Chemical Focus


At a gathering of manufacturers hosted by Siemens, a poll among delegates showed that nearly a third had been the subject of a deliberate breach of industrial security. 83% believed there is a growing threat around industrial security issues for their business.

Such anecdotal evidence is important, especially when backed by industry experts. Leaders in this field say there has been a 600% increase in industrial control system vulnerability disclosures in just the past couple of years.

The threats are magnified in terms of source, ranging from nation state-sponsored attackers working within companies to seek out vulnerabilities, to hackers using cloud computing, as well as internal or third-party accidental attacks that can still cause major disruption.

Reported incidents include attacks upon the energy sector with the electrical infrastructure having to be shut down, as well as unauthorised recipe changes that have led to considerable and expensive product loss. It is now widely accepted that industrial cyber security needs to be addressed and relevant standards adopted that can provide the guidance in developing secure products, architectures and solutions.

The consequences of cyber security incidents are diverse but nonetheless highly impactful. For chemical manufacturers they can range from production interruption, reputation loss, the expense of retrofitting security after an incident, as well as supply chain impact. Symantec announced that between July and September 2013, hackers sought to collect intellectual property from a number of chemical firms, including design documents, formulas and manufacturing processes.

In the case of industry, many companies have in the past considered their automation systems to be immune from attack. The trend had been for companies to use proprietary, one-of-a-kind security systems, specifically built for purpose, meaning that hacking into them was a complex task. However, more recently companies have adopted commercial off-the-shelf technologies (COTS) such as Windows- and Ethernet-based solutions for their plant control. Although there are many advantages to such systems, security is something that proves to be a constant problem, as such ‘standard’ systems are easier to attack.

With such requirements, the complexity of modern automation systems and the importance of making sure operations are not interrupted by the unexpected, it is vital that chemical manufacturers protect their systems. But how can this be achieved?


Sean McDonagh, business manager, Chemical, Siemens UK & Ireland


Protecting operations

Any system that secures plant assets should use a ‘defence in depth’ strategy, one that takes a multi-layered approach to cyber security. No single security measure is good enough to prevent intrusions. ISA 62443 offers an approach that the chemical industry can adopt as it looks at the lifecycle of a product, plant solution and processes.

It provides a methodology for carrying out vulnerability risk assessments, implementation of a solution dependent on the security level (SL) requirement, and validation and continuous monitoring of the network infrastructure and installation to complete the lifecycle approach principle. The standard allows engineers to have a structured approach to the overall system design, ensuring that availability, integrity and confidentiality (AIC) are fully implemented within the overall system approach.

ISASecure system security assurance (SSA) is a certification programme for systems consisting of multiple devices that aims to offer a compliance programme for the ISA 62443 standards. A further consideration should be embedded device security assurance (EDSA), which focuses on the security of embedded devices and addresses device characteristics and supplier development practices. There are already certified products listed in EDSA and this will grow, providing end users with peace of mind that they are using products that have been tested against known vulnerabilities.


The EDSA consists of:


• Functional Security Assessment (FSA) to review security functions such as authentication


www.engineerlive.com 61

