Shortly after 9/11 there was considerable worry about attacks on U.S. chemical plants. So far no plants have been attacked but is that just dumb luck or are we doing something right? This article will look at the nature of the threat, what’s currently available to protect plants, how industrial control systems are dealing with cyber-security threats, and what to expect in the future.
ACC Responsible Care
One of the earliest drivers of improved chemical plant security has been the American Chemistry Council’s (ACC’s) Responsible Care initiative, which began in 1988 and is mandatory for all members of the organization. The ACC Responsible Care security code requires that each company implement a risk-based security management system that includes 13 management practices: leadership commitment; analysis of threats, vulnerabilities and consequences; implementation of security measures; information and cyber-security; documentation; training, drills and guidance; communications, dialogue and information exchange; response to security threats; response to security incidents; third-party verification; management of change and continuous improvement.
On March 3 ACC came out strongly in support of the efforts of the Department of Homeland Security’s chemical plant security program.
Department of Homeland Security
The Department of Homeland Security (DHS) Appropriations Act of 2007 gave DHS the authority to regulate the nation’s highest-risk chemical facilities. In 2007 DHS published the Chemical Facility Anti-Terrorism Standards (CFATS), which require “high-risk” chemical facilities to enhance security and establish new procedures for protecting chemical facility security information. DHS can fine or shut down a facility if it judges that the facility is not taking the right steps to meet the standard.
Which facilities are "high-risk" depends generally on the type and amount of chemicals they possess, in accordance with DHS’s Chemicals of Interest list (6 CFR Part 27 Appendix A). Any facility possessing specified amounts of the specified substances must complete a Chemical Security Assessment Tool (CSAT) Top-Screen and submit it to DHS. DHS will then make a preliminary determination as to whether a facility presents a high level of security risk. A facility determined to be high risk must develop and implement a site security plan (SSP) that describes both physical and procedural security measures. DHS will send inspectors or do audits at a frequency determined by each facility’s tier ranking.
CSAT is a secure Web-based tool that can be accessed only by Chemical-terrorism Vulnerability Information (CVI) certified individuals. DHS encourages facilities to register on the CSAT website for a user identification and password if they believe they may be covered by the regulation. Once the Department validates a facility's registration, it will notify the facility how to access CSAT. DHS has also published the CSAT Top-Screen User’s Manual to assist facilities in completing the Top-Screen and submitting it to DHS.
So far compliance with CFATS has been good, says Scott Jensen, Director of Communications, ACC, and facilities have been submitting their site security plans, “but the big part of it is inspectors will be going out to facilities,” which is apparently just getting under way.
The original 2007 act included a sunset date. There are several competing bills under consideration that would extend DHS authority but take different approaches to strengthening chemical plant security, including H.R.2868, passed by the House in November, and S 2996, the “Continuing Chemical Facilities Antiterrorism Security Act of 2010,” introduced in February of this year. A controversial provision of the House bill would require companies to take action to reduce the consequences of a terrorist attack by the use of so-called inherently safer technology (IST), which would include changing chemicals or processes. Whether this will survive is unknown at this point, although ACC has come out against it.
We can hope for some sort of continuity, as Jensen puts it, “so that you don’t upset the continuity of the regulations because you’re asking people to take pretty big steps, make some pretty big investments.”
Industrial control systems once lived safely in isolation. While PCs could get infected with viruses, and IT departments kept busy tracking down malware and unauthorized connections to the enterprise network, the control system was considered pretty safe. For one thing it ran proprietary software that had little or nothing in common with Windows, and for another thing wise plant people ensured that there was no connection — an air gap — between the control network and the enterprise network. No matter how bad things got on the office system, the control system was protected.
Today, not so much, for two reasons, says Bob Huba, Product Manager, DeltaV, Emerson Process Control. First of all, he says, “you can’t be guaranteed that you have an air gap, even if you think you do.” And at a more fundamental level, he continues, most places can’t survive with their systems that isolated. “There’s too much data flowing back and forth people want access to.”
At this point it’s probably wisest to think of any network, anywhere, as being like a boat: It’s surrounded by a sea of viruses and other malware, and if there’s even the slightest leak the bad stuff will get in. There doesn’t have to be someone out there with your name and IP address; the malware is simply there and will get in if you let it. For a scary look at vulnerabilities, take a look at the IndustryWeek article by engineering consultant Frank Dickman, “Hacking the Industrial Network.”
Who are these guys?
Once upon a time the hackers who tried to break into computer systems did it for thrills and bragging rights, but today’s bad guys break down into two groups: crooks and terrorists. The crooks want to steal from you; they’d like to take control of your system and then extort money from you in exchange for not shutting you down, or worse. But they’re driven by greed. If it’s too difficult or time-consuming to break into your system they’ll move on and try somebody else.
Enemy governments and terrorists, on the other hand, want to “shut down your chemical plant or cause a Bhopal kind of thing, if [they] can, because what [they’re] trying to do is impact your economic structure,” says Huba. And they’re likely to be much more patient than the crooks are.
One would think that bad guys would go after larger companies and facilities, because there’s more money to be made or more damage to be caused, but Huba points out that doesn’t mean that smaller companies and facilities get a free pass. The bad guys may decide to use them as training exercises. “So the people who say, I don’t have to worry about this personally because I’m not going to be a target,” he says, “maybe you aren’t the target, but you are aiding and abetting if you’re not going to do some security stuff.”
So what can you do?
The bad guys’ motivations and patience mean little to the control system engineer, who must keep them out. Fortunately, there’s a lot of information available on how to do it. Control system makers have programs and classes on cyber security, and there are plenty of companies that will provide protection training and consulting, but even without them there are some obvious things to do. A good first step is to check the ACC's Chemical Information Technology Center (ChemITC) Web site, where there’s a wealth of guidance documents, white papers, podcasts and Webinars on the topic. And there are products like the Nessus vulnerability scanner that can help find holes in security.
DHS’s National Cyber Security Division (NCSD) provides a great deal of information, including technical security alerts and security bulletins for technical users, plus security alerts and security tips for non-technical users that are kept updated on a daily basis. NCSD offers online training via its United States Computer Emergency Readiness Team website, www.us-cert.gov, conducts its own instructor-led training sessions, and provides vulnerability assessments of operational control systems and vendor equipment. Its overall strategy for coordinating activities to improve control systems security is explained in its October 2009 publication “Strategy for Securing Control Systems.”
At one time control people and IT people seldom saw eye-to-eye when it came to security, and to some extent that’s still true, says Huba. An IT person tends to look at the control system as an extension of the plant LAN, he explains, and to treat control workstations like office PCs: as potential attack points, because on office PCs people tend to surf the Web and plug in memory sticks. In a properly configured control system that’s not possible, and, in fact, the biggest danger to the control system is the plant LAN itself, not vice versa.
The essential concept is defense in depth: put a firewall between the corporate LAN and the control system, harden the control system workstations so operators can’t surf the Web or plug in USB memory sticks, and scan for intrusions. A survey taken by the Industrial Automation and Control Systems group of the ChemITC Cyber Security Program, entitled “Cyber Security in the Chemical Sector: Implications for Process Automation,” shows that out of 30 responses, 24 (80%) use firewalls, four use a router only, 10 use both, and just one response indicated complete physical separation. In another area of the survey, out of 12 responses, 83% used network intrusion detection systems (IDS) and 67% used Host IDS.
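One way to check that the boundary between the plant LAN and the control network actually holds is to audit observed network flows against the short list of connections the firewall is supposed to permit. The following is an added example, not part of the original article; the subnets, the historian conduit and the flow records are all constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (hypothetical, not from the article).
CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")
CORP_NET = ipaddress.ip_network("10.20.0.0/16")

# Assumed allowlist of conduits through the firewall: (src, dst, dst_port).
ALLOWED_CONDUITS = {
    ("10.10.0.5", "10.20.1.10", 443),  # control-side historian -> corporate server
}

# Constructed flow records, one per line: "src dst dst_port".
SAMPLE_FLOWS = """\
10.10.0.5 10.20.1.10 443
10.10.0.21 10.10.0.22 502
10.20.4.77 10.10.0.21 3389
10.10.0.30 203.0.113.9 80
10.20.4.77 10.20.1.10 445
10.10.0.5 10.20.1.10 22
"""

def zone(addr):
    """Classify an address as control, corporate or external."""
    ip = ipaddress.ip_address(addr)
    if ip in CONTROL_NET:
        return "control"
    if ip in CORP_NET:
        return "corporate"
    return "external"

def audit_flows(text):
    """Return flows that cross the control boundary outside the allowlist."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            src, dst, port = line.split()
            port = int(port)
            zs, zd = zone(src), zone(dst)
        except ValueError:
            continue  # malformed record: skip rather than guess
        if "control" not in (zs, zd) or zs == zd:
            continue  # flow never touches the control boundary
        if (src, dst, port) in ALLOWED_CONDUITS:
            continue  # expected traffic through the firewall
        findings.append((n, f"{zs}->{zd}", src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Each finding is a connection that either bypasses the intended conduit or shows the control network is less isolated than assumed, such as a control host reaching an external address.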
A look ahead
To see where DHS plans to take its chemical plant cyber security efforts over the next decade, take a look at its “Roadmap To Secure Control Systems In The Chemical Sector.”
In August the DHS office of the Inspector General issued a report entitled “Challenges Remain in DHS’ Efforts to Secure Control Systems” detailing the progress of the National Cyber Security Division’s (NCSD) Control Systems Security Program (CSSP) “efforts to establish a cohesive partnership between the public and private sectors to reduce risk to the nation’s critical infrastructure control systems.”
Looking ahead, says Jensen, “I think the good news is that CFATS will continue to move forward, if Congress has teed it up so that there will be able to at least reauthorize the program a little bit further, even though it’s kind of kicking the can down the road versus finding a more permanent solution.” So when Congress finally gets moving again we may finally get some clarity on where the regulations are going.