Years and decades of reliable service make legacy equipment and systems familiar, but they don’t make them cyber-secure. In fact, older devices are typically more vulnerable than newer ones, which makes it especially important for them to be part of any thorough cybersecurity risk assessment (cyber-RA).
“The biggest turning point we’re seeing is that many companies are realizing they don’t have cyber-secure equipment bridging their IT and OT networks. They’re also learning it’s easy to add managed switches to serve as firewalls and protect new devices, but the biggest danger is old machines that have been in place since the 1960s,” says Andrew Harris, business development director for controls and instrumentation at ACS, a system integrator in Verona, Wis., near Madison, and a member of the Control System Integrators Association. “It’s crucial to address these weakest links, even if they’re located in support equipment like HVAC and building management systems.”
To address cybersecurity issues jointly faced by users, their upstream contractors, downstream customers and other partners, Harris reports it’s vital for users to conduct a cyber-RA and get a third-party intrusion test, which identifies their vulnerabilities, and shows where they need to upgrade and protect their devices and networks. After that, they need to do a new RA every five years during the life of their machines to address new devices and connections that have likely been added in the interim.
“Production needs can change quickly, but related cybersecurity requirements may not get rechecked right away,” adds Harris. “A new variable-speed drive might bring in a cable that isn’t routed through the firewall, or some users could inadvertently make unprotected Bluetooth connections on the plant-floor.”
Revamping automotive test cells
For instance, ACS recently helped a large automotive manufacturer upgrade 28 internal combustion engine (ICE) test cells as part of a larger facility modernization (www.acscm.com/projects/facility-upgrade-internal-combustion-engine-test-cells). These cells use dynamometers, outdated programmable logic controllers (PLCs) and a data acquisition (DAQ) system to research and develop cycle calibrations, validate engine performance prior to production, and generate critical, proprietary data. However, they ran on aging technology, while replacement parts were increasingly hard to find, and only one software engineer with the expertise required by its custom, legacy DAQ system remained on staff. The cells were also limited in the testing they could support, requiring units under test to be moved to different locations onsite to finish testing.
To upgrade the cells in place without impeding ongoing testing operations, ACS and its client scanned the available 116,000-square-ft space, allocated 30,000 square feet for the new testing space, and implemented phased replacements of PLCs and a DAQ system for the 28 ICE test cells in ACS’ custom-built cabinets, which interface with all of the automaker’s existing facility and test systems. Nine of the cells also received cold-fluid mechanical upgrades, which consisted of adding ACS’ mechanical skids to integrate coolant, charge air cooling and fuel systems, accommodated cold-fluid testing down to -20 °F, and expanded the plant’s testing capacity. Five other cells were upgraded with specialized benches to conduct different types of emissions testing, including certification testing to meet EPA 1037 and 1065 regulations, and added emissions analyzers that interface with sampling controllers and valves. ACS integrated the entire system into its customized design package, and subsequently improved the reliability and accuracy of test results.
Switches secure data gathering
Likewise, upgraded software enables the PLCs and DAQ system to pull information from multiple sources in the cells and unit under test, and synchronize it with one timestamp. To better network, access and monitor the cells, Harris reports that ACS and the automaker added Cisco’s managed Ethernet switches using regular TCP/IP protocol between the machines and their plant network, which secures its multiple potential failure points by disallowing unauthorized access or communications. ACS also installs the switches in all devices for its projects before shipping to their sites. These switches provide cybersecurity by operating three layers on each switch, including:
- Layer 1 is a programmable patch panel that establishes a connection between ports, which is just the basis of an unmanaged switch.
- Layer 2 is where data packets are pushed to their destinations, using media access control (MAC) addresses.
- Layer 3 is the network layer with firewall functions, which performs network monitoring between the switch and others in the IT area, and monitors network traffic for anomalous activity or sources.
The switches can be configured so users can set up communications with known devices. This tells users which test cells and other equipment are supposed to be on the network, lets them distinguish those from laptops and other devices that may be seen as anomalous, and lets them add MAC addresses for other authorized devices.
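The known-device check described above can also be run as a periodic audit of what a switch has actually learned. The following is an added example, not code from ACS or the article: the device names, MAC addresses and port assignments are constructed, and the sample text only follows the layout of Cisco IOS "show mac address-table" output.

```python
import re

# Constructed allowlist (hypothetical inventory): MAC -> (device name, expected port).
AUTHORIZED = {
    "00:11:22:33:44:01": ("test-cell-01-plc", "Gi1/0/1"),
    "00:11:22:33:44:02": ("test-cell-01-daq", "Gi1/0/2"),
    "00:11:22:33:44:03": ("test-cell-02-plc", "Gi1/0/3"),
}
# Constructed sample in the layout of Cisco IOS "show mac address-table" output.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/7
  10    a4b1.c2d3.e4f5    DYNAMIC     Gi1/0/9
"""
# One table row: VLAN id, dotted MAC, entry type, port name.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\s+(\S+)\s+(\S+)\s*$")

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def audit(table_text, authorized):
    """Compare learned MACs with the allowlist; return findings in table order."""
    known = {normalize_mac(m): info for m, info in authorized.items()}
    seen, findings = set(), []
    for line in table_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        _vlan, mac, _type, port = m.groups()
        mac = normalize_mac(mac)
        seen.add(mac)
        if mac not in known:
            findings.append(("UNKNOWN_DEVICE", mac, port))      # e.g. a laptop
        elif known[mac][1] != port:
            findings.append(("MOVED_PORT", known[mac][0], port))  # recabled device
    for mac, (name, _port) in known.items():
        if mac not in seen:
            findings.append(("MISSING", name, None))  # expected but not on the network
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_TABLE, AUTHORIZED), sep="\n")
```

A matching MAC address shows only that the address is expected, not that the device behind it is genuine, so this audit complements the switch's own access controls and traffic monitoring.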
“Test cells produce lots of critical and proprietary data, so our automotive client wants to be confident none of it’s at risk of being lost or stolen,” says Harris. “This is just protecting information on physical equipment, so we’re not moving any of this data to the cloud or allowing any remote control. However, we still need to monitor this network’s connections and traffic to make sure that only communications with the automotive client’s locations are occurring. So far, no equipment has been compromised because we’re only monitoring switches and network traffic, and unauthorized and third parties can’t get out of the switches. Our client is already in the process of adding this solution to more locations.”
Even though its costs can vary widely and negatively impact production time, Harris agrees that conducting a cyber-RA is essential because the International Monetary Fund (IMF) reports that cyber-incidents have doubled since the COVID-19 pandemic.
“If you’ve only got two pieces of equipment, then doing a cyber-RA is pretty easy. However, if you’ve got 200 devices, it’s easier to show potential damage from a breach, but you’ll probably need to seek funding,” explains Harris. “We support adding layered switches between devices, of course, but it’s also important for plant-level personnel to establish risk-reduction policies and procedures like their IT-based counterparts.”
Having a cyber-response plan is crucial because, not only do cyber-threats evolve and emerge quickly, but undocumented—though not malicious—devices can likewise pop up without notice. “We’ve seen a user drop a 5G hotspot and router onto their plant-floor, so they could access production equipment remotely,” says Harris. “This is OK if it’s an approved process and is monitored and managed, but if it’s not approved or even just in unattended mode, then it’s a big vulnerability and risk.”
Harris concludes that cyber-RAs must also be routinely updated as new equipment and capabilities are added, and as new cyber-threats emerge. “A cyber-RA is a living document,” says Harris.