In today’s increasingly harsh cyber environment, it’s not enough to put your process control system behind a firewall. The Stuxnet virus has made it very clear that hackers can break into an isolated process control system, take control, cause irreparable damage to plant equipment, jeopardize the safety of employees, steal intellectual property, and reduce the efficiency of the process enterprise as a whole.
The Cyber DMZ
The ISA-99 Cyber Security standard defines a security zone hierarchy that protects against any number of cyber threats that may compromise plant safety and operations. Control systems must have the ability to protect against physical threats, accidental and malicious user actions, attacks that affect network functionality, and attacks related to malware, viruses, or other non-desirable spyware programs.
ISA-99 Cyber Security Zone Hierarchy
The D/3 Distributed Control System is designed to facilitate redundant server and controller installation in different buildings. This ensures system operability in the event of catastrophic failure or cyber attack of a given set of physical servers/controllers. Seamless redundant network design protects against loss of network hardware components or attack of network infrastructure. Locked down and authorized usage of client/server hardware prevents intentional or inadvertent infection through physical devices such as USB memory sticks or disk drives.
The D/3 employs an industrial Ethernet backbone and I/O network, and our system engineers can deploy and maintain robust network protection devices including firewalls, proxy servers, data diodes, and industrial security solutions in accordance with the ISA-99 network architecture standard. These solutions deliver optimal system performance while providing threat detection, termination and reporting.
Invalid User/Accidental Operations
D/3 software provides granular privilege sets to allow only assigned operators and workstations to operate designated equipment. This prevents unauthorized operators, or operators at invalid workstations, from accidentally or intentionally operating unauthorized equipment. User authentication is accomplished using Microsoft Windows Authentication, so no passwords are stored on the D/3 system, and user credentials may be maintained by IT staff using corporate standards for complexity and longevity. IT staff can easily authorize or de-authorize an engineer or operator from the entire D/3 system.
Whitelisting and virus protection provide excellent means of preventing malware, spyware, and other malicious programs from running on D/3 computing hardware. Whitelisting allows the administrator to identify and define only those programs, executables, DLLs, applications, batch files, etc. that are authorized to run on each computer. Any attempt to install or run an unauthorized program (down to the kernel level) is automatically blocked, and administrators are notified of unauthorized user logins or any critical changes to system parameters on each protected computer.