Security across the Control System Lifecycle

Over at the Tofino Security blog is a post, PLC Security Risk: Controller Operating Systems. A question was posed to the blog’s author:

How could a hacker possibly attack an industrial controller like a PLC or SIS, since there is no operating system in these devices?

The post addressed the question with this answer:

Every RTU, PLC, SIS or DCS controller on the market today has a commercial operating system in it.

This post goes on to share the operating systems in the controllers of several automation systems, including the DeltaV system. The operating system listed for the DeltaV controller is not correct.

It’s always a good idea to check with your automation system supplier if you have questions about the technology-related components within your automation system.

I turned to Emerson’s cyber-security expert on the DeltaV team, Bob Huba for his thoughts on this post.

Bob stresses that it’s very important to include your control system supplier in security planning in order to develop and implement security plans that do not impact the robustness and availability required of the control system. Following “generic IT” security guidance can be problematic.

In an earlier post, With Security Comes Different Points of View, I shared several examples of how security for your plant systems and control systems should be viewed differently. Here’s one example:

…if an operator gets locked out and can’t immediately address a plant alarm condition, the results can be very different than if an accounts payable professional gets locked out from their workstation.

Each programmable logic controller (PLC), remote terminal unit (RTU), safety instrumented system (SIS), and distributed control system (DCS) has technologies, security best practices, and services to be a part of an overall security program to increase the robustness of the system. It’s important to work with the supplier to develop, execute, test, and maintain the program through the lifecycle of the system.

Much like the safety lifecycle we frequently discuss here, control system security is unfortunately not a “set and forget” activity, but rather an ongoing process that requires energy and focus to address. Here is where you can find more on DeltaV security and security-related services.

Podcast: MP3 | iTunes

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

One comment so far

Leave a Reply