March 2008

Feel the impact, need for total security

By Steve Rubin

Until the start of this decade, the issue of security in industrial applications was often a secondary issue-on the radar screen, but not front burner.  

Safety was always paramount and generally addressed through instrumentation, fail-safe design, documented procedures, training, and good management. Today, the world is very different, and security has become the new, high-priority issue. Protecting the operating integrity of a plant, a system, and personnel is now a strategic imperative.

Security measures provide deterrence, detection, and support for forensic (after the event) investigation.  There are now many areas where security measures apply: The "low hanging fruit" for process automation systems has been in the networking area. 

As networks migrate toward Ethernet standards, they can become more vulnerable to hacking and other breaches.  Physical security has historically relied on brute-force methods like chain-link fences and door locks. Now a third element, video surveillance, is becoming a sought-after technology to provide the security elements mentioned above. There are even technologies that enable real-time video to integrate into SCADA and HMI systems in ways that cannot occur via commercial video systems.

For more than two decades industry practitioners have learned applying automation management systems must serve multiple departmental boundaries and their unique perspectives to deliver the highest value. Designing and deploying relevant security measures must leverage these considerations and production environments.

Under watch

Leaders focused on protecting their businesses, brand equity, and production from breach must confront a number of critical dependencies: People productivity, core processes and procedures, legacy and emerging technologies, and costs. Deterring the threats and minimizing the impact is even more challenging for highly distributed, disparate organizations. The best solutions undergo measurement for total cost of ownership, ease and speed of deployment, and integration while decreasing the burden on your people. 

People: Every enterprise must be vigilant, and every employee must share this vigilance. How do you avoid security becoming a silo and a hit toward productivity? Integrating security into the SCADA/DCS system provides a common operator interface for production operations speeding the acceptance of security as an integrated responsibility. Security Awareness Training is also critical to streamline relevant information and to identify threats and intrusions early.  Each group with an enterprise shares the responsibility to keep the organization secure. Security cannot become its own silo or owned by one department such as IT, audit, risk, or others.

Technology: Large organizations have deployed and incorporated a diverse set of physical and logic security and safety technologies spanning more than 30 different technologies. Newer technologies should integrate and make use of existing investment as much as possible without needless upgrades and new capital expenditures. 

Processes/Procedures: Managing the integration, introduction, and deployment processes must be simplified and at minimal cost. Automating evasive actions on your most remote unmanned operations is possible and is best served with technologies designed to handle long-haul remote applications. Solutions that include camera standards, integrated alarming, and event notification, over a diverse set of proprietary and often low-bandwidth networks, is critical. When you take this integrated approach common alert policies and procedures covering incident notification and response can be refined, distributed, and leveraged-one surveillance system and operator interface for all alerts.

Direct your attention to simplified systems that tightly integrate within your existing DCS, SCADA PLC, or RTU architecture. You will benefit from multiple sets of extra eyes wherever you need them operating every second of every day 24x7.  

Protecting headquarters to local has been traditionally easier, but the most vulnerable sites are often the most remote. Companies selecting those solutions that cover both the local and remote bases integrated within their existing legacy automation will be the ones that gain an upper advantage. 

ABOUT THE AUTHOR

Stephen Rubin is president and chief executive of Longwatch. He was the founder of Intellution, Inc., a developer off process control software for personal computers. His e-mail is srubin@longwatch.com.