Building a Resilient World: Practical Automation Cybersecurity

Securing Energy Infrastructure from Cyber Threats

Written by Sourabh Suman | Oct 5, 2021 9:30:00 AM

Introduction

Energy infrastructure is a very large sector on Earth. It has evolved over the past 200 years and is still evolving. The move from mechanical to electronic to sophisticated control system technologies has improved ease of use and efficiency. Even with the emergence of the latest software and equipment, energy infrastructure is highly vulnerable because of legacy applications running on plant premises.

Industrial automation works differently on the inside from the information technology (IT) industries. Its applications are designed for high availability and high performance for control purposes. These applications were released alongside the operating systems of their time, so both started their journey together. However, while operating systems were upgraded very quickly (even yearly), industrial software such as distributed control systems (DCS), supervisory control and data acquisition (SCADA), or human machine interfaces (HMI) was not upgraded at a similar rate. This created a huge gap, and that gap is what makes these systems vulnerable.

Still, in many plants, we wouldn’t be surprised to find Windows XP running peacefully and the applications running smoothly as well. This won’t last long due to the changing cyber threat landscape. 

What is Energy Infrastructure?

Energy infrastructure includes power generating stations, power distribution, and power consumption segments. On a granular level, we can segment these sectors further; power generating stations could be categorized as renewable, non-renewable, solar, thermal, wind, etc.

In these power stations or distribution stations, there exist control systems. All these control systems use software to some extent, and with software come its bugs, its vulnerabilities, and its risks.

What Type of Software is Being Used in the Plant? 

In these sectors, the software in use includes DCS, HMI, SCADA, monitoring systems, predictive maintenance software, vibration monitoring solutions, and more. All software or software solutions are based on some sort of operating system: it could be Windows Server, Windows Workstation, Linux, or a proprietary software solution.

Some DCS include HIMA, SPPA-T-3000, Foxboro, Metso Automation, Yokogawa, Honeywell, and ABB, to name a few. Similarly, for specific solutions, several vendors, original equipment manufacturers (OEMs), service providers, or suppliers provide multiple solutions for energy sectors. Energy management systems are quite prominent in these sectors. 

Why are Systems Not Upgraded Frequently? 

“Upgrade and update” is not a daily routine in these industries, because availability is the utmost priority in these industrial systems. The systems are so critical that they cannot afford to miss even a single microsecond, so custodians sacrifice security for availability.

What Issues Arise When Upgrading and Updating Systems Frequently? 

The main issue is fear of the loss of service for any system. To understand this issue, we need to understand what is meant by upgrade or update.

Antivirus software installed on the servers or workstations needs to be updated, and Windows very often pushes new updates for discovered vulnerabilities or functionality improvements. When updating, there is a possibility that a system reboot is mandatory. If a plant has a high-availability setup or multiple workstations, it can afford to prioritize these updates, ideally when they can be done as an online upgrade.

Where Do You Start from a Security Perspective? What is Mandatory? 

Per my understanding of cybersecurity, the first thing to do is to build internal and external awareness, education, and knowledge about the threat landscape. Custodians can start by knowing the inventory of the plant, because to plan any cybersecurity solution, you must know what is in your plant.

An intensive inventory scan and audit will turn up new devices, even if the plant has been operational for many years. There might be some devices that have been neglected for a long time because they are considered less important or are rarely used, and these become soft targets for cyber-attacks.
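An added example, not from the original article: a minimal reconciliation of a documented asset register against a network discovery export, flagging undocumented devices, registered assets that were not seen or have been silent for a long time, and hosts on out-of-support operating systems. The CSV layouts, host names, addresses, the legacy OS list, and the 90-day threshold are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data (hypothetical hosts, not from any real plant).
REGISTER_CSV = """mac,name,role,os
00:11:22:33:44:01,DCS-SRV-01,DCS server,Windows Server 2016
00:11:22:33:44:02,HMI-OPS-01,HMI workstation,Windows XP
00:11:22:33:44:03,HIST-01,Historian,Windows Server 2012 R2
00:11:22:33:44:04,VIB-MON-01,Vibration monitoring,Linux
"""

# Discovery export: what a passive scan of the control network actually saw.
OBSERVED_CSV = """mac,ip,last_seen
00:11:22:33:44:01,10.0.0.11,2021-10-04
00:11:22:33:44:02,10.0.0.21,2021-10-04
00:11:22:33:44:04,10.0.0.41,2021-03-15
00:11:22:33:44:99,10.0.0.77,2021-10-03
"""

# Operating systems treated as out of vendor support (illustrative list).
LEGACY_OS = {"Windows XP", "Windows Server 2003", "Windows 7"}


def load(text):
    """Parse CSV text into a dict keyed by normalized MAC address."""
    return {row["mac"].strip().lower(): row for row in csv.DictReader(io.StringIO(text))}


def reconcile(register_csv, observed_csv, today, stale_days=90):
    """Compare the documented inventory with discovered devices."""
    register, observed = load(register_csv), load(observed_csv)
    findings = {"undocumented": [], "not_seen": [], "neglected": [], "legacy_os": []}
    for mac, seen in observed.items():
        if mac not in register:  # on the wire but missing from documentation
            findings["undocumented"].append(seen["ip"])
    for mac, asset in register.items():
        if asset["os"] in LEGACY_OS:
            findings["legacy_os"].append(asset["name"])
        if mac not in observed:  # documented but never seen by the scan
            findings["not_seen"].append(asset["name"])
        elif (today - date.fromisoformat(observed[mac]["last_seen"])).days > stale_days:
            findings["neglected"].append(asset["name"])
    return findings


if __name__ == "__main__":
    for category, items in reconcile(REGISTER_CSV, OBSERVED_CSV, date(2021, 10, 5)).items():
        print(f"{category}: {', '.join(items) or 'none'}")
```

Each finding category maps to a different follow-up: undocumented devices need identification and an owner, unseen or silent assets need a physical check, and legacy hosts feed the vulnerability and risk assessment.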

How Can We Enhance the Cybersecurity Posture of the Plant? 

We can enhance cybersecurity posture by first understanding the existing posture of the organization, which is established through vulnerability assessments and risk assessments. Once weak areas are identified, the proper cybersecurity controls can be deployed according to the security level, and the posture can be corrected.

How Can We Educate Customers to Increase Awareness and Prevent Getting Attacked? 

Existing customers are easy to educate, but for others the first thing is the mindset. It has often been observed that, when we talk about investing in cybersecurity, customers do not show much interest. A better suggestion would be to provide some free training or sessions to customers on cybersecurity.

Only if someone understands the security solutions and how they work can they think of deploying them in the industries. Creating awareness is the prime step for the education of customers.