When worlds collide

Does a meeting of the IT group and the controls group always have to result in a collision? Can we avoid the broken glass?

11/06/2012


Recently I attended a session with a panel of security experts who were discussing process control system security. There were quite a number of surprising revelations from this gathering including the need to ensure that your facility’s control system isn’t found by a search engine called Shodan. It may sound like the villain of some cyberpunk novels, but can be a real threat to the security of your control system. 

I’d never heard of Shodan, so I was more than a bit taken aback that something like this existed and was regularly being used by hackers to attack industrial control systems. Hearing that the number of systems that can be found using this search engine numbers in the thousands was even more of a shock.

Having worked in this business for a very long time, I know that most of the installed control systems that I’ve been in contact with still have the default administrator’s password in place, so hearing that everyone should go back to their plants and do an audit of this vulnerability was old news. I was surprised to hear from one attendee that in his plant, all of the USB ports of the PCs used in the control system had been sealed with superglue. I’ve never seen even the most draconian IT person suggest that as a security measure.

Which brings me to the topic of this blog: the collisions that occur between the control system group and the IT group.

More often than not, when I am talking to the process controls group about expanding their controls infrastructure, their first question is if we can do it without having to engage the IT people. While they may react that way initially, it doesn't take long for them to realize that such an approach simply isn't practical. It's more important to work through conflicts over issues like security and reliability.

When I talk to the IT people, usually I hear complaints about how uninformed the process control people are about the latest technologies. The folks running the plant get especially concerned when the control system and the corporate systems have to communicate. The concern deepens when some manager wants to view control system data remotely.

A lot of the conflict comes from the need to protect the systems while still making it easy for operators to use. Unless you are in a heavily regulated industry like biotech, your plant probably has generic user names and passwords for functions like operators and technicians. You also have turned off the auto-logout feature and don’t have a requirement that passwords expire. God forbid that operators should have to log in when they start their shift. If you do have individual user names and passwords, they are probably tied to your corporate active directory so if anyone is successful in hacking into that, they automatically have access to the control system. Remote access to the system is probably protected by a VPN if you’re off site, but if you’re on site, you skip that. Consequently, if someone hacks the corporate network, they’ve hacked your control network. You probably haven’t patched your software recently because as the system manager for the control system, you’re also most likely doing a lot of other things that have a higher priority, at least they’re higher priority in your mind. After all, the control system isn’t open to the Internet and even if it is, IT should be guarding that door.

So what’s a control system manager to do to minimize the risks to his or her system? You can start by learning about ICS-CERT and what it has to offer to help you. It even offers free training via the Control Systems Security Program (CSSP). (The training is free, but travel and living costs are on you.) This includes a week long advanced cyber security course that ends with a 12-hour exercise pitting the students against hackers. Best of all, the director of this section within Homeland Security is headed by a former process controls engineer, not some bureaucrat who doesn’t have a clue about what we do. You should also inquire of your control system suppliers if they comply with the Achilles Assurance Platform guidelines or have Achilles Certifications. Finally, you need work through the differences between control systems and IT people so they understand why not all good IT policies are good control system policies and vice versa. This last recommendation has to take place at a high enough level that the decisions made get implemented. 

How has your company coped with this digital divide? Have you and IT made peace? If so how did you do it?

This post was written by Bruce Brandt. Bruce is the DeltaV technology leader at MAVERICK Technologies, a leading system integrator providing industrial automation, operational support and control systems engineering services in the manufacturing and process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, and business process optimization. The company provides a full range of automation and controls services – ranging from PID controller tuning and HMI programming to serving as a main automation contractor. Additionally MAVERICK offers industrial and technical staffing services, placing on-site automation, instrumentation and controls engineers.



No comments
Consulting-Specifying Engineer's Product of the Year (POY) contest is the premier award for new products in the HVAC, fire, electrical, and...
Consulting-Specifying Engineer magazine is dedicated to encouraging and recognizing the most talented young individuals...
The MEP Giants program lists the top mechanical, electrical, plumbing, and fire protection engineering firms in the United States.
2014 Product of the Year finalists: Vote now; Boiler systems; Indirect cooling; Integrating lighting, HVAC
High-performance buildings; Building envelope and integration; Electrical, HVAC system integration; Smoke control systems; Using BAS for M&V
Pressure piping systems: Designing with ASME; Lab ventilation; Lighting controls; Reduce energy use with VFDs
Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Consulting-Specifying Engineer case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.

Protecting standby generators for mission critical facilities; Selecting energy-efficient transformers; Integrating power monitoring systems; Mitigating harmonics in electrical systems
Commissioning electrical systems in mission critical facilities; Anticipating the Smart Grid; Mitigating arc flash hazards in medium-voltage switchgear; Comparing generator sizing software
Integrating BAS, electrical systems; Electrical system flexibility; Hospital electrical distribution; Electrical system grounding
As brand protection manager for Eaton’s Electrical Sector, Tom Grace oversees counterfeit awareness...
Amara Rozgus is chief editor and content manager of Consulting-Specifier Engineer magazine.
IEEE power industry experts bring their combined experience in the electrical power industry...
Michael Heinsdorf, P.E., LEED AP, CDT is an Engineering Specification Writer at ARCOM MasterSpec.