Once designed to operate in isolation, chemical manufacturing control systems are now being connected to the virtual world. Production data from control systems are integrated with IT analytic tools and online resources to help reduce production costs, enhance operational efficiencies and improve maintenance.
However, control systems that are open to data exchange are also open to the possibility of cyber attacks ranging from espionage to physical damage in the plant. An inclusive approach to cyber security that brings together engineers, IT professionals and corporate leadership can help chemical manufacturers benefit from the latest technology while maintaining a strong security posture.
A comprehensive strategy for cyber security needs to recognize the basic fact that control system security is not the same as corporate IT security. In fact, each side has different security objectives, a different technology background, and a different approach to managing security issues and technology issues in general.
Because of the differences between IT environments and control systems, the tools and techniques that IT uses to maintain and protect its dynamic network topologies are often not suitable or applicable to statically defined control systems. All updates, including patches and virus definition files, should be thoroughly tested with the control system before being approved for installation.
Although every organization is different in its security requirements, a strategic approach based on the efforts of stakeholders across departments, business units and parties outside the organization can serve as a strong foundation for control system security. This approach can be broken down into the following key phases:
Developing a foundation
Develop a control system cyber security strategy that is based on solid foundations that are aligned to the organization’s culture, environment, and business strategy. This starts by identifying all key stakeholders and securing their full cooperation with the security goals of the organization. Working together, stakeholders can identify gaps and develop the appropriate governance mechanisms to manage and control all aspects of control system cyber security.
Planning and control
Build the capabilities to prioritize, coordinate, and measure the work to improve security. Then review and design the extended risk and control environment for the control system assets. In particular, look at the risk management regime and ensure that is it appropriate for the control system environment.
Design and implement appropriate methods that allow processes to operate with a level of cyber risk that is as low as reasonably practical. Cyber threats are always rapidly evolving, so incorporate a review process that includes regular assessments and upgrades of security measures.
Cyber security will remain a critical issue for the chemical industry. Bad actors are nothing new; the difference today is how and why they act. Organizations can take an inclusive, coordinated, and strategic approach to planning, vigilance and ongoing enhancements to help them manage and mitigate cyber risks.