Integrated Safety, Security Plan Catches Threats, Potential Incidents
By Gregory Hale
Summer was in true form in Michigan a few years ago on a warm Saturday evening in June. But for quite a few workers at a major U.S. auto manufacturer, that idyllic setting had an abrupt ending at 5 p.m. when they fell victim to the Slammer worm.
A SQL patch had been available to take care of the worm for the previous six months, but the automaker did not apply it to their systems. The system is running fine, they probably thought, so why apply a patch? The worm was efficient and quick. It ultimately slithered its way into 17 of the manufacturer’s plants, and it took eight hours to contain.
In those eight hours, that worm cost the automaker $150 million. Today, with the industry losing over $20 billion a year from preventable safety and security incidents, it shows manufacturers need to be on the same safety and security page throughout their manufacturing enterprise.
The Slammer worm hit years ago and did serious damage. Stuxnet hit just last year and brought down a nuclear enrichment facility in Iran, causing severe damage to centrifuges, which ran out of control while the operators thought everything was just fine.
Industry security experts agree these events will continue, and one way to help protect your plant is to arm yourself with a strong defense-in-depth strategy. That is where an integrated safety and security plan comes into play.
“An integrated safety and security strategy can not only decrease the risk to plant operations, but also increase uptime by catching threats, potential incidents and accidents before they cause problems in the plant,” said Scott Hillman, manager of the Global Technical Assistance Center at Honeywell Process Solutions. “A lot of it has to do with timeframe analysis of the threat. For example, if we can give an operator 30 minutes’ notice or up to an hour’s notice of an impending threat using abnormal situation management technology, the operator can take action. They can actually prevent the need for the emergency shutdown system to kick in and stop the process.”
Know the Goal
In the case of the automaker, after rectifying the problem they audited all of their plants for unmonitored or unprotected external data connections. One plant alone had over 400 violations. They ended up running security awareness training in all plants.
“There are many different approaches depending on the nature of the threat that you are trying to examine and the overall perspective,” Hillman said. “It really depends on the site’s objectives, perceived threats, and where they feel comfortable given a certain layer of protection and a given perceived threat. From an integrated safety and security perspective you can go into a consultative mode and analyze where the threats could occur within the plant from a safety standpoint or outside the plant from the security standpoint.”
There was a period when safety stood alone and, while physical security existed at a plant, the relatively new idea of cyber security was hardly a thought in anyone’s mind.
“In safety and security, one cannot exist without the other. The safety system is the last line of defense in a plant to secure it from accidents or incidents,” said Erik de Groot, manager of safety systems at Honeywell Process Solutions. “Security is required to protect physical and intellectual assets. That means you need perimeter security, access control and cyber security.”
To give one example of how safety and security go together, de Groot said Honeywell worked on getting its Safety Manager product ISASecure certified by the ISA Security Compliance Institute. “That means it is designed to stay secure against cyber security attacks.”
The certification covers the embedded device, but it also looks at the entire development cycle.
“It looks at whether the requirements were well-defined. Do you have the right documentation in place? Did you do the right testing on the product? This means security is built into the product from the beginning,” de Groot said. “This ensures safety and security are fully integrated.”
“In a defense-in-depth strategy, we will employ Safety Manager as a layer of protection for emergency shutdown systems,” Hillman said. “To protect that layer, we go to great lengths to ensure it is secure from cyber security attacks. That is why we had Safety Manager tested and certified under the ISASecure certification program, because at the end of the day even your layers of protection need layers of protection.”
Security, Safety Meet
Coming from a security perspective, it is easy to see how safety and security intermingle.
“A secure solution requires there to be an inclusion of safety,” said Shawn Gold, global solutions leader of open system services for Honeywell Process Solutions. “When you talk about security around equipment, and when you are talking about safety, then you are talking about personnel. Even though the two are interrelated, an insecure plant is an unsafe environment for people. A safe plant will also be a secure plant.”
Technology will continue to be there on the plant floor, and it will continue to get stronger, faster and smarter, but one of the major components needed to ensure a safe and secure environment is the people running the processes.
“The human element in an integrated solution can be the weak link,” said Adrian Fielding, senior manager of industrial security solutions at Honeywell’s Automation and Control Solutions. “So, the technologies we use and the information we bring together enable us to automate as much as possible. If there is an emergency, the technology can provide the operator with information that would include his step-by-step response procedure, in order of priority.”
“Technology alone does not solve all your problems,” Gold said. “When you are talking about a good, holistic security program, you need to make sure you mitigate risk by dealing with the human element, understanding how they behave.”
“People are curious, and they may want to play around with things. They may want to explore areas they shouldn’t. So you need to train personnel and put in not only policies and procedures – which are good to have as guidelines for personnel – but also barriers to access so they don’t inadvertently go into areas they shouldn’t or touch and manipulate things they shouldn’t,” Gold said. “It is a combination of making sure there is an understanding of human needs and basic human behaviors and making sure you have the proper training, processes, policies, procedures and physical barriers in place to protect your investments.”
“There are a lot of technologies that can be applied to improve safety and security in the process industries,” Hillman said. Ensuring a safe and secure plant “ends up being about the work processes of the people at the plants on a day in, day out basis, ensuring technologies are utilized the way they should be, in the best possible way.”
Automating work processes and understanding what operators do on a daily basis has a strong safety and security element to it, especially with baby boomers approaching retirement.
“With the impending retirement of the baby boomer generation that has been running these plants, it is more critical than ever, especially for process safety and security, that we capture that knowledge. We must codify it into multiple layers of protection and integrate it into a holistic safety and security approach, because much of the knowledge that has been accumulated over the years is going to walk away from the plant,” Hillman said. “These are the people on the front lines who make sure the plants remain safe every day. As they go, we have to make sure we maintain that knowledge by capturing it and putting it into the systems and technologies that we employ in the plants. This will ensure the plants remain safe for the next generation.”
With one generation leaving, a new collection of workers will need to acquire the historic plant information, along with training for new technologies to ensure a safe plant.
“A lot of knowledge is going away, and the manufacturer needs a way to capture that knowledge,” de Groot said. The manufacturer needs to look at “procedural operations where they can capture the procedures operators execute in an automated fashion. The procedural operations can be kept electronically on the control systems, and the operator can execute it manually, or it can be automated by the control system. That way, you can capture the knowledge in the heads of the operators and make sure each time the procedure is executed, it is done the correct way.”
“One other aspect is a simulation software product that can be used from the design of the plant all the way up to the advanced control you use at the facility,” de Groot said. “It allows you to use dynamic simulation to train operators. Operators don’t get a chance to start up or shut down a plant on a regular basis. You can train the operators on specific situations by going through abnormal situations and making sure the operator knows how to handle them. You can use that environment to certify operators every year so you are assured they know how to deal with abnormal operations in your facility.”
Total Team Effort
One of the other important aspects behind an integrated safety and security platform is understanding that no one person, or technology, stands alone. Everyone works together, including different departments within the organization.
“A holistic, integrated approach to safety and security reduces the risk to a plant’s operations,” Hillman said. “It is not just about the technology or about the process engineering piece of it, but it is an approach that encompasses many different technologies and many different disciplines from the plant. All the disciplines in the plant have to be involved.”
“Within a plant, safety is everybody’s business. Whether it is the plant’s operators, the IT group, process engineers or the maintenance shop, they all have to be involved. They all must be engaged and leveraging their expertise,” he said. “I can’t stress it enough – it also has to come from the top. Plant management must make this a priority. They have to make sure the people have the tools, whether it is technology or work processes, to employ their knowledge in these areas.”
Hillman then added, “The Baker report strongly emphasized the culture of safety within the plant and the need for management to stress that safety is the most important thing within that plant.” The Baker report came out of the 2005 BP Texas City refinery explosion that killed 15 workers and injured more than 170 others. That report, headed by former U.S. Secretary of State James A. Baker III, talked about BP’s lack of a safety culture. It also went beyond that to say how all companies should regularly and thoroughly evaluate their safety culture, the performance of their process safety management systems, and their corporate safety oversight for possible improvements.
One way to strengthen the safety culture is for engineers to understand and work well with the IT department as that group gains a stronger foothold in the plant environment.
“For a long time, (engineers) felt they had to bypass their IT department in order to get things done,” Gold said. “In many ways that was the case. In order to get remote connections and troubleshoot plant equipment, they needed to go through backdoor methods. That is not the way to do it today. In this open environment, that is very dangerous.”
“The process control people have to work much closer with the IT folks to make sure they are following best practices,” he said. “They also have to understand the new threats in the IT environment, because those threats will be passed down to the process control environment.”
Understanding threats and putting them in the right context will ensure that a worm like Slammer, a virus like Stuxnet, or the next vicious piece of malware remains under control and the plant keeps running productively and profitably.
Gregory Hale is the editor and founder of ISSSource.com.