Safe and Secure

InTech, Dec 2004 by Fussell, Ellen, Sheble, Nick, Strothman, Jim, Hale, Gregory

Crowds pack in security sessions; automation industry picking up

While the industry outlook remained optimistic despite jitters on Wall Street stirred by record-breaking oil prices, it was very easy to find the hot-button topic at ISA EXPO 2004 in Houston. All you had to do was look for the standing-room-only crowds in the security technical sessions. They were easy to find.

Officials needed to bring in dozens of extra chairs to seat attendees at a security standards panel discussion organized by Bryan Singer, chair of the ISA-SP99 standards committee focusing on control systems security.

Singer said the SP99 committee's membership now totaled 240 individuals from a broad cross section of industries, including international interests. Singer said the standards committee's goal was to reduce the complexity of implementing standards, provide a common means for vendors and customers to communicate and receive expert guidance, and reduce industry-wide risks.

Most manufacturing security standards that now exist "are of a guidance nature," he said, and not focused on plant control systems' specific needs.

Agencies involved in related standards, besides ISA, include the National Institute of Standards and Technology (NIST), International Electrotechnical Committee (IEC), American National Standards Institute (ANSI), Institute of Electrical and Electronics Engineers (IEEE), International Organization for Standardization (ISO), Chemical Industry Data Exchange (CIDX), regulatory agencies such as the Food and Drug Administration (FDA), and the U.S. Department of Homeland Security.

However, "manufacturing is not adequately covered" by existing standards, which is why SP99 is actively at work and working with groups like CIDX and NIST, Singer said.

ISA-SP99 has completed the first editions of two key ISA technical reports.

The first, ISA-TR99.00.01, Security Technologies for Manufacturing and Control Systems, appeared in publication on 12 March 2004.

The second technical report, ISA-TR99.00.02, Integrating Electronic Security into the Manufacturing and Control Systems Environment, became available on 12 April 2004.

ISA-SP99 will now focus on developing its first ANSI/ISA standard, while at the same time periodically updating the two technical reports to reflect new information and technology updates, Singer said.

Panel member Joe Weiss, of KEMA Consulting Inc., is heading up an IEEE task force for the electrical power industry, which is looking at improving security against cyber attacks. Based on his experience attending various meetings on the subject, "there is still a lot of disagreement" among various standards-making bodies on definitions of terms, he said.

"ISA is basically coming up with a standard for control systems, and then you can take it back to the other industries" for further refinement, Weiss said.

Security issues at the show were not just limited to the standards arena. Suppliers were keeping a sharp eye on the topic. But they also realized all systems are not tamper-proof.

"I think in a year's time to twenty-four months, security will be a given. Right now, people don't know what they don't know," said Mike Caliel, president of Invensys Process Systems. "I don't think people are prepared today."

Mike Bradley, Wonderware president, agreed users are not prepared, adding, "this will take a while to get it fixed."

Industrial cybersecurity expert Eric Byres brought a new twist to who is really hacking into systems in a panel of government and private industry cybernetworking and critical infrastructure specialists at the session entitled, "Automation Systems-An Achilles' Heel to Our Critical Infrastructure."

No longer are the majority of attacks on industrial computer control systems coming from internal sources, Byres said.

Joining Byres for the forum were Dave Sanders of the U.S. Department of Homeland Security, Dave Scheulen of British Petroleum (BP), Elizabeth Rhodenizer of Public Safety and Emergency Preparedness Canada (PSEPC), and Karl Williams of the U.K.'s National Infrastructure Security Coordination Centre (NISCC).

Byres, research faculty in critical infrastructure security at the British Columbia Institute of Technology (BCIT), introduced research numbers that he and Justin Lowe, principal consultant at PA Consulting Group in London, gathered.

Their breakdown of 13 incidents of industrial intrusion between the years 1982 and 2000 shows that incidents were almost evenly split between accidental, internal, and external sources, with only 31% of the events being generated from outside the company. Accidents, inappropriate employee activity, and disgruntled employees accounted for most of the problems.

These statistics correlate well with the numbers expressed by security researchers in the traditional information technology (IT) world at that time. For example, one statistic was widely quoted in 2001: "A study by the FBI and the Computer Security Institute on Cybercrime, released in 2000, found that 71% of security breaches were carried out by insiders."


 


Content provided in partnership with ProQuest