Friday, July 18, 2008

Control System Security

ChemicalProcessing.com has an excellent article in their on-line magazine about security of control systems. The article, "Protect Your Plant", provides a good overview of the real world problems that security managers are going to have to deal with in a chemical manufacturing environment. The article is short on details of how to ‘protect your plant’, but it does provide enough information to help explain the problem to managers not intimately familiar with control systems.

Eric Byres, of Byres Security Inc, provides real world examples to illustrate the points that he makes. This goes a long way to make the problems real to the average reader. For many control systems engineers working with these systems on a daily basis, these examples should cause some forehead slapping, ‘oh my’ moments. These problems could happen at most chemical manufacturing facilities.

There are many good points, but two strike me as being especially important. The first is that the IT department is not equipped to deal with security issues with control systems. Byres points out that different operating systems and design requirements are completely out-of-sync with the standard IT security protocols.

The second important point is that a successful control systems security program must be driven by a commitment from management. Without that top-down drive, security managers and control systems engineers will not be given the authority and resources necessary to implement a proper security program.

Byres provides a useful list of "The 10 most common plant cyber-security mistakes". The list will never make the David Letterman show, but it should probably be read as a catechism for every security team meeting. All of them are good, but my two favorites are:

  • #1 Assuming that someone else (like the IT department) is looking after the security of control systems. It often turns out that everyone thinks it’s someone else’s job. (Upper management is especially prone to the mistake.)
  • #6 Forgetting the human aspects of security. Good security starts with ensuring that staff, management and contractors understand and follow appropriate practices.

This article is a timely read. The recent publication of the instructions for completing SVAs at more than 7,000 high-risk chemical facilities means that many people are looking hard at cyber security (see: "SVA – Computer Systems Analysis"). Articles like this will help these facilities move forward as they start to develop their Site Security Plans in the coming months.
