You can't stay awake forever. So even though effective cybersecurity demands ceaseless awareness, monitoring and mitigation, you can't go it alone. From the overlapping shields of the ancient Greeks to the shift changes and teamwork needed in today's process industries, we need others we can rely on to spell us and help us succeed.
By now, the basics of cybersecurity should be well known by almost everyone:
- Turn on passwords and antivirus software;
- Separate device and production networks from enterprise/business networks and the Internet with managed Ethernet switches used as firewalls;
- Segment operations into functional sub-networks with more firewalls;
- Enable read-only functions that allow operations to send out data, but prohibit any incoming instructions or commands;
- Adopt and follow appropriate software patching policies;
- Train and retrain staff to follow agreed-upon security procedures;
- Establish regularly scheduled network traffic evaluation using IT-based software tools that can identify, disallow and purge unauthorized probes and intrusions.
However, because dealing with cybersecurity threats and attacks is a constantly evolving chore, it doesn't have an endpoint or final barrier to hide behind and relax. This also means the steps above are just the beginning of what's needed for effective security. Because time and labor are limited, what's really required for continuous cybersecurity is better and simpler tools, and cooperation among all of a process organization's members, integrators, contractors, suppliers and end users. Heck, the bad guys work in teams and share malware tools worldwide, so why shouldn't the goods guy cooperate to beat them?
Get on the same page
"When we talk about security risks, it's not a matter of when, but rather how one contains and limits the impact of a cybersecurity risk to industrial manufacturing," says Jim Labonty, director of global automation at Pfizer Global Engineering. "Every challenge to devices, applications, computers, networks and physical facilities is serious, and needs to be considered when protecting plants and manufacturing sites. The key takeaway is that no single product, methodology or technology can secure today's manufacturing control system applications, so we need to collectively work together on all aspects, such as patching software and running antivirus programs, to make sure we've established integrated layers of defense."
Labonty reported that a war on automation infrastructures is underway, and that external intrusions and attacks have been ramping up for the past 10 years. However, he added that control systems can no longer rely on their historically physical isolation because so many now have links to higher-level enterprise systems and the Internet to get useful data out. Unfortunately, this creates security vulnerabilities that must be managed.
"Pfizer isn't perfect when it comes to cybersecurity, but we're working with our plant sites to establish these secure layers," explains Labonty. "We're finding that they have different levels of security capabilities, but we also know this is continuous process for everyone. This is because intrusions and cyber-attacks are growing increasingly sophisticated. In fact, the number of attempted cyber-attacks on most manufacturing site—including Pfizer's—is now in the millions per day, so we've got to get cybersecurity infrastructures in place from our global networks down to the plant floor. Our initial cybersecurity designs were usually two network interface cards (NIC), Ethernet and servers, but we've been updating them to better designs."
And, as if existing security situations weren't dire enough, Labonty reports traditional hackers are increasingly joined by nation-states bankrolling teams of attackers breaking into corporate networks down to their lowest levels, mostly to discredit and disrupt their brands.
"Control systems must establish defense in depth, but they can also look at sending network logs and data back up to users for inspection," adds Labonty. "This can be very helpful because it lets users see if anything has changed or gone wrong at the control level, which is a huge advantage. Defense in depth strategies can also define authorized traffic, so at Pfizer, we use a series of firewalls as our network goes down to the controls level, where there are more secure zones. Firewalls aren't too costly, and they can pay back quickly, and report their logs back, too. We're also using Splunk software to analyze network traffic patterns, which gives good indications when something is trying to transgress and a proactive indicator of what to investigate."
Security joins control, operations
Beyond gathering and coordinating available security tools and related players, some users emphasize making cybersecurity part of their regular data acquisition, quality tracking, process safety and other efforts.
Dan Stauft, corporate engineer at Sugar Creek, reports it's celebrating its 30th year of manufacturing mostly private-label bacon and other food products at its 420,000-square-foot facility and at six other plants it's integrating. "Previously, we only did data collection for our machines, so we've started exploring Inductive Automation's Ignition SCADA software for use with our water treatment and refrigeration applications, and we're seeking to link them with our MES system," says Stauft. "We also do manual quality assurance logs to prevent recalls, so we're also starting to put in place better temperature monitoring of our refrigerators and freezers. This includes adding automatic alarms and reporting, so we can identify approaching temperature thresholds before there's a problem and we risk spoiling 20,000 pounds of pork; respond proactively instead of reactively; and make it easy for users to extract data without needing a master's degree in SQL programming."
Stauft adds that Sugar Creek also does product tracking and tracing, and that it's trying to plug Ignition software into this application, but do it securely. As a result, it employs Cisco's Converged Plantwide Ethernet (CPwE) architecture and topology (Figure 1).
"Our two-year-old plant in Indiana is a Cisco show plant for security," says Stauft. "The applications and equipment are air-gapped, and no one is allowed in through the VPN to the manufacturing zone. Instead, we run virtual desktop interfaces (VDI) with VMware software and servers. They sit in the network demilitarized zone (DMZ) that's configured for our suppliers to access their machines. They allow remote logins at the VPN, but make users go to the VDI to see machines and applications. It's like logging on through a remote desktop, but only VDI can talk to the machines. Even the vendor doesn't have direct access here, and can't push or pull files because they're all located at the DMZ on the devices. Each vendor and machine gets its own subnet, and the Ignition server is the only one that can access all of them. To access a PLC, for example, the vendor uses VPN to open a remote desktop session on a VDI. Each VDI has whatever software the vendor needs loaded, and only has access to the VLANs assigned to the vendors devices."
Sven Schrecker, chief architect of IoT Security Solutions at Intel and co-chair of the Security Working Group at the Industrial Internet Consortium (IIC), adds that, "Security is one of five characteristics that support Industrial Internet of Things (IIoT) trustworthiness. The others are safety, privacy, resilience and reliability. Together, they create the trustworthiness that IIoT needs to protect against system faults, environmental disruptions, human errors and cyber-attacks. We need a new, comprehensive adoption model for trustworthiness as the basis for industrial adoption of IIoT. Then we need to look at all environments from a security perspective, and leverage trustworthiness to manage risk and increase the likelihood of correct business decisions. Security can't be something we do just to do it or for compliance."
To aid these efforts, IIC recently published a 173-page guide, "Industrial Internet of Things Volume G4: Security Framework." The Industrial Internet Security Framework (IISF) offers a security model and policy built in conjunction with the Industrial Internet Reference Architecture (IIRA). IISF has a data protection layer with several security building blocks and techniques for IIoT, including security configuration and management, security monitoring and analysis, communications and connectivity protection, and plant protection that includes edge devices and the cloud.
"We need chips, boards and software with security built in from the beginning, and we need them attested to the right level of security from the top down," said Schrecker. "Owner/operators also need to demand better security and tell system builders and component builders to assert trust in their systems. End users can also assess security levels. Performing all these tasks is the only way to get consistent security into the IIoT. Also, we can't just be secure at the edge, and think we're secure overall. We need end-to-end security based on comprehensive models and policies. Each part of an application needs to protect itself, whether it's at the edge, on the network were in the cloud."