The Anatomy of a Cyber Security Assessment

With cyber security becoming such a dangerous issue, we'll likely see industrial plants undergoing increased scrutiny with an eye toward safety. We may even see government-mandated cyber security reviews, since a breach at an industrial plant could pose a health and safety risk to a community.

Over the last five years, the DuPont Co. has regularly monitored all aspects of the security of its Sabine River Works plant on the Gulf Coast of Texas. The plant produces ethylene copolymers used in plastic packaging. The monitoring process began with a full security assessment. The assessment focused heavily – though not exclusively – on cyber threats.

The DuPont assessment was prompted in part by a 2014 report from Germany's Federal Office for Information Security (BSI) about an attack on an unnamed German steel mill. “Nobody cares about cyber security until it happens to somebody similar to you,” Cody Joines, DCS manager at DuPont’s Sabine River Works plant, explained, during a presentation on DuPont’s security assessment at a Siemens Automation conference in June.

MORE FROM DESIGN NEWS: Cyber Spy Versus Spy Hits the US Government Hard

He has a point. The Sony hack was colorful, but the attack in Germany was closer to home for industrial plant managers. The incident caused physical damage to the facility. Sophisticated attackers used spear-phishing and social engineering to gain access to the steel plant's office network. From this entry point, they made their way into the organization's production network. Control components and entire production machines suffered outages due to the attackers' actions. The outages prevented the plant from appropriately shutting down a blast furnace, leaving it in an undetermined state. This resulted in significant damage to the plant, BSI noted in its report.

DuPont corporate instructed the Texas plant to do an internal cyber security assessment. “We conducted an inventory of our automation process and control (A&PC) devices, developed a simple network diagram of the A&PC systems, performed risk versus consequence assessment for each A&PC device, performed security gap analysis of current security practices, and estimated the effort and funding required to close the security gaps,” said Joines.

Launching the Assessment

Early on, DuPont plant managers decided to bring one of their principle automation vendors into the assessment. “We brought in Siemens so we would have another set of eyes to see what we had, and to do a vulnerabilities assessment so we would know what to protect,” Joines said. “We wanted to find relevant, new, and undiscovered vulnerabilities and risks.”

On the first action day of the assessment, Siemens personnel and the plant managers conducted a meeting to discuss the process, tour the plant, and do an active network analysis. The team looked at physical security as well as online security. Corporate IT was also involved to give access to all of the connected networks. After the first meeting, the data digging went on for weeks. “We did all this during normal operation,” Joines said. “Nothing stopped during the assessment.”

MORE FROM DESIGN NEWS: Certification Training Brokers Peace Between OT and IT

Joines noted that the team analyzed all the data – a lot of data – and came up with a report. “The report included a list of initiatives or action items that needed to be done, and we attached priorities and recommendations to each of the action items,” Joines said. “It was a long list with long and short descriptions. We looked at what could go wrong and how likely it was to happen.” The team then used the risk analysis to come up with priorities.

In describing the ranking of risks, Joines noted that if a risk could do a lot of damage and it was very likely to happen, it was considered high priority. If the risk couldn’t hurt anyone or damage DuPont’s stock price, and it wasn’t likely to happen, then it was considered a low priority. “We created a list of high-risk, medium-risk, and low-risk items,” Joines said. “We also assessed the cost to addressing each risk, and we looked at the cost of the damage if things did go wrong.”

Measuring Risk Against Protection Costs

Joines noted there was a range of things that were part of the risk mitigation, each with its own cost and assessed effectiveness. “You could spend a lot of money on a smart firewall or a little money on a simple firewall. IT corporate worked with us to determine the cost of risk,” said Joines. “Some companies will do all of the inexpensive items first, others do all of the high-risk items first.”

The assessment team created a prioritized list of what to do, which became the plant’s plan of attack. “Cyber security is not a one-stop thing. You don’t fix it and walk away. So part of the solution was to put in a monitoring and alarm system for network cyber security,” said Joines. “You can also prioritize the alarm system. If one thing happens and another thing happens, you can assess that it’s a red event.”

MORE FROM DESIGN NEWS: Cisco and Rockwell Partner to Enhance Cyber Security

The time frame from the start of communication about the assessment to the presentation of the report took less than three months. “The conclusion gave us a roadmap to improve our position,” Joines said. “It gave us a blueprint of what we’re going to do. It’s both a check-off sheet and a roadmap.

Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine, Chile Pepper.