Sure footing on shifting security sands

Phoenix Contact, Softing and Mitsubishi/Iconics show how basic best practices provide a solid foundation for cybersecurity innovations
Dec. 23, 2025

Key Highlights

  • Effective cybersecurity begins with assessing current assets, vulnerabilities and network structures to prioritize protections for critical devices.
  • Layered defense strategies, including device hardening, network segmentation and continuous monitoring, are essential for resilient industrial cybersecurity.

It’s well known that cyber-threats and challenges continually shift and change, which requires protections to constantly evolve and innovate to keep up and remain effective. However, new cybersecurity capabilities typically rely on having an existing infrastructure of authentication, standardized network segmentation and updated traffic evaluation to which innovative functions can be added. Here’s how suppliers like Phoenix Contact, Softing and Mitsubishi/Iconics recommend implementing cybersecurity.

Phoenix Contact

The first and most important element in implementing an effective cybersecurity program isn’t putting some super-advanced protection in place. It’s taking stock of where a process application is at, what assets it has, and what network structure it uses. This lets users scan for vulnerabilities, and assess potential points of attack, according to George Reed, GICSP, solutions engineer in the Network and Automation division at Phoenix Contact.

“Many end users want to throw advanced cybersecurity solutions at OT networks and processes, but they must first be looked at using a risk-based model to see which vulnerabilities will affect their critical devices, to gauge the severity of the vulnerabilities,” says Reed. “This will show which protections should be built for those high-risk components, and indicate the appropriate network architectures for them. For example, segmenting equipment based on functionality and criticality, and allowing for control of communication paths.”

Once vulnerabilities are identified, and cybersecurity priorities, policies and procedures are established, users can harden their existing devices and add new ones if and where needed. Reed reports that basic hardening typically involves:

  • Changing passwords and other defaults, so they’re unique for each user.
  • Establishing role-based access control (RBAC), so only users that genuinely need it can access devices and networks.
  • Turning off unnecessary functions and/or those related to access or configuration.
  • Disabling remote access, as well as secure shell (SSH) or transport layer security (TLS) access.

“Many of these protections are already baked into many devices, so it’s possible to simply turn them on,” adds Reed.

Hayley Lichtenfels, solutions architect in the Network and Automation division at Phoenix Contact, adds that identifying vulnerabilities and hardening devices are two parts of the larger, layered defense-in-depth strategies recommended by IEC/ISA 62443, NIST Cybersecurity Framework (CSF) 2.0 and other cybersecurity standards, which also recommend reevaluating and updating existing cybersecurity elements.

“Firewalls, access control lists, secure remote access using virtual private networks (VPN) and other protections are initially configured. However, with emerging cybersecurity trends and practices, they need to be reexamined to ensure they still apply ideal security mechanisms,” explains Lichtenfels. “With zero trust, devices are required to authorize themselves every time they seek access. If zero trust is a new protection being applied, configurations must be reviewed and changed to adhere to it.

“Another major problem is most plant-floor operations and facilities don’t have the staff, money and other resources needed to enforce cybersecurity policies. Consequently, when cybersecurity capabilities are installed, it’s hard to decide who will run and monitor them, so controls personnel often get stuck doing them.”

Once initial cybersecurity measures are in place for devices and networks, Lichtenfels reports users can begin to protect their software and related services with intrusion-detection and prevention tools. These tools monitor network traffic and data, and issue alerts. She adds that artificial intelligence (AI) can help with some of these tasks, but only to a certain level at present, which still requires humans to make some definitive choices.

“AI is good for education, finding resources, and helping within software packages to aid decisions. For example, it can show users how to deal with the recent FrostyGoop malware that functions as a Modbus TCP client, and lets intruders read from and write data to registers on industrial control systems (ICS),” explains Lichtenfels. “AI is also good at non-technical tasks, such as developing incident response plans, determining what devices to isolate or turn off, and training personnel not to leave network back doors open.”
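The kind of traffic monitoring described above can be shown with a small added example, which is not from the article or from any vendor product: it parses Modbus TCP requests and alerts when a host outside an approved list issues a register or coil write. The IP addresses, the `AUTHORIZED_WRITERS` allowlist, the function names and the sample frames are all constructed assumptions, and payloads are assumed to be client requests captured on TCP port 502.

```python
import struct

# Modbus function codes that change device state.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
# Assumption: the only host allowed to write to controllers (constructed address).
AUTHORIZED_WRITERS = {"10.10.1.5"}

def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus/TCP request; return None if it is not well-formed."""
    if len(payload) < 8:  # 7-byte MBAP header plus the function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    func, addr, count = payload[7], None, None
    if func in (1, 2, 3, 4, 5, 6, 15, 16) and len(payload) >= 12:
        addr, second = struct.unpack(">HH", payload[8:12])
        count = 1 if func in (5, 6) else second  # single writes carry a value, not a quantity
    return {"tid": tid, "unit": unit, "func": func, "addr": addr, "count": count}

def inspect(src_ip: str, payload: bytes):
    """Return an alert string, or None when the request is acceptable."""
    msg = parse_modbus_tcp(payload)
    if msg is None:
        return f"ALERT {src_ip}: malformed Modbus/TCP frame"
    name = WRITE_FUNCTIONS.get(msg["func"])
    if name and src_ip not in AUTHORIZED_WRITERS:
        return (f"ALERT {src_ip}: {name} unit={msg['unit']} "
                f"addr={msg['addr']} count={msg['count']}")
    return None

def frame(tid: int, unit: int, pdu: bytes) -> bytes:  # builds a constructed sample request
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed samples: (source IP, TCP payload sent to port 502).
SAMPLES = [
    ("10.10.1.5", frame(1, 1, struct.pack(">BHH", 0x06, 40, 1200))),   # approved write
    ("10.10.1.77", frame(2, 1, struct.pack(">BHH", 0x03, 0, 10))),     # read only
    ("10.10.1.77", frame(3, 1, struct.pack(">BHHBHH", 0x10, 100, 2, 4, 7, 9))),
    ("10.10.1.77", b"\x00\x04\x00\x00\x00\x09\x01\x06"),               # bad length
]

def run_samples():
    return [inspect(ip, payload) for ip, payload in SAMPLES]

if __name__ == "__main__":
    print(*filter(None, run_samples()), sep="\n")
```

Only the last two samples raise alerts: the multi-register write from the unapproved host and the frame whose MBAP length field does not match its size.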

Beyond providing secure-by-design, ISA/IEC 62443-compliant devices and its mGuard secure, cloud-computing service, Phoenix Contact also guides users in designing and implementing secure solutions for their individual operations. This is done by evaluating and hardening existing assets against cyber-probes and -attacks, and checking the security capabilities of managed switches and other new components.

Softing

While it’s clear that the process industries can’t go back to unconnected monitoring and operations, going forward means complying with some added networking standards and regulations. This is especially true in Europe, where the European Union’s Cyber Resilience Act (CRA) requires that by December 2027 suppliers can only sell digitalized hardware and software products in Europe that are cyber-secure at the component level. These rules join the EU’s Network and Information Systems 2 (NIS2) directive requiring cybersecurity for critical infrastructures and digital services in multiple industries. These requirements went into effect in January 2023, and cover incident reporting, access control, incident handling and training.

“CRA and NIS2 affect all kinds of products, and require vendors to design and develop products that have built-in cybersecurity, so they won’t cause data leaks or other vulnerabilities, can help identify and minimize cyber-attack vectors ahead of time, and give users all the capabilities they need to use those devices securely,” says Thomas Rummel, managing director of Softing Industrial Automation. “In fact, many users are already selecting products based on their cybersecurity levels, so there will be more in the future.”

Because humans must be involved in implementing networking and cybersecurity functions, Rummel reports that CRA-compliant devices include documentation that shows users the impact of opening particular network ports, and guides them in installing and using those ports securely. This includes only opening ports when needed, employing secure communication protocols, and showing users how to develop their own cybersecurity lifecycles and documentation.

“Communication is the first potential cyber-intrusion vector, so it’s crucial to make sure available authentication and encryption functions are turned on and running for Ethernet variants, such as Profinet, EtherNet/IP and HART IP,” explains Rummel. “They each have cybersecurity capabilities and best practices, and most network communications would be more secure if all participants used them. This would be a big step, but many still aren’t widely implemented yet, which makes it even more important to continue segmenting networks.”

Another primary obstacle is that, even though CRA is the law, many nations, companies and users are experiencing delays in transitioning to compliance and implementation. Beyond practical and logistics challenges, suppliers and other developers must also overcome psychological impediments to accomplishing successful cybersecurity.

“Hackers are very creative at getting around protections, so users and suppliers must also change their mindsets, and get into the habit of routinely updating them,” adds Rummel. “This altered perspective is also needed on plant-floors, so users will adopt cybersecurity procedures such as routine software patching, and safely conduct updates, data sequestration and testing. This is not an option about whether to carry out these tasks. Vulnerabilities will grow over time if updates aren’t performed to resolve them. Government rules and pressure can help encourage users to improve their cybersecurity, but it’s still up to users and their suppliers to gain the perspective and motivation to tackle them. 

“For example, the water/wastewater and energy industries have cybersecurity requirements, but users sometimes feel like they can live with risks if they haven’t experienced an incident, but they must strive not to accept these situations. Fortunately, artificial intelligence (AI) can help some of these efforts by improving anomaly detection, helping to specify more capable network devices, and showing users potential problems they haven’t observed before by detecting deviations in network traffic and analyzing subtler differences.”


Mitsubishi/Iconics

Because there are so many examples of cyber-threats, cybersecurity is always on the minds of business owners. In fact, smaller enterprises with fewer resources may choose not to adopt new technologies that might open them to threats, according to Roy Kok, digital product marketing manager at Mitsubishi Electric Iconics Digital Solutions.

“The challenge is still to balance new beneficial technologies with the cost and risk of adopting them,” says Kok. “Since the pandemic, Iconics renewed its focus in cybersecurity. Our Moving Target Defense (MTD) program provides remote, integrated access for industrial automation systems. What this means to users is this cyber-resilient and fault-tolerant standard can be employed in less than 30 seconds, rather than the 15 minutes these functions previously required. This extends to operations technology (OT) outside Iconics and Mitsubishi Electric’s (MEAU) ecosystem through an embedded installation structure.”

Kok reports that third-party solutions exist for access security as well as operational security. Contracting with companies, such as Dispel and Nozomi Networks, can help ensure an ongoing focus on security. Dispel helped develop Iconics’ MTD program.

“It’s important to consider security a process and not an event,” explains Kok. “Companies can secure their control and automation networks, while maintaining necessary access to data and systems by adopting a practical, layered security approach. One of the most effective strategies is to move away from static defenses, and implement an MTD mindset. This involves using dynamic, software-defined networking and ephemeral virtual nodes built from hardened ‘golden images,’ which are destroyed and rebuilt regularly to minimize exposure.”

At the same time, Kok adds that strong network segmentation is essential. Users and their organizations should avoid flat networks by creating well-defined zones separated by demilitarized zones (DMZ), which strictly control data flows between operational technology (OT) and IT environments by using hardware-based gateways, firewalls and proxy layers. Access to these networks must follow the principle of least privilege, and employ strong, multi-factor authentication, strict role-based permissions, detailed audit logging, and time-limited access for internal users and outside contractors.

In addition, remote connectivity should be controlled by secure, OT-specific platforms, rather than generic, virtual private networks (VPN) or shadow IT tools that expose surfaces to persistent cyber-attacks, according to Kok. Secure, remote access should rely on bastion hosts, jump servers or proxy layers that mediate connections, coupled with end-to-end encryption and traffic obfuscation to protect data in transit. Systems themselves should be hardened and immutable—using standardized, patched and regularly refreshed images to reduce vulnerabilities and prevent configuration drift. Data egress should be tightly managed by whitelisting, one-way data diodes where feasible, and continuous monitoring of traffic patterns for anomalies that may indicate breaches or exfiltration attempts. Vendor and third-party access should never be uncontrolled or hidden; instead, it must follow the same strict, auditable, time-bound protocols as internal access.

“It’s equally important to ensure that security measures don’t compromise operational efficiency. Security architectures should be designed to support fast, reliable access for legitimate users, avoiding overly complex or slow procedures that impede daily operations,” says Kok. “A secure yet accessible control network is achieved by combining dynamic defense techniques, strict segmentation, secure remote access solutions, strong governance, continuous monitoring, and vendor oversight—all while aligning security practices with the latency and availability demands of industrial environments. This balanced approach lets companies protect their critical systems without sacrificing the operational agility required to keep production running smoothly.”

To get an effective cybersecurity program and solution up and running, Kok advises first focusing on security as a company directive that involves all employees. Next steps include:

  • Define processes for continuous training and improvement. 
  • Identify areas of vulnerability and prioritize them by value to the business.
  • Develop plans to tackle each vulnerability, such as required redundancy, automated backups, controlled access, etc.
  • Review needs for remote access, including who has it and how.
  • Identify solutions for managing access risks.

Likewise, Kok adds that security for sensors and other components at the lowest device levels falls into the area of OT security, with agents to monitor networks and communications on an ongoing basis. Many solutions exist for OT network monitoring to identify anomalous activities and mitigate them. 

“Nozomi Networks is an excellent example, and works with automation vendors to embed sensing technologies into field devices and controllers,” concludes Kok. “More and more, companies are integrating cybersecurity technology into their products. Engineering development practices are changing to reflect the ability to react quickly to mitigate vulnerabilities in software products. Agile development practices, combined with automated testing, enable product update cycles in weeks, instead of months or years. However, it still falls on the end user to select the products and technologies that show the adoption of modern architectures and best practices. This is still a major differentiator with respect to vendor practices.”

About the Author

Jim Montague

Executive Editor

Jim Montague is executive editor of Control. 
