CT1912-FC-294x280
CT1912-FC-294x280
CT1912-FC-294x280
CT1912-FC-294x280
CT1912-FC-294x280

12 days of cybersecurity: Weiss calls for ground-up cybersecurity

Dec. 16, 2019
12 days of cybersecurity: Day 5
Check out the 12 days of cybersecurity mini-series!

Just as users must be sure their contractors and clients are protected—and not just themselves—they must also extend cybersecurity beyond—and below—their usual networks, especially to sensors, instruments and other plant-floor devices. If identifying and fixing cybersecurity vulnerabilities means pursuing them into the trenches, then it's not time to worry about getting dirty. The constant downpour of cyber probes, intrusions and attacks are only increasing, and just like flood, are seeking entry at any vulnerable point. Fortunately, ground-level troubleshooting is one of the traditional jobs that process control engineers, operators, technicians and other plant-floor personnel know and do best.

In the sensor trenches

"Almost all cybersecurity, whether IT or OT, is based on network threat hunting and network anomaly detection. Control system users rely on information from OT networks. However, they typically lack expertise at the process sensor level, even though attacks can come from that source," says Joe Weiss, managing partner at Applied Control Solutions (ACS) and producer of Control's Unfettered blog. "Some attacks can look like malfunctions, so even if a user's data appear to be secure, their system and equipment could still be corrupted. Many disasters have been caused by sensors and physical device failures. Process sensors have been hacked. Consequently, it's crucial to understand how these and other Level 0 components must secure their own ecosystems for any control system cybersecurity program to be effective. Unfortunately, no sensors to date have completed cybersecurity testing, which is needed to monitor their raw signals in real-time. Ironically, the serial-to-Ethernet filters that used to move data up to Ethernet networks don't allow higher-frequency, raw data anymore, but this is what's needed for sensor-level forensics to monitor and plug these holes at the lowest levels."

Weiss adds that sensor-level cybersecurity and process safety can be improved by implementing an independent network for plant-floor devices that's not tied the usual Microsoft Windows, human-machine interface (HMI), and other Ethernet-based, IT-related networks as these were compromised by Stuxnet and Triton. "It's important to do a cybersecurity risk assessment (RA) to understand all critical processes and sensors, and determine what's needed. However, their relative criticality is in the eye of the beholder, so having a serial, I/O-Link or other hardwired network that's totally removed from the Windows and IT network can help an operation maintain its process view and control if and when the main network goes down due to a cyber attack," explains Weiss. "This really is back to the future because it's a lot like the redundant safety networks mission-critical processes used to avoid having a single point of failure. Luckily, installing a redundant network is easier and less costly these days. For example, for a feedwater control or critical condensate application, all that a redundant network would need is less than 10 sensors to monitor critical measurements such as  temperature, pressure, flow and valve position."

Always, the human element 

Of course, even if all the bases are covered—at all levels—with the latest cybersecurity solutions, they can't be effective if the people using them aren't made aware, thoroughly trained, and routinely practiced in good cybersecurity hygiene and best practices. Of course, this requires committed, consistent leadership over the long-term, which is often in shorter supply than cybersecurity training.

Want more?

Hear Jim Montague's full interview with Joe Weiss in the latest podcast from Control Amplified: The Process Automation Podcast. Tune in now! 

Just as sensor-level cybersecurity must be understood and implemented, Weiss reports laptops, tablet PCs, smart phones, calibrators and other portable/handheld devices are often taken inside firewalls, even though they're potentially cyber vulnerable and could transmit malware. Consequently, these devices also need to be secured before connecting them to sensor networks.

"Engineers and other users must be trained, so they can understand whether the process is doing what's expected. If there's an upset, does it make sense? If not, they must be able to talk to their network people to see if anything funny is happening," says Weiss. "IT doesn't usually care if a motor has a problem. However, cybersecurity is also about better understanding operations and what's going on. That can't be done by keeping process engineers out of the picture. Policies and procedures can be drafted, but you must have control system expertise, not just cybersecurity, to make sure cybersecurity policies that don't negatively impact control systems."  

To help rally OT and IT together around cybersecurity, Weiss reports senior management must recognize that it's a priority, establish procedures and governance, and dedicate resources it. However, he adds that management must also clearly define who's in charge of control system cybersecurity devices and software. "Management has to tell engineering 'this is your equipment and you're responsible for it.' Engineers don't usually attend cybersecurity meetings, but if a new device has been added to a turbine, then engineering needs to be involved. With the cybersecurity team telling engineering the cyber-implications of using new devices, this coordination can be started by bringing engineering and networking people together, and developing key performance indicators that demonstrate how they're working together."

About the author: Jim Montague
About the Author

Jim Montague | Executive Editor

Jim Montague is executive editor of Control.