Treating security like safety

Safety and security work hand in hand in the manufacturing automation arena. However, despite more and more sophisticated, frequent and costly cyber attacks, security still does not receive the same attention as safety. There is a growing need to elevate security awareness to the same level as safety - ensuring not only a safe, but also a secure manufacturing environment.

Let’s face it - security awareness today suffers from an identity crisis at manufacturing facilities across the globe. Big, small or anything in between, there is a general lack of understanding of security best practices.

With reported cyber attacks growing by 600% since 2010, according to NSS Labs, security awareness among manufacturing organisations needs to grow to the point where best practices end up ingrained in workers’ minds. That only makes sense as safety protects man against machines, while security protects machines against man.

Well known within security circles, cybersecurity awareness in the manufacturing enterprise remains nascent and needs to bust out and go mainstream within each organisation. But where does that awareness begin and how can a manufacturer get started on the journey towards security?

A decade ago, when most systems and business networks remained isolated from one another, security was relatively simple. The enterprise stayed connected to the internet but focused on keeping its network up, running and protected, while process control and safety systems remained isolated and really did not have to worry about web connections. However, in the name of progress and efficiency, the two networks became interconnected over time - a true sensor to boardroom communication. By the early 2000s, and especially after 11 September 2001, security professionals saw that safety systems and the control network, previously unguarded from any kind of security measures, needed protection. But getting industry leaders to understand and grasp that concept was akin to rolling a boulder uphill.

Stronger safety emphasis

The idea of safety, on the other hand, generated a strong following - especially after the disaster in Bhopal, India, when a methyl isocyanate gas leak occurred on the night of 2-3 December 1984 at the Union Carbide pesticide plant - leaving 3787 dead and 558,125 injured, according to the Indian government.

In the years since Bhopal, process safety gained corporate importance and all manufacturers understood and respected all safety initiatives. Yes, manufacturers had to look at cost, but it was imperative that companies targeted safety. ‘Safety First’ initiatives began in full force.

Process safety programs focus on design and engineering of facilities, maintenance of equipment, effective alarms, effective control points, procedures and training. It was, and still remains, a vital area to protect a company, its people and the surrounding area from any kind of potential disaster.

When it comes to safety, in order to contain a complex process (such as an oil/gas operation, refinery, chemical plant, steel plant, and automobile manufacturing to name a few), a manufacturer must design and implement management systems to:

• Understand the risk: Predicting problems, including predicting the risk of possible accident/loss scenarios, establish the appropriate design and the right layers of protection to control risk to a tolerable level.
• Control risk factors every day: Controlling the original design by maintaining the established layers of protection and managing changes to the design using integrated management systems.
• Analyse actual problems and determine weaknesses in the system: Identifying weaknesses in design and management systems and weaknesses in risk understanding through root cause analysis of actual problems (losses and near-losses).

Security adoption lagging

At a basic level, security follows the same set of guidelines. Why, then, are more organisations not implementing security into their daily mindset as they are safety? Some of the top internal reasons are: people, training, no real corporate mandate and no business return on investment.

With security being the new kid on the block for process control, getting people to embrace how to integrate security into their everyday work life is an ongoing education process. Teaching workers to not plug a thumb drive into a computer before checking to make sure it is free of any virus is just one example.

In essence, the lack of ongoing training is also a cause of not having automation professionals think of security on an everyday basis. In safety, manufacturers have ongoing training and standard operating procedures, but in security, there is not enough emphasis placed on total security worker education.

To talk security, there must be a solid business proposition behind why a manufacturer would decide to make the investment. Bringing the idea up to the executive suite that security is more of a business enabler that keeps the network and system up and running and productive and not just an insurance policy is important to generate awareness and send a strong message out to the company. After all, security is going to be an ongoing expenditure, not a one-time expense. Initially, there needs to be a risk analysis: what do you need to protect, what is the cost, what is the risk? Then there needs to be a way to quantify those numbers to assess the true benefit.

One of the advantages of safety, that is not as prevalent in security, is the concept of levels. With safety you have a very clear definition of safety integrity levels. A system must meet SIL 1 where there is safety, but at a basic level, through SIL 2, SIL 3 and SIL 4, which would be the most dependable. With security there is the concept of security assurance levels (SL), but it is not as prevalent and not commonly used throughout industry. Manufacturers are not yet demanding a security protection that guarantees SL 3.

Essentially, SL 1 would protect against a casual or coincidental attack and SL 4 would protect against an intentional attack using sophisticated means and extended resources. There are several values of SL within a solution. There is a targeted SL, which is where the user wants to be. Then there is an actual SL, which is the user’s current status based on the existing implementation. There is a maximum attained, which is the maximum attainable SL with your current technology. The ideal situation is your targeted SL and your actual SL end up equal. SL levels are a part of the ISA99 security standard specification, which the international industrial control committee defined and accepted.

The problem is that an SL is harder to determine than an SIL because of the ever-changing threat scenario. The idea of an SL could be a positive in that it can make a security program much simpler. The SL concept remains relatively new, however, and there will need to be some time for industry to have it become part of its embedded culture.

Cultural mindset

Technology will not fix a problem unless the right processes and the right best practices are in place. Technology will help enable people to make the right decision, but the security culture has to be on a par with the safety culture in order to protect against a cyber attack. Even with multiple technology protective layers, users need to enforce a strong security culture that reaches every level - and it has to start at the top.

That is evolving. In the early 2000s, people were starting to become aware of the entire idea of security, and by around 2005, people talked about devices like firewalls that could protect them. But from that time until now, there has been an increase in awareness. The thought process is changing about installing applications and users are starting to think more about security. But is it happening quickly enough?

It is easy to understand why a manufacturer’s mindset might be one of “we were never hit with a security breach before, so why should I install this complicated solution?” That mindset, while still common today, is starting to change - the idea of security being complicated and confusing is evolving into users knowing that they need to learn the basics to protect themselves without breaking the bank.

One of the basic areas of uncertainty is manufacturers not understanding what they need to protect. While safety is very specific in what needs protecting, security has vast areas to safeguard. Attackers today are not necessarily looking for destruction. In quite a few cases, they were working in stealth mode in an effort to steal a company’s intellectual property.

Take ‘Night Dragon’, for example. For well over two years, hackers were surreptitiously able to access oil companies’ systems and steal information including financial documents related to oil and gas field exploration and bid negotiations, in addition to operational details of oil and gas field production SCADA systems. That attack emphasised the need for security to be strong from the field all the way through the enterprise.

With Night Dragon, attackers compromised the perimeter security through SQL injection attacks on extranet web servers, targeted phishing attacks aimed at mobile workers’ laptops and took control of corporate VPN accounts. Several major oil companies were exploited by Night Dragon.

Standards set the tone

While it did take a long time to finalise them, safety often relies on adhering to a company’s standards or industry standards like IEC 61508 and 61511. What is interesting to note - and something most manufacturers should keep a vigilant eye on - is just about 66% of safety instrumented systems in use today predate these standards. The same is true of security, as most control systems on the plant floor today were in existence long before cybersecurity became an issue.

Even though the IEC Safety Instrumented Systems (SIS) standards are not legal requirements, their growing acceptance as guidelines for industry best practice means that non-compliance may have very real liability implications in the event of an incident. And in some regions and industries, compliance already carries the force of law.

Purposely non-prescriptive in nature, the IEC safety standards outline a holistic methodology for managing every stage of a safety system’s life cycle from risk analysis and design engineering through operations, management of change and decommissioning. Elements relevant to safety system performance assessment include adherence to accepted risk evaluation and mitigation methodologies such as process hazards analysis (PHA), hazards and operability (HAZOP) analysis, and layers of protection analysis (LOPA).

Industry and government absolutely mandate safety. Practitioners have to adopt safety under penalties or potential fines if they don’t. In addition, in most cases standards are international, so in a global manufacturing environment manufacturers have to adhere to them. In theory, that means solid safety practices should be the same in the US as they are in Europe, Asia, Australia, South America and Africa. Everyone understands the standards and everyone ends up measured against the same standards, and there are penalties if they don’t meet those standards.

These types of standards for cybersecurity could help drive awareness and implementation. Security standards are a big deal. In a world where attacks are fluid and changing, standards give a level of consistency. They are something you can measure against, especially if they undergo an external verification and end up certified.

In the security environment, there are a number of evolving standards with some more prevalent than others - like IEC 62443 (ISA99) and the WIB standard. The IEC 62443 (ISA99) series of standards has been in development for over 10 years and some parts are final. But there are other parts that are still a work in progress. The WIB standard, approved in 2010, is a standard that outlines a set of specific requirements focusing on cybersecurity best practices for suppliers of industrial automation and control systems.

Unlike safety, penalties for not adhering to security standards are non-existent, neither are there rewards for following them. Right now, with the exception of the North American Electric Reliability Corporation (NERC) in the US power industry, there is no real reporting requirement for security as there is for safety. NERC requires companies to follow their standards and if they don’t, there can be significant financial penalties for noncompliance.

Does there need to be a major incident?

One fear from all ends of the manufacturing automation industry is there has to be some major incident, much like what happened in Bhopal, which will force companies to focus on and ensure their systems remain secure.

There have been quite a few incidents since 2010 - Stuxnet, which brought down an Iranian nuclear facility; Night Dragon; Flame, which was a cyber-espionage malware program targeting Middle East countries; Duqu, a computer worm discovered in September 2011 and related to Stuxnet; and Shamoon, a virus that wiped out 40,000 hard drives at one oil company last August - that have come in and knocked off various networks and inflicted damage.

While those incidents are just a few that raised awareness, the level of urgency that is needed to get manufacturers thinking about security in the same way as they do for safety is still lacking.

Raising awareness

Security protection is still in its infancy. But that does not mean the industry gets a free pass to ignore or hold off on securing their systems. The list of attacks and potential exposure goes on. Corporate data losses hit the highest levels this year since 2008 as companies need to improve data security strategies against a greater variety of more sophisticated IT attacks, according to one KPMG report.

Former US Homeland Security Department Director Michael Chertoff told US oil and gas industry executives in Houston recently that the top threat their businesses face is from cyber attacks. Most companies, he said, experienced some type of cybersecurity event whether they know it or not. Energy companies are clearly in the crosshairs of cybercriminals as more than 40% of all reported malicious cyber attacks in 2012 ended up directed at them.

The risk is there for everyone, but by following a guide of best practices, providing mandatory personnel training and starting the task of undergoing risk assessments, manufacturers big and small can ward off intruders to keep their systems up and running so they can remain a profitable enterprise.

The basic need for security is to:

• increase plant safety
• reduce downtime
• reduce environmental and financial risk
• meet regulatory compliance
• connect the plant to the enterprise

In the end, manufacturers’ main goal is to make product and not deal with anything that throws them off track. That is why they have to demand security in the products they buy. They have to make those demands to force vendors to certify the products in an accepted standard, but be willing to pay extra for a more secure solution. After all, if a vendor invests in security for their products and no one will pay for it, then it will be a slow rollout. In safety, it is clear manufacturers will invest in higher safety compliant systems that have an SIL certified rating.

Security, like safety was, is a culture change. Technology must include security and people have to embrace it. Security must start at vendors and work its way through the product life cycle, and it has to continue once it gets up and running at the manufacturer. It is a huge job and the industry is moving in a positive direction, but there is a long way to go.

Safety requires investing in resources to achieve it. Security is exactly the same. Security takes money and people to manage it, to implement it and to verify it is working. It is an accepted practice for safety. It is becoming an accepted practice for security.

Security best practices Assess existing systems: Understand what you have and your exposure Document policies and procedures: Know what you have to do and when you have to do it Train personnel and contractors: Everyone has to be on the same page Segment the control system network: Define zones and conduits Control access to the system: Allow certain access privileges Harden the components: Lock down functionality of components Monitor, maintain system security: Remain vigilant and keep up to date