Truly useful cybersecurity means getting beyond the fear, panic, and hype, and allowing process control users to take some practical steps to protect their applications, facilities, and larger organizations. This pragmatic approach is the strategy long advocated by process safety and security consultant exida, which provides product and professional certifications, training services, and tools such as its exSILentia integrated safety lifecycle software.
NovaTech reports that it too is aware of the cybersecurity challenges faced by its customers, and is embedding cybersecurity in its latest process controllers and substation automation products.
"IEC 61508 is the umbrella safety standard, and IEC 61511 is the process safety standard for end users, but the IEC 62443 standard also includes performance-based safety requirements for manufacturers and end users," said Steve Gandy, global business development vice president at exida. "It depends on what business users are trying to do and how vulnerable this makes them."
Gandy presented "Pragmatic approach to cybersecurity" on Sept. 20, the third day of NovaTech Automation Summit 2017 in Baltimore, Md. He added that exida typically conducts two-day, facilitated, onsite, work-process-driven discussions on cost-reduction principles for cybersecurity. Similar to the strategy and tactics used for process safety assessments, exida's counterparts for security cover cyber-secure design, obsolescence, soft-touch hardening, program management, enterprise programs and actionable security. Subsequently, exida delivers a report on cost-reduction opportunities compared to a prioritized security solution.
"Process safety, cybersecurity, and alarm management are similar because they all need risk assessments (RA), and we're also trying to develop a cyber-alarm function for suppliers doing deep-packet inspections," added Gandy. "Because intrusions can get beyond the usual network barriers—we've seen onsite cabinets open and Post-It notes with passwords written on them—we also need to identify hazards, analyze threats, rationalize alarms, and look at other process, cybersecurity, and abnormal situation management event responses."
After managed Ethernet switches are used as firewalls to separate plant-floor networks from the business/enterprise level and set up other subzones, Gandy reported that other technologies such as data diodes can be used as conduits that only let data go out from the plant-floor, but don't allow communication back down to it.
Because one set of stolen credentials from an authorized user can jump past all firewalls rules, Gandy added it's vital for every member of an organization to be aware of its cybersecurity policies and procedures, and participate in making sure they're carried out. Also, beyond applying standards and RA principles, and addressing user and physical access, he added that organizations must also examine how partners and contractors in their supply chain are addressing security because any vulnerable associates could put their partners at risk by providing a pathway for intrusions and attacks.
If users aren't sure if a piece of equipment or another asset is designated as a cybersecurity asset, Gandy added that labels can be applied as reminders of what's within an organization's cybersecurity jurisdiction, what devices need to be monitored and reviewed, and where users must follow cybersecurity procedures. Similarly, he said that posters can be used to drive home and remind staffers about good security practices and required procedures.
Finally, because newer networking technologies like cloud-based services and the Internet of Things (IoT) support more network connections, Gandy concluded that added security measures are needed to protect them.
"People sometimes ask whose job is cybersecurity? We say it's everyone's job," said Gandy.