Explore the common cybersecurity challenges that producers face, and ways to mitigate threats and secure industrial automation systems
Just as most people haven’t crossed paths with sophisticated criminals in their everyday lives, most industrial automation users have not had to face major cyber threats from bad actors. Many manufacturers and producers don’t know how vulnerable their systems are – and unfortunately, the ramifications of an attack go deeper than lost product.
Threats and bad actors are out there – just ask the 18,000 companies affected by the recent SolarWinds hack, or the industrial and energy-producing facilities targeted by the Stuxnet malware attack on PLCs in 2009. Manufacturers and producers are increasingly facing cyber threats, particularly ransomware, as well as data breaches. In fact, more than half of respondents to a recent survey reported a data breach in the year prior.
As plants become more interconnected and dependent on the Internet, and as digital transformation becomes less of a buzzword and more of a norm, vulnerabilities increase and risks compound. At a plant, an attack could mean lost product, unscheduled downtime, worker safety issues, losses of confidential and/or proprietary information, and sometimes negative consequences on the company’s public image.
In order to truly mitigate risk, every producer needs to be proactive about knowing what risks are out there, understanding their unique vulnerabilities, and prioritizing mitigation tactics from there. The bottom line? Don’t just assume you are safe from cyber attacks – you must be proactive to protect your system. Attackers constantly evolve and so must you.
DCS cybersecurity: Assess your risk
When it comes to a distributed control system (DCS), plant managers and engineers know cybersecurity is essential. How can you help ensure your system is secure? And how can you do that if you don't know all the nuances of your system?
For security, people often immediately think to create strong passwords and are aware of the need to implement software updates and patches in our everyday computing environments. But cybersecurity for a process system – which contains any number of products including, but not limited to controllers, networking, HMIs, advanced analytics, and most importantly people – requires a more comprehensive plan.
That plan should consider not just the IT/data management side of things – computing, software and hardware – but also OT, or operational technology, cybersecurity. OT systems, like a DCS, control the physical aspects of the plant and have special requirements beyond typical IT security measures.
A comprehensive plan should align to international standard ANSI/ISA-62443-3-3, which provides security guidance for industrial automation and control systems and defines procedures to implement a secure system. This standard is considered by many industrial cybersecurity experts to be the global standard for now and the future. Because it was written by multivendor/user security experts in industrial automation, it has specifically addressed the idiosyncrasies of our industry.
Based on the ANSI/ISA-62443-3-3 standard, the first step in any cybersecurity plan is to take an accurate inventory of all the devices and interfaces that make up the system and understand any vulnerabilities they have. A risk assessment led by a trusted third-party partner can make a huge difference, as it’s easy to miss the things that are right in front of us. This assessment will help producers find vulnerabilities and allow the site to understand what level of risk they can tolerate. This will allow them to make the best choices for threat mitigation in their company.
Four common challenges and tips for improving security
Once a risk assessment is complete, securing a system can seem extremely daunting, but there are generally accepted countermeasures that will improve your security posture. The ever-increasing connectivity of automated plants provides unprecedented visibility into systems, resulting in advanced analytics and data that can help improve processes, create efficiencies and increase profitability. But that connectivity can leave systems exposed and vulnerable to threats.
Plant decision-makers exploring DCS-related cybersecurity improvements may face one or more of the following common challenges. Here are tips to consider for overcoming these challenges:
1. Open systems. When the Stuxnet computer worm struck and spread easily throughout control systems, it highlighted just how open those systems were. Open protocol networks are a historical hallmark of distributed control systems and are usually considered a huge benefit. But the additional avenues of risk associated with online, connected control systems may leave producers more vulnerable. The Zone and Conduit model can help mitigate the threat and keep critical assets segmented from most vulnerable areas. This also allows for open networks from being exposed to the easy avenues of attack. The ISA 62443 series of standards supports zones and conduits, and a clear definition of each can be found in this blog post.
2. Legacy equipment. Every plant has equipment of varying vintages, and many manufacturers take a piecemeal approach to upgrading their system. That means a new PLC might be on the same network as a computer running Windows XP. These older machines, especially if they have not been updated in many years, are potential entry points for viruses, worms and hackers. This is where a risk assessment can expose a vulnerability and develop a strategy to strengthen them. In larger plants you may not even know there is still an obsolete operating system on your network. Replacement is critical, but if it is not possible, some protection could be gained with network segmentation building layers of defense.
3. Evolving workforce. Employee turnover internally and at external partners and vendors is another big challenge for producers. Turnover for system integrators in particular is often extremely high. The people who have access to your plant and systems are an important piece of the overall cybersecurity puzzle. Breaches can be caused by innocent mistakes as well as those with nefarious intentions. Do you know who manages user accounts and system access for your company? Are there any accounts that have remained active and unused for years? Adhering to ISA 62443 standards and managing your users as part of a cybersecurity strategy can help mitigate risk.
4. Unknown ROI. It can be difficult enough to get management buy-in for investments when the return on investment is clear. With cybersecurity or any risk mitigation initiative, it’s less about how much money the company will make and more about what you don’t want to lose. Cyber attacks can cause losses of production and uptime, communications, information and, worst-case, safety of workers. With a proper risk assessment, vulnerabilities, risks, and mitigation strategies can be evaluated and allow producers to ask: What risk are we willing to accept? What will it cost to make the changes needed to feel comfortable in our risk posture? It may not be as expensive as you think to make changes, and the opportunity cost for not protecting is too great to pass up implementing even some simple measures. Determine your risk posture and protect your most vital assets.
Secure your system for the outcomes you need
Threats can come from every direction and the more layers of defense we implement, the more likely we will mitigate true risks and not become a statistic. When it comes to system security, the real goal is to improve your risk posture.
If you’re like many producers, you may not realize the true breadth of the threat landscape. You may not know just how vulnerable you are. Fortunately, trusted providers are looking out for their producer customers – helping them to be both proactive and reactive in the face of continuing and evolving cyber threats.
It’s important that your industrial automation provider takes security seriously, aligns with the ANSI/ISA-62443-3-3 standard and builds their products and systems in accordance with that standard. To explore your risk tolerance and security posture, ask your provider about a comprehensive risk analysis, which can help you take a proactive stance beyond your DCS.
This post was originally published on the Rockwell Automation blog.