Plant Floor Security Assessments

This is a great time of year to be a blogger for Emerson with the Emerson Exchange happening next week. It’s that time when process manufacturing professionals, Emerson and local business partner professionals, and alliance members gather to exchange their expertise with one another.

It’s also a target rich environment for me to find great things to discuss in blog posts. Emerson’s Dave Rehbein, a senior data management solutions consultant, will be presenting a workshop, Plant Floor Security Assessments – Key Findings. I’ve known Dave for a long time. We represented Fisher-Rosemount in the original OPC standards effort back in the mid 1990s. Dave served as the master editor for the original OPC specification released in 1996.

If your responsibilities include the cyber-security efforts around your automation systems, and you’ll be at the Exchange next week, this is a presentation you’ll not want to miss (Wed 10/1, 2:15pm Chesapeake 7, Thurs 10/2 9am Chesapeake 7.)

Dave will present aggregate findings from three different process manufacturers where he performed plant-floor security assessments. He’ll discuss risks found in the areas of: patch management, isolation of plant control network from the office network, following existing security procedures, use of unsecure legacy operating systems, security log auditing, and hardening of PCs and servers.

Dave describes the security assessment process as one that typically takes two weeks and involves reviewing existing plant floor security processes, reviewing network and device security, developing a risk matrix of the plant floor systems and application, and developing the risk mitigation plan based upon the findings from these earlier steps.

It’s critical that the process manufacturers have participation throughout the organization for the plans to be executed and the work processes put in place for ongoing security. He recommends participants include an executive sponsor, a plant area engineer, plant IT director, security officer, chief network architect, network/telco architect and an operations manager. Dave presents an overview of the flow of activities over the two weeks.

Microsoft provides some excellent assessment tools that can gather information on the current state of security. Dave mentioned the Microsoft Baseline Security Analyzer (MBSA) and the Microsoft Security Assessment Tool (MSAT) as important assessment tools for things like identifying patch levels and to conduct interviews with key plant personnel to assess the maturity of the existing security programs.

The risk matrix that is developed as part of this security assessment process takes each recommendation developed and looks at its urgency, impact and investment required. Each of these parameters is graded on a low, medium, high scale. This helps establish the priority, justification and roadmap for cyber security improvements.

As I had mentioned in an earlier post, commercial off the shelf technologies (COTS) have allowed all automation suppliers to rapidly improve their platforms by taking advantage of the price/performance curve described by Moore’s Law. The downside is that security is a much greater concern since parts of the technology development are outside the control of the supplier. Security consultants help suppliers to rigorously test their equipment to identify and fix areas of security concern.

Process manufacturers must also do establish security practices for the lifecycle of the automation equipment on which they rely to operate their plants. The process Dave describes in his talk is a great way to compare with what you’re currently doing today.

Posted Thursday, September 25th, 2008 under Cyber-Security, Data Management, Emerson Exchange.

Leave a Reply