Catch-22s are always tricky, and few more so than the one about cybersecurity and digital transformation. The simplest of these self-contradictory situations is: you can't apply for a job without experience, but you need a job to gain that experience. Well, cybersecurity fell into a similar paradox because digital transformation pushed it. Essentially, Ethernet-based networking, software solutions and the Internet can greatly advance cybersecurity, but at the same time, all the extra connections they add can greatly increase susceptibility to cyber probes, intrusions and potential attacks.
"We've managed cybersecurity risk in our ICS environment for probably 15 years, but there are still many challenges we continue to experience such as manpower. We have many assets across Shell, so it's also a challenge to develop the competencies to perform basic cybersecurity hygiene," says Mark Duck, ICS security engineer at Shell, who presented at ARC Advisory Group's Industry Forum 2020 earlier this year in Orlando. "This is part of handling sophisticated attacks, but it requires a lot of manpower in our ICS environments because they're so heterogeneous that we can't automate everything."
Duck reports that Shell takes a risk-based approach to assess and prioritize the cybersecurity needs of its critical and less-critical equipment and systems by organizing them into zones and conduits, assigning a security target level to each zone, and applying added resources to higher-risk zones. "We're also integrating event log management and basic anomaly and breach-detection tools with our cyber-defense team, which protects both the operations technology (OT) and information technology (IT) environments," adds Duck. "Digitalization and the Industrial Internet of Things (IIoT), as well as multivariable, dynamic simulations and digital twins that include everything about a plant—each represent a lot of data that needs to be secured, so it doesn't potentially enable a targeted attack."
Throughout the years, Duck adds that Shell has developed technology that it stages in a demilitarized zone (DMZ) between its process control and corporate systems to automate tasks like software patch distribution, antivirus signature file distribution and remote access management, which can help it manage cybersecurity risk despite having less staff. "In terms of implementation, there's a risk management process that's been out there a long time called asset integrity management (AIM), and it recently added cybersecurity as a risk that could be added to the mix, though it had to decide if IT or OT was responsible," explains Duck. "We tried making IT responsible for it, but today we're placing the responsibility for cybersecurity at the asset, which is the same as it is for other AIM processes. Cybersecurity isn't just IT's problem; it's something the asset is accountable for. So, just as we do maintenance for safety-critical systems, we'll do the same for cybersecurity by rolling it into AIM processes."
Diffuse the digitalized dichotomy
To help unravel and resolve the digitalization/security paradox, Sid Snitkin, VP of cybersecurity services at ARC Advisory Group, who presented and moderated the cybersecurity sessions at the ARC event, explains that cyber vulnerabilities accompany digital transformation because it:
- Involves business processes that cross OT and IT domains;
- Brings in data from different and new sources; allows access by more users on more varied devices;
- Runs and redeploys software apps in new platforms from edge devices to cloud-computing services;
- Adds new sensors and equipment in processes and facilities managed by third parties; and
- Allows more remote monitoring and control of equipment in more widespread locations.
"IIoT means adding inexpensive devices and getting more data, just as digital transformation is just people using technology to do things better, whether it's digital twins, drones or other mobile devices for engineering and maintenance, or new sensors and employee tracking for health, safety and environment issues," says Snitkin. "There's a lot of encouragement for digitalization because leaders want the same capabilities in their process applications as they have on their smart phones.
To initiate a cybersecurity program in a typical process application, Grant Vandebrake, lead solution engineer for networking and cybersecurity at Phoenix Contact, reports that users must:
- "Know thy system" by conducting a thorough asset inventory and assessment, including all devices, how they're connected, what communications they can perform, firmware levels and what suppliers they come from.
- Establish defense-in-depth by breaking up the process application and its network into smaller risk sections with managed Ethernet switches used as firewalls because fewer pathways mean less vulnerabilities. Only allow devices to talk to each other that need to, and monitor the authorized network traffic for anomalies.
- Employ a publish-subscribe protocol such as OPC-UA for communicating between local control components and the SCADA system because it has security capabilities such as encryption and authentication built in.
- Examine whether data modeling methods such as a digital twin of authorized data might be useful as a benchmark for identifying potentially bogus data or activity.
"Unfortunately, traditional ways of controlling security, such as developing use cases and adding cybersecurity, aren't working because the usual, mandatory security reviews are too slow and traditional standards are too hard to enforce in digitalized situations. For example, if a software app is running on an iPad and connecting to the cloud, it's difficult to know when to switch on which security functions to maintain security. This is why we need to rethink how to build cybersecurity strategies that are more resilient. So, where IT used to be separate from OT, we're seeing broadband links over a fabric of connectivity that includes managed endpoints and deals with fast, dynamic links."
Ricky Eckhart, IT/OT enterprise architect at ExxonMobil, who also presented at ARC forum, adds that, "When we ask how to achieve secure digital transformation, I think we have to look at it from a theme of balance. We have to enable top-line to bottom-line business benefits, but balance them with ensuring our license to operate, which means providing cybersecurity along with digital technology integration. We have a number of efforts focused on digital transformation, but also cybersecurity, at Exxon, and bringing their people and processes together is critical. They can't be in silos because they may have key impacts on each other, so we need to engineer cybersecurity into these processes and solutions from the beginning."
Likewise, Eckhart reports third-party collaboration on cybersecurity is key because digital transformation relies on so many outside resources. "Everyone is still in the learning phase when it comes to digital transformation, so we have to leverage existing expertise and third-parties that we can learn from," explains Eckhart. "We've typically used network zones and conduits for cybersecurity, but today's increasing connectivity and the need for OT and IT to collaborate securely mean we have to revise our network designs, and reexamine the seven-layer Purdue Open System Interconnect (OSI) model. We need a redesigned approach to zones and conduits, so we can enable broad-based connectivity, but do it in a more secure way that improves our detection and response capabilities."
Eckhart adds that engaging the right OT and IT subject matter experts remains the foundation of any effective digital transformation and cybersecurity strategy. For example, ExxonMobil's refining and chemicals business has organized individual Digital Manufacturing Governance Teams that use global, company-wide toolsets to look at the KPIs for each facility, and deploy whichever solutions will be the most valuable to them. "We've also established a manufacturing cybersecurity advisor at each site over the past three years, and many of our engineers are learning cybersecurity skills, too," adds Eckhart. "These advisors work with the governance teams that have been in place for about four years."
Getting physical
In the rush to establish network, Ethernet and Internet-centric security, many experienced end users, systems integrators and other experts caution that equipment access, onsite perimeters and other forms of physical security must not be neglected.
For instance, system integrator IndustrialEnet in Wilsonville, Ore., recently worked with Phoenix Contact to help SpotterRF of Orem, Utah, develop its patented, hand-sized Compact Surveillance Radar (CSR) system to provide perimeter protection for electric utility substations, bridges and tunnels. The three developed a small, flexible, extended-temperature interface panel to help users improve surveillance at remote locations, and comply with new rules such as NERC-CIP-014-01 that require utilities to protect against attacks on bulk electric power systems. Perimeter video cameras are already routinely used for protection, but variables such as weather, congested environments and wildlife can lead to false positives and reduce the camera system's effectiveness. IndustrialEnet and SpotterRF had collaborated on an earlier surveillance system, but they also sought to improve the reliability of the interface panel to help users meet NERC-CIP-014-01's requirements.
To better shield its radar components from outdoor temperature extremes, onsite electromagnetic interference (EMI) and power disruptions, IndustrialEnet integrated Phoenix Contact's interface panel in SpotterRF's C20D and C40D models. These units have fiber-optic interfaces for network connectivity, and provide isolation between individual panels and control houses. The camera and radar systems are powered from the interface cabinet via Power over Ethernet (PoE), which reduces cables and simplifies installation. Adding short-circuit, over-voltage and reverse-voltage protection against surges on power and communication lines during setup or bad weather ensures reliability and resilience. The new panel also integrates IndustrialEnet's devices and Spotter RF's radar with more rugged cameras from Bosch Rexroth to protect facilities. The radar system can detect and track objects reliably, day or night, and in any visibility or environmental conditions, and use the camera’s optics and analytics to provide visual evidence for operators. The cameras also support optional infrared (IR) illumination, which can provide clear visual indications at up to 1,200 ft in low-light environments.
Because hackers start with the simplest vulnerabilities and work their way up until a probe or intrusion succeeds, they should be described as "persistent" instead of "sophisticated," according to Mark Johnson-Barbier, senior principal analyst at the Salt River Project electric utility in Pheonix, Ariz., during his presentation at ARC Advisory Group's Industry Forum 2020 in Orlando.
"They're similar to my 11-year-old, who asks to go to In-N-Out burger every 15 minutes until we just give up and agree to go," says Johnson-Barbier. "However, for many hackers, finding weaknesses and gaining access is also like solving a puzzle, so they read manuals until they know our technology better than we do. This means we have to work to understand our systems and overall technologies better than our adversaries."
Plus, as process control environments and their networks add connections and grow more complex and interdependent, Johnson-Barbier advises their users to employ third-party software that can make their cybersecurity monitoring and protection more efficient. "We often design these functions in silos, and defend our piece of the puzzle, but who's looking at the big picture?" he asks. "This is what hackers are doing as they search for weaknesses. People in different facilities or organizations often don't want to share cybersecurity practices with each other due to embarrassment, but we have to get over it. We have to open the kimono and share because the benefits are too great to ignore. We also have to integrate our IT and OT cyber defense teams, so we have one team."
Likewise, Shell's early production facility opened in April 2017 in Sierras Blancas, Neuquén province, Argentina, to process 10,000 barrels per day of shale oil from its wells in Sierras Blances, Cruz de Lorena and Coiron Amargo sur Oeste. Honeywell Process Solutions supplied its process control and automation system, so Shell also asked it to provide tightly integrated closed circuit television (CCTV), access control, and fire and gas systems. Shell wanted CCTV not only for perimeter surveillance, but also for monitoring key assets, recording operator actions, and enabling security, access control and intrusion detection.
More than 30 dome and other types of cameras were needed for day-and-night coverage of the perimeter, entrances and exits, and widespread applications onsite such as flare monitoring. Honeywell based its solution on its Digital Video Manager (DVM) software and Honeywell XLS3000 intelligent fire detection, supression and mass notification control system. Both integrate closely with the Sierra Blancas facility's Experion PKS distributed controls and its Safety Manager software to provide a comprehensive platform that seamlessly adds video to its control, safety and security functions. DVM handles all the CCTV units, supports Internet protocol (IP) and analog cameras from multiple suppliers, and lets operators access cameras and call up relevant video with their HMI screens, while an integrated workflow lets them navigate alarms.
Managing security services
Because cybersecurity threats and responses continue to evolve quickly, and because digitalization can increase the players and widen the scope of responsibility for many users, some are enlisting help from third-parry providers that help them monitor cyber threats and respond more effectively.
For example, Binh Son Refining and Petrochemical Co. is a member of the Vietnam Oil and Gas Group (PetroVietnam) that handles receiving, and manages and operates the Dung Quat oil refinery in Quang Ngãi province (Figure 1). Beyond its distinction as Vietnam's first oil refinery, BSR's processing capacity has reached 6.5 million tons of crude oil per year, and it has plans to upgrade and expand to 8.5 million tons per year.
However, BSR reports its production goals have been hindered by five years of ongoing cyber-attacks, which were especially intense on its industrial automation facilities. It added these incidents ranged from theft and industrial espionage to terrorism and hostile state actions. As a long-time user of Honeywell's process control systems, BSR has employed its Managed Industrial Security Services (MSS) since 2010, which helped reduce the risk of security breaches in BSR’s plant by providing ongoing monitoring of the refinery's process control networks (PCNs). To further fortify its cybersecurity protections, BSR also sought to align its PCNs with global industry cybersecurity standards in 2016. It added MSS's Secure Connection authenticated, encrypted virtual private network (VPN), so Honeywell's support engineers and subject matter specialists could remotely troubleshoot security and maintenance issues, which improved responsiveness to issues and reduced downtime.
“Our security updates are better managed and updated with Honeywell Managed Security Services," says Loung Thái Hà, deputy general manager for R&D at BSR. "We'd also like to attain next higher level of cyber-assurance, and we're looking for Honeywell’s support to drive towards this objective.”
