Cyber-Security and Dual-Zoned Hosts

Cyber-security for automation systems is an ongoing worry for most process manufacturers. I always keep my eyes open for good articles on the subject. Just this week I came across a ChemicalProcessing.com article, Strengthen Your Cyber Security. It describes steps chemical manufacturers can take to improve their cyber-security efforts.

When I come across these articles, I turn to resident Emerson cyber-security expert, Bob Huba, for his thoughts. Bob knows the article’s author, Andrew Ginter, and thinks his article is spot on from the standpoint that there’s still work to do in securing control systems, including basic “blocking and tackling” [an American football expression for taking care of the basics]. He senses in his discussions with customers that control system security policies need work and that some process manufacturers are not consistently doing basic security activities on their systems.

Bob notes that, to be fair, everyone is busy these days, and security is probably being done as best companies can manage with current staffing. This is yet another discipline that needs to be learned or at least understood. There is already much a process automation professional must know, from knowledge of the process and its dynamics to knowledge of the technologies to measure, control, and optimize it.

One area Bob wanted to clarify, specifically for process manufacturers with DeltaV control systems, is the sidebar section of the article on “dual-zoned hosts”. He thought this might be applicable to other systems, but might raise unfounded concerns about DeltaV security. The DeltaV system does use dual-ported or dual-homed workstations that act as “gateways” to interface data and external/remote user access into and out of their DeltaV system. These DeltaV workstations are not designed or intended to act as dual-zoned hosts.

Based on the ISA99 (SP99) security standard, a “zone” refers to a “security zone”, and these “zones” are at different security levels. A device installed as a dual-zoned host is acting as a security device: a device that separates and maintains these different security zones. A firewall is an example of a dual-zoned host, but a firewall is designed expressly to be used as an inter-zone security device. DeltaV workstations are not intended to act as inter-zone security devices; they are not installed to act as dual-zoned hosts. The recommended network architecture requires a perimeter firewall or other security appliance between the DeltaV workstations and any external LAN connection. This architecture moves the DeltaV “zone” boundary such that the firewall becomes the boundary security device. In this architecture, the firewall is the security device responsible for maintaining the separation between the security zones.
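The distinction between a dual-homed and a dual-zoned host can be checked against a network inventory. The sketch below is an added example, not code from Emerson or from the article discussed; it assumes every network segment is assigned to exactly one security zone, and all host, segment and zone names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    role: str        # e.g. "firewall", "workstation"
    segments: tuple  # network segments the host has an interface on

def audit(hosts, segment_zone, boundary_roles=("firewall",)):
    """Classify every multi-homed host by the security zones it touches."""
    findings = {}
    for h in hosts:
        if len(h.segments) < 2:
            continue  # single-homed hosts cannot bridge zones
        unmapped = [s for s in h.segments if s not in segment_zone]
        if unmapped:
            # A segment with no assigned zone must fail the audit, not pass it.
            raise ValueError(f"{h.name}: no zone for {unmapped}")
        zones = {segment_zone[s] for s in h.segments}
        if len(zones) == 1:
            findings[h.name] = "dual-homed, single zone"
        elif h.role in boundary_roles:
            findings[h.name] = "dual-zoned boundary device"
        else:
            findings[h.name] = "VIOLATION: dual-zoned " + h.role
    return findings

# Constructed inventories; all host, segment and zone names are illustrative.
# Recommended layout: the firewall sits between the workstation and the plant LAN.
RECOMMENDED_ZONES = {"control-net": "control", "ws-uplink": "control",
                     "plant-lan": "business"}
RECOMMENDED = [
    Host("controller-1", "controller", ("control-net",)),
    Host("app-station", "workstation", ("control-net", "ws-uplink")),
    Host("perimeter-fw", "firewall", ("ws-uplink", "plant-lan")),
]
# Layout without the firewall: the workstation's second port is on the plant LAN.
FLAT_ZONES = {"control-net": "control", "plant-lan": "business"}
FLAT = [
    Host("controller-1", "controller", ("control-net",)),
    Host("app-station", "workstation", ("control-net", "plant-lan")),
]

if __name__ == "__main__":
    for label, hosts, zones in (("recommended", RECOMMENDED, RECOMMENDED_ZONES),
                                ("flat", FLAT, FLAT_ZONES)):
        print(label, audit(hosts, zones))
```

In the first inventory the workstation has two ports but both sit inside the control zone, so only the firewall spans zones; in the second the same workstation becomes the zone boundary and is flagged.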

Perimeter security has never been the primary function of the DeltaV workstations. The workstations can assist in securing the system by running anti-virus software and providing another layer of network isolation functions to limit external access into the system. These are additional layers of security in the overall DeltaV security solution that should include a perimeter firewall/security device.

Process manufacturers should not be concerned that DeltaV dual-ported or dual-homed workstations pose a security vulnerability. Following the recommended cyber-security practices will greatly assist their cyber-security efforts.
