Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.


Securing Energy Infrastructure from Cyber Threats

Introduction

Energy infrastructure is a very large sector worldwide. It has evolved over the past 200 years and is still evolving. The move from mechanical to electronic to sophisticated control system technologies has improved ease of use and efficiency. With the emergence of the latest software and equipment, energy infrastructure is highly vulnerable because of the legacy applications still running on plant premises.

Industrial automation works differently from the information technology (IT) industry. Its applications are designed for high availability and high performance for control purposes. These applications were released alongside the operating systems of their time, so both started their journey together. However, while operating systems are upgraded very quickly (even yearly), industrial software such as distributed control systems (DCS), supervisory control and data acquisition (SCADA), and human machine interfaces (HMI) has not been upgraded at a similar rate. This has created a huge gap, and that gap is a source of system vulnerability.

Still, in many plants, we wouldn’t be surprised to find Windows XP running peacefully and the applications running smoothly as well. This won’t last long due to the changing cyber threat landscape. 

What is Energy Infrastructure?

Energy infrastructure includes power generating stations, power distribution, and power consumption segments. On a granular level, we can segment these sectors further; power generating stations could be categorized as renewable, non-renewable, solar, thermal, wind, etc.

These power stations and distribution stations contain control systems. All of these control systems use software to some extent, and with software come its bugs, its vulnerabilities, and its risks.

What Type of Software is Being Used in the Plant? 

In these sectors, the software used includes DCS, HMI, SCADA, monitoring systems, predictive maintenance software, vibration monitoring solutions, and more. All of this software is based on some sort of operating system: it could be Windows Server, Windows Workstation, Linux, or a proprietary software solution.

Some DCS include HIMA, SPPA-T-3000, Foxboro, Metso Automation, Yokogawa, Honeywell, and ABB, to name a few. Similarly, for specific solutions, several vendors, original equipment manufacturers (OEMs), service providers, or suppliers provide multiple solutions for energy sectors. Energy management systems are quite prominent in these sectors. 

Why are Systems Not Upgraded Frequently? 

“Upgrade and update” is not a daily routine in these industries, because availability is the utmost priority in these industrial systems. The systems are so critical that they cannot afford to miss even a single microsecond, so custodians sacrifice security for availability.

What Issues Arise When Upgrading and Updating Systems Frequently? 

The main issue is fear of the loss of service for any system. To understand this issue, we need to understand what is meant by upgrade or update.

Antivirus software installed on servers or workstations needs to be updated, and Windows frequently pushes new updates for discovered vulnerabilities or functionality improvements. Applying these updates may make a system reboot mandatory. If a plant has a high-availability setup or multiple workstations, it can afford to prioritize these updates, ideally when they can be done as an online upgrade.

Where Do You Start from a Security Perspective? What is Mandatory? 

Per my understanding of cybersecurity, the first thing to do is build internal and external awareness, education, and knowledge about the threat landscape. Custodians can start with knowing the inventory of the plant, because for planning any cybersecurity solution, you must know what is in your plant.

An intensive inventory scan and audit will show new devices, even if the plant has been operational for many years. Some devices may have been neglected for a long time because they are less important or rarely used, and these become soft targets for cyber-attacks.
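One way to make the inventory audit described above repeatable is to reconcile the plant's asset register against the devices actually observed on the network. The following is an added example, not part of the original post; the register format, device names, MAC addresses (documentation range), review threshold, and observed-device list are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample asset register (not from the original post).
ASSET_REGISTER_CSV = """mac,name,os,last_reviewed
00:00:5e:00:53:01,HMI-TURBINE-1,Windows XP,2016-03-01
00:00:5e:00:53:02,DCS-ENG-STATION,Windows 10,2024-09-15
00:00:5e:00:53:03,VIBRATION-MON,Linux,2019-06-30
00:00:5e:00:53:04,HISTORIAN,Windows Server 2019,2024-10-01
"""
# Constructed result of passive network monitoring: MAC -> date last seen.
OBSERVED = {
    "00:00:5e:00:53:01": date(2024, 11, 30),
    "00:00:5e:00:53:02": date(2024, 11, 30),
    "00:00:5e:00:53:03": date(2024, 11, 29),
    "00:00:5e:00:53:0a": date(2024, 11, 30),  # device missing from the register
}
# Vendor end-of-support dates; extend this table for your own platforms.
END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8), "Windows 7": date(2020, 1, 14)}


def reconcile(register_csv, observed, audit_date, max_review_age_days=365):
    """Compare the documented inventory with observed devices and group findings."""
    register = {r["mac"].lower(): r for r in csv.DictReader(io.StringIO(register_csv))}
    seen = {mac.lower() for mac in observed}
    findings = {"unregistered": sorted(seen - set(register)),
                "not_observed": [], "unsupported_os": [], "review_overdue": []}
    for mac, row in sorted(register.items()):
        if mac not in seen:  # documented, but silent on the network
            findings["not_observed"].append(row["name"])
        eos = END_OF_SUPPORT.get(row["os"])
        if eos and eos < audit_date:  # OS no longer receives security fixes
            findings["unsupported_os"].append(row["name"])
        age = (audit_date - date.fromisoformat(row["last_reviewed"])).days
        if age > max_review_age_days:  # neglected: nobody has reviewed it lately
            findings["review_overdue"].append(row["name"])
    return findings


if __name__ == "__main__":
    for category, items in reconcile(ASSET_REGISTER_CSV, OBSERVED, date(2024, 12, 1)).items():
        print(f"{category}: {items}")
```

Each category calls for a different follow-up: unregistered devices need identification and an owner, while overdue and unsupported devices are the neglected assets that should be prioritized in the risk assessment.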

How Can We Enhance the Cybersecurity Posture of the Plant? 

We can enhance the cybersecurity posture by first understanding the organization's existing posture, which means establishing it accurately through vulnerability assessments and risk assessments. Once weak areas are identified, the proper cybersecurity controls can be deployed according to the security level, and the posture can be corrected.

How Can We Educate Customers to Increase Awareness and Prevent Getting Attacked? 

Existing customers are easy to educate, but for others the first hurdle is the mindset. It has often been observed that when we talk about investing in cybersecurity, customers do not show much interest. A better suggestion would be to provide some free training or sessions to customers on cybersecurity.

Only if someone understands the security solutions and how they work can they think of deploying them in industry. Creating awareness is the prime step in educating customers.

Sourabh Suman
Sourabh Suman has over 11 years of experience in ICS and ICS cybersecurity and currently works with Capgemini in manufacturing, food processing, energy utility, and oil & gas portfolios. He is currently designing and implementing the defense-in-depth cybersecurity solutions for the OT/ICS. He previously worked with Schneider Electric, Siemens, and JPL, and holds a patent related to OT/ICS cybersecurity as well. He has a mission of helping industries defend critical infrastructure from cyberattacks by increasing cybersecurity awareness in OT/ICS among engineers working in these industries.
