Fri Apr 8 06:49:41 PDT 2016

Redundancy: ICS control room redundancy: How many ICS control rooms are needed?


Options:

Option 1: Use a single control room.
Option 2: Use two control rooms; (1) a plant co-located primary and (2) a remote backup with switch-over.
Option 3: Use distributed control centers across the region where the business functions.

Decision:

IF Consequences are High AND Co-located control is normally required or desired AND Event sequences may make a co-located control room uninhabitable during times when operator control is necessary to prevent higher consequences, THEN Use two control rooms; (1) a plant co-located primary and (2) a remote backup with switch-over.
OTHERWISE IF Consequences are Medium or Low, AND Multiple similar plants can be effectively controlled from distant locations with increased efficiency, THEN Use distributed control centers across the region where the business functions.
OTHERWISE Use a single control room.

Basis:

Multiple control rooms and locations introduce both benefits and risks. The increased risks stem from added complexity and additional attack paths; the potential benefits stem from added redundancy and from cost efficiency when a smaller number of control rooms can manage a larger number of plants.

The manner of redundancy can greatly affect surety. For example, a redundant control center at a distance from a plant may allow control to continue when the co-located control room cannot be operated (e.g., when a hazard at the plant is so severe that it cannot be controlled locally, yet continued control would help to mitigate the consequences). But allowing remote control also opens additional attack paths. One way to mitigate this is to permit remote control from the redundant control room only when local control cannot be maintained, for example through a control cut-over located at the plant that, when thrown, enables remote control from a different secure facility. The remote path is then closed during normal operation and opened only by a local, physical action. Thus the risk of loss of control during a disaster can be substantially mitigated by redundant controls without substantially increasing complexity or risk during normal operation.
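The gating just described can be modeled as a small command gateway at the plant. The following is an added illustrative example, not code from the original page: the cut-over state is taken only from a plant-local switch input and can never be set by a network command, remote commands are dropped while the switch is released, and the hand-over is treated as exclusive (local commands are dropped while control is cut over), which is an assumption about how the cut-over is wired. Command names are constructed.

```python
"""Cut-over gated remote control: an illustrative model (not from the original page).

Normal operation: only the plant-co-located control room can issue commands and
commands from the remote backup are rejected. When the local cut-over switch (a
physical input at the plant) is asserted, remote commands are accepted and local
ones are rejected. The switch state cannot be changed over the network. Every
decision is logged so an operator can audit what the gateway did.
"""
from dataclasses import dataclass, field
from enum import Enum


class Source(Enum):
    LOCAL = "local"    # co-located primary control room
    REMOTE = "remote"  # distant backup control room


@dataclass
class Command:
    source: Source
    action: str                 # constructed example, e.g. "open_valve_12"
    sets_cutover: bool = False  # a command trying to flip the cut-over is an attack indicator


@dataclass
class CutoverGateway:
    # True only while the plant-local hardware switch is asserted.
    local_cutover_asserted: bool = False
    log: list = field(default_factory=list)

    def assert_cutover_locally(self, asserted: bool) -> None:
        """Driven by the plant-side switch input only; never by a network message."""
        self.local_cutover_asserted = asserted
        state = "asserted" if asserted else "released"
        self.log.append(f"cutover={state} (local switch)")

    def handle(self, cmd: Command) -> bool:
        """Return True if the command is forwarded to the process, False if dropped."""
        if cmd.sets_cutover:
            # Cut-over is a physical, local decision: refuse regardless of source.
            self.log.append(f"REJECT {cmd.source.value}: attempt to set cut-over via command path")
            return False
        if cmd.source is Source.REMOTE and not self.local_cutover_asserted:
            self.log.append(f"REJECT remote: {cmd.action} (cut-over not asserted)")
            return False
        if cmd.source is Source.LOCAL and self.local_cutover_asserted:
            self.log.append(f"REJECT local: {cmd.action} (control cut over to remote)")
            return False
        self.log.append(f"ACCEPT {cmd.source.value}: {cmd.action}")
        return True


def demo() -> dict:
    """One scenario: normal operation, a local cut-over, then release."""
    gw = CutoverGateway()
    results = {}
    # Normal operation: local accepted; remote and a remote cut-over attempt rejected.
    results["local_normal"] = gw.handle(Command(Source.LOCAL, "open_valve_12"))
    results["remote_normal"] = gw.handle(Command(Source.REMOTE, "open_valve_12"))
    results["remote_cutover_attempt"] = gw.handle(Command(Source.REMOTE, "cutover", sets_cutover=True))
    # Plant becomes uninhabitable; the operator throws the local switch before leaving.
    gw.assert_cutover_locally(True)
    results["remote_after_cutover"] = gw.handle(Command(Source.REMOTE, "close_valve_12"))
    results["local_after_cutover"] = gw.handle(Command(Source.LOCAL, "open_valve_12"))
    # Hazard cleared; the switch is released and the remote path closes again.
    gw.assert_cutover_locally(False)
    results["remote_after_release"] = gw.handle(Command(Source.REMOTE, "open_valve_12"))
    results["log"] = list(gw.log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the model is that the only input that opens the remote path is `assert_cutover_locally`, which a real gateway would wire to a physical contact at the plant; an attacker on the network can send commands but cannot change which control room the gateway listens to, and any command that tries is itself a logged indicator.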

Use a single control room well protected from all identified threats.
Most control systems have a single control room. Unless there is a financial benefit, a physical limitation, or an event-sequence-related reason for redundant control rooms, none are recommended, because redundancy normally increases cost and complexity and creates additional paths for exploitation. When the control room is co-located with the ICS, the physical proximity is also an advantage for physical access to the equipment.

Use two control rooms, a primary and a remote backup.
For situations in which the consequences of control room failure are high and the system under control is so dangerous that event sequences may make a co-located control room uninhabitable during times when operator control is necessary to prevent even higher consequences, a remote backup control room may be highly desirable, with an emergency cut-over for use when the co-located control room must be abandoned.

Use distributed control centers across the region where the business functions.
For a geographically distributed enterprise with multiple similar plants, a set of manned control centers remotely controlling a larger set of plants may be more cost effective, efficient, and effective at managing the complex of plants than a separate control center at each plant. In these cases, the similarity of controls may allow a smaller number of consoles to manage a larger number of systems from locations where other facilities, such as research and development and quality control, are located. This allows, for example, limited experimental control to be exercised, or expensive simulation environments to be operated in multiple modes for multiple plants at lower cost. When the consequences of failure for individual plants are high, this is problematic because the shared resource may be unable to handle the aggregated load during common-mode failure conditions or under high-stress event sequences.
Similarly, in large-scale geographically distributed control systems such as large metropolitan area water systems and regional power systems, a small number of redundant manned control centers in geographically diverse areas within the region may be more cost effective, reliable, and efficient than many local manned control centers. In these cases, the similarity of controls and the unification of systemic functions allow systemic control that would be difficult at best across a larger set of local control centers with only local controls. At the same time, local control mechanisms should remain in place to allow local overrides for maintenance and similar functions, and to act as an emergency backup for attaining and maintaining less efficient manual control over the system.

In all cases: Backup control rooms and switch-over capabilities should be tested and verified periodically. This is typically done at least once per year as part of business continuity planning efforts.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved