Critical Infrastructure, notably the Supervisory Control and Data Acquisition systems (SCADA) that operate them, will likely see increased cyber attacks in 2009.

Information Technology within core production

Information Technology (IT) has always been a key component for Energy, Infrastructure and Utility (EIU) companies. The sector is under continuing pressure to reduce costs, increase productivity and ensure efficient use of IT.

As the sector becomes reliant on current IT to support its core production processes, coupled with the threat from unstable geopolitics and cyber terrorism, a proactive approach to IT risk is paramount within the area of process control networks.

Process control systems and networks collectively describe the IT that operates core production processes. There are many terms synonymous with process control systems, including Supervisory Control and Data Acquisition (SCADA) or Distributed Control Systems (DCS).

Process control systems are complex, key to productivity, and are often the most mission critical digital asset an EIU company will own.

The commercial impact from system failure or a security breach, within a process control network, is significant – and a system compromise could also result in environmental damage, personnel injury or ultimately the revocation of a licence to operate.

Increasing interest from cyber attackers

Industry analysis* predicts that process control systems will see increased cyber attacks within 2009 and beyond, as their inherent weaknesses are known within the public domain.

Security weaknesses frequently identified within the corporate IT environment have now migrated into process control systems. However, the protection measures common within the corporate IT environment have not been deployed to manage the risk to process control systems, therefore leaving them open to cyber attacks.

Security weaknesses

Through our experience, Deloitte has identified some of the known security weaknesses and vulnerabilities associated with process control systems, such as:

  • Poor segregation from the corporate IT environment, increasing the attack surface and exposure to business users or third parties
  • The use of insecure protocols, for transmitting time critical process information, which are open to manipulation
  • Process control systems with dated anti-virus and operating systems, due to ill-defined support processes, such as weak service level agreements with process control vendors
  • Limited in-house skills and poor security awareness of risks within process control systems

Combining these weaknesses and vulnerabilities with the potential impact should things 'go wrong' can present a huge exposure and challenge to the EIU sector.

The challenge

Addressing the challenges can be fraught with complications, such as meeting the business and IT demands to keep pace with competitors and regulation, including:

  • User demand for real time access to data to optimise the process and gain competitive advantage, such as remote access to process control system information for business partners
  • Typically, once installed, a system is used until its end of life, which could be in excess of ten years
  • IT and process control operations are typically separate with little or no collaboration

The real worry is that very few of the required security protection measures, which are common in corporate IT environments, have been included in process control system designs.

A safer approach

The differences between process control and corporate IT environments drive a requirement for specific security frameworks.

EIU companies need to consider an approach to segregate access to their corporate IT environments from their process control systems. Furthermore, they need to establish mature processes, such as patch management and current anti-virus protection, in conjunction with a security policy that restricts who is permitted to access which systems within both environments.

Finally, EIU companies who recognise the risk to their process control systems must develop an ongoing process for assessing the threat to these critical systems and test the effectiveness of those controls.

So why Deloitte?

Our Security, Privacy and Resilience Practice includes experienced practitioners that work specifically with clients within the EIU sector.

We have an industry-leading team of process control security experts that have a range of experience with multinational clients. The team are not only information security experts, but also understand the engineering and business aspects involved with the design, operation, and maintenance of process control systems.

Our capabilities include:

  • Secure network architecture and system design that facilitate required business information flow and remote access requirements
  • Risk assessment to confirm that key threats are understood and ensure that implemented controls are commensurate with the risk exposure and appetite
  • Vulnerability management and system testing
  • Incident management, including continuity planning for the management of potential adverse scenarios
  • Vendor/Third party management
  • Security training and awareness programmes for control engineers and operators

Understanding business risk is fundamental to protecting process control networks from cyber attack.

Deloitte have experience assisting clients to establish current state assessments and risk management programmes to effectively manage the appropriate process control security challenges.

We are experienced in analysing process control systems and supporting operational processes against generally accepted information security and industry specific practices, such as those published by NISCC and the ISA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.