This article is one in the 2021 cybersecurity update multi-part series.
Much of the useful news, historical context and practical advice on cybersecurity comes from end users and system integrators who've already run the gauntlet. However, most recovered from cyber-probes, -intrusions and -attacks by implementing effective new tools and software from process control and automation suppliers, who have plenty of helpful recommendations on how to protect process operation and facilities. Here are a few of the latest.
Acquired Data Solutions
Steven Seiden, president of Acquired Data Solutions (ADS), reports that the company addresses cybersecurity by making it part of an overall risk management framework based on NIST 800-53, which it uses to make its automation testing products secure. ADS has also made cybersecurity part of its engineering lifecycle as the issue has continued to emerge in the past three to five years. ADS is a system integrator and industrial automation testing firm in Rockville, Md., and a member of the Control System Integrators Association.
"We help users develop risk profiles based on NIST 800-53, mostly for aerospace and critical infrastructure applications, and conduct penetration testing of development, security and operations (DevSecOps) to address ransomware," says Seiden. "This is crucial because one of the major trends we're seeing is a systematic mining of potential attack surfaces. Unfortunately, during and after COVID-19, many of the network boundaries that used to be limited to the organizational boundary have disappeared, and now everywhere is becoming an attack surface. Consequently, we need user-defined and dynamically defined boundaries, along with smart security applications that can see them."
To enable more intelligent cybersecurity, ADS reports it recently partnered with Assert Security (www.assertsecurity.io), which provides security test automation solutions, such as its Vinari software. This partnership will enable ADS to make sure its users' Internet-linked devices and presences are secure, and conduct continuous, automated cybersecurity testing of software, which is increasingly required by governments and other organizations.
"These functions can only be done with smart security software," says Seiden. "In the future, we may also add mobile apps, so users can determine the locations of ports they want to keep open."
Emerson
"When users set up industrial networks, they must also look at hardening and protecting them by changing passwords, finding open Ethernet ports, closing unused ports, encrypting communications, checking that networks are operating normally, and turning on time-synchronization functions," says Eric Braun, product security officer for Emerson's Measurement Solutions division. "It's also crucial to compartmentalize and segregate networks with firewalls and other defensive layers, and establish procedures for examining logs and quick remediation. To identify where probes and intrusions occur, network forensics can be carried out by an in-house or outsourced team that blends IT and OT experts, but it's likely best to call in a third party for remediation."
To address similar and growing concerns about device-level cybersecurity, Braun reports that standardized network protocols will be needed. "The lower levels of the Purdue model for industrial control system (ICS) security used to be isolated, but they're becoming more vulnerable, too," says Braun. "You can make a regular device-level protocol like HART more secure, but the result is it can't interface and loses its interoperability. Consequently, we need to use more open protocols that can also provide device-level security. These include HART-IP that supports native security; OPC UA that can adjust to its own security model; MQTT that can add security functions; and Ethernet Advanced Physical Layer (APL) that provides interoperability and security. Open protocols can also publish details that can be reviewed, and use encryption algorithms and private software keys. Former proprietary protocols are less open and less able to be reviewed, which makes them weaker."
Braun adds that Emerson has implemented OPC UA and a secure version of HART-IP in its products, and "bakes in" cybersecurity at all stages of its design, development and testing processes. "We also use threat models, perform vulnerability assessments, and conduct penetration testing," says Braun.
Rockwell Automation
"Cybersecurity starts with best practices like performing asset inventory and risk assessment, then identifying vulnerabilities and applying things like network segmentation to mitigate risks," says Tim Mirth, PlantPAx platform leader at Rockwell Automation. "We're seeing an increase in attacks, such as ransomware, since many cybersecurity best practices aren't in place. Sometimes it's the use of outdated equipment, exposed networks or a lack of sufficient backups that safely restart operations. That means having securely stored and tested backups of things like servers, controller configuration files and even historical data."
Along with protecting assets, Mirth reports more insurers are requiring process industry companies to establish and maintain robust security postures. This includes aligning with standards and partnering with security-competent companies. "Once you identify your assets and any vulnerabilities, trusted partners can provide guidance to help mitigate those vulnerabilities," says Mirth.
Because security is multifaceted, Mirth explains that product-only security isn't enough. He adds that network segmentation is necessary due to growing use of remote access. Segments and functional zones can be separated by logical segmentation, using virtual local area networks (VLAN), firewalls, demilitarized zones (DMZ), encrypted tunnels and other network strategies depending on the company's risk posture. "Segmentation planning involves multiple steps. First, identify process zone requirements and risks, such as functionality, efficiency and criticality. Next, make judgement calls on the risk posture of each zone. From there, separate critical production processes and their network from less-critical, higher-up administrative and enterprise areas to reduce the threat landscape," explains Mirth. "Then the main question becomes how to control communications between areas if they need to share data? This is where we need to apply authentication, authorization, firewalls and cryptography."
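One way to express the zone-and-conduit planning Mirth describes as a checkable, default-deny policy. This is an example added here, not Rockwell Automation's code; the zone names, criticality scores, ports and observed flows are constructed assumptions.

```python
from dataclasses import dataclass

# Steps 1-2: zones with a judged criticality (higher = more critical). Constructed values.
ZONES = {"enterprise": 1, "dmz": 2, "supervisory": 3, "process_control": 4}

@dataclass(frozen=True)
class Conduit:
    """One permitted inter-zone path and the controls required on it."""
    src: str
    dst: str
    port: int
    authenticated: bool
    encrypted: bool

# Steps 3-4: the only paths allowed between zones (hypothetical plant).
CONDUITS = [
    Conduit("enterprise", "dmz", 443, True, True),
    Conduit("dmz", "supervisory", 4840, True, True),  # 4840: OPC UA default port
    Conduit("supervisory", "process_control", 4840, True, True),
]

# Constructed sample of observed flows: (source zone, destination zone, port).
OBSERVED = [
    ("enterprise", "dmz", 443),
    ("enterprise", "process_control", 502),
    ("supervisory", "process_control", 4840),
]

def audit_policy(zones, conduits):
    """Return findings for conduits that weaken the segmentation plan."""
    findings = []
    for c in conduits:
        if c.src not in zones or c.dst not in zones:
            findings.append(f"{c.src}->{c.dst}: unknown zone")
            continue
        if abs(zones[c.src] - zones[c.dst]) > 1:
            findings.append(f"{c.src}->{c.dst}: skips an intermediate zone")
        if not (c.authenticated and c.encrypted):
            findings.append(f"{c.src}->{c.dst}: lacks authentication or encryption")
    return findings

def check_flow(conduits, src, dst, port):
    """Default deny: an inter-zone flow needs an exactly matching conduit."""
    if src == dst:
        return True  # intra-zone traffic is outside this inter-zone policy
    return any((c.src, c.dst, c.port) == (src, dst, port) for c in conduits)

def violations(conduits, flows):
    """Observed flows that no conduit permits."""
    return [f for f in flows if not check_flow(conduits, *f)]
```

Conduits are directional, so a reply path from the DMZ back to the enterprise zone would need its own entry.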
Mirth concludes that cybersecurity must be continually updated over the lifecycle of the process system. "All users, system integrators and the like have to be authenticated and authorized to access information, and that list of users needs to be updated, just as software patches are updated. Users and patches that are OK today may not be tomorrow," says Mirth. "ODVA CIP Security and other protocols are beginning to define ways to gain end-to-end and device-to-device capabilities that will lead to a zero-trust and zero-touch security landscape. This is an exciting premise. We're not quite there yet, but development continues for OT-based applications and users.
"Likewise, there are other promising technologies, such as software-defined networking (SDN), that could allow another layer of defense by restricting data flow and improving network availability. For example, SDN enables micro-segmentation from one device or area to another – almost like their own personal network. SDN can also be used to increase availability by providing multiple network paths, all of which can be obfuscated to the user, so that they can focus on running their plant. SDN still needs to be proven for OT demands but has been used in the IT space for a few years now. The technology is promising as security strategies continue to evolve."