Now more than ever, chemical plants are in need to ensure their control programs are equipped with the process controls necessary to ensure safe and efficient operations. The development and implementation of new technologies require system and process updates as well as increased attention to available tools that can be integrated at the plant level and throughout the entire enterprise.
Marty Martin, Manager of Advanced Process and Control Systems/Air Liquide International Expert at Air Liquide Large Industries, recently spoke with marcus evans about topics to be discussed at the upcoming Process Control & Automation Optimization for Chem, Petrochem & Refining Conference:
In your current role as Manager of Advanced Process and Control Systems, how would you describe the importance and application of security measures in process control?
MM: I have been at this quite a while and for the first 15-20 years of my career there really was not much worry regarding network security on the industrial side as there is today. It was a lot harder to connect to the networks back then and the hackers were not that interested in the “boring” industrial side. Typically DCS systems lagged in network functionality and security “know how” when compared to the business side. For the most part, physical security was most important because systems were not generally connected to something like what we call the internet of today.
Fast Forward to the current systems and it is almost unheard of not to be able to reach your system from the internet. The industrial side has had to come to grips in recent years with the threats that once only plagued the business side. We as a company take remote connectivity very seriously and as our previous solution has run its course, more sophisticated functionality, along with ironclad security measures are being implemented. My group is primarily centered around support of both domestic and international sites and remote connectivity is not a luxury, rather it is a must have. Being able to access control systems anytime/anywhere is now mainstream and it is expected from my employer to ensure maximum reliability and uptime.
There has been a dramatic increase in cyber attacks on control systems since the STUXNET incident which forces us to increase our security measures by adopting a more “defense in depth” type of strategy such as creating a DMZ layer and the setting up of internally hosted remote login solutions for example. Many on the industrial network side are typically conservative and do worry quite a bit about the potential consequences of an unscheduled shutdown of a production facility (applies to regulated and non-regulated industries alike). All one needs to do is google industrial network hacking/compromises and it is astounding what is going on out there. Carte blanche access to for those internal to the company control systems needs to be reconsidered as well given the documented incidents where “inside” individuals become vengeful against their employers. These are real threats, coming from both internal and external sources which require the adoption of new rules and documented plans that should be part of the total cyber security management system (CSMS – ANSI/ISA 62443).
Looking at process control and risk mitigation together, what do you consider the critical facets necessary to achieve effective and sustainable security?
MM: As I mentioned before, I believe having a documented and auditable security plan is paramount to effective and sustainable security for our control systems. This should be a living document that is periodically updated as technology advances and critical updates are made to the control systems. This plan should also include a risk mitigation analysis for any projects or significant updates that affect how users interact with the system locally and remotely.
Other factors to consider include proper procedural training that outline the expectations for system interaction and understanding the culture of the users of the system. The more complicated it is made to interact, the more likely that usernames and passwords will be forgotten and written down in places they should not be. Lastly, I believe that having an ally on the IT staff that represents and understands the needs of the industrial side is important to ensuring that effective security is maintained. This is a complicated topic that could have many solid answers and I have only touched on a few facets that, in my opinion, are important.
What are some of the challenges facing process control and security in terms of manageable usability?
MM: The whole “internet of things” is growing at such a tremendous rate that we are nearing the time when the number of connectable devices outnumber people. With the push for obtaining more data from the process and equipment, we must ensure that connecting a device to the network doesn’t mean inadvertently creating a backdoor into the control system.
From my company's perspective, mobile device (Android, iOS) security presents a high risk scenario. Given how easily it is to connect to computer networks using these devices, ensuring they are always in the right hands presents challenges. The number of devices that are lost or stolen is alarming and needs to be well thought out before allowing them access to critical systems. Anytime, anywhere support is a powerful tool and that has to include the new era of smart devices (phones, tablets, etc.) because fewer people want to be tied down to bulky laptops anymore.
Password change management has been and, to some degree, still is a nightmare. Many of the legacy systems were not built to handle single sign on, strong password enforcement, nor expiration like the business side has readily available. I still see operations staff writing down passwords when they are forced to create a strong one. I would like to see more biometric types of identification methods employed moving forward to ease the burden of complex security measures on the industrial side.
How have technological advances impacted security measures and what steps need to be taken to ensure reliability?
MM: From my point of view, the advances in smart devices, proliferation of wireless devices, improvements to embedded networking capabilities in devices and better software has been a blessing to those of us whose roots go back to when this was not easily possible. But as with any new technology, in the wrong hands opens the doors (more like floodgates) to those individuals/companies that want to cause harm. This is where a well developed CSMS should address the integration and use of such new technology on the industrial network. Smartphones/tablets accessing a control room were never thought of until recently. The ease at which they are lost and stolen has created a double edged sword when it comes to getting the right data into the right hands. If these highly mobile devices are allowed, then measures must be taken to quickly quarantine the account to prevent unauthorized access.
Wireless has come a long way compared to when it was first introduced into the industrial side, but so has the ability to break into it as well. Some of the vendors out there are doing an excellent job with the integration of safe and secure wireless devices into the industrial side and as time moves forward, more companies will start to adopt this type of technology given its flexibility.
Processing plants need to ensure their facilities are safe. How does Air Liquide seek to improve process controls and mitigation efforts through effective security?
MM: My company operates many plants across the globe. Therefore, it is very important that from both a supportability and operational standpoint that the right people have access to the systems in a safe and secure manner.
The biggest threat we see is those accessing the systems from outside the plant control room. Physical barriers are in place that limit access to the control systems for only those that are qualified to be there, but the remote access is where the risk goes up exponentially. Here is where it gets tricky because the traditional methods of secure access (such as VPN with corporate accounts) are becoming more confining to provide anytime, anywhere support. This is especially true if your company has offsite contractors/vendors. We are looking at solutions that have the potential to provide better overall security performance than VPN alone.
Properly integrating smart devices and breaking free from the physical secure tokens without sacrificing has become a priority. We, like many other companies out there, are having experienced workers leave and finding the right resources to support our systems is a constant challenge. Utilizing the latest advances in technology can help bridge the gap, but if not planned correctly, can also open security holes that may not have been present (or easily exploitable) just a few years ago.
What inspired you to speak at the marcus evans conference?
MM: I always enjoy being part of the sustainability of the Automation and Controls field. When I was contacted by Marcus Evans and they mentioned the title of the conference, it fit right in with my commitment to be involved. My supervisor has presented on other topics at Marcus Evans conferences and he mentioned that they were well run events. That means a lot to me because I always have quite a few tasks on my plate and I want know that my time will be well spent. It is enjoyable to meet new people and catch up with those that I have known for some time at events like these because the networking opportunities are invaluable.
Arnold "Marty" Martin, PE, CAP is an International Technical Leader in the field of Advanced Process Control for Air Liquide. Currently he is the Manager of Advanced Process Control Systems for Air Liquide Large Industries, USA. He has spent the past 30 years in the process control and automation field providing unique and innovative solutions for the Air Separation, biotech (applying batch and advanced control solutions for mammalian cell culture bioreactors), and specialty and commodity chemical industry sectors. Prior to joining Air Liquide, Marty held senior automation engineering roles with Amgen, Foxboro (Invensys) and Texas Instruments (D/3 automation system). Marty earned a B.S. in Chemical Engineering from the University of Maryland in 1985.
Join Marty at the Process Control & Automation Optimization for Chem, Petrochem & Refining Conference, January 13-14, 2016 in Houston, TX. For more information, check out the conference agenda here or please contact Tyler Kelch, Assistant Marketing Manager, marcus evans at 312.894.6310 or Tylerke@marcusevansch.com.
About marcus evans
Marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision- makers. Our global reach is utilized to attract over 30,000 speakers annually; ensuring niche focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.
Timely, incisive articles delivered directly to your inbox.