"Many users think if they do anomaly detection, then they don't need as many people addressing threats, but this isn't the case." Honeywell’s Eric Knapp discussed the subtleties of a properly operationalized approach to cybersecurity at Honeywell Users Group Americas 2019 this week in Dallas.
The best cybersecurity solutions in the world can't protect anything if they aren't installed, turned on and working in conjunction with each other. That's why Honeywell Process Solutions works with its customers to determine the right cybersecurity software, hardware and other tools for each application, and operationalize them to work in concert to provide the best threat monitoring, detection and response.
"This is similar to the $5 million home in Malibu, Calif., which survived recent wildfires there because the owner spent 20% of the construction budget on rooftop ember guards, 5,000-gallon water tanks, heat-resistant windows, concrete and steel walls, and roadways around it that could act as a fire barrier," said Eric Knapp, director of cybersecurity products and innovation at Honeywell Process Solutions.
"Of course, not everyone can spend this large a percentage of their budget on fire protection or on cybersecurity, so we at Honeywell are here to help," Knapp said. "Operationalizing cybersecurity requires balancing protection and response."
Knapp presented "Advances in site-level and multi-site industrial cybersecurity" this week at Honeywell Users Group Americas 2019 in Dallas.
Protect, detect, respond
Knapp reported that Honeywell helps protect many process applications and facilities worldwide, but added that providing cybersecurity is more challenging than preparing for wildfires. "Wildfires are known to happen more often in certain weather and seasons, so they can be predicted more easily," said Knapp. "Plus, wildfires aren't actively trying to thwart defenses like malware that adapts to avoid detection, or threat-actor individuals that do the same. They do research and attend conferences to get better at it. This is a bad industry that's always working to develop new attacks and ways to compromise systems, and conducts R&D by testing malware and attacks against the world.
"This is why users must also have active threat detection and prevention programs in place, which include data, tools and people working together. Users must make sure they're not getting too much data to deal with, and they may need more or less help with each step. However, each step of this path must be addressed, or the overall cybersecurity effort will fail."
Mend and defend
To help its customers implement and maintain the most appropriate cybersecurity solution for them, Knapp reported that Honeywell's newly released Forge for Industrial software includes a cybersecurity platform that consists of four quadrants:
- Asset management that's about what equipment and processes a user is running, and what vulnerabilities they may face;
- Secure resource management that covers who's able to connect to the user's network, and verifies authorized participants;
- Risk appliance to audit the user's systems and gauge the load on them continuously; and
- Threat detection and management capabilities to identify threats and what they're trying to do.
Knapp added that users, system integrators and other developers seeking effective cybersecurity should also learn the difference between anomalies, threats and incidents. "Many users think if they do anomaly detection, then they don't need as many people addressing threats, but this isn't the case," explained Knapp. "The chance that you'll be attacked is 100% because everything from home to business systems to large organizations is being probed all the time for possible intrusions. Most don't succeed, and so they're just noise. Incidents are different because they're cyber threats that have succeeded."
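The anomaly / threat / incident distinction Knapp draws is easiest to see in triage code. The example below is an added illustration written for this article; it is not Honeywell's code and does not reflect how Forge for Industrial or any Honeywell product classifies events. The log format, the baseline host lists, the five-failure threshold and the log lines themselves are all constructed assumptions. It runs a handful of controller access events through a small rule set and reports how many alerts an anomaly detector alone would raise versus how many are actual incidents that need a responder.

```python
import re
from collections import Counter

# Constructed sample log (assumed format, not a real controller's audit trail).
# 10.0.5.23 brute-forces a login, gets in and rewrites configuration;
# 10.0.7.9 is an unfamiliar host whose write attempt is blocked;
# 10.0.1.50 is a known engineering workstation doing routine work.
SAMPLE_LOG = """\
2019-06-12T02:14:05 src=10.0.5.23 dst=10.0.1.10 action=login user=admin result=fail
2019-06-12T02:14:06 src=10.0.5.23 dst=10.0.1.10 action=login user=admin result=fail
2019-06-12T02:14:07 src=10.0.5.23 dst=10.0.1.10 action=login user=admin result=fail
2019-06-12T02:14:08 src=10.0.5.23 dst=10.0.1.10 action=login user=admin result=fail
2019-06-12T02:14:09 src=10.0.5.23 dst=10.0.1.10 action=login user=admin result=fail
2019-06-12T02:15:00 src=10.0.5.23 dst=10.0.1.10 action=login user=admin result=ok
2019-06-12T02:15:30 src=10.0.5.23 dst=10.0.1.10 action=write_config user=admin result=ok
2019-06-12T03:30:00 src=10.0.7.9 dst=10.0.1.10 action=login user=engineer result=ok
2019-06-12T03:31:12 src=10.0.7.9 dst=10.0.1.10 action=write_config user=engineer result=denied
2019-06-12T08:01:10 src=10.0.1.50 dst=10.0.1.10 action=login user=operator result=ok
2019-06-12T08:02:33 src=10.0.1.50 dst=10.0.1.10 action=write_config user=operator result=ok
"""

# Assumed site baseline: hosts that normally talk to the controller, and the
# subset allowed to change its configuration.
BASELINE_HOSTS = {"10.0.1.50"}
AUTHORIZED_WRITERS = {"10.0.1.50"}
FAIL_THRESHOLD = 5  # assumed: this many failed logins from one source = hostile

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"action=(?P<action>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(events):
    """Label each event normal / anomaly / threat / incident, in log order.

    anomaly  - deviates from baseline but shows no hostile intent yet
    threat   - hostile behaviour that did not succeed
    incident - hostile behaviour that succeeded (needs a responder)
    """
    fails = Counter()
    flagged = set()  # sources that have already behaved hostilely
    labelled = []
    for ev in events:
        src, cat, why = ev["src"], "normal", ""
        if ev["action"] == "login":
            if ev["result"] == "fail":
                fails[src] += 1
                if fails[src] >= FAIL_THRESHOLD:
                    flagged.add(src)
                    cat, why = "threat", f"{fails[src]} failed logins from one source"
                elif src not in BASELINE_HOSTS:
                    cat, why = "anomaly", "failed login from host outside baseline"
            elif src in flagged:
                cat, why = "incident", "login succeeded after brute-force attempts"
            elif src not in BASELINE_HOSTS:
                cat, why = "anomaly", "successful login from host outside baseline"
        elif ev["action"] == "write_config":
            if src not in AUTHORIZED_WRITERS or src in flagged:
                if ev["result"] == "ok":
                    cat, why = "incident", "unauthorized configuration write succeeded"
                else:
                    cat, why = "threat", "unauthorized configuration write blocked"
        labelled.append((cat, why, ev))
    return labelled


def triage(log_text):
    """Return a Counter of categories for every parseable line in log_text."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return Counter(cat for cat, _, _ in classify(events))


def queue_sizes(counts):
    """Compare what an anomaly detector alone raises with what actually needs response."""
    return {
        "anomaly_detector_alerts": counts["anomaly"] + counts["threat"] + counts["incident"],
        "incident_response_cases": counts["incident"],
    }


if __name__ == "__main__":
    counts = triage(SAMPLE_LOG)
    for cat, why, ev in classify([parse_line(l) for l in SAMPLE_LOG.splitlines()]):
        print(f"{ev['ts']} {ev['src']:<10} {ev['action']:<13} {cat:<8} {why}")
    print(dict(counts), queue_sizes(counts))
```

On the constructed log, nine of the eleven events deviate from baseline and would all light up a pure anomaly detector, but only two are incidents in Knapp's sense (a hostile source that actually got in and changed configuration). The other seven are the "noise" he describes, which still has to be looked at by someone to confirm it stayed noise.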
Honeywell operates three R&D cybersecurity centers of excellence in Duluth, Minn., Dubai and Singapore, Knapp reminded his audience. "The centers recently ran a honeypot experiment that collected 100 gigabytes of zero-day attacks in about one week. We often detect threats in their early stages, but then they adapt, too."