If, as Thomas Jefferson said, eternal vigilance is the price of liberty—it's also the price of cyber-secure operations. So after Honeywell Process Solutions (HPS) designs the latest security functions into its products, its developers know this is just the beginning of the updates they'll need to provide—and of the ongoing encouragement users will need to adopt secure work practices and maintain secure solutions over the long term.
"We must provide secure products and services because they're used in critical infrastructures, so users don't have to worry that their equipment and applications will be hacked and misused," said Mike Baldi, chief cybersecurity architect at HPS. "We have out-of-the-box security in all our products, but users may need different levels of security depending on where they're applied. So we can test and analyze solutions, conduct site assessments, and can add more secure communications, white-listing and other services as needed."
These were among the main themes of a panel discussion and question-and-answer session hosted by Baldi and Mike Spear, global operations manager for HPS' Lifecycle Solutions and Services group, this week at the Honeywell Users Group (HUG) Americas Symposium in San Antonio, Texas.
Despite assurances from Baldi and Spear, the mood of the discussion was at times tense and grim, reflecting many attendees' concerns that cybersecurity is over-hyped, poorly defined and extremely dangerous—all at the same time. Clearly, they worry about being powerless to stop a cyber attack that results in a loss of visibility, production loss, equipment damage or personal injury. "This isn't hype. There are real risks from a lack of cybersecurity, and not being aware of them can be real trouble," stated Baldi. "This isn't a case of if you'll be attacked. It's a question of when. So, users must determine what their applications and organizations can tolerate, assess how much security they need, decide on the right response to their actual risk and continuously reevaluate. Cybersecurity really is a continuing journey."
Spear added there's been a 50 to 70% increase in cyber attacks on industrial control systems since 2010. "Our services organization deals with cybersecurity daily, and we've seen a significant increase in the number of attacks in the past three years," said Spear. "Most of us never call on our home security alarms or life insurance, but we still have them. Each user has to decide how much risk they have a stomach for and how much security they'll need."
Baldi added that overall descriptions and individual details on many cyber attacks aren't publicly disclosed. "Not a lot is published, so you won't hear about most of them," said Baldi. "If you've been successfully attacked, you'd want to address it quietly. Most sites that have been exploited don't publicly release details right away because they want to follow a responsible disclosure policy of working with suppliers to minimize damage, notifying customers using their products, reestablishing their security and then notifying the public."
One cybersecurity problem that's been especially difficult to solve is patch management. Most patches come from the IT side and are supposed to be applied immediately. However, most plant-floor applications must wait to apply patches until safety and production requirements can safely allow them. Historically, many patches have been added via CDs or other portable media, but Spear says HPS now offers a remote, natively connected service that allows users to download patches automatically for subsequent deployment.
Baldi added that HPS is in the process of updating its cybersecurity reference architecture and recommendations, developing a continuous cybersecurity dashboard, and is opening a new Cybersecurity Lab to help users test their components and systems.