PACE 60-year Anniversary Series: Security Systems
From gates and fences to CCTV surveillance and critical infrastructure preservation, safeguarding an industrial plant requires an armour of different security hardware and software systems, all working together to prevent both intentional and unintentional interference with the daily operations of a business.
Though some forms of industrial security are well-established – including safety-related technologies like alarms, sirens and warning lights, access control, and equipment monitoring systems – applications such as cyber security for industrial control systems are still gaining traction.
For Security Infrastructure Solutions (SIS) managing director and principal industrial control systems (ICS) security consultant, Dr Christopher Beggs, any business incorporating process control operations would do well to look more closely at their options, with a view to investing in securing their assets.
“Cyber security for industrial companies became more of an issue and realisation from about 2006-2007 onwards, however still today we identify some sectors and some organisations still pay little attention to the need and importance for cyber security in this space,” Beggs told PACE.
Beggs has spent over 10 years working with supervisory control and data acquisition (SCADA), industrial control systems (ICS) and distributed control systems (DCS), and researching technology to defend these systems from cyber-attack. His company, SIS, is the only national organisation solely dedicated to the preservation of these critical infrastructures.
Though industrial cyber security solutions have become more sophisticated in recent years, the uptake of these technologies is still fairly low in Australia, due to managing, supporting and resourcing issues, says Beggs.
“Security systems or products – such as intrusion detection systems (IDS) and security information and event management platforms – are not widely-implemented in industrial control environments due to the lack of security governance and management of SCADA environments. The maturity of managing security technologies at field layer environments is immature at present,” he explained.
“Security awareness of the cyber threats is rising, as is the development of international security standards and frameworks for ICS, however funding and investment from C-level senior management to fix these problems is still lacking across most industries.”
Cyber security research
One organisation that takes cyber security extremely seriously is the Australian Nuclear Science and Technology Organisation (ANSTO), a statutory body of the Australian government and the centre of Australian nuclear expertise.
ANSTO technical IT security officer, Mitchell Hewes, works with stakeholders across the organisation, along with external regulatory bodies, to produce internal standards, design guidelines and procedures on how cyber security is to be implemented. As part of his role, he assists with the implementation and review of systems to ensure both compliance and that policies do not hinder the rollout of new technologies.
ANSTO addressed both physical and cyber security risks when designing the OPAL Research Reactor at Lucas Heights in South Sydney, and continues to update its secure design methodologies in the ongoing operation and maintenance of the facility.
According to Hewes, cyber security originally became an issue for industrial process control around the 1970s, due to unaddressed risks in the sector. The team at ANSTO now implements secure design methodologies at both a physical and cyber level on all its ventures, including its Open Pool Australian Lightwater (OPAL) reactor – a state-of-the-art, 20MW reactor that uses low enriched uranium (LEU) fuel to achieve a range of nuclear medicine, research, scientific, industrial and production goals, built in 2007.
“It started when programmable devices were first used to control industrial processes, most notably the movement away from hard-wired relay logic systems to PLCs [programmable logic controllers] in the 1970s,” Hewes explained.
“Cyber security then became an issue, just as physical security was before it. Previously, an engineer would need to physically modify the wiring; now, only a soft-modification in program logic is required. While likely unidentifiable at the time, today this is firmly seen as a cyber security risk.
“The evolution of the way we use technology has only served to increase the risk – global inter-networking has connected everyone and computers have reached such a complexity that it is no longer feasible to track and review every single logical operation being undertaken.”
For Hewes, the integration of third-party security technologies in to major commercial operating systems has been a positive step in the evolution of cyber security in industrial process control environments.
“Where there was once a substantial cost involved (which may have conflicted with other organisational priorities), now the core functionality of these technologies is bundled into existing licensing,” he said.
“Locally, the re-organisation of GovCERT into CERT Australia has facilitated increased collaboration between a wealth of government resources and businesses operating in the industrial/critical infrastructure sectors.
“And as far as future developments go, I'm quite interested in further practical applications of a capability-based security model in modern operating systems, particularly the Capsicum framework being integrated by default into FreeBSD 10.”
Hewes also says constant developments in computer and networking systems have caused existing security solutions to evolve from being simply accessories, to core industrial technologies.
“The focus on which solutions have the largest impact has evolved too. There's an ever-increasing awareness that post-incident detection products are no longer solely sufficient, and there needs to be a shift towards more secure design methodologies, greater system hardening, and pre-incident control mechanisms like application white-listing,” he said.
People, process and technology
Though cyber security is an important issue to address, industrial security encompasses a growing range of technologies which should be issued in tandem to properly safeguard the plant, including its people, processes, materials, technology and intellectual property.
According to Honeywell Building Solutions regional leader – marketing and strategic development, Michael Brookes, the field of industrial security is constantly evolving, and has changed significantly during his ten-plus years in the industry.
“Security in an industrial environment is certainly not something new, however, the 9/11 attacks in America increased the focus on the threat of terrorist activity, which in turn led to governments throughout the world wanting to better protect their nations’ critical infrastructure,” Brookes told PACE.
“This has had a knock-on effect, particularly in places like mine-sites that store Security Sensitive Ammonium Nitrate which requires strict control and access. Industrial security now has a greater importance and risk profile than ever before, and this has impacted upon Australia's energy and resources sector.”
Industrial security encompasses a growing range of technologies which should be issued in tandem to properly safeguard the plant, including its people, processes, materials, technology and intellectual property.
For Brookes, the ongoing integration of security technologies continues to have a considerable impact on the uptake of these systems in industrial environments.
“Security systems have expanded to offer more than just security; life safety is a growing focus, as is workforce management. Integration enables companies to do a lot more with their technology; reducing the number of manual steps in any given process can be a great way to improve their operational efficiency, improve response times and more quickly restore business operations,” he explained.
“There is a big focus on integrating security systems with workforce management applications to better manage contractors, training and induction processes, background checks, time and attendance.
“At a technology level, the move to IP (Internet Protocol) is probably the biggest change affecting security – enabling the plug and play technologies that are used today.
“More generally speaking, there is now more of a threat-based approach to security management that is more akin to enterprise risk management. This is seeing companies taking a layered approach to security that enables them to deter, detect, delay and defend against major threats or risks. The focus is now on business resilience and how quickly normal operations can be restored, and is a mix of people, process and technology.”