The growing need for ICS cybersecurity

A company's potential for being hacked is growing and companies need to take steps to protect their industrial control system (ICS), which requires taking a long look at all aspects of a facility and identifying what is most vulnerable.

10/25/2017


Courtesy: Cross Company

We treat cybersecurity in our plants much like the way many treat their personal future health. Management and engineers usually realize that there are threats, but capital expenditure requests continue to be denied and delayed because those requests are a low priority in the eyes of all involved.

Over time, these items become even more passive thoughts while the threats continue to grow right under everyone's nose. Although most integrators are diligent and careful in their actions, the fact remains that using third-party integrators can increase a facility's security risks more than using internal resources. It is rare, in initial project conversations, for a company to express concern or actively attempt to hold integrators accountable by monitoring their work. Although employees really do care about the product, cybersecurity threats are treated with less interest, and as less probable, than natural disasters. Then, it strikes, and no one knows where it came from or how long the repercussions will last. We in the industry have a responsibility to consider any new product or process that might reduce the risk of damage to our system. Not just for profits or reputation, but for the customers.

Threats are growing

Those who work in the industry may have already been pressured to consider some type of security solution. Most solutions are basic and only partially address the hot-topic issues that create easy and quick sales. They are sold as "complete" solutions, yet they tend to be platform-specific and/or action-specific, and they can often stop only one type of security threat or can interfere with the online operation of the control system.

Be wary of any one-stop solution that claims to handle all threats; most of the time, handling them requires a complete action plan. Security in any form takes active engagement by something and/or someone because the nature of the problem is highly variable. As technology grows, security threats grow at an equal rate. Very few security products have advanced enough to create cost-effective and efficient solutions.

ICS vulnerabilities are widely diversified

In 2015, new vulnerabilities were found in products from 55 different manufacturers, covering all types of components: programmable logic controller/distributed control system (PLC/DCS), human-machine interface (HMI), electronic devices, supervisory control and data acquisition (SCADA), industrial network devices, and many others. The vulnerabilities in industrial control system (ICS) components are so different in nature from traditional information technology (IT) threats that they should be treated differently and with the control engineering team fully participating. Adding firewalls and a DMZ, turning off ports, and creating air gaps are good practices, but they are not enough; the control layer should always be monitored by equipment and processes designed for the entire control system infrastructure.

Many manufacturers have a solution for this; they sell a product to monitor the control system and help to mitigate the risk. The problem with this method is that they do not have dedicated staff to support the ever-growing vulnerabilities and are usually last to the table to mitigate the threat via a patch. These manufacturers also do not play well with other brands. If a facility has multiple types of controllers, for example, some of them will not get security coverage, and the facility will have to create multiple solutions that all need to be monitored.

If a process facility relied on conventional security methods—and on security product manufacturers to create patches for security breaches—it would only be partially protected. Firewalls and air gaps are good security precautions but are only part of a complete security solution.

Most ICS components are susceptible

It is probably not surprising that the HMI, SCADA, and controller are the top components that are susceptible to intrusion, as these are the main parts of a control system. They are also touched by many different people and systems, all of which bring an element of risk. Whether the source is internal engineers, multiple networks, IT, or third-party integrators, the risk grows, and most companies have no way to track who was on the system and what was done.

Hopefully, the third-party integrator doesn't accidentally pass a security threat to the system because of a sketchy driver download. Unfortunately, most companies would have no way of knowing until the problem surfaces, and with a growing number of vulnerabilities, the risk of catastrophic damage is ever increasing.

Although automation components are designed for critical infrastructures, industrial-sector devices are not secure by default. The capabilities, motivations, and number of threat actors focusing on ICS environments are increasing. The threats range from infected hard drives or USB sticks to unauthorized connections from ICS networks to the Internet through personal smart phones or modems, and from infected distributive kits obtained from vendors to a hired insider.

With the Industrial Internet of Things (IIoT) growing, these security threats are not going to go away or even slow. Fortunately, this boom has created a movement in the software industry and dozens of startup cybersecurity companies have emerged. Most are trying to make a quick buck on the rising tide; others are inventing technology that our industry has never seen and are taking huge leaps forward in cybersecurity.

When doing research, look for platform diversity, comprehensive audits, a guarantee of seeing every logic/controller action (audit), real-time alerts, and a qualified, respected team at the vendor's foundation. This is uncharted territory, and the internal engineer, vendor, or local integrator may not have the necessary cybersecurity experience. Reach out to the community. Challenge cybersecurity companies to provide complete solutions, onsite proofs of concept, and a well-respected engineering/security foundation. No matter what company walks through the door, be sure to dive deep into its solution and its ability to support the company for the foreseeable future.

Eli Jenkins is an account manager with Cross Company. He has a background in chemical manufacturing, control system integration, and consultant sales. This article originally appeared on Cross Company's Innovative Controls blog. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, cvavra@cfemedia.com.


