The world of industrial control systems has been changing rapidly in recent years with digital convergence and the industrial internet of things placing almost everything on networks. While this can be good for productivity, it also opens up a whole new universe of cybersecurity risk. While most of the recent attacks have entered through information technology (IT) systems, Albert Rooyakkers, founder, CEO and CTO of Bedrock Automation, said operational technology (OT) systems are also very much at risk. In fact, it might be time for entirely new industrial control systems.
In early August, Rooyakkers shared some of his expert advice and knowledge with us on cybersecurity for critical infrastructure. This transcript of Rooyakkers’ Expert Interview Series with Industrial Cybersecurity Pulse has been edited for clarity.
ICS Pulse: Bedrock Automation has some experience working with water plants. The risks to these critical plants were put on stark display thanks to the breach in Oldsmar, Florida, not too long ago. Critical infrastructure has been increasingly under attack. Why are some of these OT systems so vulnerable right now?
Albert Rooyakkers: Well, the problem is that the systems, for the most part, of the installed base are kind of old. They’ve been installed, some of them even as far back as the late ’70s and early ’80s, at the dawn of the digital systems, going back to the early PLCs (programmable logic controllers) and RTUs (remote terminal units) and SCADA (supervisory control and data acquisition) systems. So they simply weren’t designed to exist in this modern digital phenomenon where cybersecurity became an issue, and so there’s no real thought to the architecture. There’s no sense of understanding the sophistication.
It’s kind of like they’re taking a stick to a gunfight. Through the exponential acceleration, Moore’s law, of software development, the capabilities for cyber offense far, far exceed what is in the install base for cyber defense. They’re really highly vulnerable in so many ways that it’s almost impossible to describe or to create a reasonable impenetrable defense mechanism for many of these sites.
“If it transitions, as a lot of people fear and concern for, from criminals to terrorists, where their intents are different, the damages will be far more severe.”
ICSP: You mentioned one of the problems with protecting OT systems is that they’re older. We also have a situation where OT has many more endpoints than there are in IT. How difficult does that make it to protect those systems?
Rooyakkers: It is difficult, but a real sophisticated attack on the OT systems is actually more difficult to orchestrate because these cyberattacks — for instance, ransomware attacks that are IT based — those are cyber criminals, and they’re really after your money. They come from the IT environment. To do a sophisticated attack on an OT system, you have to have an understanding of the process. Like this attack in Florida, this operator or this person that was guilty of it, they understood what valve to tweak and what thing to do to the process to upset it. You see a lot of cyber vulnerabilities and cyberattacks, so many of them are IT-centric because so many of them are basically criminal actors.
If it transitions, as a lot of people fear and concern for, from criminals to terrorists, where their intents are different, the damages will be far more severe because they’re not after the money. And they’re not going to get any money, either. If you create an OT attack or an OT event, virtually without exception, these processes, these infrastructures, whether it’s a chemical plant, water or wastewater treatment plant, you will damage infrastructure. You will damage the process. People could get hurt, and the damages, downtime and other things will be far in excess of what they typically get in a ransomware attack.
You’re not going to get their money because they’re going to be spending all their money fixing what you broke, and they’re not going to be wanting the money. So the threat is and the consequences are more severe in the OT space, but the method to do a sophisticated, consequential attack is actually more complicated. Therein are both of the sides of that equation. There’s a little bit of a safety intrinsic to that.
Having said all that … sensors are on networks that are ethernet networks or even twisted pair, frequency shifts. HART is a signal that can be corrupted. It has been proven, and it’s in the public domain how to corrupt the system via a HART transducer and a HART handheld terminal, so the vulnerabilities are just unbelievably widespread. It’s a monumental task, but there are certain things, common sense things, that you can do to isolate these networks and/or proxy the networks.
We even have some of those capabilities intrinsic to our system, so you can put on one side of a network, of a device, you can have a legacy network, a legacy protocol. And on the other side of that device, you have a more modern open protocol — say, MQTT or CUA or something to that effect, or even ethernet — and you create a firewall or a hardened interface. Simple things like that will create bubbles of protection around the devices, around the systems, and then the attack needs to be coming more from the inside out.
Then you start to limit the attack surface and various forms of that. That’s what owners and operators are doing to develop a cyber defense posture. And so far, God bless them, they’re all doing their best and doing a pretty good job of it, to be honest with you.
ICSP: Most ransomware attackers are going after IT, but even those attacks often end up shutting down OT systems. Who should own the responsibility for cybersecurity on these systems? Is it the IT side, the OT side or does it need to be a conversation between the two?
Rooyakkers: There’s no successful plan, there’s no successful thing, that can be done in a process without full collaboration between operators, engineers, the people that are inside the process, along with the people that own the business systems and responsibilities for those. They cannot operate in isolation. Now, we see it in our customers: There’s lots of convergence where OT organizations are now reporting to IT, especially where they become more cyber sensitive because IT has some intrinsic knowledge of even the most fundamental terms and technologies and so on.
“You must have a coordinated effort, and always, always trust the people closest to the process. Trust the operations.”
But then you also see conflicts within the organization because an operator or an engineer or an applications person is saying, “These guys don’t know anything about the real-time world. They don’t understand real-time process control. Blah, blah, blah.” That’s not going to work. You must have a coordinated effort, and always, always trust the people closest to the process. Trust the operations. They understand the intrinsic risk that you’re not going to get in the textbook. You’re not going to get with a computer degree. They understand where the ghosts are in the machine. It’s like any organization, you have to have good communication and collaboration or else you’ll fail.
ICSP: Let’s talk industrial control systems. You said the world needs a different kind of control system. Why is that, and what does it look like?
Rooyakkers: They do because time is moving forward. We are in a digital age, and this process of digitization is accelerating, so you need more advanced cyber tools and more advanced cyber technologies. And I say “cyber” as in computation. So control systems are a victim of the legacy and the infrastructure and the companies that have provided them for years and years and years. You now have five or six behemoth companies that fundamentally own the market, and they’re very, very vertically integrated.
Solution is vertically integrated, and that would make good business sense as the companies and the technologies evolve, but it doesn’t necessarily make good sense anymore. You have to be able to fragment the stovepipe, as we say, so that you can get best-in-breed technologies from the sensor and actuation to the IO (input/output) all the way through, say, the Purdue model or all the way through the stovepipe. You want to ensure that you have interoperability across the suite.
That’s not as hard to do anymore as it was in the past because you just need good, well-defined standards of the interface, APIs (application programming interfaces) and communication protocols and other things that exist amongst these various layers. Then, innovation will thrive. That’s where we’re at now. That transition is happening. Those standards and definitions and APIs are in place, and companies and users can get the best-of-class technologies. That’s important. Why? Basically, it’s cost. It’s driven by costs — lifecycle costs and then cyber. In cyber, it’s, “What does it cost me to protect my system?” So you’ve got to drive costs down.
You’ve got to drive complexity down because the successful technologies are the ones that are low cost and simple. These are the factors driving costs down through the whole lifecycle, improving the complexity and performance of the system but simplifying the user experience. All of that will happen and is happening because of open and secure technologies and open, secure architectures. The PLC versus DCS (distributed control system) versus RTU versus PAC (programmable automation controller), that doesn’t really matter anymore. That sort of segmentation is mostly gone.
The tools and the standards of the engineering environment and the interfaces, those things are well-defined and are available to be exploited by users and operators. So it’s happening. You can’t stop it, and you have to be able to accelerate the level of innovation and the level of change, so these systems can evolve. A SCADA system can evolve at the speed of software innovation. It’s separate to the speed of innovation that’s in hardware, firmware, semiconductor design and so on. So these things can exist and co-exist because the interface between them doesn’t change so much.
That’s how good architecture and good technology will evolve. It’s happening across your desktop. You can buy a PC (personal computer) from anyone. You can buy the applications that you need from anywhere. You can buy the switches and networks and pieces from anywhere. So you plug and play and buy the best bang for your dollar. That’s happening right now in industrial automation.
ICSP: Is any of that complicated by the fact that many OT systems have been running for decades, that these are older systems?
Rooyakkers: Well, it is a complicated thing, because in these applications, you have brownfield versus greenfield. At some point, a given infrastructure or a given facility that has brownfield and they’re saying for various reasons — obsolescence or other things are going on — they are going to replace that control system. Now, at that point, the question is, what’s the appropriate evolution? Every site is different. Every customer has different needs and requirements. The really important thing is to come at this thing in a practical, pragmatic way. You have to be able to evolve these systems.
You want to protect your system as long as possible. You want to protect it in the lowest-cost, most evolutionary way. You don’t want to spend millions for the sake of spending millions. You cannot disrupt or shut down a process unless it’s in a scheduled shutdown or some major window of repair. All these factors have never changed. It’s always been that way and always will be. But in these sites where you do have capital and CapEx (capital expenditure) and OpEx (operating expenses) projects or maintenance repair operations budgets, you need to spend that money in the most wise and appropriate way.
There are many, many ways that different vendors provide different evolutionary stories to upgrade equipment. But at some point, all these dollars get spent. And then the question will be, when you’re in this process, do you install using traditional technologies? What’s the degree of cyber protection that’s built into it? What will be the lifecycle cost of the system over a lifecycle window that matters to you? Some people say, “Well, I don’t care about the 20-year window anymore. I have to care about what’s happening in the next two years, three years or five years.”
So you need to be able to quantify and qualify the lifecycle cost variables that matter to you and compare it against different vendors and different technologies. Come up with concrete decisions based on logic and data, and then you’ll make the right decisions. People are smart, and they care about their companies and their money, so they’ll come to the right conclusions. The tools are there. And the great thing is now you can buy, say, a SCADA system like Inductive Automation, which has really great tools and capabilities, and it can interface the legacy PLCs.
It can interface the modern systems like ours. That’s a different tool set, different technology. You can do that now, and it’s all there for you to exploit.