Because today’s multiplying cyber-threats, solutions, standards and mandates are understandably confusing, users need expert advice and assistance to decide which will be most effective for their operations and organization, according to Alexandre Peixoto, cybersecurity business director at Emerson’s process systems and solutions business.
“Our job is to collaborate with customers, help them define their story, and get into the right posture for their cybersecurity journeys,” says Peixoto. “So, we conduct assessments and vulnerability checks with an OT focus, define their goals and appetites, and find ways to get from A to B. Assessments and front-end engineering design (FEED) studies for cybersecurity enable each user to plot a way forward that makes sense.”
Following assessments and studies, Peixoto reports that users can align their cybersecurity plans and turn them into budget requests for developing defense-in-depth architectures, threat-monitoring procedures, and zero-trust compliance policies. “Previously, cybersecurity was mostly blocking and tackling with isolated solutions, such as firewalls and network segmentation, but now we’ve got more solutions working together,” explains Peixoto. “For example, threat monitoring software can connect passively to switches, and compare OT-specific data flows to existing threat intelligence. These capabilities can also be aided by machine learning (ML) and artificial intelligence (AI) to tell more about what input is good or bad.”
Peixoto adds that the increase in connectivity between OT and IT systems comes with a price. Last year, security companies shared an important finding about an industrial control system (ICS) attack framework called Pipedream, which uses standard industrial protocol functions, not vulnerabilities, to potentially enable attacks on critical infrastructure. Pipedream took advantage of the widespread use of the OPC UA and Modbus-TCP protocols to gain traction in the hacker community.
“Since Pipedream doesn’t exploit a vulnerability, but uses protocols as intended, the most effective protection is to monitor ICS communications,” says Peixoto. “Emerson partnered with Dragos and Nozomi Networks to provide software based on knowledge packs from the field and suppliers. These sources may be aware of common vulnerabilities and exposures (CVE), which can be used to determine future security risks.
“Threat monitoring runs on top of the controls, does passive monitoring of data coming from OT components, and compares information those components push out to the installed database. This requires collaboration by the threat-monitoring supplier and automation vendor, so we can interpret data from systems like our DeltaV control systems, make sure normal traffic is OK, and flag it when it’s abnormal.”
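The passive baseline comparison described in the two quotes above, and the reason it matters for a framework like Pipedream that uses in-spec protocol functions, reduced to code. This is an added example, not Emerson, Dragos or Nozomi Networks software: it learns which peer pairs and protocol functions appeared in an operator-reviewed window of traffic, then flags new peers, new functions for a known pair, and well-formed write requests from hosts outside an allow-list. The host names, the four-column log format, the protocol labels and the function names are all constructed for the example; nothing here reads real DeltaV or Modbus traffic.

```go
package main

import (
	"fmt"
	"strings"
)

// Flow is one OT conversation as a passive sensor on a switch SPAN port might
// summarise it. Host names, protocol labels and functions below are constructed.
type Flow struct {
	Src, Dst string // talker and listener
	Proto    string // "modbus" or "opcua" (constructed labels)
	Function string // protocol function, e.g. "read_holding_registers"
}

// parseLog reads constructed log lines of the form "<src> <dst> <proto> <function>".
func parseLog(text string) ([]Flow, error) {
	var flows []Flow
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed flow line: %q", line)
		}
		flows = append(flows, Flow{Src: f[0], Dst: f[1], Proto: f[2], Function: f[3]})
	}
	return flows, nil
}

// Monitor holds the learned baseline (which peers talk, and which functions each
// pair uses) plus one policy: the hosts allowed to issue state-changing functions.
type Monitor struct {
	pairs   map[string]map[string]bool // "src->dst" -> functions seen
	writers map[string]bool            // hosts allowed to write
}

// NewMonitor learns the baseline from a window the operator reviewed as normal.
func NewMonitor(baseline []Flow, allowedWriters []string) *Monitor {
	m := &Monitor{pairs: map[string]map[string]bool{}, writers: map[string]bool{}}
	for _, h := range allowedWriters {
		m.writers[h] = true
	}
	for _, f := range baseline {
		k := f.Src + "->" + f.Dst
		if m.pairs[k] == nil {
			m.pairs[k] = map[string]bool{}
		}
		m.pairs[k][f.Function] = true
	}
	return m
}

// Check returns zero or more alerts for one flow. Like the passive monitoring
// described above, it never blocks traffic; it only flags deviations.
func (m *Monitor) Check(f Flow) []string {
	var alerts []string
	k := f.Src + "->" + f.Dst
	funcs, known := m.pairs[k]
	switch {
	case !known:
		alerts = append(alerts, fmt.Sprintf("NEW_PEER %s %s/%s", k, f.Proto, f.Function))
	case !funcs[f.Function]:
		alerts = append(alerts, fmt.Sprintf("NEW_FUNCTION %s %s/%s", k, f.Proto, f.Function))
	}
	// A well-formed, in-spec write from the wrong host is the "uses protocols as
	// intended" case: nothing is malformed, only who is asking is wrong.
	if strings.Contains(f.Function, "write") && !m.writers[f.Src] {
		alerts = append(alerts, fmt.Sprintf("UNAUTHORIZED_WRITE %s %s/%s", k, f.Proto, f.Function))
	}
	return alerts
}

// Run learns from the baseline window, checks the observed window and returns the alerts.
func Run(baseline, observed string, allowedWriters []string) ([]string, error) {
	learned, err1 := parseLog(baseline)
	seen, err2 := parseLog(observed)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("parse failed: %v %v", err1, err2)
	}
	m := NewMonitor(learned, allowedWriters)
	var alerts []string
	for _, f := range seen {
		alerts = append(alerts, m.Check(f)...)
	}
	return alerts, nil
}

// Constructed sample data: a reviewed baseline window and a later window.
const baselineLog = `
eng-ws-01 plc-01 modbus read_holding_registers
eng-ws-01 plc-01 modbus write_single_register
hmi-01 plc-01 modbus read_holding_registers
hmi-01 opc-srv-01 opcua opcua_read`

const observedLog = `
hmi-01 plc-01 modbus read_holding_registers
hmi-01 plc-01 modbus write_single_register
laptop-77 plc-01 modbus read_holding_registers`

func main() {
	alerts, _ := Run(baselineLog, observedLog, []string{"eng-ws-01"})
	fmt.Println(strings.Join(alerts, "\n"))
}
```

On the constructed data the HMI's read is silent, its write raises both a baseline alert and a policy alert, and the unknown laptop is reported the moment it talks to the PLC. The two lists (learned pairs and allowed writers) are the part a supplier knowledge pack and the automation vendor's protocol understanding would fill in for a real system.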
In addition, Peixoto reports that cybersecurity is moving from the barrier and isolation methods of the past to approaches such as zero trust, which rely on greater monitoring, connection and collaboration.
“Because of all these new connections, how can you tell what’s legit when you connect a controller to a network? Consequently, the zero-trust concept could add policies to switches that require participants to show credentials or digital certificates before they can join the network,” explains Peixoto. “Digital certificates have been available for a long time in IT, but many OT teams haven’t embraced them yet. These credentials and certificates can also take different forms. Passwords are being replaced by smart cards, which are inserted and allow users to type in a PIN number as one method to perform two-factor authentication. We’ve been working with California Resources Corp. (CRC) to implement a two-factor authentication solution for their DeltaV system that manages their oil and natural gas facilities.”
To use zero-trust to secure communications and authenticate devices, Peixoto advises potential users to take five steps recommended by the U.S. Dept. of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA):
- Establish a basic framework that starts with multi-factor, identity authentication using a standard, integrated methodology.
- Authenticate devices including PCs by using certificates, secure keys, and secure-boot techniques.
- Secure communications, but don’t just rely on switches. Design networks that are secure out-of-the-box by implementing exchange of certificates, so devices and users know who they’re talking to, and what information is being exchanged.
- Follow secure development lifecycle procedures that steer users to a least privilege approach. This will help prevent impersonations, and if a breach occurs, the intruder will only have access to a minimized area, so its impact will be reduced.
- Save and secure data in the same way that passwords, recipes, and other information are stored—in a password-protected location where they can’t be easily accessed.
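The second and fourth steps above (authenticate devices with certificates; hold each participant to least privilege) carried into a working admission check. This is an added example and not CISA's or Emerson's code: a constructed plant CA enrolls devices, a gate verifies a presented certificate against that CA, and only then maps the device name to the narrowest role a constructed inventory grants it. The device names, roles, certificate lifetimes and the CA itself are assumptions for the example; in a deployment this is the check a TLS endpoint performs when it demands a client certificate, which is how the third step's certificate exchange is usually realised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Role is the least-privilege scope a device receives once it has authenticated.
type Role string

const (
	RoleReadOnly    Role = "read-only"   // may poll process values only
	RoleEngineering Role = "engineering" // may change logic and setpoints
)

// issue creates a certificate for name. With parent == nil it is self-signed,
// which serves both the constructed plant CA and a rogue device's own cert.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // example-only serial
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil // the CA is not limited to one purpose
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Gate models the network admission policy: a device must present a certificate
// that chains to the plant CA, and it then gets only the role the inventory grants.
type Gate struct {
	roots     *x509.CertPool
	inventory map[string]Role // CommonName -> role (constructed inventory)
}

// Admit authenticates the presented certificate and returns the device's role.
func (g *Gate) Admit(cert *x509.Certificate) (Role, error) {
	opts := x509.VerifyOptions{Roots: g.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("reject %s: %w", cert.Subject.CommonName, err)
	}
	role, ok := g.inventory[cert.Subject.CommonName]
	if !ok { // valid certificate but no entry: authenticated is not authorized
		return "", fmt.Errorf("reject %s: not in device inventory", cert.Subject.CommonName)
	}
	return role, nil
}

// Demo builds the constructed plant CA and four presenters, runs each through
// the gate, and returns the outcome keyed by a label.
func Demo() (map[string]string, error) {
	ca, caKey, err := issue("plant-ca", true, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	gate := &Gate{roots: roots, inventory: map[string]Role{"plc-01": RoleReadOnly, "eng-ws-01": RoleEngineering}}
	out := map[string]string{}
	for _, d := range []struct {
		label, cn string
		enrolled  bool // signed by the plant CA, otherwise self-signed
	}{{"plc-01", "plc-01", true}, {"eng-ws-01", "eng-ws-01", true}, {"spare-plc", "spare-plc", true}, {"rogue", "plc-01", false}} {
		var cert *x509.Certificate
		if d.enrolled {
			cert, _, err = issue(d.cn, false, ca, caKey)
		} else {
			cert, _, err = issue(d.cn, false, nil, nil) // claims a real name, no CA behind it
		}
		if err != nil {
			return nil, err
		}
		if role, err := gate.Admit(cert); err != nil {
			out[d.label] = err.Error()
		} else {
			out[d.label] = string(role)
		}
	}
	return out, nil
}

func main() {
	out, _ := Demo()
	fmt.Println(out)
}
```

Two of the four outcomes carry the point of the steps: the self-signed certificate that names itself "plc-01" is refused because trust rests on the CA chain, not on the name a device claims, and "spare-plc" authenticates correctly yet is still refused because nothing in the inventory grants it a role, so a genuine but unexpected device gets no access rather than default access.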
“Many users do one or two of these five steps, but all of them need to be done,” says Peixoto. “The main question is how to bring these cybersecurity procedures into the OT space, where they aren’t defined yet, even though we’re trying.”