As an end-user, do you know how reliable and safe your Safety Instrumented Systems (SIS) and Basic Process Control Systems (BPCS) are from potential cyber issues? Do you rely on your vendor statements regarding the robustness of their products? If the answer to these questions is “don’t know” or “yes” then maybe you should be considering using an independent 3rd party to perform a cybersecurity vulnerability assessment (for existing installations) and/or performing a cyber-risk assessment (as part of a HAZOP) for new installations. This is especially true for legacy systems that are still in operation using products from the mid-1990s. Although most software engineers won’t admit it, they often used to have “back doors” to enable fault-finding and debugging of programs during shop floor testing and site installation. This was because most systems were proprietary with little or no off-the-shelf tools for debugging externally. Most of these systems today are connected to their network using gateways. The problem is that most of these “back doors” were never removed and/or “sealed” so they represent just one of several potential entry points for cyber-attacks.
Many of these entry points went unnoticed for years, but two significant events changed the way we all look at these former proprietary systems. First was the move to standard Windows based platforms, and the second was STUXNET, which revealed the ability to directly target and affect control systems. Groups have been formed that not only investigate these vulnerabilities, but publish their findings on the Internet making them available for the world to see.
More and more end users over the past few years are becoming aware and sensitive to the potential threat posed to their installations from cyber-attacks. Much has been written regarding viruses such as Stuxnet, Flame, Shammoon, and most recently Heartbleed. One way to ensure robustness to cyber-attacks is to ensure that suppliers of SIS (Logic Solvers, switches, intelligent field devices, etc.), BPCS (Controllers, switches, intelligent field devices, interfaces, etc.) and SCADA (RTUs, switches, intelligent relays, interfaces, etc.) have had their products tested and certified to the ISASecure (IEC 62443/S-99) and/or the Achilles standards. End Users should be insisting on this as a prerequisite for their acceptance of suppliers’ products in SIS, BPCS, and SCADA applications. This would not only apply to the Oil & Gas, Refinery, Chemical, Fertilizer and Process industries, but also to critical infrastructure, such as pipelines, water and utilities (including electrical distribution).
Performing a non-intrusive “gap analysis” to the IEC 62443 standard is a relatively low cost and quick way of determining whether your existing installation is “vulnerable” to cyber-attacks and shows the areas that would need to be improved both “physically” and “digitally.” The end user would then have a means to address these risks and to put in place measures to mitigate and/or remove these potential threats. Regarding new installations, insisting on cyber certified products from suppliers is the best option.
No matter what, the cost of having a compromised SIS due to a cyber-attack that leads to an incident versus the cost of performing cyber risk assessments and/or vulnerability assessments could be one or two orders of magnitude higher. So the answer to the question of how secure is your SIS, BPCS, and SCADA needs to be addressed.