Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.


Industrial Cybersecurity Mistakes to Avoid in the New Normal

There is no doubt that the ongoing pandemic has forced us to rethink our cybersecurity programs and planning. In recent months, we’ve seen several industrial companies learn a difficult lesson from not applying proper cybersecurity controls to protect their industrial control system (ICS) networks. To help others reconsider their cybersecurity posture, I thought it might be useful to share some of my experiences and lessons learned in implementing industrial cybersecurity for critical infrastructure around the world. You’ll see that there are some obvious mistakes to avoid, but sadly many end users are not aware of them. I want to help change that!

During my time as a control systems engineer and automation systems migration leader at customer sites, I worked to solve critical situations including loss of view, loss of control, or both at once. Such situations, if not handled properly, might lead to total plant shutdown and production loss. Generally, there is a predefined timeframe within which the critical issue must be resolved, based on the factory design, type of operation, and capability to handle operations manually at the site level. If these timeframes cannot be met, the operator should opt for emergency operational shutdown. These decisions directly affect production and revenue. Under such pressure, I have witnessed how different groups behave.

The most common behavior in this situation was to allow temporary, insecure actions that bypass standard physical or cybersecurity controls in order to maintain production levels and avoid revenue loss until the issue was resolved. In my opinion, the top five insecure actions around cybersecurity are:

  • Disabling a domain policy to enable universal serial bus (USB) storage devices
  • Sharing an administrator password to grant elevated (power-level) access
  • Temporarily enabling Remote Desktop to copy logs from a machine whose USB ports are disabled
  • Configuring an ad hoc jump server for troubleshooting and bypassing firewall rules to allow remote connectivity
  • Leaving power-level passwords active in the system during normal operations

I have also seen service and site maintenance engineers who bypass cyber and physical security measures. For instance, they carry a USB port-blocker key alongside a spare system cabinet key as a common pocket tool on their keychain, just in case!

My transition from end user to vendor (Honeywell), working across many countries, allowed me to see how widespread such behaviors unfortunately are, not just in a handful of plants. Despite the standards, policies, and training, these unsafe practices are still too common, irrespective of the industry or the geographic region.

Surely, cybersecurity has never been more important than it is now. The pandemic has forced industrial firms to balance the needs of running the plant with maintaining the health and well-being of their staff. With the resulting economic pressures, all of this must be done while also controlling costs. Plant operators have had to embrace remote operations and allow non-essential staff to work from home. Plant operations, the health of employees, and cost control are competing terms in a difficult equation that needs to be balanced. While working to balance this equation, these are, in my view, the top three mistakes to avoid:

  • Extending available corporate information technology (IT) solutions to cover operational technology (OT); IT solutions are not designed for that environment and do not meet basic ICS security requirements (such as those in ISA/IEC 62443) by default
  • Using any remote operation or remote troubleshooting solution without considering basic security and without having the right infrastructure in place
  • Delaying upgrades and migrations of obsolete systems with no compensating measures in place

Indeed, cybersecurity is a matter of risk management, either by risk prevention or by risk mitigation. As we collectively face the challenges of this pandemic and plan how to raise cyber maturity, here are my thoughts on the top five short-term actions to consider when planning a “new normal” operation:

  • Invest in an industrial-grade, OT-specific remote access solution.
  • Consider USB security solutions in addition to traditional endpoint controls (USB removable media is a primary threat vector in OT).
  • Assess your hardening level and harden your Process Control Network (PCN) devices to enhance system maturity.
  • Prioritize and refresh obsolete OT systems and upgrade your network to reduce risk.
  • Apply proper zoning and segmentation, paying special attention to the IT/OT boundary (the layer between the corporate network and the PCN).
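The “temporary” bypasses in the earlier list (USB storage re-enabled through a domain-policy change, Remote Desktop switched on to copy logs, firewall rules relaxed for remote connectivity, shared administrator access) are exactly what the hardening assessment recommended here should detect, because they tend to outlive the incident that justified them. The following PowerShell script is an added example, not code from the original post or from Honeywell: a read-only check of one Windows PCN node for those four kinds of drift. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1, run with local administrator rights; the registry paths are the standard Windows locations for these settings, while the approved-administrator baseline and the domain name `PCN` are hypothetical values to be replaced with your own.

```powershell
# Added example, not from the original post or from Honeywell.
# Read-only audit of a Windows PCN node for hardening drift: USB storage
# re-enabled, Remote Desktop on, firewall profiles off, extra local admins.
# Assumes Windows 10 / Server 2016+ with PowerShell 5.1, run as local admin.

# Hypothetical site baseline: the only accounts allowed in local Administrators.
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'PCN\Domain Admins')

function Get-RegValue($Path, $Name) {
    # Returns $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-UsbStorageBlocked {
    # USBSTOR Start = 4 disables the mass-storage driver; Deny_All = 1 is what the
    # "All Removable Storage classes: Deny all access" policy writes. Either is enough.
    $start = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    $deny  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
    return ($start -eq 4) -or ($deny -eq 1)
}

function Test-RdpDisabled {
    # fDenyTSConnections = 1 means Remote Desktop is off; 0 (or a missing value)
    # is the "temporary RDP to copy logs" bypass still in place.
    $deny = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    return ($deny -eq 1)
}

function Get-DisabledFirewallProfiles {
    # Any profile switched off to "allow remote connectivity" shows up here.
    Get-NetFirewallProfile |
        Where-Object { $_.Enabled -eq 'False' } |
        Select-Object -ExpandProperty Name
}

function Get-UnexpectedLocalAdmins {
    # Members of local Administrators outside the baseline: shared or forgotten
    # power-level accounts added during an incident and never removed.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedAdmins -notcontains $_.Name } |
        Select-Object -ExpandProperty Name
}

$unexpectedAdmins = @(Get-UnexpectedLocalAdmins)
$openProfiles     = @(Get-DisabledFirewallProfiles)

$report = [PSCustomObject]@{
    Host                  = $env:COMPUTERNAME
    UsbStorageBlocked     = Test-UsbStorageBlocked
    RdpDisabled           = Test-RdpDisabled
    FirewallProfilesOff   = ($openProfiles -join ',')
    UnexpectedLocalAdmins = ($unexpectedAdmins -join ',')
}
$report | Format-List

# Non-zero exit code when any bypass is present, so a scheduled task or an
# Invoke-Command sweep across PCN hosts can flag the node for follow-up.
$findings = @()
if (-not $report.UsbStorageBlocked) { $findings += 'USB storage enabled' }
if (-not $report.RdpDisabled)       { $findings += 'Remote Desktop enabled' }
if ($openProfiles.Count -gt 0)      { $findings += 'Firewall profile(s) disabled' }
if ($unexpectedAdmins.Count -gt 0)  { $findings += 'Unexpected local administrators' }
if ($findings.Count -gt 0) {
    Write-Warning ('Hardening drift: ' + ($findings -join '; '))
    exit 1
}
exit 0
```

Run it from an administrative PowerShell session on the node, or push it to a list of PCN hosts with `Invoke-Command -ComputerName` from a management station inside the OT zone; a non-zero exit is the signal that an emergency bypass was never rolled back. The check reads state only and changes nothing, which is the right default on a running control system: remediation should go through the site’s change process, not through the audit script.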

Finally, here are my personal recommendations for long-term OT strategy planning:

  • Know your sites’ security gaps by conducting a cybersecurity risk assessment.
  • Design OT-specific cybersecurity implementation programs aimed at reaching and maintaining a high maturity level. Secure the basics first!
  • Training and awareness are key, as people are the weakest side of the people, process, and technology security triangle.
  • Be ready for the worst, which means extending your incident response, disaster recovery, and business continuity plans to cover OT cybersecurity.
  • Build OT-specific policies and procedures and integrate them into corporate ones.
  • Regularly reassess your hardening level to maintain your maturity level.

In the end, we are in this together. Feel free to comment, as I am interested in your thoughts and best cybersecurity practices during the pandemic. I wish a healthy and secure environment for your systems.

Mohammed Adel Saad
Mohammed Adel Saad currently serves as the OT Cybersecurity Sales and Business Development Director at Honeywell Connected Enterprise, based in Atlanta, Georgia, US. With over 17 years of industrial experience, Saad has an extensive technical background and is an expert in industrial control systems, process control, and industrial cybersecurity. Prior to his current role, Saad was the Global Head of Honeywell’s Cyber Technical Solution Consulting Group in which he was responsible for forming a global team of cyber experts helping industrial customers across the globe design the right cyber solutions to protect their operations and critical infrastructure from cyber-attacks.
