ABB
Rajesh Ramachandran, global chief digital officer at ABB, reports that the company focuses on three cybersecurity buckets: its own internal security, building cybersecurity into its products, and adding security and other support services for its users.
“Over the last three years, the industrial world has seen increasing data breaches in manufacturing and transportation, along with more ransomware and phishing attacks,” says Ramachandran. “Many of these were most numerous during the COVID-19 pandemic, but they’ve also accelerated because of a 30-40% increase in digitalization. We’re on the cusp of maximizing Industry 4.0 because users want greater digital transformation. In fact, we’ve almost reached Industry 5.0 for many cyber-physical systems, which means there are more vulnerabilities, even as the value of operations data is driven up.”
To acquire valuable process information, but do it securely, Ramachandran reports that users can’t assume their operations technology (OT) networks are safe, and must apply cybersecurity basics correctly and consistently. This means implementing a zero-trust framework for all devices and networks, and using a trust platform model (TPM) to secure communications and data. Well-known TPMs include the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and the IEC/ISA 62443 cybersecurity standard.
“Zero-trust and TPMs advise that anything connected to a network needs to be authorized, so data can move through a secure, edge-computing infrastructure,” explains Ramachandran. “Especially as OT and IT converge, zero-trust principles must also be used to manage people’s access, such as allowing minimal privileges for users of every application, and performing continuous monitoring with security information and event management (SIEM) software.”
Ramachandran adds that an effective cybersecurity program can’t be a one-point solution. It must instead have multiple layers, including at the operations and control levels, edge and manufacturing processes, converged OT and IT network, and also at cloud-computing and enterprise levels. “Essential security requires learning what’s going on, so users can, then, protect, detect, respond, and recover,” says Ramachandran. “I’m excited that IT cybersecurity technology is being added to industrial control applications. Previously, we had mostly passive defenses.”
Honeywell
Because it recommends treating cybersecurity like other process alert and alarm functions, Honeywell recently purchased SCADAfence to integrate its anomaly-detection software with its overall cybersecurity program. It plans to build SCADAfence into its Experion control system and other platforms in the near future, which will enable it to start certifying products and their add-ons as cyber-secure.
“However, cybersecurity assessments still have to start out with the user, so they can make sure what they’ve got. This is especially important because so many more remote links (and vulnerabilities) were created during COVID-19, and they may not have been fully reviewed for security,” says Paul Griswold, chief product officer for cybersecurity at Honeywell. “There’s still a lot of equipment out there that relies on air gaps, which isn’t enough. We also still see a lot of cellular, and other connections that aren’t supported with adequate cybersecurity. Users must identify what’s on their network, see what data they’re exchanging, benchmark normal distributed control system (DCS) and other traffic, and monitor it regularly.”
Griswold reports that other cybersecurity necessities include filling staff skill gaps, finding and developing OT and IT cybersecurity experts even though it’s very difficult, and contracting for managed services to assist personnel. For example, Honeywell offers its Advanced Monitoring and Incident Response (AMIR) service, which includes a security operation center (SOC) that performs 24/7 monitoring.
“Starting in the late 1990s, firewalls and intrusion detection began to seek vulnerabilities and protect against them with antivirus software that could be reevaluated yearly,” explains Griswold. “However, this is no longer the final answer. A whole other layer of cybersecurity is needed now, which involves logic and rules for examining threats on an hourly basis, so rules can be updated daily because cyber-probes, -intrusions and -attacks are updated daily.”
Mission Secure
Jens Meggers, CEO at Mission Secure, reports the two biggest cybersecurity risks for OT are ransomware and hacks of Ethernet networks, resulting in potential sabotage that can cause damage and physical harm. “This is what keeps OT personnel awake at night, so they try to identify vulnerabilities and cyber-attacks, and put in single-point protections,” says Meggers. “Each of these is important, but cybersecurity efforts must also work together to protect against hacking and ransomware.”
Meggers reports there are three primary steps to implementing more comprehensive protections. First, networks must be segmented because, even though all attacks start at one point of entry, they move horizontally once they’re inside. For example, he adds that 60% of cyber-intrusions occur via remote desktop protocol (RDP), and segmenting can help prevent these probes from reaching production equipment, while monitoring network traffic can show where segmenting is needed.
Once initial segmenting is accomplished, users can identify and resolve exploitable vulnerabilities with Mission Secure’s hardware- and software-based OT ransomware defense solution for industrial control systems (ICS) and networks. Designed for rapid implementation and risk reduction, the solution provides a toolset that organizations can use to close security gaps and prevent the spread of malicious code within industrial environments.
“Users need to find and patch vulnerabilities, but since an average of 22,000 new vulnerabilities are identified each year, they also need to prioritize and automate,” explains Meggers. “While traditional firewalls are manually configured, and don’t address vulnerabilities and lower-level OT signals, we take vulnerabilities from all vectors into account in the policy engineering that steers our network devices. This enables us to separate good and bad connections. This lets our passive-listening hardware monitor traffic and identify high-risk areas, and turn into a firewall and block traffic if needed.”
The third step towards comprehensive cybersecurity is understanding the state of each process application’s endpoints, such as historians, human machine interfaces (HMI) and engineering workstations, which are often at the intersection of OT and IT. “Some may have antivirus software, but some may also be running obsolete Windows XP that’s no longer supported, so it’s crucial to identify the individual postures of each endpoint and mitigate their risks,” explains Meggers. “Again, this means verifying what specific technologies are in place, identifying their vulnerabilities and what security they lack, and addressing poor configurations. If these endpoints don’t have the right posture, they won’t be able to access a well-segmented network, and they’ll also be blocked by our policy engine.”
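The endpoint-posture step above (identify what is on each historian, HMI or engineering workstation, find what it lacks, and gate its network access on the result) can be expressed as a small rule set. The following is an added example, not Mission Secure’s policy engine or code from the article: it reads a constructed inventory (the hosts, column names, rule weights and thresholds are all assumptions for the example) and returns an access decision per endpoint.

```python
import csv
from io import StringIO

# Constructed endpoint inventory for the example (not real hosts).
# vendor_supported / av_installed are yes/no; days_since_patch is an integer.
INVENTORY_CSV = """host,role,os,vendor_supported,av_installed,days_since_patch
HIST01,historian,Windows Server 2019,yes,yes,12
HMI03,hmi,Windows XP,no,no,1400
ENG02,engineering_workstation,Windows 10,yes,yes,95
HMI04,hmi,Windows 10,yes,no,20
"""

# Assumed rule weights: each posture gap adds to a risk score.
UNSUPPORTED_OS = ("unsupported_os", 40)   # OS no longer receives security fixes
NO_ANTIVIRUS = ("no_antivirus", 20)       # no endpoint protection present
PATCH_OVERDUE = ("patch_overdue", 15)     # last patch older than PATCH_WINDOW_DAYS
PATCH_WINDOW_DAYS = 90
RESTRICT_THRESHOLD = 15                   # assumed score at which access is narrowed


def load_inventory(text):
    """Parse the CSV inventory into a list of dict records."""
    return list(csv.DictReader(StringIO(text)))


def assess(rec):
    """Evaluate one endpoint record and return its issues, score and decision.

    Decisions: 'allow' (full access to its zone), 'restricted' (only the
    conduits the role needs), 'quarantine' (isolated until remediated).
    An unsupported OS always quarantines, regardless of the other checks.
    """
    issues = []
    if rec["vendor_supported"].strip().lower() != "yes":
        issues.append(UNSUPPORTED_OS)
    if rec["av_installed"].strip().lower() != "yes":
        issues.append(NO_ANTIVIRUS)
    if int(rec["days_since_patch"]) > PATCH_WINDOW_DAYS:
        issues.append(PATCH_OVERDUE)

    score = sum(weight for _, weight in issues)
    if UNSUPPORTED_OS in issues:
        decision = "quarantine"
    elif score >= RESTRICT_THRESHOLD:
        decision = "restricted"
    else:
        decision = "allow"
    return {
        "host": rec["host"],
        "role": rec["role"],
        "issues": [name for name, _ in issues],
        "score": score,
        "decision": decision,
    }


def assess_inventory(text=INVENTORY_CSV):
    """Assess every endpoint and return a dict keyed by hostname."""
    return {r["host"]: assess(r) for r in load_inventory(text)}


if __name__ == "__main__":
    for host, result in assess_inventory().items():
        print(f"{host:8} {result['decision']:11} score={result['score']:3} "
              f"issues={','.join(result['issues']) or '-'}")
```

The output of `assess_inventory()` is what a policy engine would consume when deciding which conduits an endpoint may use; feeding it real inventory means replacing the constructed CSV with an export from whatever asset-discovery tool is in use.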
Phoenix Contact
Even though the rocky marriage between operations technology (OT) and information technology (IT) creates added challenges for ongoing cybersecurity tasks, longtime best practices like those contained in the IEC 62443 standards still provide a complete framework for evaluating networks and analyzing cybersecurity risks, according to George Reed, cybersecurity solutions engineer at Phoenix Contact.
“Once we have a baseline network map, we can begin to decide what added connections, zones and conduits are needed or not, what devices should be able to talk to which others, and what other areas need to be looked at. Following IEC 62443 can help us set these policies and procedures,” says Reed. “Once this is done, we can start checking on network traffic. Again, this is what’s talking to what, but it’s also what data are they passing, and how secure are those communications?”
Answering these questions enables:
• Configuration management that checks the static configuration of each device, how it’s stored, and what changes can be made;
• Remote access via a virtual private network (VPN) or other remote access strategies;
• Incident management that plans for and predetermines how to approach and recover from cyber-probes, -intrusions and -attacks;
• Account management for performing role-based authentication, enforcing least-privilege policies, and requiring log-ins for even low-level devices; and
• Patch management policies for either eliminating vulnerabilities automatically, or sequestering fixes until they can be tested to make sure they won’t break anything, and applied when they’re less likely to cause unplanned downtime.
“These steps are needed to structure networks correctly, which is important because intrusion detection and traffic evaluation software are collecting information from lower and lower levels, and sending it to databases, where it can be monitored,” explains Reed.
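The recurring advice above (Honeywell: benchmark normal DCS traffic and monitor it; Mission Secure: segment, then watch for RDP reaching production equipment; Phoenix Contact: map zones and conduits, then check what is talking to what) comes down to one check that can be automated. The following is an added example, not code from the article or from any of the vendors named in it: it learns a baseline of observed flows, models IEC 62443-style zones and conduits, and flags flows that cross zones without an allowed conduit, RDP sessions into the control zone, and new talkers inside a zone. The subnets, conduits, port numbers and flow records are all constructed assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone map for the example: zone name -> subnet.
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.2.0.0/24"),
    "control": ip_network("10.10.0.0/16"),
}

# Assumed allowed conduits: (source zone, destination zone, destination port).
ALLOWED_CONDUITS = {
    ("dmz", "control", 502),      # DMZ historian polls PLCs over Modbus/TCP
    ("enterprise", "dmz", 443),   # enterprise clients read the historian over HTTPS
}

RDP_PORT = 3389


@dataclass(frozen=True)
class Flow:
    """One observed connection: source IP, destination IP, destination port."""
    src: str
    dst: str
    dport: int


def zone_of(ip):
    """Return the zone containing ip, or 'unknown' if it is outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def build_baseline(flows):
    """Record every (src, dst, port) seen during a known-good window."""
    return {(f.src, f.dst, f.dport) for f in flows}


def evaluate(flows, baseline):
    """Return (kind, flow) findings for flows that deviate from policy or baseline.

    One finding per flow, most severe first: RDP into the control zone, then a
    zone crossing with no allowed conduit, then a host pair not in the baseline.
    """
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if dst_zone == "control" and f.dport == RDP_PORT:
            findings.append(("rdp_into_control", f))
        elif src_zone != dst_zone and (src_zone, dst_zone, f.dport) not in ALLOWED_CONDUITS:
            findings.append(("cross_zone_no_conduit", f))
        elif (f.src, f.dst, f.dport) not in baseline:
            findings.append(("new_talker", f))
    return findings


def summarize(findings):
    """Count findings by kind, for a quick view of where segmentation is leaking."""
    return Counter(kind for kind, _ in findings)


# Constructed known-good flows (the baseline window).
BASELINE_FLOWS = [
    Flow("10.2.0.10", "10.10.1.5", 502),      # historian -> PLC, allowed conduit
    Flow("10.2.0.10", "10.10.1.6", 502),
    Flow("10.1.5.20", "10.2.0.10", 443),      # enterprise client -> historian
    Flow("10.10.1.5", "10.10.1.50", 44818),   # intra-zone EtherNet/IP
]

# Constructed later observation window: the baseline plus three deviations.
OBSERVED_FLOWS = BASELINE_FLOWS + [
    Flow("10.1.5.20", "10.10.1.7", 3389),     # RDP from enterprise straight into control
    Flow("10.1.5.21", "10.10.1.5", 502),      # enterprise host polling a PLC with no conduit
    Flow("10.10.1.9", "10.10.1.50", 44818),   # same zone, but a pair never seen before
]


def run_example():
    """Build the baseline and evaluate the observed window; returns the findings."""
    return evaluate(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for kind, flow in run_example():
        print(f"{kind:22} {flow.src}:{zone_of(flow.src)} -> "
              f"{flow.dst}:{zone_of(flow.dst)} port {flow.dport}")
    print(dict(summarize(run_example())))
```

Running the baseline window against itself produces no findings, which is the sanity check to do before trusting the tool on live traffic; the `cross_zone_no_conduit` results are also the direct answer to Reed’s question of which conduits are still missing from the zone model.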
Once initial cybersecurity procedures, monitoring and safeguards are in place, Reed reports that users can focus on resecuring and recovery after probes, intrusions and attacks. “This is incident recovery that depends on finding out exactly what happened, and if such a breach was covered in previous risk analyses,” adds Reed. “These tasks are costly, and can reveal more vulnerabilities that need to be mitigated going forward. How intrusions and breaches occur shows whether passwords or other authentications need to be changed, or if conduits, firewalls or other access points need to be changed. This may also be a good time to repeat and update a prior cybersecurity hazardous operations (cyber HazOp) study to learn more about what happened and why, and rethink existing cybersecurity measures based on new lessons learned. For example, device hardening by locking down some added ports and Internet protocol (IP) addresses may need to be done to see if doing it has a positive effect.”