The adoption and integration of new technologies coupled with the trend toward constant device and communication connectivity have led to an increased level of vulnerability of industrial plants and facilities to cyberattacks. Suppliers such as Pentair Valves & Controls, end users, and industry and professional organizations are developing solutions for protecting offshore and onshore E&P facilities by applying and adapting technologies borrowed from mature environments, namely the military and banking sectors.

The Pentair Valves & Controls Biffi DCM2 Diagnostic Communication Master offers a safe and highly secure option for controlling actuators from a remote control room. The DCM2 is an evolution of a Biffi Diagnostic Communication Master product that has been installed and operating effectively worldwide for more than 20 years. The DCM2 acts as an interface between the upper level of the control system and the field devices connected by a fieldbus network. It also provides advanced centralized control and monitoring of up to 300 actuators through a multiprotocol network able to manage optical fiber, wireless and copper-wired connections concurrently and securely. The DCM2 combines Biffi’s experience in actuation technology with the flexibility and operational reliability of the LonWorks open, standard bus communication protocol.

Tighter safeguards

The need for connectivity and the availability of data on multiple devices have increased the threat of cyberattacks exponentially, creating a growing number of opportunities for infiltration by malicious parties. Attempts to curb this problem have led to the emergence of sophisticated firewall and information protection systems, which in turn increase the complexity of the security systems. The direct corresponding impact of the threat of cyberattacks in industrial settings is growth in the number of employees who must be dedicated to the critical function of managing and protecting communications and data.

Equipment and firmware that govern industrial processes have been adapted to this environment and to the growing demand for security. Effort that once went into maximizing data-exchange speed in some devices has partly shifted to implementing sophisticated protection algorithms, which consume a significant share of the available processing power. For this reason, despite the steady growth in microprocessor power over the last several years, communication efficiency has improved only moderately, since part of that power has been absorbed by the complex algorithms dedicated to data protection.

Master stations

A device that has captured the attention of computer security professionals in industrial applications is the master station. The master station is a gateway that is primarily used in the petroleum sector and serves as the connecting link between the distributed control system (DCS) in the operator’s control room and the actuation systems operating in the field. The process is governed by the control room, which collects all the data from the field and then sends commands to the actuated valves, which act according to the established procedures. However, control of the field network to which the actuated valves respond is not directly entrusted to the control room. Rather, that network control is connected to the master station. The master station has the task of interrogating all actuators in the field dozens of times per second, relieving the DCS of this burdensome task; of checking actuator availability; and of providing redundancy at various levels by connecting the valves in multiple loop configurations, so that an interruption does not cause a loss of control of the infield nodes, with the ultimate purpose of ensuring adequate safety.

The degree of sensitivity of the information passing through the master station is enormous. This device has control of the whole plant, having “the last word” on the opening and closing of all the infield valves, and it contains all data related to the configuration of the system from which sensitive information can be inferred. For this reason, the precautions implemented by the plant or facility, especially in the petroleum industry, are particularly stringent and prohibit any possibility of wireless access and auxiliary connections, even for maintenance and repair purposes.

Advanced cryptology systems

Given that these precautionary measures are not sufficient, information exchanged with the master stations must have the highest level of protection as with a banking system, a military defense system or an industrial database. To understand the complexity of the security systems implemented in the field, it is important to classify the types of potential threats to which these devices can be subject. Different countermeasures will respond differently to the categories of threats.

Previously, the simple application of symmetric encryption was sufficient to ensure the security needed. Both interfaced devices (control room and master station) were in possession of the same encryption and decryption key. This key obviously could not be sent along with the message/command but had to be communicated to both devices beforehand by a third party, which was therefore potentially in possession of the key and able to create a weak point in the system.

Advanced master station

The alternative is asymmetric encryption. The receiver has two keys: one public (used to encrypt a message but unable to decrypt it) and one private (the only key able to decrypt the message). The public key can be distributed to senders so they can encrypt their messages. Only the receiver holds the private key and can read the messages.

The infield gateway constantly exchanges information in this way. It is clear that the interception of a command or its modification could have extremely serious consequences. Therefore, the latest generation of devices has implemented this advanced encryption, which can guarantee the inviolability of the system.
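The exchange described above, as an added example that is not code from the original article or from Pentair/Biffi: the master station generates the key pair, the control room encrypts a valve command using only the public key, and a command altered in transit fails OAEP decoding and is rejected. The valve tag, the `valve:action` command format and the `valve-command` label are constructed for the example, not a real DCM2 format.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// label binds each ciphertext to its purpose; a blob encrypted for another use will not decode as a command.
var label = []byte("valve-command")

// MasterStation holds the private key. Senders only ever see the public half.
type MasterStation struct{ priv *rsa.PrivateKey }

func NewMasterStation() (*MasterStation, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &MasterStation{priv: priv}, nil
}

// PublicKey is what gets distributed to the control room.
func (m *MasterStation) PublicKey() *rsa.PublicKey { return &m.priv.PublicKey }

// EncryptCommand runs in the control room; it needs only the public key.
// The valve tag and action are constructed example values, not a real DCM2 format.
func EncryptCommand(pub *rsa.PublicKey, valve, action string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(valve+":"+action), label)
}

// Receive runs on the master station. OAEP decoding fails if any ciphertext byte
// was altered in transit, so a modified command is rejected rather than executed.
func (m *MasterStation) Receive(ciphertext []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, m.priv, ciphertext, label)
	if err != nil {
		return "", fmt.Errorf("command rejected: %w", err)
	}
	return string(plain), nil
}

func main() {
	ms, _ := NewMasterStation()
	ct, _ := EncryptCommand(ms.PublicKey(), "V-101", "OPEN")
	fmt.Println(ms.Receive(ct)) // prints the command and a nil error
	ct[len(ct)-1] ^= 0x01       // simulate one flipped bit on the wire
	fmt.Println(ms.Receive(ct)) // prints an empty command and a "command rejected" error
}
```

Because the public key is public, this gives confidentiality and tamper rejection but not proof of who sent the command; in practice each command is also signed by the control room so the master station acts only on commands from the DCS.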

Operational security guarantee

Password management poses other challenges. Password management in today’s environment is more organized and “official,” meaning that access keys are provided by the manufacturer at the explicit request of the customer. The validity of an access key can be associated with the role of the end user (observer, user, maintenance or administrator) and is limited in time and in number of accesses. Thus, even a remote support request from the end user to the manufacturer results in the transmission of an encoded certificate with a public key that only the gateway can decipher. The procedures for using the password, the number of accesses and the time duration can also be defined. Once used, the password is no longer effective, and the master station remains protected for the functions that are inaccessible in ordinary use. The most advanced field control equipment also allows a direct connection to the manufacturer, usually established through a virtual private network, for which the highest level of protection is required.
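An added example of the access-key scheme just described, not the DCM2’s own mechanism: the manufacturer signs a key bound to one master station, a role, an expiry time and a maximum number of accesses, and the gateway enforces all four before granting an access. The `AccessKey` format, the role ranking, the Ed25519 signature and the serial numbers are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// AccessKey is a constructed format (not the DCM2's own); the manufacturer signs it.
type AccessKey struct {
	Gateway  string    // serial of the master station the key is valid for
	Role     string    // observer, user, maintenance or administrator
	NotAfter time.Time // limited in time
	MaxUses  int       // limited in number of accesses
}
// Roles are ordered: a higher role may perform a lower role's functions.
var roleRank = map[string]int{"observer": 1, "user": 2, "maintenance": 3, "administrator": 4}

// Issue runs at the manufacturer, which alone holds the signing key.
func Issue(priv ed25519.PrivateKey, k AccessKey) (payload, sig []byte) {
	payload, _ = json.Marshal(k) // strings, a time and an int always marshal
	return payload, ed25519.Sign(priv, payload)
}

// Gateway holds only the manufacturer's public key and a per-key use counter.
type Gateway struct {
	Serial   string
	VendorPK ed25519.PublicKey
	Uses     map[string]int // keyed by signature, which identifies one issued key
}

// Authorize grants one access to a function needing requiredRole, or says why not.
func (g *Gateway) Authorize(payload, sig []byte, requiredRole string, now time.Time) error {
	var k AccessKey
	if !ed25519.Verify(g.VendorPK, payload, sig) || json.Unmarshal(payload, &k) != nil {
		return errors.New("key rejected: not signed by the manufacturer")
	}
	switch {
	case k.Gateway != g.Serial:
		return errors.New("key issued for a different master station")
	case now.After(k.NotAfter):
		return errors.New("key expired")
	case g.Uses[string(sig)] >= k.MaxUses:
		return errors.New("key exhausted: no accesses left")
	case roleRank[k.Role] < roleRank[requiredRole]:
		return errors.New("role " + k.Role + " may not perform a " + requiredRole + " function")
	}
	g.Uses[string(sig)]++ // one access consumed; at MaxUses the key stops working
	return nil
}
```

Any edit to the signed payload (for instance changing the serial or the expiry) invalidates the signature, so the gateway never has to trust the contents of a key it did not verify.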

Increasingly sophisticated plant management technologies pose complex problems in and of themselves. At the same time, producers of the DCM2 and other devices, and of the solutions and data that these devices and systems support, must remain diligent in their surveillance of cyberattackers. Although equipment, systems and solutions providers, as well as plant and facility owners and operators, will never be completely immune to future cyberattacks, this heightened level of awareness puts all stakeholders in a solid position to be better organized and better equipped to protect their assets.