Control and automation in the chemical process industries (CPI) have evolved by leaps and bounds over the past century, bringing along a host of benefits. As a result, today’s state-of-the-art facilities are more in line with business objectives, less prone to unplanned shutdowns and better able to manage process safety. However, these improvements come hand-in-hand with a relatively new challenge for which few plant personnel have any expertise. That challenge is control-system security, and it must be addressed alongside nearly every one of the convenient features that the CPI employ.
Consider, for instance, the case of remote access to industrial control systems (ICS). A new report published by the Security Incidents Organization (www.securityincidents.org) shines a light on this practice across the industrial sector. According to data in the organization’s Repository for Industrial Security Incidents (RISI) database, up to 65% of industrial facilities allow remote access to their control systems. The benefits of providing real-time system visibility to approved viewers are obvious, but according to the report, approximately 35% of ICS security incidents (from 2001 through 2011) were initiated through remote access. Alarming as those data might be, the report suggests that industry is not necessarily in the dark on this issue. The percentage of control-system security incidents caused by malware (malicious software code) — while still very high at 28% — has been steadily declining over the past five years. In fact, survey data indicate that more than 60% of facilities have implemented patch and anti-malware management programs.
Unfortunately, implementing security protection is neither as simple nor as straightforward as the word “patch” might imply. Earlier this year, Industrial Defender (Foxborough, Mass.; www.industrialdefender.com), in conjunction with Pike Research, released Convergence in Automation Systems Protection, a report that helps spell out why control-system security is so daunting today. Growing control-system complexity is one of the key reasons. The report points out that since most automation environments were developed over decades without a master plan, they now contain heterogeneous systems that are difficult to manage. On top of all that, the exponential growth of intelligent devices deployed in automation systems has definitely not made things simpler. Meanwhile, today’s resource constraints require plant managers, engineers and operators to do more with less. As a result, the report says, automation systems now need the same levels of management and security that have been seen in enterprise networks for the past two decades.
Two upcoming events provide opportunities to learn more about these challenges and the ways that experts are addressing them. The Industrial Control Systems Joint Working Group (ICSJWG) 2012 Spring Conference, which is organized by the U.S. Dept. of Homeland Security’s (DHS) Control Systems Security Program (CSSP), takes place early this month (May 7–10) in Savannah, Ga. (www.us-cert.gov/control_systems/icsjwg/conference.html). An eight-hour Introduction to Control Systems Cybersecurity training course will also be offered on Thursday, May 10, 2012, at the conference site. Then, later this summer, DHS and the Society of Chemical Manufacturers and Affiliates (SOCMA; Washington, D.C.; www.socma.com/events) co-host the 6th Annual Chemical Sector Security Summit & Expo in Baltimore, Md. (July 30–August 1).
In the meantime, consider looking back to Cybersecurity for Chemical Engineers (CE, June 2011, pp. 49–53).
Rebekkah Marshall