There is no doubt that the ongoing pandemic has forced us to rethink our cybersecurity programs and planning. In recent months, we’ve seen several industrial companies that have unfortunately learned a difficult lesson from not applying proper cybersecurity controls to protect their industrial control system (ICS) networks. To help others reconsider their cybersecurity posture, I thought it might be useful to share some of my experiences and learnings in implementing industrial cybersecurity with critical infrastructure around the world. You’ll see that there are some obvious mistakes to avoid, but sadly many end-users are not aware of them. I want to help change that!
During my time as a control systems engineer and automation systems migration leader at customer sites, I worked to solve critical situations including loss of view, loss of control, or both at once. Such situations, if not handled properly, might lead to total plant shutdown and production loss. Generally, there is a predefined timeframe within which the critical issue must be resolved, based on the factory design, type of operation, and capability to handle operations manually at the site level. If these timeframes cannot be met, the operator should opt for emergency operational shutdown. These decisions directly affect production and revenue. Under such pressure, I have witnessed how different groups behave.
The most common behavior in this situation was allowing temporary insecure actions of bypassing standard physical or cybersecurity controls to maintain production levels and avoid revenue loss until the issue was resolved. In my opinion, the top five insecure actions around cybersecurity are:
- Disabling a domain policy to enable universal serial bus (USB)
- Sharing an admin password to grant power level access
- Temporarily configuring remote desktop to copy logs from another machine with no USB ports enabled
- Configuring a jump server for the sake of troubleshooting and bypassing firewall security to allow remote connectivity
- Keeping power passwords in the system during normal operations
I have also seen service and site maintenance engineers who bypass cyber and physical security measures. For instance, they carry a USB port blocker key alongside a system cabinet spare key as a common pocket tool in their keychain, just in case!
My transition from being an end-user to working for a vendor, Honeywell, across many countries, allowed me to see how such behaviors are unfortunately widespread among a handful of plants. Despite the standards, policies, and training, these unsafe practices are still too common irrespective of the industry or the geographic region.
Surely, cybersecurity has never been more important than it is now. The pandemic has forced industrial firms to balance the needs of running the plant while maintaining the health and well-being of their staff. With the resulting economic pressures, all of this must be done while also controlling costs. Plant operators have had to embrace remote operations and allow non-essential staff to work from home. Plant operations, the health of employees, and cost control seem to be competing parts of a difficult equation that needs to be balanced. While working on balancing this equation, these are, in my view, the top three mistakes to avoid:
- Extending available corporate information technology (IT) solutions to cover operational technology (OT); IT solutions are not designed for such an environment and do not comply with basic ICS security standards by default
- Using any remote operation or remote troubleshooting solution without considering basic security and without having the right infrastructure in place
- Delaying upgrades and migrations of obsolete systems without any interim measures in place
Indeed, cybersecurity is a matter of risk management, either by risk prevention or by risk mitigation. As we collectively face the challenges of this pandemic with a cyber maturity enhancement plan, here are my thoughts on the top five short-term actions to consider when planning a “new normal” operation:
- Invest in an industrial grade, OT-specific remote access solution.
- Consider USB security solutions layered behind traditional ones (USB is the primary threat vector in OT).
- Assess your hardening level and harden your Process Control Network (PCN) devices to enhance system maturity.
- Prioritize and refresh obsolete OT systems and upgrade your network to reduce risk.
- Apply proper zoning and segmentation, paying special attention to the layer between IT/OT.
Finally, here are my personal recommendations for long-term OT strategy planning:
- Know your sites' security gaps by conducting a cybersecurity risk assessment.
- Design OT-specific cybersecurity implementation programs aimed at maintaining a high maturity level. Secure the basics first!
- Training and awareness are key, as people are the weakest part of the organization's security triangle.
- Be ready for the worst, which means extending your incident response, disaster recovery, and business continuity plans to include OT cybersecurity.
- Build OT-specific policies and procedures and integrate them into corporate ones.
- Regularly assess your hardening level to maintain your maturity level.
In the end, we are in this together. Feel free to comment, as I am interested in hearing your thoughts and best cybersecurity practices during the pandemic. I wish you a healthy and secure environment for your systems.