You can be a cybersecurity badass - part 1

Users, system integrators and suppliers are striking back on cybersecurity intrusions and attacks by sharing best practices, tools and services like never before.

By Jim Montague

1 of 2 < 1 | 2 View on one page

No one wanted to talk about cybersecurity for years. Keeping your head down—preferably underground—was the go-to cybersecurity strategy. Unfortunately, for many process operations and their clients, "security by obscurity" remain their default positions, even though minimally networked systems with just one or a few undocumented Ethernet port or wireless connections are continually pelted just like larger systems by a constant barrage of unauthorized probes, malware intrusions and cyber attacks. Obscurity—and most air gaps, for that matter—are illusions because they don't really exist or make process applications secure.

"Too many people still bury their heads in the sand and ignore cybersecurity problems," says Sam Hoff, CEO of Patti Engineering, a CSIA-certified system integrator in Auburn Hills, Mich. "Unless their equipment goes down, they think they have no issues. However, they could have a cybersecurity breach and not even know it's happening, while unscrupulous competitors or other bad actors steal their data or cause other problems. This situation is slowly changing, but not nearly as fast as the industry needs."

Luckily, many process engineers and other system integrators like Huff are awake and aware of the need for asset vulnerability assessments; thorough cybersecurity policies and procedures; implementing basic security measures such as network segmentation and traffic evaluation; and training staff and contractors to maintain secure behaviors. Even better, they're also beginning to share their cybersecurity know-how with each other, which can undoubtedly make them and any who pays attention more secure than going it alone. At last, almost everyone is talking about how to achieve and improve cybersecurity, and that's good news for them and everyone.

"Even though cybersecurity can be a huge and costly problem, there are some pretty cool solutions out there like Secure-NOK's data table monitoring software that monitors for changes in the images of PLCs," adds Hoff. "I'm also encouraged because the U.S. Dept. of Homeland Security's Industrial Control Systems Cyber Emergency Response Team has been around for awhile, and it's putting out more and better cybersecurity updates, alerts and networking recommendations (Figure 1). Also, Control Systems Cyber Security Association International started about a year ago, and it already has chapters worldwide and reports it has 10,000 members. I was at its meeting in Detroit, and there were lots of OEMs sharing best practices."

Tom Lycans , senior consultant, Matrix Technologies Inc., a CSIA-certified system integrator in Maumee, Ohio, reports that, "Over the past two to four years, we're seeing more clients migrate toward more secure control systems that do what the ISA99 and IEC 62443 standards recommend, such as protecting manufacturing zones with firewalls and demilitarized zones (DMZ) between them. They're also using Microsoft's Active Directory Domain Services to manage users and groups with policies that restrict access, copy data and protect intellectual property. We've installed these secure controls at steel, pharmaceutical and food companies."

Download: Béla Lipták on safety: Cybersecurity and nuclear power

Greg Pfleghaar, department manager at Matrix, adds that, "More of our clients are also asking for us to proactively add firewalls, shutdown unnecessary functions and ports, and not allow publication of files into their systems."

Basics and buy-in...

One of several common threads that emerge as users share their cybersecurity efforts and procedures is: start by researching what equipment, assets and facilities they're running, how they're networked, how critical and potentially dangerous their applications could be, and what added protections they require.  

"Our worldwide automation strategy at BASF begins with a pyramid of doing the basics before adding new functions and new technologies,” says Keith Dicharry, director of process control and automation for BASF in North America, who spoke at ABB Customer World 2017 in Houston. “The fundamental tasks at the base of that pyramid include safety and security. The first devices that did machine-to-machine communications were pneumatics, and the strategies used by today's controls aren't a lot different. The change now is that digital devices can be hacked into, and there are people trying to get in."

Dicharry cautions that cybersecurity projects need to avoid getting distracted by "shiny things disorder," which is adopting tablet PCs and smart phones before making sure they'll add value. He stresses they should also avoid "everything, everywhere syndrome," which seeks to make all data available, everywhere, all of the time, but often neglects to contextualize data, vet it, and get it in front of the right person at the right level for the best decisions.

In addition, Dicharry states it's important to beware of the two words "it's secure" because most static security measures will only be effective for a short time. "If they're not set up correctly, smart devices are very accessible, vulnerable and hackable," he explains. "Most vulnerability testing firms are very successful at breaking into process industry companies and applications, which are also affected by human factors, too." These include physical security breaches as well as purely cyber intrusions, he adds.

1 of 2 < 1 | 2 View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.

Comments

  • BASF Dicharry, "For example, we wanted to allow ABB to have remote access to some equipment to assist troubleshooting, but ran into a brick wall with cybersecurity experts".....When I was working on the Rayong Refinery Control System we had the same concerns back in the 90s and the answer then was not to allow anyone (Bruel and Kjaer at the time wanted to connect for large compressor condition monitoring) direct access. We separated the B&K system from the Foxboro IA and had it stand alone in the control room. It was just another screen as far as the operators were concerned. I cannot see why anyone would connect a DCS or PLC, far less a safety PLC to the internet, by any means, back door through the DCS or anywhere else. The benefits of remote access just were not worth it in the 90s and I see no reason why they are worth it now. I do see a vast industry where money is to be made though in protecting against an unnecessary risk. The air gap is only illusionary if you have a sloppy control system architecture design.

    Reply

RSS feed for comments on this page | RSS feed for all comments