Just as kids in the higher grades know more than their younger classmates, business and mainstream computing have been digitized, networked and subject to cyber-threats longer than their plant-floor and industrial counterparts. Because they have more experience dealing with cybersecurity, information technology (IT) departments also have more knowledge than their operations technology (OT) counterparts about how to protect against probes, intrusions and attacks—even though compromised credit card numbers or stolen intellectual property aren't as serious as hijacked, damaged or destroyed process systems and injured or killed personnel. The good news is that OT is catching up by using more IT-style tools.
"In the age of pneumatics, there was less accuracy, limited access to data and few security risks, but in the age of electronics, we've had increased accuracy and data access along with increasing security risks," says Keith Dicharry, process control and automation director at BASF North America in Florham Park, N.J. "And now, with today's digital technology explosion, we have floods of available data and ever increasing accuracy and verification, but increasing risks to the security and safety of our assets and to our ability to limit access to mission-critical data.
"Remote access and remote control have become real, but this has meant open portals, limited restrictions and increased access. We have more accessibility for better collaboration, but this means everyone has a key. We've gained new ways to improve efficiencies, but now data floods across the Internet and intranets. We do a layered, defense-in-depth cybersecurity strategy, nothing is ever 100% secure, and so we need to take all our data sources and pathways, and use effective automation to make them more secure and reliable."
Mariam Coladonato, product marketing specialist for networking and security at Phoenix Contact, reports that, "Identifying vulnerabilities and performing risk assessments (RAs) to improve cybersecurity has never been easy, but they're essential for giving users and their organizations the context on which they can build a defense-in-depth cybersecurity strategy that follows standards. It's also hard for control engineers to understand the scope of their networks, but there's more awareness now of the need for protection, and the big companies are transitioning more IT people into handling their industrial control systems, networks and devices at the industrial control system (ICS) level. This is also a generational issue because more young graduates are taking IT-related classes, even if they're working toward industrial engineering degrees."
Security strategies and skills
Dicharry reports that BASF organizes and segments its networks into two main categories: IT/business that handles enterprise resource planning (ERP); and OT/engineering that includes its management execution system (MES), process control systems (PCS), communications and wireless. To protect these networks, it uses a four-part strategy:
- Prevent, including awareness and training, firewall rules, asset database and governance, risk-management and compliance (GRC) tools;
- Protect, including a business systems requirements analysis (BSRA) and optimization program, solutions catalog, detailed risk analysis, Level 3 server for patch management, and an HBI cell;
- Detect, including BSRA review, detailed RAs, threat intelligence, Level 3 server for vulnerability scans, and security monitoring; and
- Response, including incident response and incident handling programs.
"We had some friction setting up our cybersecurity program, but it's gotten much better in the past three years. There's much more understanding across the company now," says Dicharry. "To develop our cybersecurity roadmap, we do RAs at all plants, so we'll be ready if an incident does happen, and know our chain of command."
Dicharry adds that cybersecurity also depends on converging IT and OT departments, though this can pose some staffing problems. "We selected former IT guys to do cybersecurity, and the most important things for them to understand was they were no longer dealing just with PCs, and that everything we do in the process automation world is attached to physically doing chemistry in a plant and moving it through pipes. They had to acknowledge that IT processes and practices do not and will not fit in the industrial production world.
"For our part, we had to accept that some veteran engineers with 20-25 years of experience were never going to grasp the IT and Ethernet world, just as many IT people will never grasp the process production world. We also had to understand that technology will continue to increase vulnerability for our process control assets, which mandates continuous updating to our layers of protection. We also had to understand that security is directly linked to process safety, which required a further mindshift change at BASF. This means we don't use technology just because it's available. Instead, we establish use cases, their needs and specific values they'll deliver; evaluate and address added risk to maintain at least the same level of security; and implement the correct technology that will deliver value to the application."
Gary Williams, senior director of technology and cybersecurity at Schneider Electric, agrees that cybersecurity demands a mindset change because it isn't a project that can be finished, and reports his company has developed a 10-step cybersecurity methodology. Its main recommendations are:
- Adopt a standard such as ISA99/IEC62443 to give participants a common vocabulary about cybersecurity between departments, divisions, companies and larger organizations;
- Gather controls to collect and account for all the components in each process control application and its workload.
- Complete gap analyses to check for vulnerabilities in existing equipment, systems and software, especially undocumented ports and network connections.
- Perform risk, threat assessment and prioritization that go beyond mitigating critical threats, and review the security status of all devices and system every quarter.
- Execute mitigation to put cybersecurity protections in place, and notify senior managers about how cybersecurity programs are progressing.
- Survey the complete system by collecting configuration files on firewalls and switches.
- Store configuration files securely onsite and offsite in safe locations, and practice recovery as often as possible.
- Inform all stakeholders, especially management.
- Verify security measures on a regular basis because threats and their vectors change regularly.
- Educate everyone because people are the first line of defense in isolating process applications, controls and networks, and then identifying probes, intrusions and attacks.
Sources of protection
While it's not easy to develop and implement cybersecurity strategies, there are a variety of system integrators and other resources that can help. For instance, as the nonprofit provider of water and wastewater services in Russellville, Ark., City Corp. recently worked with system integrator Brown Engineers of Little Rock, Ark., to remove a legacy PLC with pin-based backplane at its settled-sewage facility, and replace it with a Secure Communication Controller (SCC) industrial control system with five-slot, electromagnetic backplane and standard I/O modules from Bedrock Automation. The utility treats 6-7 million gallons of wastewater per day from 28,000 residential clients and businesses, including the Arkansas Nuclear One (ANO) power plant.
SCC runs a secure, military-grade, real-time operating system, which further embeds security into the sewage facility's software and firmware controls. Its electromagnetic backplane improves reliability by eliminating pin corrosion and breakage, and enables embedded security by preventing the use of counterfeit I/O modules (Figure 1). It also uses CoDeSys IEC 61131-3 PLC programming, and communicates via OPC-UA networking with its Ignition SCADA software from Inductive Automation.
“The PLCs running automatic control of our digestion blowers, clarifiers, sludge pumps and chlorination chemical feed pumps became obsolete, so when one of them failed, we wanted to replace it with something that would provide a path to the future," says Steve Mallett Jr., PE, general manager of City Corp. "With its increasingly built-in cybersecurity protection, Bedrock's system offers that, and it's been running without issue since installation last November."
Dee Brown, principal at Brown Engineers, adds that, "Typical PLCs have external vulnerabilities and internal access, so Russellville's water/wastewater board was looking to bolster its control system's programming and account security with an IT-type solution that would encode data as it comes in. SCC uses 256-bit encryption for secure communications, and maintains security certificates in Bedrock's Vault system. We're seeing increased interest in cybersecurity among municipal utility clients such as City Corp. Many want to control security functions from their tablets and control centers because
their networks are getting hammered every day by probes and attempted intrusions. Bedrock's controller gives them another layer of protection beyond firewalls and VPNs. It's unique because as it powers up, it checks to be sure that all hardware and software components are validated, which regular PLCs can’t do."
Besides adding secure hardware, Mallett adds that Russellville's water/wastewater managers are also educating themselves and their staffs on good cybersecurity practices. "We're educating ourselves on the risks we face daily," says Mallett. "We can't assume that we won't be a target, and we don't want to be vulnerable. So, we're letting folks know that we're being proactive, beefing up security, and making sure we're not on the list of those seeking vulnerable systems."
Because developing and implementing a cybersecurity policy must occur above the operations level, Mallett and Brown add it’s crucial to involve any organization's leadership as well. "Utility operators and supervisors usually don't want to change from familiar equipment brands, so cybersecurity can't be an operations-level decision," says Brown. "Protecting a utility has to be a management-level decision, but they still have to appreciate each other's concerns. Utility operators are mainly concerned that their PLCs are working, so uptime is what gives them peace of mind. Utility managers and board members are more concerned about IT-based issues, and so cybersecurity is what gives them peace of mind."
Similarly, LogiLube recently partnered with Waterfall Security Solutions on developing its Platinum Level Data Security, which prevents hacking of operational data from LogiLube's oil and gas clients by using Waterfall's Unidirectional Security Gateways. Platinum Level works with LogiLube's SmartOil compressor package-mounted, real-time oil condition monitoring system that increases uptime and reliability by providing analytics on machine health indicators such as oil temperature, pressure, viscosity and dielectric strength.
Platinum Level offers multiple layers of data encryption and firewalls, while adding Unidirectional Security Gateways at LogiLube's data center also creates a unidirectional system that prevents attack propagation while preventing the communication path from exploitation by even the most sophisticated cyber-attacks. The two firms add that combining their products delivers actionable information from real-time data analytics to field engineers monitoring midstream natural gas facilities at often remote locations, while at the same time protecting that data from being compromised.
“By adopting Waterfall’s solutions, LogiLube can deliver to the midstream natural gas market actionable analytics that are both real-time and secure,” says Bill Gillette, Waterfall's president. “This represents a game-changing technology for the midstream oil-and-natural-gas industry. We can now provide real-time information without risking data integrity or compromising IT security.”
Tools for security
Beyond strategies and experts, there are a variety of new software and hardware tools and services for improving cybersecurity, especially as process control applications get closer and overlap with the Internet.
"There's increasing focus on securing network infrastructures and increasing need for tested security solutions due to the Internet of Things (IoT), which is why we recently partnered with Symantec," says Tony Baker, security leader at Rockwell Automation. "We're also cooperating with another partner, Cisco, because its Sourcefire network traffic monitoring and malware detection tool can act as a sensor, recognize OT-level protocols, and improve perimeter and internal security. IT tools such as these can really help the OT side."
Likewise, Underwriters Laboratories just started its Cybersecurity Assurance Program (UL CAP), which uses the new UL 2900 standards to offer testable cybersecurity criteria for network-connectable products and systems to assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness. UL CAP is for suppliers seeking trusted support in assessing security risks, and for buyers who want to mitigate risks by sourcing products validated by a trusted third party. UL CAP will also issue cybersecurity certificates for individual products, original product-development locations, and live production systems.