In last week’s Friday News and Notes we mentioned a story on access and management of PLCs via Blackberry. This relates to one of the frequent and interesting discussions we have with asset owners when they are considering exposing their control system in new ways. What are the benefits of this increased exposure, and is it worth the increased risk? Here’s a common example:
An organization is putting in Ethernet-enabled PLCs or other field devices, and the group that will install, configure and manage the PLCs wants to be able to do this from any computer on the corporate/enterprise network. This group is often not responsible for monitoring and controlling the process from the control center, but obviously if multiple PLCs are corrupted or unavailable it could have catastrophic results for the process.
Now in the maintenance group’s defense, they have come to this conclusion because the PLC sales and engineering groups are highlighting this as a standard practice and a huge benefit. However, you will find almost unanimous agreement among standards, guidelines and security professionals that it is a bad idea to affect control from the enterprise. The difficulty is that expectations are already set, and may even have been sold as an important benefit.
The next step in the discussion is “what if we implement this security product?” So a firewall or firewalls are suggested, followed by VPNs, followed by strong authentication, terminal servers, … Layer upon layer of security, which, by the way, adds complexity, potential for configuration error and an increased attack surface. Every time we say it is a bad idea, another security product solution is proposed. It becomes very difficult to focus on the real question: is it really necessary to allow regular access, with the ability to affect control, from any enterprise computer?
Is it possible for maintenance personnel to go to a site with a dedicated connection to the control system network to make changes? Is that slightly inconvenient or a huge problem? If it is a huge problem, do we need to build one or more secure rooms with drops that access the control network? More often than not, when we finally get past the “can’t we secure it?” discussion (which can take a while), there is an admission that there is no compelling need for access that can affect control at any time from any computer on the enterprise. Just because something can be done, it should not always be done if it increases exposure without significant and required benefits.
Two related comments on this:
- Asset owners need to make sure they evaluate new access carefully BEFORE it gets installed. It is hard enough to stop new access, but it is almost impossible to take away access that employees are used to having.
- Most asset owners should have a means of emergency remote access from outside the control network. This may seem inconsistent with the example in this blog entry, but the key word is “emergency”. If you don’t have this emergency capability, or a workable administrative procedure for it, an insecure method will likely be put in place during an emergency.