To help other end users show their managers, accountants and corporate leaders about the value of cybersecurity, Keith Dicharry, director of process control and automation for BASF in North America, presented "Making the Case for Cybersecurity Investment" this week at ABB Customer World 2017 in Houston.
"Our worldwide automation strategy at BASF begins with a pyramid of doing the basics before adding new functions and new technologies," began Dicharry. "The fundamental tasks at the base of that pyramid include safety and security. The first devices that did machine-to-machine communications were pneumatics, and the strategies used by today's controls aren't a lot different. The change now is that digital devices can be hacked into, and there are people trying to get in."
Unfortunately, instead of dealing with cyber probes, intrusions and attacks in a logical way, Dicharry reported that many process industry users are suffering from "shiny things disorder" (STD). This is the desire to get smart phones, tablet PCs and other new technologies into the hands of staffers, and attract new employees, without first considering whether those new technologies will justify investment in them and if they can be applied securely.
"A lot of STD things are making their way to smart devices at BASF, so we try to slow them down some, and first find out if they're really going to add value," explained Dicharry. "There's an attitude of 'if you build it they will come,' but I think that's the reverse of what should be happening. We'd started implementing mobility devices at one of our sites, but we haven't seen a lot of value in them yet. Our BASF4.0 team was established looking at these new smart devices, and they're looking at applications that will bring value moving forward. We will need to address the challenges and obstacles to implement, but there is value in the technology."
Data context needed
Dicharry added that BASF and other process industry players are suffering from an "everything, everywhere syndrome," which seeks to make all data available at all levels, and do it everywhere, all of the time. "We've been collecting data for years, and we have huge volumes of it. It's great to get it to the right hands, but I don't think my COO is going to want all of it, or would even know what to do with all of it," said Dicharry. "Each user needs data that relates to their role. We also struggle with contextualizing data, vetting information, and getting it in front of the right person at the right level for the best decisions."
Because of industry's misplaced focus on STDs and everything/everywhere, Dicharry worries that some users may be making the foundations of their own automation pyramids less solid. "If we look at our distributed control system now, it's apparent that we're not fully utilizing what we already have," explained Dicharry. "Yet we want more data, and we want to pay less for it. We've got plenty of data already, but it isn't in context; it's not valid for the guys in the trenches or for upper management."
Seek smart security
Dicharry reported that it's important to beware of the two words "it's secure" because most static security measures will only be effective for a short time. "If they're not set up correctly, smart devices are very accessible, vulnerable and hackable," he said. "Most vulnerability testing firms are very successful at breaking into process industry companies and applications, which are also affected by human factors, too." Often as not, these include physical security breaches as well as purely cyber intrusions, he said.
From a big picture perspective, cybersecurity at BASF is handled much like it is at other process industry companies: by IT at Layers 3 and 4 of the Purdue Control Hierarchy Reference Model, which include manufacturing execution systems (MES) and enterprise resource planning (ERP) systems. Layers 1 and 2 are outside of IT's scope, and are typically handled by proprietary systems. "Layer 3 is a gray area, so we want some kind of cybersecurity middle ground from there on down. There are very diverse solutions below Layer 3, but we can use some IT methods," explained Dicharry.
"We wanted a better plan, so we set up our Automation Security Team and a Global Technical Engineering Automation Security (GTEAS) team. We also got our IT security side involved to see what they could add to the process side. We found there were a lot of holes in that approach at first, so we also developed a combined operations technology (OT)/information technology (IT) Security Operations Center, which is up and running and meets monthly.
"We've also been developing a cybersecurity solutions catalog, so when we find vulnerabilities happening, we can pull a solution from the catalog that includes input from other sites, or we can develop a new solution with help from partners like ABB."
Business case for protection
Dicharry reported that one way he and his BASF colleagues get their company to pay closer attention to cybersecurity is by getting them to understand that it's very similar to process safety. "If people can understand that there's a problem, it's easier to justify funding for it," he said. "There's just no magic bullet. We can't show return on investment on preventing cyber attacks, but if we do a good business case and risk assessment for cybersecurity, we're usually able to get funding. We've even been able to add cybersecurity to BASF's overall automation roadmap, and we're benchmarking where BASF is on cybersecurity compared to how other companies are doing."
"Once a cybersecurity risk assessment is done, it goes to the Automation Security Team, and then to senior management for funding. In our process, we don't try to use scare tactics. We've had to deal with some issues but have been able to keep them from impacting production thus far."
Dicharry added there were some early disputes within BASF over cybersecurity policy. "For example, we wanted to allow ABB to have remote access to some equipment to assist troubleshooting, but ran into a brick wall with cybersecurity experts. Now, they're getting more OK with managed remote access," he said. "My advice is be realistic, not pessimistic. We want to make chemicals and profits, and we have to use technology that's secure to do it."