The investor analysts questioned the executive board about their cyber-exploits, “Can you please assess your capabilities to repel or recover from a cybersecurity breach?” It’s a valid inquiry, especially when stories (and non-stories) of utilities and manufacturing enterprises being halted by cyberattacks are now routine.
Less-than-brilliant hackers in their parents’ basements might take offense. There are ransomware exploits for sale on the dark web, which intruders can use to lock up your PCs until you pay them off. They’re competitively priced and ready to be deployed by any novice. Why wouldn’t CEOs turn to their CSOs or CISOs and say, “Tell me we’re protected from this trash”? Perhaps they might even use some profanity to describe their concerns.
Managed barriers—firewalls, for example—have been in place for years at the edges of our business networks, where they interact with the larger Internet. Still, exploits sneak through, unbeknownst to employees, who connect a phone to a company laptop for charging, or insert a USB drive for transferring a file via “sneaker net.” Emails are filtered for all manner of might-be spam. It’s a better-safe-than-sorry philosophy for email delivery, especially because we get the chance to review blocked messages. Among the spam are phishing exploits that give attackers possible routes around cyber-barriers.
Process control networks are largely isolated from the deranged and decadent free-for-all of today’s World Wide Web, or at least we hope they are. One of the first things an auditor tests is whether you can “ping Google” from your distributed control system (DCS). For a few decades, we took comfort in the air gap that separates us from criminal exploits on the web.
However, Windows-based PCs and server-based operating systems run most operator workstations, engineering consoles, historians and database servers. Windows boxes have USB ports just like their business network kin, so unsuspecting end users can insert their diseased dongles or charge their infected iPhones. We block them, either with Group Policy Objects (GPOs) in Active Directory or with mechanical USB port blockers. One vendor’s remedy for deploying group policy had the undocumented feature of also disabling USB ports serving mice and keyboards. This rendered useless an operator workstation—an essential tool for running a chemical plant. We spent hours into the weekend uninstalling the software, after which the affected workstations had to be reconstructed (bare metal install) from scratch.
Ethernet switches must have their unused ports physically blocked, and many of us have invested a few thousand dollars each to replace unmanaged switches with managed switches, which can lock down all their ports through firmware. This sounds great until the firmware has a hiccup and blocks a legit connection, or you swap out a workstation or a controller, and discover it has no connection to its kin on the process control network. Oops, forgot to unlock the ports. Issues such as these exemplify the core question of this essential tool of operations: is the cure worse than the disease?
The ideal control system is an uninterrupted connection to the (ideal) operator’s mind. They see flows, levels, pressures and their connections to the process, not numbers and graphics. It will not be a happy day when their workstations lock up, not because of ransomware, but because the latest unseen whitelisting update blocked an OPC connection or slowed their console to a crawl.
Thankfully, our system vendors vet the software to protect the OT domain. There’s hope that unknown features will be dispatched before the ladies and men at the console have an unfortunate experience.