Comment Re:Internet facing? (Score 1) 203
Air gap as opposed to what? I'm unclear.
I'm sorry, let's see if I can do better.
By air gap I mean that I think that DCS systems should by default be fully disconnected from the Internet, e.g. instrument engineer workstations should be on a different physical network and they have to have two computers to do their job - one to check email and do MS Office stuff, and another that they develop the DCS logic on. This is very inconvenient for both the instrument engineers and the normal manufacturing engineers (who just need read-only access), leading to a loss of productivity.
Many systems are not air-gapped. Instead the DCS network is put on a separate VLAN with a firewall and either Windows Terminal Servers or an X11 client at the border. This is the alternative that I am arguing should be avoided in the future.
However, I have only seen an air-gapped network once, and that was mostly due to the age of the system: it was installed in the 1980s and barely even had TCP/IP between the operator consoles and the DCS servers. Last I heard it was in the process of upgrading to a more modern system and it would be connected at the border like the other plants in the company.
Maybe a complete Internet connection would be a good idea for a chemical plant but not a power plant?
That could be true. SCADA systems -- where a single operator screen needs to control many stations miles apart from each other -- are probably economically infeasible to operate on a wholly independent set of physical wires. But even then I would push for a network design that forces the instrument engineers to use a different physical machine than the one they check email on.
In truth I am in the minority even in the chemical industry. People want the convenience of checking the true operator consoles from their desk, IT departments want the convenience of VLANs over separate physical wires, and (yay) there haven't been any significant events attributable to external network attacks to trigger action. I suspect that if we had another Texas City caused by (insert hostile hacker group here), it would either be treated like a typical industrial accident (meaning beef up the SIS), or an overt act of warfare (meaning go invade a country).
It's really tough to get ChemEs to believe that an intelligently lying DCS can even exist, much less be capable of causing an accident that the SIS won't stop. OTOH it's tough to get buy-in from IT departments to keep these networks separate when all their ChemE clients are demanding convenience over security.
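The "intelligently lying DCS" the comment refers to, shown as an added toy simulation (this is editor-added example code, not part of the original comment and not modelled on any real DCS or SIS product). It assumes a single tank level loop with a fixed feed and a controller-driven outflow valve; the compromised controller closes the valve while reporting the setpoint to the operator console. The SIS either reads its own level switch (independent sensor) or reuses the level value the DCS publishes (shared data path); only the first one trips before the tank overflows. All constants (setpoint 50%, trip at 95%, overflow at 100%) are constructed for the example.

```python
# Toy model, constructed for this thread: a level-control loop whose controller
# logic has been altered to report the setpoint to the HMI while it quietly
# closes the outflow valve. The SIS either has its own level switch or trusts
# the value the DCS reports. Not based on any real product.

from dataclasses import dataclass

SETPOINT = 50.0    # target level, percent of tank (assumed)
SIS_TRIP = 95.0    # high-high level trip point (assumed)
OVERFLOW = 100.0   # level at which the tank overflows (assumed)


@dataclass
class Tank:
    level: float = SETPOINT
    inflow: float = 1.0        # percent per tick, fixed feed
    max_outflow: float = 1.0   # percent per tick with the valve fully open

    def step(self, valve: float) -> float:
        self.level += self.inflow - self.max_outflow * valve
        return self.level


class DCS:
    """Basic process control. With compromised=True the logic lies to the HMI."""

    def __init__(self, compromised: bool = False):
        self.compromised = compromised

    def control(self, measured: float) -> tuple[float, float]:
        """Return (valve position 0..1, value displayed on the operator console)."""
        if self.compromised:
            # Hostile logic: close the outflow and freeze the console at setpoint.
            return 0.0, SETPOINT
        # Honest proportional control: open the valve further as the level rises.
        valve = min(1.0, max(0.0, 0.5 + 0.1 * (measured - SETPOINT)))
        return valve, measured


class SIS:
    """Safety layer. independent=True: own level switch wired to the process.
    independent=False: reads the level value the DCS publishes (shared path)."""

    def __init__(self, independent: bool):
        self.independent = independent

    def should_trip(self, true_level: float, dcs_reported: float) -> bool:
        seen = true_level if self.independent else dcs_reported
        return seen >= SIS_TRIP


def simulate(compromised: bool, sis_independent: bool, ticks: int = 100) -> dict:
    """Run the loop; a trip ends the run safely, an overflow ends it badly."""
    tank, dcs, sis = Tank(), DCS(compromised), SIS(sis_independent)
    tripped_at = None
    reported = SETPOINT
    for t in range(1, ticks + 1):
        valve, reported = dcs.control(tank.level)
        tank.step(valve)
        if sis.should_trip(tank.level, reported):
            tripped_at = t
            break
        if tank.level >= OVERFLOW:
            break
    return {
        "tripped_at": tripped_at,
        "overflowed": tank.level >= OVERFLOW,
        "hmi_reading": reported,     # what the operator sees at the end
        "true_level": tank.level,    # what is actually in the tank
    }


if __name__ == "__main__":
    for label, args in [
        ("honest DCS, shared SIS path", dict(compromised=False, sis_independent=False)),
        ("lying DCS, independent SIS sensor", dict(compromised=True, sis_independent=True)),
        ("lying DCS, SIS trusts DCS value", dict(compromised=True, sis_independent=False)),
    ]:
        print(f"{label}: {simulate(**args)}")
```

In the last scenario the console reads 50% all the way to overflow and the SIS never sees anything above its trip point, which is the case the comment says the SIS "won't stop"; the only difference between the second and third runs is whether the safety layer has a sensor the DCS cannot speak for.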