Three reasons to perform an industrial control system assessment

Industrial control systems (ICSs) are under attack as frequently as corporate administration systems and users can prevent these attacks with an assessment that takes stock of what a company has, who has access, and what changes have been made.

01/16/2018


Courtesy: Cross CompanyHow often does an information technology (IT) group inform your company about the latest hacking trends affecting company email and systems? The hackers, or "bad actors" in the corporate and industrial world, have moved beyond poorly-worded email guaranteeing millions of dollars you inherited from an unknown and deceased relative. They're moving beyond the corporate level and taking aim at a company's control systems.

Industrial control systems (ICSs) are under attack as frequently as corporate administration systems. The problem, however, is that many industrial operational technology (OT) departments have lagged behind their IT counterparts in managing new threats. This is often for valid reasons, such as: 

  • Properly designed OT systems are often isolated to intranet systems with no access outside the plant.
  • The routine security software on administrative computers often crashes industrial control systems, requiring other measures to ensure the security of the system.
  • OT systems with limited access and user-defined roles may already prevent these systems from having unwanted user activity.
  • Older OT systems might not have the capabilities to see the level of network and control-layer activity that is available in newer systems today and personnel may be unaware of how the new developments affect them.

While those reasons still characterize some the realities in today's OT system, other factors have changed, providing the OT departments with more options than previously available to them. With technology developing faster than ever and more areas of the plant improving with smart devices, the plant is more capable than ever to increase production from its ICS and, concurrently, more vulnerable to unauthorized users. If movies, headlines, and personal experiences can teach us anything, it is that the bad actors will target OT systems for any motive and by all means necessary.

Responsible ICS management

The proper reaction to the risk of improved technology is not to stay in the dark ages and think, "If we maintain this 20-plus-year-old stand-alone system, then at least we'll be safer than connecting everything together." Rather, forward-thinking OT decision-makers should embrace the often quoted Spider-Man line, "With great power, comes great responsibility."

If the responsibility in an industrial facility is being shirked by everyone as "someone else's job,' then think of this bit of cliché wisdom, "Friends don't let friends have unsecured, undocumented, and unplanned industrial control systems." Now, speaking as a friend, if you know your ICS is at risk, it becomes your responsibility to explore ways to protect and educate the company on these issues, because eventually, it will affect your job.

The task to communicate this vulnerability, while potentially daunting, does not have to be entirely doom-and-gloom. After all, if the benefits of a well-designed OT infrastructure can improve quality, production, health and safety, and overall system security, the benefits of such a system to the company will far outweigh the potential inherent risks.

To prepare for the objections from the status-quo peanut gallery, remember: older systems are not impenetrable from outsiders. There's often a false sense of security that may be present because newer industrial control systems and complementary systems can identify risks that were not previously visible to plant engineers. In overly vulnerable systems, bad actors, disgruntled employees, or errant programmers can do a lot of damage to the ICS without being detected or under the guise of alternate explanations.

Advances in OT resources and philosophies today allow for the Scooby-Doo resolution to ICS issues. When the obvious culprit is caught, do not accept the surface-level explanation. Instead, use the new tools to unmask the scapegoat and reveal the real culprit. In doing so, a company embracing the modernized ICS resources could discover the true culprits behind the following issues: 

  • Unexpected and unexplainable shutdowns
  • Loss of production time
  • Loss of raw materials
  • Missed deadlines
  • Poor quality resulting from unidentified changes to the process
  • Safety breaches and injuries from machines being started at the wrong times.

Lack of accurate insight into the ICS's users, networks, processes, and changes may account for part of the misdiagnosis. For example, a batch system that often experiences unplanned shutdowns on weekends may be attributed to old hardware or operator error. In reality, it could be a bit of bad-actor programming that causes a process shutdown at defined intervals, but no one in the plant is aware of the malicious code buried in an obscure controller by an unknown entity.

How to assess an ICS

Image courtesy: Bob Vavra, CFE MediaAn ICS assessment may start with an industrial-cybersecurity focus, but it is more than just cybersecurity. It documents the system, creates a roadmap for secure growth and navigation, provides action items when breaches or errors occur, and educates and trains a culture of industry best-practices.

1. Know what you have

An ICS assessment allows the user to know what they have in your plant so they can manage the risk. Each controller could be a vulnerability depending on the overall network architecture and system settings for the devices. In some facilities, everything is all on one network. While that's probably less of a reality today than 1-2 years ago, that network layout means that someone downloading a simple file via email could shut down the whole production process.

While most industrial facilities probably have at least some separation between administration and operation networks, there can be plenty of vulnerabilities if the network has grown by sprawling switches and routers opposed to a well-defined architecture with demilitarized zones (DMZ) between IT and OT domains. Creating a DMZ allows teams on both sides of the zone share important data without jeopardizing production or sensitive information.

2. Know who has access

An ICS assessment can also identify who should have access to the various systems. If you know who should have access, then it is easier to identify who shouldn't have access. By using tools available for ICS systems now, bad actors can be identified by:

  • Unknown IP addresses showing up on a network scan.
  • Changes made by a smart device or human-machine interface (HMI) connected to a controller.
  • Changes made by bypassing the control network and using a USB port to upload changes.

3. Know what's been changed

Once you know what you have, and who should have access, it is much easier to know what has been changed. By watching the well-documented network, you can find out where the changes are made, who has been performing them, and what has changed. Not every change to a system is malicious or done by the faceless villains. Sometimes it is an honest mistake. Regardless of the source, any change that is not intended for the optimal production process can cause untold losses in labor, production, dollars, and sometimes life or limb.

Next steps

Every ICS solution is custom and needs to be tailored to the needs of a facility and the life cycle of the current IT and OT infrastructure. If your facility is due for an ICS assessment, seek out a trusted industry partner to explore what it will take to document what you have and plan for the risks that you will likely see. You may not be able to stop every risk, but you can improve the time it takes to correct any unwanted activity. Each step forward in securing and monitoring your system is better than taking none at all.

Brendan Quigley graduated from Millsaps College in 2003 and joined Cross Company in early 2012 as an inside sales representative. This article originally appeared on Cross Company's Innovative Controls' blog. Cross Company Integrated Systems Group is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com



Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me