hls innovations limited  
TECHNICAL ENGINEERING SERVICES  
Security and Disaster Recovery
Lock Down Your SCADA!   What We Do...

Control system security matters to all integrators, OEMs and end users. There is a proliferation of laptops, PDAs and control systems that depend on the Windows operating system and Ethernet networks. Many control systems are directly or indirectly connected to the Internet and are vulnerable to intellectual property theft, sabotage or other forms of mischief. All control systems have to be protected from clumsy and nefarious users. We will assist with audits and recommend solutions for control system "Cyber Security Management Programmes" (CSMP) or "Cyber Security Management Systems" (CSMS) including, but not limited to:

  • HMIs;
  • SCADA;
  • DCS;
  • All Ethernet systems.

Are your recipes for your batching system protected from theft or inadvertent manipulation? Is your business system isolated from your control system?

A key term often used is "Critical Control Network".

We will also assist you with Disaster Recovery and Business Continuity Planning as applied to your control system.

All our work is "Standards Based", using best practices as promulgated by ISA (ISA 99, ISA TR99) and other organisations such as NIST (National Institute of Standards and Technology - Process Control Security Requirements Forum - PCSRF) and CPNI (Centre for the Protection of National Infrastructure).

 
     
Control Network Security Primer
 

Control Network security is not ICT/IT security. The "security paradigm" for traditional ICT/IT is "Confidentiality, Integrity and Availability". For industrial control systems, the order is changed to "Availability, Integrity and Confidentiality". A useful example is the availability of a critical control or safety function across a control network. This is only a guideline, as certain actions on a control network utilising a high degree of intellectual property, for example, would require a different security model than an emergency shutdown mechanism.

Is your system isolated from the Internet? Do you need a Virtual Private Network to connect remote sites? Are your employees aware of basic security protocols? Do you have an Appropriate Usage Policy to enforce appropriate usage of the Internet and your computers in general?

A staggering 86% of firms in Ireland (for example) were victims of "cyber crime" (internal or external) in 2006 (98% indicated that they had been victims at one time or another). System intrusion attempts were detected in 32% of firms. Loss of productivity was observed in over 80% of incidents. Repairs and mitigation took from ten to fifty days and cost tens of thousands of Euros. Please read this report if you would like more information. Your manufacturing systems are likely exposed at least to your staff - and may also be intentionally or unintentionally exposed to the Internet.

Click here for general system security information including a brief glossary of terms and click here for more information on SCADA security - including ISA 99 and the Process Control System Forum (PCSF).

What can we do for you as an OEM, integrator or end user?

  • Work with your Information Systems team to correctly identify and lay out your SCADA or control network architecture (including Microsoft Visio® or Autocad® drawings);
  • Remove weak or unnecessary connections in your network;
  • Strengthen the remaining connections in your network;
  • Work on critical systems and make sure that they are locked down with desktop locking tools and other measures;
  • Make sure that the security methods provided by the OEM are actually properly implemented and that robust passwords are deployed;
  • Make sure that any documented backdoors are correctly configured or closed - as required;
  • Make sure passwords are recorded in a secure location;
  • Conduct security surveys, training and audit trail overviews;
  • Verify that everyone in your organisation, or in your customer's team, knows their role;
  • Utilise ISA 99 concepts;
  • Replace or supplement bastion wall security (or "Great Wall", "Maginot Line" security) with a "Defence in Depth" system;
  • Write up back-up and disaster recovery plans - testing options available.
 
     
Disaster Recovery Plans and Business Continuity Plans
 

We can assist you in the formulation of a Disaster Recovery Plan for your control system for insertion in your Business Continuity Plan.

  • Identification of critical control system functions;
  • Identification and off-site storage of critical documents and files;
  • Assess availability of spare parts (is your control system obsolete?);
  • Who are your service providers (is the OEM in Europe?);
  • What service level agreements are in place with local suppliers or agents?
  • Are there regulatory, safety or certification impacts associated with your recovery plan?

A comprehensive audit of your control system is essential.

 
     
 

Please enquire using our fill-in form by pressing here.


© 2007-2008, hls innovations limited, All Rights Reserved.