Safety in the Plant


Mission-critical applications and their vulnerabilities


 Cybersecurity is becoming an increasingly important aspect of plant safety as new strategies and technologies are implemented. Eugene McCarthy reports.


Fig. 1. Invensys cyber security solutions cover every aspect of plant activity to ensure that safety is not compromised.

Tofino Security, a brand of Belden, and a leader in signal transmission solutions for mission-critical applications, has published new research showing that patching is often ineffective in providing protection from the multitude of vulnerability disclosures and malware targeting critical infrastructure systems today. Patching is routinely carried out by process industry companies.

While patching such systems is important as part of an overall defence-in-depth strategy, the difficulties of patching for industrial systems mean that compensating controls such as Tofino Security Profiles are often a better method of providing immediate protection, says the research.

Since the discovery of the Stuxnet malware in 2010, industrial infrastructure has become a key target for security researchers, hackers, and government agents.

Designed years ago with a focus on reliability and safety, rather than security, supervisory control and data acquisition (SCADA) and industrial control systems (ICS) products are often easy to exploit.

As a result, there has been exponential growth in government security alerts for these systems in the past two years. In addition, they have attracted some of the most sophisticated (Stuxnet, Night Dragon, Flame) and damaging (Shamoon) cyberattacks on record. Eric Byres, CTO and vice president of engineering at Tofino Security, investigated the effectiveness of patching for protecting control systems from vulnerability exploits and malware. His work revealed that: the number of vulnerabilities existing in SCADA/ICS applications is high, with as many as 1805 yet-to-be-discovered vulnerabilities existing on some control system computers; the frequency of patching needed to address future SCADA/ICS vulnerabilities in both controllers and computers probably exceeds the tolerance of most SCADA/ICS operators for system shutdowns.

Unlike IT systems, most industrial processes operate 24/7 and demand high uptime. Weekly shutdowns for patching are unacceptable; even when patches can be installed, they can be problematic. There is a 1 in 12 chance that any patch will affect the safety or reliability of a control system, and there is a 60 per cent failure rate in patches fixing the reported vulnerability in control system products. In addition, patches often require staff with special skills to be present. In many cases, such experts are not certified for access to safety-regulated industrial sites. In addition, patches are available for less than 50 per cent of publicly disclosed vulnerabilities, and many critical infrastructure operators are reluctant to patch as it may degrade service and increase downtime.

When patching is not possible, or while waiting for a semi-annual or annual shutdown to install patches, an alternative is to deploy a workaround, also known as a ‘compensating control’.

Compensating controls do not correct the underlying vulnerability; instead, they help block known attack vectors. Examples of compensating

