To fill what it saw as a gap in its portfolio of cyber-security offerings for process manufacturers, Invensys Process Systems this week announced a new managed service in conjunction with global IT security company Integralis.
The managed service offering helps shore up Invensys' four-tiered approach to cyber-security engagements for process control systems, which includes planning and assessment; architecture modeling and design; modernization and implementation; and management and optimization.
In particular, the partnership with Integralis bolsters the fourth area — managing ongoing security threats and optimizing a system's defensive capabilities, according to Doug Clifton, Invensys' global cyber security program leader.
"If they're just installing a firewall [with] a static configuration, and they never touch it again, or they don't look at the logs that are coming out of it, it's really not providing them the benefit they thought they were getting," Clifton told Managing Automation today. That lack of upkeep, he said, is akin to installing a computer operating system and neglecting to update it with patches.
It's also a common state of affairs among companies with process control systems, he said, because most don't have on staff a qualified IT expert who can perform the needed maintenance and interpret the activity logs.
"Typical IT people do not understand how to go through and review security logs, because there's a lot of false positives in this business," Clifton said.
That, he said, is where the experts at Integralis come in. For customers of the new managed service, Integralis will remotely monitor the logs of devices such as firewalls and intrusion-detection and -prevention systems for viruses and attacks, and also to ensure that they remain online.
To enable the remote monitoring of the security equipment, Invensys installs a device on-site that connects to whichever firewalls and other systems are covered by the agreement. That device then sends their logs to Integralis' offsite operations center. There, security experts review the reports and send alerts to on-site personnel when needed.
The Invensys/Integralis offering also kicks in when a security device at a manufacturing facility fails. In such instances, the manufacturer will receive a replacement device within about a day's time. A worker on site must place the equipment in a rack and connect its cables, after which Integralis configures it remotely, using a backup log of the most recent configuration, which it updates daily.
Invensys considers itself brand-agnostic when it comes to security installations, according to Clifton. The new managed service offering can be applied to any process control environment or any plant where security appliances are installed. When Invensys initially designs a security system, the company recommends what it calls best-in-class brands of firewalls and intrusion-protection systems, such as Cisco, Juniper, TippingPoint, and Check Point.
Invensys isn't the first in the process control world to offer such a service. A young Massachusetts company called Industrial Defender (formerly Verano) has been plying the trade for a few years. In May 2007, Industrial Defender rolled out its own managed service offering.
"This would be similar to what they're doing, but on a much larger scale," Clifton said, noting that Integralis is an established, worldwide provider of IT services.
Analyst Sath Rao of Frost & Sullivan said today that other automation vendors "are yet to offer [security services] on their own." He noted that major automation solution providers might not push the managed security agenda if there is no related opportunity to migrate users to a next-generation platform.
Invensys will charge customers for the managed service based on the number of devices covered. A typical contract for management and monitoring runs $10,000 per device, according to Clifton. He compared that with what he said would be a price tag in excess of $700,000 to hire the appropriate staff and build a security operations center dedicated to this kind of monitoring.
Invensys is now rolling out the service at an upgrader plant in Saskatchewan run by Husky Energy.
"The process control industry has not really wrapped its arms around IT technology," Clifton noted. "Invensys believes that we require that relationship to really secure these IT-based networks, and I think this is something the market's needed for a while."
An earlier version of this article cited an incorrect price range of $30,000 to $100,000 for monitoring of three devices. MA regrets the error.