Does the process industry understand the cyber threat?

posted Dec 20, 2012, 1:15 PM by Webadmin Safepark Consultancy
On December 14th Joe Weiss asked on the Control Global Community pages "Another survey says utilities taking cyber security seriously - really?".  The background for the question is the so-callled Aurora Vulnerability, which is a threat to electrical distribution grid reliability, which appearantly can be mitigated by a hardware change in the substations. Joe Weiss is questioning if the utilities have really upgraded their substations.
Some years ago I visited a major hospital and had a tour of their ventilation system. That was quite impressed just by the size of the ventilations channels, and the underpressure generated on the doors to these. However, the system was controlled by standard of-the-shelf hardware which quite conveniently included an internet connection. That internet connected saved  the technician for many 100 kilometer trips to fix small operational problems at odd hours of the day and on weekends. They simply connected to the ventilation control hardward using another of-the-shelf product: PC Anywhere. However, at the time a single login was share among all the technicians. I wonder if this has changed today?
I also wonder how facilities still are software vulnerable to Stuxnet? Many facilities would require a shutdown to upgrade software on critical hardware. For some that shutdown window has yet to appear.
Today I also learned about some malware in the Middle East which erase all non C: partitions on the Windows computers it finds itself on.
Cyber threats are really anoying, since they require you to change how you work on a day to day basis, and you never know if you have stopped anything. For example you may need to establish special procedure for getting data from the process control network to the business network for e.g. performance analysis, design debottleknecking etc.
Have you ever heard about mainframe virus or mainframe malware? Maybe the exist in a laboratory somewhere, but their development and deployment would require Stuxnet like efforts. Have you considered a mainframe solution for your plant? Some did in the 1970's. They are now extending the life of their more than 30 year old investment. That is they have been running the same process control computer for more than 30 years! What other computer systems can provide that length of service?
Today you can actually get a mainframe with one or more extenders. So you naturally place the mainframe in or close to your head office (or other protected environment) and then extenders in each of your major plants. The extender can run both Windows and Linux software. Now the trick is to ensure there is no connections to your extenders except form your process control system - and that this system don't have any direct internet connections. Then there is a safe data channel from the process to the head office mainframe, where the process data could be used for optimization, performance monitoring using complex models, etc. Since the Windows and Linux systems on the extenders are isolated from the internet, there should be no need to regularly patch them with security upgrades.
Well, at the moment there is a small problem with the concept described here: The mainframe and the extender currently have to be rather close to each other. That currently rules out the mainframe solution, but the basic idea of a secure data channel from the process to computers for optimization, etc. could properly be implemented with other means. The concept is based on secure  data delivery from plant to user, and no internet connection directly to any part of the process control systems.
Will such a structure eliminated the cyber threat? Only if you can prevent your engineers from using random USB-drives to transport process data away from the process control network. For this to be a reality you would to provide the engineers with another easy means for access to the necessary process data. That I think is possible!