You probably don’t need a reminder that process control systems have direct impact on the “real world”. That’s the whole point, isn’t it?
So we need to be extra careful about process control system security. This is not just because the programs or data might be damaged, but because there is the potential for real damage to equipment and life-and-death impact on plant personnel.
This is no April Fool’s Day joke. Intrusion into process control systems could shut down water, electricity, and sewers. Imagine the damage that could be done to an oil refinery or chemical plant.
There are basically 3 types of threat to your control system:
1. The internal person who intentionally or unintentionally makes a change to the control system. Some statistics suggest this makes up about 70% of all unauthorized changes.
2. The “rogue” hacker. An external person who tries to break in. This is the classic “computer hacker” that we all think about. They may not even know that they are dealing with a manufacturing plant.
3. The scariest of them all, the “organized external” threat. Primarily, this is organized hacking by the governments of unfriendly nations. What better way to start hostilities than to shut off the water & electricity all across the country?
The U.S. Department of Homeland Security recognizes this threat. They put up a booth at the last ISA Expo, and talked to anyone who would listen.
As a process control guru, what can you do? Here are a few suggestions:
1. Ensure that all control systems have security measures in place. This includes individual passwords, not “shared” passwords. This may be challenging, especially for older DCS and PLC systems.
2. Work with your IT department to ensure that appropriate network architectures are in place, including firewalls and other network measures.
3. Ensure that there is some form of audit process to test and confirm the capability of your security measures.
4. Ensure that you have a complete and current backup (and restore) system in place.
5. With process engineers, double-check the process design. Make sure that physical safety measures (i.e. pressure relief valves) are in place, in the event of control system failure.
This is hard work. It is no joke. You have a responsibility to yourself, your co-workers, neighbors, and country to make sure that the process control system is secure.