About 5 years ago I was sitting around a big table in a conference room at a major LNG terminal. Outside the window I could see a big city harbor filled with boats, bridges, skyscrapers and approximately 5 million people. I could also see two huge LNG storage tanks that, I was told, had the hazard potential to form a vapor cloud that could cover the harbor and, under the right conditions, could burn and explode.
I was brought to the facility by a control system integrator who had been working onsite and had concerns about the control system security and the potential risk that it represented. They wanted me to discuss options to evaluate and improve the security of the system. As soon as I was introduced, the plant manager banged his fist on the table and said, “This facility is secure! We have a firewall and nothing can get through it.” Then he turned to the IT guy and said, “Isn’t that right, Paul[1]?” Paul fidgeted a bit in his chair and said, “Well, uh, yes, we do have a firewall between the corporate network and the process control network.”
Of course, Paul knew full well that his firewall, just like the firewall between the passenger cabin and the engine compartment in your car, has lots of openings to allow necessary services to pass through. However, it was clear that the plant manager viewed the firewall as an impenetrable barricade - something analogous to the Berlin Wall. I’m sure he was thinking, “After the price I paid for that firewall, the last thing I need is some hotshot control system security expert coming in here to tell me I need to spend more money to secure my plant from some invisible threat.” It was hard to blame him for feeling that way.
Fortunately, we went on to have a good discussion about defense-in-depth and how firewalls, while providing a great first line of defense, are not impenetrable. Not only can viruses and unauthorized persons slip through the ports a firewall must leave open, there are also plenty of ways for malicious code or malicious people to circumvent it entirely.
5 years later I am still visiting plants and reviewing control system network diagrams, and the only layer of defense is still the single firewall between the corporate LAN and the big, flat control system network.
We’ve been talking about defense-in-depth for so long that it is almost cliché. But the principle of protecting critical assets with multiple layers of defense makes sense in SCADA system security and control system security just as it does everywhere else. It starts with assessing the cyber risk to the entire control system, looking at every potential access point (e.g. firewalls, switch ports, USB ports, CD-ROM drives, wireless communications, etc.) and asking, “What are the threats, what are my vulnerabilities, how much risk does that represent and, if it’s more than I can accept, how can I mitigate it?” In a nutshell, this is the security risk assessment process that exida helped that LNG facility work through, and many others like it since then.
[1] Paul was not the actual name of the IT guy.