Fri Apr 8 06:49:41 PDT 2016
Redundancy: ICS control room redundancy: How many ICS control rooms are needed?
Options:
Option 1: Use a single control room.
Option 2: Use two control rooms; (1) a plant co-located primary and (2) a remote backup with switch-over.
Option 3: Use distributed control centers across the region where the business functions.
Decision:
IF Consequences are High
AND Co-located control is normally required or desired
AND Event sequences may make a co-located control room uninhabitable
during times when operator control is necessary to prevent higher consequences,
THEN Use two control rooms; (1) a plant co-located primary and (2) a remote backup with switch-over.
OTHERWISE IF Consequences are Medium or Low,
AND Multiple similar plants can be effectively controlled from distant locations with increased efficiency,
THEN Use distributed control centers across the region where the business functions.
OTHERWISE Use a single control room.
Basis:
Multiple control rooms and locations
introduce both benefits and risks. Increased risks stem from increased
complexity and additional paths to attack, while increased potential benefits
stem from added redundancy and from cost efficiency when a smaller number
of total control rooms can manage a larger number of plants.
The manner of redundancy can greatly affect
surety. For example, a redundant control center at a distance from a
plant may allow for control when the co-located control room cannot
be operated (e.g., when there is a hazard at the plant so severe that
it cannot be locally controlled, and yet control will help to mitigate
the consequences). But allowing remote control might also increase
risks associated with the increased attack paths. One way to mitigate
this is to only allow remote control from the redundant control room
when local control cannot be maintained, for example through the use
of a control cut-over located at the plant allowing remote control
from a different secure facility. Thus risks of loss of control during
a disaster can be substantially mitigated by redundant controls
without substantial increased complexity or risks during normal
operation.
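The cut-over arrangement described above can be made concrete as a small model of the plant-side gateway: remote commands are forwarded only while a cut-over that can be engaged solely from the plant is active, and every rejected attempt is recorded. This is an added example, not code from the original page; the class and method names (ControlGateway, Source, engage_cutover, handle_command) and the command sequence in run_scenario are hypothetical.

```python
"""Model of a plant-located control cut-over gating remote control.

Added example, not part of the original page. It models the arrangement
in the Basis section: the remote backup room can issue control commands
only while a cut-over located at the plant has been engaged from the
plant side. All names and the sample command sequence are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum


class Source(Enum):
    LOCAL = "local"      # co-located primary control room, plant network
    REMOTE = "remote"    # remote backup control room, via WAN link


@dataclass
class ControlGateway:
    """Plant-side gateway between the control rooms and the ICS."""
    cutover_engaged: bool = False
    audit: list = field(default_factory=list)

    def engage_cutover(self, source: Source) -> bool:
        # The cut-over is a plant-located device: only a local actor can
        # switch it. A remote request to open the path is rejected and
        # logged, so compromising the remote room alone does not create
        # a control path during normal operation.
        if source is not Source.LOCAL:
            self.audit.append(("cutover_denied", source.value))
            return False
        self.cutover_engaged = True
        self.audit.append(("cutover_engaged", source.value))
        return True

    def release_cutover(self, source: Source) -> bool:
        # Closing the remote path is likewise a local-only action.
        if source is not Source.LOCAL:
            self.audit.append(("release_denied", source.value))
            return False
        self.cutover_engaged = False
        self.audit.append(("cutover_released", source.value))
        return True

    def handle_command(self, source: Source, command: str) -> bool:
        """Return True if the command is forwarded to the ICS."""
        if source is Source.LOCAL:
            self.audit.append(("forwarded", source.value, command))
            return True
        if source is Source.REMOTE and self.cutover_engaged:
            self.audit.append(("forwarded", source.value, command))
            return True
        # Normal operation: the remote room has no control path.
        self.audit.append(("rejected", source.value, command))
        return False


def run_scenario() -> dict:
    """Normal operation, a remote attempt, evacuation, and recovery."""
    gw = ControlGateway()
    results = {}
    # Normal operation: remote control path is closed.
    results["remote_before_cutover"] = gw.handle_command(Source.REMOTE, "OPEN_VALVE_12")
    results["remote_engage_attempt"] = gw.engage_cutover(Source.REMOTE)
    results["local_normal"] = gw.handle_command(Source.LOCAL, "OPEN_VALVE_12")
    # Plant becomes uninhabitable: local operators engage the cut-over before leaving.
    results["local_engage"] = gw.engage_cutover(Source.LOCAL)
    results["remote_after_cutover"] = gw.handle_command(Source.REMOTE, "SHUTDOWN_UNIT_3")
    # Plant recovered: a local release closes the remote path again.
    results["local_release"] = gw.release_cutover(Source.LOCAL)
    results["remote_after_release"] = gw.handle_command(Source.REMOTE, "OPEN_VALVE_12")
    results["rejected_count"] = sum(
        1 for e in gw.audit if e[0] in ("rejected", "cutover_denied"))
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In a real installation the cut-over would be a physical key switch or hardwired contact at the plant rather than a software flag; the model only shows the invariant the gateway must enforce, namely that no remote-originated action can open the remote control path, and that rejected attempts leave an audit trail for the operations team.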
Use a single control room well protected from all identified threats.
Most control systems have a single control room. Unless there
is a financial benefit, physical limitation, or event-sequence related
reason to have redundant control rooms, none are recommended, as this
normally increases cost and complexity and creates increased paths
for exploitation. When control rooms are co-located with ICS, the
physical proximity is an advantage for physical access as well.
Use two control rooms, a primary and a
remote backup. For situations in which there is high consequence of
control room failure and the system under control is so dangerous
that event sequences may make a co-located control room
uninhabitable during times when operator control is necessary to
prevent even higher consequences, a remote backup control room may
be highly desirable with an emergency cut-over when the co-located
control room must be abandoned.
Use distributed control centers across the region
where the business functions.
For a geographically distributed enterprise with multiple similar
plants, a set of manned control centers remotely controlling a larger
set of plants may be more cost-effective, efficient, and effective at
managing the complex as a whole than individual control centers. In these cases,
the similarity of controls may allow a smaller number of consoles to
manage a larger number of systems from locations where other
facilities such as research and development and quality control are
located. This allows limited experimental control, for example, to be
used, or expensive simulation environments to be operated in multiple
modes for multiple plants at lower cost. When there are high
consequences of failure for individual plants, this is problematic
because the shared resource may be unable to handle the aggregated
loads during common mode failure conditions or under high stress event
sequences.
Similarly, in large-scale geographically distributed control
systems such as large metropolitan area water systems and regional
power systems, a small number of redundant manned control centers in
geographically diverse areas within the region may be more cost
effective, reliable, and efficient than many local manned control
centers. In these cases, the similarity of controls and unification of
systemic functions allow systemic control that would be difficult at
best in a larger set of local control centers with only local
controls. At the same time, local control mechanisms should remain
in place to allow local overrides for maintenance and similar
functions, as well as to act as an emergency backup for attaining and
maintaining less efficient manual control over the system.
In all cases: Backup control rooms and
switch-over capabilities should be tested and verified at least
periodically. This is typically done at least once per year as part of
business continuity planning efforts.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved