Energy infrastructure is a large sector. It has evolved in the past 200 years and is still evolving. From mechanical to electronics to sophisticated control system technologies, it has helped improved the usage and efficiency of energy. With the emergence of the latest software and equipment, energy infrastructure is highly vulnerable due to legacy applications running on plant premises.
The inside of industrial automation is different from information technology (IT) industries. There are applications which are designed for high availability and high performance for control purposes. Since the applications were released with the operating system of that time, both start their journey together. However, as most of the systems have operating systems which upgraded themselves very fast (even yearly), the industrial software — such as distributed control systems (DCS), supervisory control and data acquisition (SCADA) or human-machine interfaces (HMI) — didn’t upgrade at a similar rate. This generated a huge gap, and that gap causes an influx in system vulnerabilities.
In many plants, it isn’t surprising to find Windows XP running peacefully and the applications running smoothly as well. This won’t last long due to the changing cyber threat landscape.
What is energy infrastructure?
Energy infrastructure includes power generating stations, power distribution and power consumption segments. On a granular level, we can segment these sectors further: power generating stations could be categorized as renewable, non-renewables, solar, thermal, wind, etc.
In these power stations or distribution stations, there exists control systems. The control systems use software and with software comes its bugs, vulnerabilities and risks.
What type of software is being used in the plant?
In these sectors, software used are DCS, HMI, SCADA, monitoring systems, predictive maintenance software, vibration monitoring solutions and more. All software or software solutions are based on an operating system: It could be Windows Server, Windows Workstation, Linux OS, and other proprietary software solutions as well.
Some DCS include HIMA, SPPA-T-3000, Foxboro, Metso Automation, Yokogawa, Honeywell and ABB. Similarly, for specific solutions, several vendors, original equipment manufacturers (OEMs), service providers or suppliers provide multiple solutions for energy sectors. Energy management systems are prominent in these sectors.
Why are systems not upgraded frequently?
“Upgrade and update” is not a daily routine in these industries because availability is the utmost priority in these industrial systems. Systems are critical and do not have privilege to miss a single microsecond bit. Thus, custodians sacrifice security with availability.
What issues arise when upgrading and updating systems frequently?
The main issue is fear of the loss of service for any system. To understand this issue, it is important to understand what is meant by upgrade or update.
Antivirus systems installed on the servers or workstations need to be updated, or if Windows pushes new updates very often for discovered vulnerabilities or functionality improvement. In the case of updating, there is a possibility that it is mandatory to reboot systems. If industries have high availability or if they have multiple workstations, then they can afford or prioritize these updates if it can be done as an online upgrade.
Where to start
The first thing to do is share internal and external awareness, education and knowledge about the threat landscape. Custodians can start with knowing the inventory of the plant, because for planning any cybersecurity solution, you must know what is in your plant.
An intensive inventory scanning and audit will show new devices, even if the plant has been operational for many years. There might be some devices that have been neglected for a long time due to less importance or less usage, and these become soft targets for cyberattacks.
How can we enhance the cybersecurity posture of the plant?
Enhancing cybersecurity posture begins by understanding the existing posture of the organization. We need to understand the correct existing posture by vulnerability assessments and risk assessments. Once weak areas are identified, then as per the security level, the proper cybersecurity controls can be deployed, and posture can be corrected.
– This originally appeared on ISA Global Cybersecurity Alliance’s website. ISA is a CFE Media and Technology content partner.