Process Control Network Security Weak Links

ArizonaCG

Despite security measures we implement on Process Control Networks, I have observed these to be real-world security weak links at most sites:

1. Network and Windows Privilege and Administrative level accounts and passwords become "public" knowledge during and/or shortly after commissioning. Examples: temporary passwords never get changed after commissioning; Plant Engineers and IT folks writing down passwords on a desk, cabinet, piece of paper taped to the cabinet, etc.

2. Unused network ports left in active state. Example: for Cisco switches, the "shutdown" command was not applied to the unused port interface. Often, the port is left active for "convenience" or due to lack of command-line knowledge for the network equipment.

3. PCs physical media ports are unsecured. Examples: USB ports, CD/DVD drives, floppy drives, etc.

4. Indiscriminate installation of unapproved/unqualified software that creates conflicts, crashes, unexplained behaviors with System Vendor's software.

5. Inadequate physical securing of sensitive Plant network infrastructure, not only from physical tampering but also from the environment (dust, heat, moisture, etc.), which can cause unplanned, undesirable shutdowns.

These vulnerabilities can easily or accidentally be exploited by someone within (Contractor, disgruntled employee, Boudreaux, Billy Bob, etc.), which effectively bypasses security measures that focus heavily on mitigating outside/external risks.

Take a quick assessment of your Process Control Network and determine if one or more of these vulnerabilities exist.
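Item 2 above (unused switch ports never given the `shutdown` command) is the kind of thing that is easy to audit from a saved running configuration. The script below is an added example, not part of the original post: it parses an IOS-style running config (the sample config is constructed for illustration, not from any real switch), lists physical ports that are neither administratively shut down nor in use, and emits the interface commands that would disable them. Treating "no description and not a trunk" as "unused" is an assumption of this example; confirm link state (for instance with `show interfaces status`) before applying the output.

```python
"""Audit a Cisco IOS-style running config for active but unused switch ports.

Constructed example: SAMPLE_CONFIG is invented for illustration.  An "unused"
physical port is assumed here to be one with no description and no trunk role;
such ports should be administratively disabled with the `shutdown` command.
"""
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
!
hostname pcn-sw01
!
interface GigabitEthernet0/1
 description Uplink to PCN core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Historian server
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport access vlan 10
 shutdown
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/5
!
end
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")
PHYSICAL_PREFIXES = ("Ethernet", "FastEthernet", "GigabitEthernet", "TenGigabitEthernet")


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped sub-commands]} for every interface block."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        match = INTERFACE_RE.match(raw)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a non-indented global command ends the block
    return interfaces


def is_physical(name: str) -> bool:
    """True for copper/fibre switch ports, False for SVIs, loopbacks, port-channels."""
    return name.startswith(PHYSICAL_PREFIXES)


def find_active_unused_ports(config: str) -> list:
    """Physical ports that are not shut down and show no sign of use (assumption:
    a port with no description and no trunk role is unused)."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not is_physical(name):
            continue
        shut = "shutdown" in lines  # exact match; 'no shutdown' does not count
        in_use = any(l.startswith("description ") or l == "switchport mode trunk"
                     for l in lines)
        if not shut and not in_use:
            findings.append(name)
    return findings


def remediation_commands(ports: list) -> list:
    """IOS configuration-mode lines that disable each flagged port and label it."""
    commands = []
    for port in ports:
        commands += [f"interface {port}",
                     " description UNUSED - administratively disabled",
                     " shutdown",
                     "!"]
    return commands


if __name__ == "__main__":
    flagged = find_active_unused_ports(SAMPLE_CONFIG)
    print("Active ports with no sign of use:", ", ".join(flagged) or "none")
    print("\n".join(remediation_commands(flagged)))
```

Run against a real `show running-config` dump the same way (read the file into `config` instead of `SAMPLE_CONFIG`); the parser only needs the `interface <name>` header and the indented sub-commands that follow it, so it is not tied to one IOS version.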

pre-secured

will.irwin

I'm sure you are correct that some users would pay extra for specialized computer and network hardware if it could free them from having to worry about security problems. The question is whether enough would pay extra to make it worth suppliers' investment to develop such things.

Then there is the question of the long-term supportability of such hardware. Installed systems are expected to last for 15 years or more: when they consist mostly of off-the-shelf PCs it's not too expensive to replace them every few years if they run into spare parts availability trouble. This is not so easy with proprietary gear. And it's far from unknown for vendors to discontinue products or even go out of business leaving users in a bad position.

Bottom line: there were some extremely strong business reasons that drove us from the proprietary hardware of (say) 1990 to the off-the-shelf $1500 PCs of today. It would take some equally strong drivers to reverse that; and it is not clear - yet - that enough people take security seriously enough to do so.

Control Network Security/pre-security

kkchan

As a manufacturer of some hazardous materials, we follow the usual security guidelines: (a) no one allowed into the plant/control room without employee/visitor ID, (b) combination locks on process control computer room doors, (c) userid and password requirements to log in, and a few other requirements.

There are lots of suggestions in the user communities and forums about "no connection between control network and plant LAN", "disable unused ports on Hub/switches", "disable USB, DVD/CD drives" etc.

Day to day activities like backing up databases (and moving them away to another location), export/import of tags, troubleshooting Ethernet ports or cables and many other maintenance related activities require the use of these ports, drives and devices. Also, most process engineers and production supervisors access process history data from their offices (via the plant LAN), which needs a flow of information from Control Network/application stations to the business LAN. Firewalls can be used to make sure that information out of the control network is a one way street when it goes to the business LAN.

In my view, disabling unused ports & media drives causes unnecessary headaches for day to day (maintenance) activities.

Any thoughts from other users?

Accessing Data Histories

pjcoyle

Back when I was working as a process chemist in a specialty chemical company I was on-call 24/7 to diagnose process upsets/problems. Since I lived 30 miles away from the plant it was very handy to be able to dial up the VPN, look at the process historian and be able to figure out what was going on without making the drive. Additionally, the time savings frequently prevented re-work batches.

While I only had access to the data historian, my boss had the same type of access to the actual control system, allowing him to operate controls and (I think I remember this right) actually program the control system from his house via the VPN.

Was this a potential security problem? Almost certainly, especially since the link was protected by only a VPN password.

Patrick Coyle

Chemical Facility Security News

Can't process control networks be "pre-secured"?

klarson

It seems there's an untapped market opportunity for the process automation supplier community to provide computer and network hardware for use within process control systems that is fully "pre-secured," such that end-users -- most of whom are not security experts -- can put systems in place and know that the standard vulnerabilities already have been addressed and eliminated. Heck, they'd probably even pay extra.

Keith Larson