Jim Montague is executive editor of Control magazine, and has served as executive editor of Control Design and Industrial Networking magazines. He's worked for Putman Media for more than 10 years, and has covered the process control and automation technologies and industries for almost 20 years. He holds a B.A. in English from Carleton College and lives in Skokie, Illinois.

Just as kids in the higher grades know more than their younger classmates, business and mainstream computing have been digitized, networked and subject to cyber-threats longer than their plant-floor and industrial counterparts. Because they have more experience dealing with cybersecurity, information technology (IT) departments also have more knowledge than their operations technology (OT) counterparts about how to protect against probes, intrusions and attacks—even though compromised credit card numbers or stolen intellectual property aren't as serious as hijacked, damaged or destroyed process systems and injured or killed personnel. The good news is that OT is catching up by using more IT-style tools.
"In the age of pneumatics, there was less accuracy, limited access to data and few security risks, but in the age of electronics, we've had increased accuracy and data access along with increasing security risks," says Keith Dicharry, process control and automation director at BASF North America in Florham Park, N.J. "And now, with today's digital technology explosion, we have floods of available data and ever increasing accuracy and verification, but increasing risks to the security and safety of our assets and to our ability to limit access to mission-critical data.
"Remote access and remote control have become real, but this has meant open portals, limited restrictions and increased access. We have more accessibility for better collaboration, but this means everyone has a key. We've gained new ways to improve efficiencies, but now data floods across the Internet and intranets. We do a layered, defense-in-depth cybersecurity strategy; nothing is ever 100% secure, and so we need to take all our data sources and pathways, and use effective automation to make them more secure and reliable."
Mariam Coladonato, product marketing specialist for networking and security at Phoenix Contact, reports that, "Identifying vulnerabilities and performing risk assessments (RAs) to improve cybersecurity has never been easy, but they're essential for giving users and their organizations the context on which they can build a defense-in-depth cybersecurity strategy that follows standards. It's also hard for control engineers to understand the scope of their networks, but there's more awareness now of the need for protection, and the big companies are transitioning more IT people into handling their industrial control systems, networks and devices at the industrial control system (ICS) level. This is also a generational issue because more young graduates are taking IT-related classes, even if they're working toward industrial engineering degrees."
Security strategies and skills
Dicharry reports that BASF organizes and segments its networks into two main categories: IT/business that handles enterprise resource planning (ERP); and OT/engineering that includes its management execution system (MES), process control systems (PCS), communications and wireless. To protect these networks, it uses a four-part strategy:
- Prevent, including awareness and training, firewall rules, an asset database, and governance, risk-management and compliance (GRC) tools;
- Protect, including a business systems requirements analysis (BSRA) and optimization program, solutions catalog, detailed risk analysis, Level 3 server for patch management, and an HBI cell;
- Detect, including BSRA review, detailed RAs, threat intelligence, Level 3 server for vulnerability scans, and security monitoring; and
- Response, including incident response and incident handling programs.
"We had some friction setting up our cybersecurity program, but it's gotten much better in the past three years. There's much more understanding across the company now," says Dicharry. "To develop our cybersecurity roadmap, we do RAs at all plants, so we'll be ready if an incident does happen, and know our chain of command."
Dicharry adds that cybersecurity also depends on converging IT and OT departments, though this can pose some staffing problems. "We selected former IT guys to do cybersecurity, and the most important things for them to understand were that they were no longer dealing just with PCs, and that everything we do in the process automation world is attached to physically doing chemistry in a plant and moving it through pipes. They had to acknowledge that IT processes and practices do not and will not fit in the industrial production world.
"For our part, we had to accept that some veteran engineers with 20-25 years of experience were never going to grasp the IT and Ethernet world, just as many IT people will never grasp the process production world. We also had to understand that technology will continue to increase vulnerability for our process control assets, which mandates continuous updating to our layers of protection. We also had to understand that security is directly linked to process safety, which required a further mindshift change at BASF. This means we don't use technology just because it's available. Instead, we establish use cases, their needs and specific values they'll deliver; evaluate and address added risk to maintain at least the same level of security; and implement the correct technology that will deliver value to the application."
Figure 1: The wastewater utility in Russellville, Ark., worked with system integrator Brown Engineers to remove a legacy PLC with pin-based backplane at its settled-sewage facility, and replace it with a Secure Communication Controller (SCC) industrial control system with five-slot, electromagnetic backplane and standard I/O modules from Bedrock Automation.
(Source: Bedrock Automation)
Gary Williams, senior director of technology and cybersecurity at Schneider Electric, agrees that cybersecurity demands a mindset change because it isn't a project that can be finished, and reports his company has developed a 10-step cybersecurity methodology. Its main recommendations are:
- Adopt a standard such as ISA99/IEC62443 to give participants a common vocabulary about cybersecurity between departments, divisions, companies and larger organizations.
- Gather controls to collect and account for all the components in each process control application and its workload.
- Complete gap analyses to check for vulnerabilities in existing equipment, systems and software, especially undocumented ports and network connections.
- Perform risk, threat assessment and prioritization that go beyond mitigating critical threats, and review the security status of all devices and systems every quarter.
- Execute mitigation to put cybersecurity protections in place, and notify senior managers about how cybersecurity programs are progressing.
- Survey the complete system by collecting configuration files on firewalls and switches.
- Store configuration files securely onsite and offsite in safe locations, and practice recovery as often as possible.
- Inform all stakeholders, especially management.
- Verify security measures on a regular basis because threats and their vectors change regularly.
- Educate everyone because people are the first line of defense in isolating process applications, controls and networks, and then identifying probes, intrusions and attacks.
Sources of protection
While it's not easy to develop and implement cybersecurity strategies, there are a variety of system integrators and other resources that can help. For instance, as the nonprofit provider of water and wastewater services in Russellville, Ark., City Corp. recently worked with system integrator Brown Engineers of Little Rock, Ark., to remove a legacy PLC with pin-based backplane at its settled-sewage facility, and replace it with a Secure Communication Controller (SCC) industrial control system with five-slot, electromagnetic backplane and standard I/O modules from Bedrock Automation. The utility treats 6-7 million gallons of wastewater per day from 28,000 residential clients and businesses, including the Arkansas Nuclear One (ANO) power plant.
SCC runs a secure, military-grade, real-time operating system, which further embeds security into the sewage facility's software and firmware controls. Its electromagnetic backplane improves reliability by eliminating pin corrosion and breakage, and enables embedded security by preventing the use of counterfeit I/O modules (Figure 1). It also uses CoDeSys IEC 61131-3 PLC programming, and communicates via OPC-UA networking with its Ignition SCADA software from Inductive Automation.
"The PLCs running automatic control of our digestion blowers, clarifiers, sludge pumps and chlorination chemical feed pumps became obsolete, so when one of them failed, we wanted to replace it with something that would provide a path to the future," says Steve Mallett Jr., PE, general manager of City Corp. "With its increasingly built-in cybersecurity protection, Bedrock's system offers that, and it's been running without issue since installation last November."
Dee Brown, principal at Brown Engineers, adds that, "Typical PLCs have external vulnerabilities and internal access, so Russellville's water/wastewater board was looking to bolster its control system's programming and account security with an IT-type solution that would encode data as it comes in. SCC uses 256-bit encryption for secure communications, and maintains security certificates in Bedrock's Vault system. We're seeing increased interest in cybersecurity among municipal utility clients such as City Corp. Many want to control security functions from their tablets and control centers because their networks are getting hammered every day by probes and attempted intrusions. Bedrock's controller gives them another layer of protection beyond firewalls and VPNs. It's unique because as it powers up, it checks to be sure that all hardware and software components are validated, which regular PLCs can't do."
In the realm of IT-based networks, there are a number of longstanding protocols to help monitor the performance and security of network devices, such as managed Ethernet switches, and help manage data traffic. They’re usually components of the Internet Protocol Suite, which is defined by the Internet Engineering Task Force. Some of the more notable include:
- Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. It’s used mostly in network management systems to monitor network-attached devices for conditions that need administrative attention. It consists of a set of standards for network management, including an application layer protocol, a database schema and a set of data objects.
- Internet Group Management Protocol (IGMP) is employed by host devices and adjacent routers on IP networks to establish multicast group memberships, so IGMP is an integral part of IP multicast. IGMP runs between client PCs and a local multicast router. Switches with "IGMP snooping" capability can obtain useful data by observing IGMP transactions.
- Dynamic Host Configuration Protocol (DHCP) is used to configure network devices so they can communicate on an IP network. A DHCP client uses the protocol to obtain configuration data, such as an IP address, default route and one or more DNS server addresses, from a DHCP server. Next, the client uses this information to configure its host, and once the configuration process is complete, the host can communicate on that IP network.
- Link Layer Discovery Protocol (LLDP) is a vendor-neutral link-layer protocol that network devices use to advertise their identity and capabilities to their neighbors on IEEE 802 local area networks (LANs), mostly wired Ethernet. In short, LLDP allows switches to tell neighboring devices about themselves, and management stations can use this information to build network topology programs.
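The LLDP advertisements described above give a management station the raw material for the gap-analysis step listed earlier (finding undocumented network connections). The following is an added example, not code from the article or from any vendor it mentions: it decodes the identity TLVs in an LLDP frame and flags neighbors that are missing from an asset inventory. The frames, switch port names, MAC addresses and function names are constructed for illustration.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
END, CHASSIS_ID, PORT_ID, SYSTEM_NAME = 0, 1, 2, 5  # LLDP TLV type codes

def parse_lldp(frame: bytes) -> dict:
    """Decode the neighbor identity advertised in one LLDP Ethernet frame."""
    if len(frame) < 14 or frame[12:14] != struct.pack("!H", LLDP_ETHERTYPE):
        raise ValueError("not an LLDP frame")
    info, pos = {}, 14
    while pos + 2 <= len(frame):
        (header,) = struct.unpack("!H", frame[pos:pos + 2])
        tlv_type, length = header >> 9, header & 0x1FF  # 7-bit type, 9-bit length
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        pos += 2 + length
        if tlv_type == END:
            break
        if tlv_type == CHASSIS_ID and length > 1:  # subtype byte 4 = MAC address
            info["chassis"] = value[1:].hex(":") if value[0] == 4 else value[1:].decode(errors="replace")
        elif tlv_type == PORT_ID and length > 1:
            info["port"] = value[1:].decode(errors="replace")
        elif tlv_type == SYSTEM_NAME:
            info["name"] = value.decode(errors="replace")
    return info

def undocumented_links(observed, inventory):
    """Return (local_port, neighbor) pairs whose chassis ID is not the documented one."""
    parsed = [(port, parse_lldp(frame)) for port, frame in observed]
    return [(port, n) for port, n in parsed if inventory.get(port, "") != n.get("chassis")]

def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def sample_frame(mac: str, port: str, name: str) -> bytes:  # constructed, not captured traffic
    src = bytes.fromhex(mac.replace(":", ""))
    body = (_tlv(CHASSIS_ID, b"\x04" + src) + _tlv(PORT_ID, b"\x05" + port.encode())
            + _tlv(3, struct.pack("!H", 120)) + _tlv(SYSTEM_NAME, name.encode()) + _tlv(END, b""))
    return bytes.fromhex("0180c200000e") + src + struct.pack("!H", LLDP_ETHERTYPE) + body

# Constructed data: (switch port, frame heard on it) and the documented inventory.
OBSERVED = [("Gi0/1", sample_frame("02:00:00:00:00:10", "eth0", "plc-blower-1")),
            ("Gi0/7", sample_frame("02:00:00:00:00:99", "eth0", "unlisted-gw"))]
INVENTORY = {"Gi0/1": "02:00:00:00:00:10"}

if __name__ == "__main__":
    print(undocumented_links(OBSERVED, INVENTORY))
```

LLDP frames are unauthenticated, so a result like this is a lead for a physical check of the switch port, not proof of what is plugged in.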
Because developing and implementing a cybersecurity policy must occur above the operations level, Mallett and Brown add it’s crucial to involve any organization's leadership as well. "Utility operators and supervisors usually don't want to change from familiar equipment brands, so cybersecurity can't be an operations-level decision," says Brown. "Protecting a utility has to be a management-level decision, but they still have to appreciate each other's concerns. Utility operators are mainly concerned that their PLCs are working, so uptime is what gives them peace of mind. Utility managers and board members are more concerned about IT-based issues, and so cybersecurity is what gives them peace of mind."
Similarly, LogiLube recently partnered with Waterfall Security Solutions on developing its Platinum Level Data Security, which prevents hacking of operational data from LogiLube's oil and gas clients by using Waterfall's Unidirectional Security Gateways. Platinum Level works with LogiLube's SmartOil compressor package-mounted, real-time oil condition monitoring system that increases uptime and reliability by providing analytics on machine health indicators such as oil temperature, pressure, viscosity and dielectric strength.
Platinum Level offers multiple layers of data encryption and firewalls, while adding Unidirectional Security Gateways at LogiLube's data center also creates a unidirectional system that prevents attack propagation and protects the communication path from exploitation by even the most sophisticated cyber-attacks. The two firms add that combining their products delivers actionable information from real-time data analytics to field engineers monitoring midstream natural gas facilities at often remote locations, while at the same time protecting that data from being compromised.
“By adopting Waterfall’s solutions, LogiLube can deliver to the midstream natural gas market actionable analytics that are both real-time and secure,” says Bill Gillette, Waterfall's president. “This represents a game-changing technology for the midstream oil-and-natural-gas industry. We can now provide real-time information without risking data integrity or compromising IT security.”
Tools for security
Beyond strategies and experts, there are a variety of new software and hardware tools and services for improving cybersecurity, especially as process control applications get closer and overlap with the Internet.
"There's increasing focus on securing network infrastructures and increasing need for tested security solutions due to the Internet of Things (IoT), which is why we recently partnered with Symantec," says Tony Baker, security leader at Rockwell Automation. "We're also cooperating with another partner, Cisco, because its Sourcefire network traffic monitoring and malware detection tool can act as a sensor, recognize OT-level protocols, and improve perimeter and internal security. IT tools such as these can really help the OT side."
Likewise, Underwriters Laboratories just started its Cybersecurity Assurance Program (UL CAP), which uses the new UL 2900 standards to offer testable cybersecurity criteria for network-connectable products and systems to assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness. UL CAP is for suppliers seeking trusted support in assessing security risks, and for buyers who want to mitigate risks by sourcing products validated by a trusted third party. UL CAP will also issue cybersecurity certificates for individual products, original product-development locations, and live production systems.