strategies used by businesses to protect their intellectual property and information systems from cyber attack or  unintentional compromise do not cover the entire enterprise when dealing with the typical industrial or process control user.  While the two worlds of industrial automation and IT existed separately in years past, asset owners today face increasing challenges as information systems drive toward a greater footprint of networking and applications to the shop floor. Given the protection strategies for near-real time nature of control systems are significantly different from IT systems, and coupled with the complicating dynamic of safety (an issue rarely addressed in IT), the need became clear in 2002 that a standard for automation systems was in order.

ISA’s control system security standards committee, ISA SP-99:  Industrial Automation and Control Systems Security, is in the process of drafting standards to address this growing challenge.  Beginning with two technical reports published in 2004, this committee continues to lay the ground work for an industry and vendor non-specific set of standards that can be universally applied to today’s enterprise on a local to a global scale. The first standards document, ISA-99.00.01 – (Part 1) Concepts, Models, and Terminology, begins this process by laying the groundwork by which an organization can understand, define, and implement their baseline industrial security requirements.  This document is in the process of final approval at the committee level and is due out soon.  

ISA-99.00.02 – (Part 2) Establishing an Industrial Automation and Control Systems Security Program begins the operational framework that an asset owner can implement to be sure they are performing all the necessary activities to appropriately address security.  This includes linkages to other areas within the business.  “You shouldn’t address cyber security in a vacuum, but as part of a larger issue, which includes the physical,” said Cosman, general editor of the ISA-99 standards.   The committee is trying to address a gap between cyber security with respect to automation and control systems. Historically, there has been a lot of information available for cyber security for general computer systems, and physical security for industrial systems. “But if you put the two together, there’s been a gap,” he said. ISA-SP99 is trying to bridge the gap between IT cyber security and industry physical security without duplicating the efforts of either one.  “Parts 1 and 2 begin the process of bridging this gap, by explaining in clear language the differences and unique requirements for control systems, providing a framework and vehicle for industrial users to communicate effectively with other groups (such as IT), in the organization, and to clearly understand and implement the appropriate multi-disciplined strategy to address security at all levels,” said Bryan Singer, chairman for the ISA-99 committee. 

These two documents will be available in the coming months as published standards.  Later parts of the standard seek to address such issues as security levels for control systems (similar to the safety SIL level concept) and patch management for control systems.

Chemical industry looks to cyber security program

Another endeavor to secure industrial cyber space falls under the chemical industry’s cyber security program, begun in 2002 and operating under the Chemical Information Technology Center of the American Chemistry Council. It serves as the chemical industry’s focal point for cyber security awareness, networking, and guidance. (See related sidebar on chemical industry cyber security program.)

The program offers chemical companies access to tools to evaluate security performance of their IT and manufacturing systems. A variety of outside industry organizations are working to develop practices and standards for IT and manufacturing systems security. Cyber Security Program Manufacturing and Control Systems Security team members participate in these external organizations, contributing chemical sector insights to cross industry efforts. The team is working with organizations such as DHS, ISA, Idaho National Laboratory (INL), National Institute of Standards and Technology (NIST), and the Process Control Security Forum.

Widespread awareness, acceptance, and adoption of cyber security practices and guidance across the chemical industry are goals of the program. Teams are working to support a vision of sector-wide adoption through trade associations, communication materials and outreach, and European networking and implementation.

Network segmentation creates barriers

Another key cyber security strategy for much of the chemical industry (as well as oil and gas) has to do with network segmentation, using barrier devices, such as firewalls, and routers, to separate off the higher risk process control systems from the business networks and business system devices. That whole strategy around network segmentation and concepts of security zones and conduits is all included in the ISA-99 standard Part 1, which is in final edit and cleanup to be released early fall 2007.

“The reason you segment devices is to be able to analyze the risks of those devices and to develop a counter-measure strategy to identify appropriate measures to reduce their risk levels,” said Tom Good, project engineer with Wilmington, Del.-based DuPont. In a process control system, the devices (controllers, operator stations, historical data collection devices) all play a very intertwined and integrated role in being able to perform the control functions needed in a facility. So the compromise of any one of those devices has the potential for interfering with continuity of production or at worst case, potential health, safety, and environmental issues. “When we segment those devices into security zones where we specifically apply appropriate counter measures, then we’re able to better control or reduce the likelihood of a security incident occurring that would have adverse consequences to our facilities,” Good said.

Security incidents could be as simple as viruses and worms. There is also the potential of key-stroke logging code/ modules getting into a control system and allowing an unauthorized party to capture operational details of controlling the process. “All these would be potential incidents that could have adverse consequence, such as causing lack of availability or incorrect operations of a control device,” Good said. One such undesirable situation would be “if a virus got in and caused the operator control station to reboot or interfered with the display functions of that device, the operator would lose their window to the process to see what’s going on,” he said.

“Quite often, if you can’t see what’s going on in the process, the only safe thing you can do is to go into controlled shutdown of the operation. Doing so could mean loss of production, producing off-spec material, and loss of raw materials during shutdown and restart operations.”

Another type of incident is a denial of service, which can take quite a few forms. Typically in the Internet space, it means a device is getting so many messages it cannot respond properly. “So it chokes and shuts down,” Good said. In a control system, a denial of service could be caused by receiving too many packets or improperly formed packets in the communications to that device. “So the device can no longer do what it’s supposed to do. So, it either slows down or totally shuts down,” he said.

With prevention measures, such as segmentation, Good’s team separates those devices, then places a great deal of emphasis on what is allowed to flow into or out of that segmented off process control system. “We block things that have a high potential for introducing malicious code, such as e-mail or Internet browsing type activity. We prevent that activity from being allowed to come into the segmented process control area. So, by putting controls in to prevent the entry, we reduce the likelihood of that type of incident occurring on our process control devices, which could result in an abnormal operation.”

An abnormal operation is any slowdown in response to a device or shutdown of device, or the incorrect data coming to a device. Abnormal operations impact the integrity and availability of the system and keep it from doing its job. Whenever those things take place, there are usually physical consequences to the facility or the product.

Balancing act precludes market hazards

While health and safety are definitely the most important aspect of security, meeting user demands is also vital, Good said. Any interruption in process may mean missing delivery to a user. Any interruption could have an impact such as making off-spec material or not being able to get quantity product produced in time to meet users’ expectations, resulting in short- and long-term financial consequences.

“Within the chemical industry, we sell to each other a lot,” Good said, “such as selling product to someone else as feedstock to their product. This means the supply chain is integrated together between multiple companies. “We may be buying a feedstock from Company A that we use to make a product we sell back to Company A. So, Company A wants to be able to meet our demands, but they’re expecting us to sell a different product back to them to meet their demands. We’re all in this together,” he said.

A big reason for addressing security is to prevent an interruption in production at one company, which can trigger interruptions with other companies down the line who buy those products and further process them.  “Sometimes we could have expensive custom-engineered mechanical equipment that all needs to work together,” Good said. If the control system of one piece of equipment gets out of sync with the other, there’s the potential for a physical situation where mechanical pieces could collide with each other and damage equipment. “That sort of activity can require extensive periods of production outage until that equipment can get repaired,” he said. A production outage can have high financial consequences, even on a facility that produces low quantities of material. “So it depends on how important that product is to the financial aspects of that business. The effort you spend to try to reduce risks and consequences is very much a balancing act between the cost and the benefit.”

ABOUT THE AUTHOR

Ellen Fussell Policastro is the associate editor of InTech .  Her e-mail is efussell policastro@isa.org.