By Charles Landis
With frequent warnings from the Department of Homeland Security and Congress threatening to mandate action, the pressure is building to continue the “Hardening” of our Industrial and Utility Plants and Utility Infrastructure. Improving plant security crosses many boundaries within an organization and you can be sure that the control’s engineers will play a major role in the projects.
In large organizations the corporate security personnel usually are responsible for initiating the program, but the process engineer has a responsibility to see that the security improvements are installed safely, operate correctly, and do not impact the operation or safety of the plant. In smaller organizations and utilities the process engineer could be responsible for the entire program.
When the call for improving plant security lands on your desk where do you start?
Many plant engineers have tried to go it alone and speak directly to security equipment and software vendors who are more than happy to design a security solution for free. However as many have found out the hard way this is a risky approach. The vendor only uses their own equipment or specifies equipment that will financially benefit them, rather than give you what is finically and operationally the best for your company. Also, to protect a plant you will need much more than equipment and software, you need to assess the possible threats and possibly rewrite your operating procedures.
What you may want to consider is hiring an expert who will design a whole program that is in your best interest finically and operationally. You may want to consider using a Security Consultant.
What can a Security Consultant do for you?
First, an experienced consultant will be able to help you define the scope of the project. They can provide the unbiased balance needed between security and productivity. The consultant can act as the mediator between the security personnel and the process personnel and help determine the level of “hardening” your company feels they need to achieve. Next, they are trained to do a vulnerability assessment, make recommendations on new systems and software or upgrades to existing systems, as well as, recommend any changes to the operational structure.
How do you find the right Security Consultant for your application?
Security Consultants can be found with experience ranging from retail store camera systems to systems protecting high-level, Top Secret government facilities. Although the same technologies that are used in these applications can be used in a plant or utility application the “robustness” of products needed for plant applications differs dramatically.
Selecting security equipment for a plant or utility facility application provides a real challenge. Plants are electrically noisy. The equipment is exposed to temperature extremes, dust, corrosive chemicals and the issue of Hazardous areas must be addressed. Also the consultant must understand the difficulty of maintaining and servicing equipment in an operating plant so it is important that the Security Consultant that you select have experience in the field of process control.
The consultant must understand the need to secure the PLC, DCS and computer networks vital to the operation of the plant without creating barriers that hinder the plant staff. Maintenance technicians and plant engineers must be able to quickly access the systems for diagnostics purposes to limit plant downtime.
Today, plant and infrastructure security must take into account a whole range of scenarios ranging from attacks to destroy the plant to attacks designed to release or steal chemicals within the plants. A Security Consultant must understand basic plant operation and the potential danger of materials contained within the plant.
Finally the consultant needs to have experience in a wide range of products and technologies. Due to the massive size of a manufacturing facility or utility plant they will need to have experience in fiber optic and secure radio communication networks to both protect the process control communications and bring back video and data for the security system.
If you are looking to hire a Security Consultant here is a checklist of questions. Some are obvious but some are not?
- Have they ever consulted on an industrial or utility project and are they aware of the issues such as Hazardous Areas and critical control networks?
- What experience do they have with security equipment like cameras, access control systems, network and control system software, and computer security?
- Have they worked with or been trained on more than one vendor’s product in each of the categories listed above?
- Do they have experience with secure fiber and radio communication systems?
- What certifications do they hold and have they had a background check run and at what level, state or federal? Some states like the state of Texas require Security Consultants to be licensed.
One last note if you run a search of the web for “Industrial Security Consultants” you will come across an organization known as ASIS. The American Society for Industrial Security is an organization dedicated to training and certifying security personnel including consultants. The term “Industrial” refers to the Security Industry not Process Control. There are many fine Security Consultants certified by the organization, however do not assume that they have Process Control experience.
Charles Landis is a licensed security consultant and an expert in the field of industrial fiber optic communications. He has over 25 years of experience in the process controls industry and is a senior member of the ISA. Currently he is serving as the Director of the Electro Optics Division of ISA. Mr. Landis is also a member of the DFW Homeland Security Alliance. The phone number for Landis & Associates is 512-671-9219 or you can e-mail him at [email protected].