Industrial Cybersecurity Insights
- As plants have become increasingly connected, proper industrial cybersecurity is imperative for limiting losses from cyberattacks.
- Good preventive steps include regular audits of OT systems, closing any security gaps those audits find, and training employees in cybersecurity best practices.
There is no doubt that the ongoing pandemic has forced us to rethink our cybersecurity programs and planning. In recent months, we’ve seen several industrial companies that have unfortunately learned a difficult lesson from not applying proper cybersecurity controls to protect their industrial control system (ICS) networks. To help others reconsider their industrial cybersecurity posture, I thought it might be useful to share some of my experiences and lessons from implementing industrial cybersecurity for critical infrastructure around the world. You’ll see that there are some obvious mistakes to avoid, but sadly many end users are not aware of them.
During my time as a control systems engineer and automation systems migration leader at customer sites, I worked to resolve critical situations including loss of view, loss of control, or both at once. Such situations, if not handled properly, can lead to total plant shutdown and production loss. Generally, there is a predefined timeframe within which the critical issue must be resolved, based on the plant design, the type of operation and the site’s capability to run operations manually. If these timeframes cannot be met, the operator should opt for an emergency operational shutdown. These decisions directly affect production and revenue. Under such pressure, I have witnessed how different groups behave.
Top 5 insecure actions
The most common behavior in this situation was to allow temporary insecure actions, bypassing standard physical or cybersecurity controls, in order to maintain production levels and avoid revenue loss until the issue was resolved. In my opinion, the top five insecure actions around cybersecurity are:
- Disabling a domain policy to enable universal serial bus (USB) ports.
- Sharing an admin password to grant power-level access.
- Temporarily enabling remote desktop to copy logs from another machine that has no USB ports enabled.
- Configuring a jump server for the sake of troubleshooting, bypassing firewall security to allow remote connectivity.
- Keeping power-level passwords in the system during normal operations.
I have also seen service and site maintenance engineers who bypass cyber and physical security measures. For instance, they carry a USB port blocker key alongside a spare system cabinet key as common pocket tools on their keychain.
My transition from end user to vendor, with Honeywell, across many countries allowed me to see that such behaviors are unfortunately widespread rather than confined to a handful of plants. Despite the standards, policies and training, these unsafe practices are still too common irrespective of the industry or the geographic region.
The pandemic and industrial security
Cybersecurity has never been more important than it is now. The pandemic has forced industrial firms to balance the needs of running the plant with maintaining the health and well-being of their staff. With the resulting economic pressures, all of this must be done while also controlling costs. Plant operators have had to embrace remote operations and allow non-essential staff to work from home. Plant operations, employee health and cost control seem to be competing terms in a difficult equation that needs to be balanced. While working on balancing this equation, these are, in my view, the top three mistakes to avoid:
- Extending existing corporate information technology (IT) solutions to cover operational technology (OT); IT solutions are not designed for such environments and do not comply with basic ICS security standards by default.
- Using any remote operation or remote troubleshooting solution without considering basic security and without having the right infrastructure in place.
- Delaying upgrades and migrations of obsolete systems without putting compensating measures in place.
Cybersecurity is a matter of risk management, through either risk prevention or risk mitigation. As we collectively face the challenges of this pandemic, and as part of a cyber maturity enhancement plan, here are my thoughts on the top five short-term actions to consider when planning a “new normal” operation:
- Invest in an industrial-grade, OT-specific remote access solution.
- Consider USB security solutions in addition to traditional controls (USB removable media is the primary threat vector in OT).
- Assess your hardening level and harden your Process Control Network (PCN) devices to enhance system maturity.
- Prioritize and refresh obsolete OT systems and upgrade your network to reduce risk.
- Apply proper zoning and segmentation, paying special attention to the layer between IT and OT.
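As an added example (not part of the original article, and not Honeywell tooling), the following PowerShell script audits a Windows host on the process control network for the kinds of “temporary” bypasses listed under the top five insecure actions above, and for the hardening state the short-term actions ask you to assess: whether the removable-storage deny policy is still in force, whether the USB mass-storage driver is disabled, whether Remote Desktop has been enabled, who sits in the local Administrators group, which enabled accounts have passwords that never expire, and whether all Windows Firewall profiles are on. The registry paths and values are the standard Windows policy locations; the approved-administrator list is an assumption standing in for the site’s own.

```powershell
# Added example, not from the original article: hardening drift audit for a Windows PCN host.
# Run in an elevated PowerShell 5.1+ session (the Get-Local* cmdlets need Windows 10 / Server 2016 or later).

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [string]$Status, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

function Get-RegValue {
    # Returns $null when the key or value is absent, i.e. the policy is not configured at all.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Removable storage GPO: "All Removable Storage classes: Deny all access" writes Deny_All = 1.
#    Disabling the domain policy to "enable USB" removes this value.
$denyAll = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
if ($denyAll -eq 1) { Add-Finding 'Removable storage policy' 'PASS' 'Deny_All = 1' }
else { Add-Finding 'Removable storage policy' 'FAIL' "Deny_All is '$denyAll' (expected 1)" }

# 2. USB mass-storage driver: Start = 4 means disabled, a second layer if the GPO is bypassed.
$usbstorStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
if ($usbstorStart -eq 4) { Add-Finding 'USBSTOR driver' 'PASS' 'Start = 4 (disabled)' }
else { Add-Finding 'USBSTOR driver' 'FAIL' "Start is '$usbstorStart' (expected 4)" }

# 3. Remote Desktop: fDenyTSConnections = 1 means RDP is off. A domain policy value, when present,
#    overrides the local setting; a "temporary" RDP enablement flips the local value to 0.
$rdpPolicy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'fDenyTSConnections'
$rdpLocal  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
$rdpEffective = if ($null -ne $rdpPolicy) { $rdpPolicy } else { $rdpLocal }
if ($rdpEffective -eq 1) { Add-Finding 'Remote Desktop' 'PASS' 'fDenyTSConnections = 1' }
else { Add-Finding 'Remote Desktop' 'FAIL' "fDenyTSConnections is '$rdpEffective' (policy='$rdpPolicy', local='$rdpLocal')" }

# 4. Local Administrators membership against the site's approved list (assumption: replace with yours).
#    Shared admin passwords and ad hoc "power level" grants tend to leave extra members behind.
$approvedAdmins = @('Administrator', 'PCN-Admins')
$members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { ($_.Name -split '\\')[-1] }
$unexpected = @($members | Where-Object { $approvedAdmins -notcontains $_ })
if ($unexpected.Count -eq 0) { Add-Finding 'Local Administrators' 'PASS' ($members -join ', ') }
else { Add-Finding 'Local Administrators' 'FAIL' "Unexpected members: $($unexpected -join ', ')" }

# 5. Enabled local accounts whose password never expires ("power passwords" left in the system).
$neverExpire = @(Get-LocalUser | Where-Object { $_.Enabled -and ($null -eq $_.PasswordExpires) } |
    Select-Object -ExpandProperty Name)
if ($neverExpire.Count -eq 0) { Add-Finding 'Non-expiring passwords' 'PASS' 'none' }
else { Add-Finding 'Non-expiring passwords' 'FAIL' ($neverExpire -join ', ') }

# 6. Host firewall profiles: all three should be on; troubleshooting sessions often switch one off.
$offProfiles = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
    Select-Object -ExpandProperty Name)
if ($offProfiles.Count -eq 0) { Add-Finding 'Windows Firewall profiles' 'PASS' 'all enabled' }
else { Add-Finding 'Windows Firewall profiles' 'FAIL' "Disabled: $($offProfiles -join ', ')" }

$findings | Format-Table -AutoSize
# Non-zero exit code = number of failed checks, so a scheduled task or monitoring job can alert on drift.
$failed = @($findings | Where-Object { $_.Status -eq 'FAIL' }).Count
exit $failed
```

Save it as a .ps1 and run it elevated; scheduling it (for example as a daily task that forwards the output) turns the one-off check into the regular hardening assessment recommended above, because a “temporary” bypass that was never rolled back shows up as a FAIL the next day. On legacy hosts that lack the LocalAccounts and NetSecurity modules (Windows 7 / Server 2008 R2), replace Get-LocalGroupMember with `net localgroup Administrators` and Get-NetFirewallProfile with `netsh advfirewall show allprofiles` and parse the text output; a PASS on the Deny_All check only proves the policy value is present on the host, not that the domain GPO is still linked and applied.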
Long-term cyber strategy planning
Finally, here are my personal recommendations for long-term OT strategy planning:
- Know your site’s security gaps by conducting a cybersecurity risk assessment.
- Design OT-specific cybersecurity implementation programs aiming at maintaining a high maturity level.
- Training and awareness are key, as people are the weakest part of the organization’s security triangle of people, process and technology.
- Be ready for the worst, which means extending your incident response, disaster recovery and business continuity plans to include OT cybersecurity.
- Build OT-specific policies and procedures and integrate them into corporate ones.
- Regularly reassess your hardening level to maintain your maturity level.
Original content can be found at ISAGCA.