12 days of cybersecurity: System integrator takes cybersecurity page from IT
Though many OT folks on the plant-floor continue to view their IT counterparts with sometimes justified suspicion, IT has typically been dealing with malware, viruses, worms and other quickly evolving cybersecurity issues for many more years than the manufacturing side—and offers many best practices that OT can use.
"The need for cybersecurity on the plant-floor really catalyzed when data acquisition (DAQ) devices and historians began to evolve," says Scott McCausland, digitalization services manager at IT system integrator Process and Data Automation LLC in Erie, Pa., which is a member of the Krones Group, and a certified member of the Control System Integrators Association (CSIA). "Users always want more data, but how can they get it from instruments and controls, and turn it into better decisions? They needed help from controls and engineering services people to collect information and get it into databases. This also meant that industrial networking was up to the controls guys, who started out with fieldbuses and Ethernet, but saw it become more involved than they could handle, and needed more security as it made more connections."
McCausland reports Process and Data Automation pushes its networking and software engineering staffs to write programs that provide confidentiality and data accuracy, but their highest priorities are availability and uptime. "Our digital services department concentrates on virtual, data and access security, and our mission is to make our client's IT team successful with their mission, while also supporting its production staff. We can speak both IT and control languages, so we can help IT be comfy with the solution we provide, and understand the needs of OT and production. If a client has a robust IT cybersecurity team, we can conform to and design around their infrastructure and data access requirements. If they have a less robust cybersecurity solution, we can help them conform to cybersecurity best practices from NIST, DHS and the ISA/IEC 62443 standard."
Similar to most cybersecurity efforts, Process and Data Automation deploys defense-in-depth layers that make users secure enough for their individual needs, while still giving them easy access to their data. Steps to implement these layers include:
- Understand the client's present cybersecurity architecture;
- Identify a networking program that can enable growth and continuous improvement; and
- Propose a network architecture with stronger cybersecurity that uses zones, conduits, firewalls and DMZs to isolate production from the business levels and the outside world, while still allowing them to be reached as needed.
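The zone-and-conduit idea in the last step can be made concrete as a policy check: every zone is a defined address range, and traffic between zones is permitted only over an explicitly listed conduit, so a business-network host cannot reach a controller directly but can read replicated data in the DMZ. The following is an added example written for this article, not Process and Data Automation's tooling; the zone names, subnets, ports and rules are constructed for illustration.

```python
"""Zone-and-conduit policy check in the spirit of ISA/IEC 62443.

Added example with constructed zones and conduits. Traffic is permitted only
inside a zone or over an explicitly listed conduit; everything else is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example zones (address ranges are illustrative only).
ZONES = {
    "control": ipaddress.ip_network("10.10.1.0/24"),      # PLCs, drives, I/O
    "supervisory": ipaddress.ip_network("10.10.2.0/24"),  # SCADA/HMI servers, historian
    "dmz": ipaddress.ip_network("10.20.0.0/24"),          # replicated data for the business side
    "business": ipaddress.ip_network("10.30.0.0/16"),     # IT / office network
}


@dataclass(frozen=True)
class Conduit:
    """One permitted, directional flow between two zones."""
    src_zone: str
    dst_zone: str
    proto: str
    port: int


# Constructed allow-list of conduits. Note there is no business->control entry:
# the business side reaches production data only through the DMZ.
CONDUITS = {
    Conduit("supervisory", "control", "tcp", 502),   # SCADA polls controllers (Modbus/TCP)
    Conduit("supervisory", "dmz", "tcp", 1433),      # historian replicates into the DMZ
    Conduit("business", "dmz", "tcp", 443),          # business reads replicated data over HTTPS
}


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[bool, str]:
    """Decide whether a flow is justified by the zone model, with a reason."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "endpoint outside every defined zone"
    if src == dst:
        return True, "intra-zone traffic in " + src
    if Conduit(src, dst, proto.lower(), port) in CONDUITS:
        return True, "permitted conduit %s->%s %s/%d" % (src, dst, proto, port)
    return False, "no conduit %s->%s %s/%d" % (src, dst, proto, port)


def audit_rules(rules: List[Tuple[str, str, str, int]]) -> List[Tuple[str, str, str, int]]:
    """Return the proposed firewall rules that no zone or conduit justifies."""
    return [rule for rule in rules if not check_flow(*rule)[0]]


if __name__ == "__main__":
    proposed = [
        ("10.10.2.5", "10.10.1.20", "tcp", 502),    # SCADA -> PLC: allowed conduit
        ("10.30.8.1", "10.20.0.10", "tcp", 443),    # office -> DMZ: allowed conduit
        ("10.30.8.1", "10.10.1.20", "tcp", 502),    # office -> PLC: bypasses the DMZ
        ("198.51.100.7", "10.10.1.20", "tcp", 502), # outside world -> PLC: no zone
    ]
    for rule in proposed:
        print(rule, check_flow(*rule))
    print("rules to reject:", audit_rules(proposed))
```

Running the audit over a proposed rule set before it goes into a firewall is the practical use: anything the conduit list does not justify is either a mistake or a request that needs a new, documented conduit.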
"Each client and their application has individual and organization-driven requirements, so cybersecurity must also be based on access control determined by individual responsibilities," says McCausland. "Users should only be allowed into areas where they're authorized to work, but even if someone is allowed to work in both finance and operations, those areas still need to be in separate zones, and track-and-trace functions still need to show who is working where and when."
Once initial architecture and network protections are in place, McCausland reports threat and anomaly detection software can help find potentially malicious probes and intrusions. "There are generalized patterns among authorized users, so monitoring and detection tools can be set to find and block unusual patterns, activity and IP addresses, unless they're subsequently authorized," says McCausland. "For example, we had a client in operations who traveled a lot, and tried to access his operation network from the airport, but was blocked because he couldn't identify who he was sufficiently. For a year, he had to get temporary access from his IT department, and later added two-factor authentication that sent a code to his smart phone, which granted access after confirming he was the right person."
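The "generalized patterns among authorized users" that McCausland describes can be learned from past access logs and used to flag a login that breaks them, such as the airport access in his anecdote, while still honoring an explicit authorization granted afterwards. The following is an added example written for this article, not the integrator's detection software; the log format, user names, addresses and timestamps are constructed.

```python
"""Baseline-and-deviation check over remote-access log lines.

Added example with constructed data. Each user's baseline is the set of /24
networks they normally connect from and the hours of day they normally work;
an attempt outside either is blocked unless it was explicitly authorized.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple

# Constructed log lines: "<ISO timestamp> <user> <source ip> <result>"
BASELINE_LOG = """\
2024-03-04T08:02:11 jdoe 10.30.4.17 ok
2024-03-04T08:05:40 jdoe 10.30.4.17 ok
2024-03-05T07:58:03 jdoe 10.30.4.22 ok
2024-03-05T13:15:21 jdoe 10.30.4.17 ok
2024-03-06T09:10:45 jdoe 10.30.4.17 ok
2024-03-04T10:00:00 mlee 10.30.7.5 ok
2024-03-05T10:30:00 mlee 10.30.7.5 ok
2024-03-06T11:00:00 mlee 10.30.7.9 ok
2024-03-06T11:05:00 mlee 10.30.7.9 fail
"""


def parse(line: str):
    """Split a log line; the result column is optional for new attempts."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    ip = ipaddress.ip_address(parts[2])
    result = parts[3] if len(parts) > 3 else None
    return ts, parts[1], ip, result


def build_baseline(log_text: str) -> Dict[str, dict]:
    """Per user: the /24 networks and hours of day seen in successful logins."""
    nets = defaultdict(set)
    hours = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = parse(line)
        if result != "ok":          # failed attempts do not define "normal"
            continue
        nets[user].add(ipaddress.ip_network("%s/24" % ip, strict=False))
        hours[user].add(ts.hour)
    return {u: {"nets": nets[u], "hours": hours[u]} for u in nets}


def evaluate(line: str, baseline: Dict[str, dict],
             exceptions: FrozenSet[Tuple[str, str]] = frozenset()) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", reasons) for one access attempt.

    exceptions holds (user, source ip) pairs that IT has subsequently
    authorized, which is how the traveler in the anecdote regained access.
    """
    ts, user, ip, _ = parse(line)
    if user not in baseline:
        return "block", ["no baseline for user %s" % user]
    if (user, str(ip)) in exceptions:
        return "allow", ["source %s explicitly authorized for %s" % (ip, user)]
    profile = baseline[user]
    reasons = []
    if not any(ip in net for net in profile["nets"]):
        reasons.append("source %s outside usual networks" % ip)
    lo, hi = min(profile["hours"]), max(profile["hours"])
    if not lo <= ts.hour <= hi:
        reasons.append("hour %02d outside usual window %02d-%02d" % (ts.hour, lo, hi))
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    attempts = [
        "2024-03-07T08:30:00 jdoe 10.30.4.17",     # usual desk, usual hours
        "2024-03-07T16:45:00 jdoe 203.0.113.40",   # unfamiliar network (e.g. airport)
        "2024-03-07T02:00:00 mlee 10.30.7.5",      # usual network, unusual hour
    ]
    for attempt in attempts:
        print(attempt, "->", evaluate(attempt, baseline))
    granted = frozenset({("jdoe", "203.0.113.40")})
    print("after IT authorization:", evaluate(attempts[1], baseline, granted))
```

The decision deliberately names every reason it found, because the value of such a tool on the plant floor is the follow-up conversation with IT, not the block itself; in practice the second factor McCausland describes would replace the hand-maintained exception list.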
To implement these and other modern cybersecurity tools, McCausland explains the most important element is co-educating IT and OT personnel, so they can "play in the same sandbox," because more clients are requiring the two sides to cooperate. "IT holds the keys to the kingdom for all PCs and networks, while OT controls operations," he says. "We speak both of their languages, translate as needed, and advocate for both sides. Operations needs IT to support production, and IT needs to do it for everything to harmonize. We recently had a manufacturing client implement security, so no vendor could get remote access. However, we had a candid talk with them, described the exact information we needed and when we'd need it, and these definitive criteria helped and fostered our relationship. We're also working as part of a new group that includes the client, their OT and IT people, and ours. We've even created a new role for a 'manufacturing IT' person that's part of our integration group, makes sure users have access and helps them work together. This 'internal system integrator' is someone that all of OT can talk to, and who can talk to IT, just as we'd do to bridge gaps."
McCausland adds this new bridging role will help many clients "operationalize" cybersecurity and other IT functions by moving them from larger, one-time capital expenditures (CapEx) to ongoing, smaller operational expenditures (OpEx). "These manufacturing IT people can give OT more data about what's happening at the IT level, such as how to handle new patches coming in, or when a vendor has been flagged for some issue. This role can also give IT more information about what's happening on the plant-floor to maintain uptime and aid continuous improvement. Consequently, they can also improve cybersecurity by opening and maintaining communications among all these parties."