This article is one in the 2021 cybersecurity update multi-part series.
There's no way to go it alone on cybersecurity. Because no one knows everything, even the most informed and competent end user is going to need help from someone with more know-how and information about a certain device, software, best practice or other protection their process or facility requires. Mere mortals usually need cybersecurity help just to get started. Fortunately, there are many well-informed and generous sources who can provide history, education, encouragement and solutions to make cybersecurity projects workable, efficient, thorough, cost-effective and reliable over the long term.
IT vs. OT to Ethernet and IIoT
Laurie Cavanaugh, business development director at E Tech Group, reports that cybersecurity's recent evolution is a natural outgrowth of operations technology (OT) and information technology (IT) learning to work together and speak each other's languages. Located in West Chester Twp., Ohio, E Tech is an engineering and systems integration firm that combined with Superior Controls, Banks Integration and Glenmount Global Solutions in 2018, and presently has more than 400 staffers in 14 locations. Superior is a certified member of the Control System Integrators Association.
"We migrated into the IT space 20 years ago due to working in consumer packaged goods (CPG)," says Cavanaugh. "This lets us put on our part-time therapist hat, and explain to both IT and OT that the enemy isn't within and that they need to develop a cybersecurity plan for who's going to do what."
Cavanaugh explains that OT and IT must cooperate on their organization's overall cybersecurity assessment, which will give a true reading of its OT assets, PLCs and unmanaged devices, as well as its network topology, managed switches, firewall protections and IT-related components. "We move users to a Converged Plantwide Ethernet (CPwE) strategy that's driven more by Internet of Things (IoT) demands. This lets them begin to speak a more common IT-OT dialect," says Cavanaugh. "This is important because they still have the same needs and tasks, such as patch management. Whether they're updating servers or PLCs, the behavior needed for patching either is the same. It's not just assessing vulnerabilities and prioritizing the fixes they need, but also modernizing automation platforms as obsolete equipment poses cybersecurity risks as well."
Un-flatten your network
To begin addressing some of the IT-based tasks that cybersecurity requires, individual process and site characteristics can show what gaps need to be filled, and point the way to the most suitable and effective remedies.
"The first step in any cybersecurity program is an audit because you must know what you have," says Dave Jennings, cybersecurity director at AutomationPlus, a division of Plus Group, an architecture and engineering firm. "And as you do the network and security audit, you do a risk assessment (RA) for what you find, and come up with a mitigation design based on the RA priority of each item. You basically take the audit's results and use it to fill in the gaps."
Jennings reports the biggest single gap is facilities and organizations with one big, flat network that allows production processes and corporate functions to be connected. "The number one way to segment is to put a demilitarized zone (DMZ) between production and enterprise networks," says Jennings. "The newer strategy is to monitor and manage network traffic. This includes determining which HMIs, PLCs and PCs are talking to each other, establishing a traffic pattern for them, using an automated software platform to check for anomalous traffic and any new services that are running, and continuing endpoint monitoring of network firewalls, switches and services."
Jennings adds that AutomationPlus doesn't just approach cybersecurity from a network perspective, but also provides it as part of an entire information system for the plant floor because users mainly want convenient data access and control. "We look at a bigger picture that includes cybersecurity as part of a complete information and control system for the plant floor," says Jennings. "AutomationPlus usually provides a virtual VMware stack to run all operating systems, and implements all workstations, HMIs and data reporting devices as thin clients. Of course, a lot more of this has been needed lately due to the COVID-19 pandemic because more users want remote access."
Before connecting a VMware stack to the plant floor, Jennings explains that a cybersecurity audit and risk assessment must be done first, as well as network segmentation and security mitigation. "This is when we connect what previously wasn't connected, such as using Ethernet and gateways to add discrete I/O," says Jennings. "We use three easy steps at AutomationPlus: audit, mitigate and monitor. Along with monitoring, we do continuous cybersecurity auditing and testing of firewalls and other mitigation controls including penetration testing. We also make sure that staff are trained, and that they don't have email or anything like it near the plant floor or going through the DMZ, which is why we used thin clients and software that run safely on a server. When I'm in a customer's control room, the first thing I recommend is to get any PCs there off the Internet. Cybersecurity has more to do with people and policies than it does with technical migration techniques."
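The monitoring step Jennings describes, learning which HMIs, PLCs and PCs normally talk to each other and then flagging new flows, new services and any production-to-enterprise traffic that skips the DMZ, can be sketched in a few lines. This is an added example, not code from the article or from AutomationPlus; the zone ranges, addresses and flow records are constructed sample data, and the zone map stands in for what a site audit would document.

```python
# Added example (not from the article or AutomationPlus): baseline the flows
# seen in a known-good window, then flag new flows, new services and any
# production<->enterprise traffic that bypasses the DMZ. Zone ranges, addresses
# and flow tuples are constructed sample data standing in for NetFlow/span-port
# exports and the zone map from the site audit.
from ipaddress import ip_address, ip_network

ZONES = {
    "production": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "enterprise": ip_network("10.30.0.0/16"),
}

def zone_of(addr):
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def learn_baseline(flows):
    """Record every (src, dst, dst_port) triple seen in the learning window."""
    return set(flows)

def check_window(baseline, flows):
    """Return [(flow, [finding, ...])] for each flow absent from the baseline."""
    served = {(dst, port) for _, dst, port in baseline}   # ports each host serves
    findings = []
    for src, dst, port in flows:
        if (src, dst, port) in baseline:
            continue                                       # known-good pairing
        kinds = ["new_flow"]
        if (dst, port) not in served:
            kinds.append("new_service")                    # host never served this port
        if {zone_of(src), zone_of(dst)} == {"production", "enterprise"}:
            kinds.append("zone_bypass")                    # skipped the DMZ
        findings.append(((src, dst, port), kinds))
    return findings

# Constructed sample windows. 44818 = EtherNet/IP, 502 = Modbus/TCP, 1433 = SQL.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.2.10", 44818),   # HMI -> PLC
    ("10.10.1.5", "10.10.2.11", 44818),   # HMI -> PLC
    ("10.10.3.20", "10.20.0.5", 1433),    # historian -> DMZ data mirror
    ("10.30.4.7", "10.20.0.5", 1433),     # enterprise client -> DMZ mirror
]
LATER_FLOWS = BASELINE_FLOWS + [
    ("10.10.2.10", "10.10.2.11", 502),    # PLC-to-PLC Modbus: never seen before
    ("10.30.4.7", "10.10.2.10", 44818),   # enterprise host straight to a PLC
]
```

Running `check_window(learn_baseline(BASELINE_FLOWS), LATER_FLOWS)` returns two findings: the PLC-to-PLC Modbus flow as a new flow and new service, and the enterprise-to-PLC flow as a new flow that bypasses the DMZ.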
Detection tools reduce insurance costs
Back at E Tech, Cavanaugh reports it recently worked on cybersecurity with a large metal processing company, and discovered that 80% of its in-cabinet switches were unmanaged, and 40% of its PLCs were non-compliant with cybersecurity requirements. Plus, it was running old DeviceNet protocol and other obsolete systems that were exposed, and it didn't know if the HMIs on its control network, which typically require access via a VPN, were also exposed to the Internet and vulnerable. "This company began to move on cybersecurity when it realized its insurance provider raised premiums and reduced coverage after a review of two manufacturing sites. Having a cybersecurity plan in place, and acting on the remediation recommendations, helped them have a new conversation with the insurance company," says Cavanaugh. "Similarly, other users like water/wastewater utilities are talking more with each other about cybersecurity, and working amongst themselves, where they used to be less likely to share best practices."
Tim Ingalls, cybersecurity expert at E Tech, adds that cybersecurity is also ramping up among the biotechnology firms it serves, but they must also resolve conflicts between costly processes that can't be interrupted and IT-based demands to periodically shut down networks for patching. "Most biopharmaceutical systems are also validated, so they can't be altered whenever users desire. They should also be built with network layers, demilitarized zones (DMZ) and barriers around everything to reduce risk," says Ingalls. "Microsoft famously applies patches on Mondays and Tuesdays, but if a planned patch from IT requires a production system to be revalidated, then OT will likely need to sequester and delay it until it can be applied safely."
Cavanaugh adds that once cybersecurity gaps in networks and devices are identified, they should be prioritized by severity and frequency, but also according to which mitigation response will allow the best results. These can include boosting profitability, enabling access to data for analytics, securing connections at the least cost, and even fitting in with the user's future plans for its application and network. She reports that E Tech often uses Nessus vulnerability scanning software from Tenable Inc. to compare current security levels and activity against prior benchmarks. "After finding initial vulnerabilities and replacing unmanaged switches, users must continue to look at their PLCs, drives and other devices, especially those approaching obsolescence, and make sure they're adhering to corporate risk and security standards," she says. "Next, they must check network traffic by applying an intrusion detection system (IDS), and employing an intermediate distribution frame (IDF) to examine traffic from different panels. They also need to run staff awareness campaigns, and train personnel not to open phishing emails.
"Sometimes IT is afraid of OT, so we bridge gaps, run scans on the OT side, address their trust issues, and encourage them to acknowledge that they didn't get along in the past. This helps them decide who's responsible for what from the top floor to operations. This also means determining what's in IT's bubble of responsibility and what isn't, and many organizations are still trying to answer these questions."