by Liza Penarroyo
No business, individual, or government agency is immune to a cyberattack. Large processing facilities, nuclear plants, petrochemical companies, and other industrial environments make especially big targets for “hacktivists” and other cyber criminals.
To close up the biggest security vulnerabilities in your industrial process, it’s important to ask questions, such as: How do attackers get access to your systems? Where are your process controls most vulnerable to attack?
Here are five ways to look for the answers to those questions.
1. Physical security
Start with physical access. Your facility most likely has gates and controlled-access areas, but if they aren’t used properly, they won’t offer protection.
Unsecured gates and doors, as well as inadequate personnel screening and lax security measures, can all make your plant much more vulnerable than it seems at first glance.
2. To err is human
You rely on security technology to protect your facility at every level, from facility access to software to the automated controls that optimize your process: distributed control systems (DCS), programmable logic controllers (PLC), supervisory control and data acquisition (SCADA) systems, and human machine interfaces (HMI).
However, the security measures you employ may also have drawbacks of which you’re unaware, such as:
- Designer or installer error in configuring or installing the system
- Inadequate maintenance and upgrade plans — do you have the latest version?
- Operator error in running processes — mistakes happen, but do you have a way to catch them?
- Inadequate skill levels among your employees
Even the most sophisticated security system can be taken down quickly by a cyberattack, but human errors, such as the ones listed above, can open doors for those criminals to inflict damage — and downtime.
3. Not always an accident
You can’t please everyone. Thus, one common cause of security problems is disgruntled employees who have personal grievances that motivate malicious attacks from the inside.
Also, the nature of the facility might leave it vulnerable to attacks made for political purposes. Attacks on process industry companies in the private sector, such as energy producers, utilities, or chemical companies, are becoming more common. Just consider the damage a cyberattack could wreak on an offshore refinery, oil pipeline, water supply, or power grid.
4. Beyond the individual level
Far too often, security problems arise due to glitches in the system itself. The overall process culture might have too much room for human error, or employees might not properly appreciate the gravity of the risks they take. Lack of communication between IT and process control staff also plays a part in these problems.
Operations and changeover procedures might not be managed securely enough, even in ways as basic as requiring frequent password changes and regular security auditing and enforcement. Sometimes, factories and industrial facilities might be using unsecured or outdated hardware and software with the attitude “if it ain’t broke, don’t fix it.” However, the failure to update also opens your systems up to security breaches.
If you’re not making use of available supervision and threat detection tools, you’re opening your network up to that much more risk.
5. Control system vulnerabilities
Like any workplace, factories, utilities, petrochemical production facilities, and other industrial sector businesses need to ensure that there are no security loopholes in the control network.
Common security holes include:
- Unsecured remote access
- Lack of crucial network segmentation to contain and minimize attacks
- Inadequate firewalls
Hardware and software security breaches can hit your network through a variety of devices and systems: unsecured remote terminal units (RTUs), PCs, USBs, mobile devices, peripherals, and specific HMIs and control software.
Because of the complexity and individuality of the industrial environment, it behooves all process industry companies to perform regular network security assessments. In addition, frequently revisit all process control systems to make sure the right protocols are being followed and the hardware and software supporting them are up to date.
Above all, when you implement new systems, be sure to get it right the first time. Building security technologies and systems into your industrial process at design time is the best way to ensure they are well-integrated and easily updated when the time is right.