No one wanted to talk about cybersecurity for years. Keeping your head down—preferably underground—was the go-to cybersecurity strategy. Unfortunately, for many process operations and their clients, "security by obscurity" remains the default position, even though minimally networked systems with just one or a few undocumented Ethernet ports or wireless connections are pelted, just like larger systems, by a constant barrage of unauthorized probes, malware intrusions and cyber attacks. Obscurity—and most air gaps, for that matter—are illusions because they don't really exist or make process applications secure.
"Too many people still bury their heads in the sand and ignore cybersecurity problems," says Sam Hoff, CEO of Patti Engineering, a CSIA-certified system integrator in Auburn Hills, Mich. "Unless their equipment goes down, they think they have no issues. However, they could have a cybersecurity breach and not even know it's happening, while unscrupulous competitors or other bad actors steal their data or cause other problems. This situation is slowly changing, but not nearly as fast as the industry needs."
Luckily, many process engineers and system integrators like Hoff are awake to the need for asset vulnerability assessments; thorough cybersecurity policies and procedures; basic security measures such as network segmentation and traffic evaluation; and training for staff and contractors to maintain secure behaviors. Even better, they're also beginning to share their cybersecurity know-how with each other, which can undoubtedly make them and anyone who pays attention more secure than going it alone. At last, almost everyone is talking about how to achieve and improve cybersecurity, and that's good news for them and everyone.
"Even though cybersecurity can be a huge and costly problem, there are some pretty cool solutions out there like Secure-NOK's data table monitoring software that monitors for changes in the images of PLCs," adds Hoff. "I'm also encouraged because the U.S. Dept. of Homeland Security's Industrial Control Systems Cyber Emergency Response Team has been around for awhile, and it's putting out more and better cybersecurity updates, alerts and networking recommendations (Figure 1). Also, Control Systems Cyber Security Association International started about a year ago, and it already has chapters worldwide and reports it has 10,000 members. I was at its meeting in Detroit, and there were lots of OEMs sharing best practices."
Tom Lycans, senior consultant, Matrix Technologies Inc., a CSIA-certified system integrator in Maumee, Ohio, reports that, "Over the past two to four years, we're seeing more clients migrate toward more secure control systems that do what the ISA99 and IEC 62443 standards recommend, such as protecting manufacturing zones with firewalls and demilitarized zones (DMZ) between them. They're also using Microsoft's Active Directory Domain Services to manage users and groups with policies that restrict access, copy data and protect intellectual property. We've installed these secure controls at steel, pharmaceutical and food companies."
Greg Pfleghaar, department manager at Matrix, adds that, "More of our clients are also asking for us to proactively add firewalls, shut down unnecessary functions and ports, and not allow publication of files into their systems."
Basics and buy-in...
One of several common threads that emerges as users share their cybersecurity efforts and procedures is to start by researching what equipment, assets and facilities they're running, how they're networked, how critical and potentially dangerous their applications could be, and what added protections they require.
"Our worldwide automation strategy at BASF begins with a pyramid of doing the basics before adding new functions and new technologies,” says Keith Dicharry, director of process control and automation for BASF in North America, who spoke at ABB Customer World 2017 in Houston. “The fundamental tasks at the base of that pyramid include safety and security. The first devices that did machine-to-machine communications were pneumatics, and the strategies used by today's controls aren't a lot different. The change now is that digital devices can be hacked into, and there are people trying to get in."
Dicharry cautions that cybersecurity projects need to avoid getting distracted by "shiny things disorder," which is adopting tablet PCs and smart phones before making sure they'll add value. He stresses they should also avoid "everything, everywhere syndrome," which seeks to make all data available, everywhere, all of the time, but often neglects to contextualize data, vet it, and get it in front of the right person at the right level for the best decisions.
In addition, Dicharry states it's important to beware of the two words "it's secure" because most static security measures will only be effective for a short time. "If they're not set up correctly, smart devices are very accessible, vulnerable and hackable," he explains. "Most vulnerability testing firms are very successful at breaking into process industry companies and applications, which are also affected by human factors, too." These include physical security breaches as well as purely cyber intrusions, he adds.