Unfortunately, dealing with multiplying cyber-threats means learning and adopting new cybersecurity remedies, requirements and standards. Luckily, many suppliers are experts in the latest developments, and can provide much-needed guidance and advice.
Emerson
Because more hits on the OT side show that they’ll inevitably have to deal with cyber-intrusions and attacks, users are increasingly concerned, reports Alexandre Peixoto, cybersecurity business director for Emerson’s Process Systems and Solutions business. Their managers know they must do something because they’ve come to understand that anyone can be a target.
“Just because cybersecurity hasn’t been part of their critical infrastructure before is no excuse not to do it now, so we’re seeing more requests from users to get educated about it,” says Peixoto. “Once they do passwords and network segmentation, they want to know what else they should do. Unfortunately, many companies don’t have enough staff for cybersecurity, so it’s easy to get overwhelmed.”
Spurred by EU requirements
Peixoto adds that more users are asking for help with cybersecurity because of the European Union’s new Cyber Resilience Act (CRA) and its earlier Network and Information System (NIS) 2 security directive, which require users to define critical infrastructure and procedures for protecting it.
“NIS 2 focuses on assets and process owners, but again, they can’t do everything, so they need to perform due diligence, and determine where they need partners,” explains Peixoto. “This is why CRA focuses on rules for suppliers. Many of them are already following the IEC/ISA 62443 series of standards to help certify their solutions, so CRA is just adding some adjustments to the work they’ve already done.”
Guided by standards
Peixoto reports Emerson started pursuing compliance with cybersecurity standards about 10 years ago. For example, its DeltaV, Version 13 (V.13), distributed control system (DCS) included cybersecurity features in 2016 that accounted for approximately 80% of the overall release at that time. Some of the features released with V.13 sought to prevent online configuration changes by locking controllers via software, and preventing locking status with firewalls to enforce physical presence. V.13 also included administration and auditing tools, which let users review Windows services and files against the baseline set during DeltaV’s software installation.
In 2019, DeltaV, V.14, added an independent domain controller function, which allows users to choose a different server than the DeltaV Professional Plus station or the DeltaV Application station to host the domain controller functionality for the DeltaV system. This separation provides protections similar to IT-based systems. Peixoto adds that V.14 was the first DCS to achieve ISASecure’s System Security Assurance (SSA) certification. Based on the IEC 62443-3-3 standard, this certification ensures that a control system can be deployed following stringent cybersecurity requirements specified in the standards. It also covers the secure development lifecycle to obtain system-level certification, which in this case was covered by the IEC 62443-4-1 standard. Emerson is also certified for development processes under ISASecure’s Secure Development Lifecycle Assurance (SDLA) program.
“Since then, more customers have been demanding products with cybersecurity certifications,” says Peixoto. “We’re shifting from products that add cybersecurity features like firewalls and threat monitoring to providing cyber-governance, policies, and procedures proactively. We’re seeing requests for cybersecurity consultation at projects’ front-end, engineering-design (FEED) phase, which provides users with a cybersecurity roadmap for the whole automation project lifecycle. Other services requested by customers regarding cybersecurity include cybersecurity solution testing, tabletop exercises (drills and simulations similar to what is done for personnel safety), and on-the-job training sessions.”
Rehearse the response
To develop suitable cybersecurity tabletop exercises, and the incident response plan they’re based on, Peixoto reports that Emerson and its clients rely on the National Institute of Standards and Technology’s (NIST) SP 800-61 six-stage framework that shows what users need for cybersecurity, how to pre-plan, and how to drill on the responses they’ve developed.
“If a user’s staff isn’t scanning USB devices, or is bypassing them, a response plan can show how to establish enforcement,” explains Peixoto. “If a user is experiencing a cyber-attack, the response plan can show how to interact with personnel and local law-enforcement. And, if data and evidence have been erased, the plan can show how to restore it and deal with liability issues, too.”
Response plans can also help users decide what threats to consider in the first place and how to study them. They can show how to perform a 2 x 2 prioritization exercise to determine what issues and scenarios are most relevant for each user, as well as what tests would be most applicable and useful. Similar to the severity and frequency analysis used for process safety, prioritization also balances likelihoods versus impacts, and lets users and suppliers discuss cybersecurity issues thoroughly.
Red Lion
With cyber-attacks and other conflicts on the rise worldwide, many controls engineers are seeking to improve the security posture of their processes and facilities to match the risk tolerances of their larger organizations, according to Barry Turner, technical business development manager at Red Lion. “This typically means firewalls and virtual local area networks (VLAN), but risk assessment and risk tolerance surveys are still needed to apply them appropriately,” says Turner. “Because IT departments have usually already elevated their security posture to meet the risk tolerance of the organization, their controls counterparts should have a collaborative approach to implementing cybersecurity measures on the OT network.”
The well-known and crucial trick to aligning IT and OT cybersecurity is resolving their different procedures based on their different priorities. “IT’s priorities are confidentiality, integrity and availability, while OT’s priorities are health, safety and environment (HSE) with a key focus on ensuring uptime,” explains Turner. “Either way, they may be dealing with supply chain-related threats or cyber-probes due to botnets, and devices that got compromised but weren’t discovered for a long time. This is another reason why risk assessments are important for showing users what issues are in front of them and guiding them. There are practical ways to balance security and access to critical systems. This usually begins with multilayer, defense-in-depth strategies enabled by firewalls, encrypted communications, authentication and network segmentation.”
Turner explains that Red Lion builds security into devices by adhering to cybersecurity principles, such as those in the ISA 62443 standard, and applying their IT-based reference architecture to OT components at the design stage.
“User architectures employ zones and conduits with different security levels, so they can balance cybersecurity without interrupting device and operations uptime,” explains Turner. “However, many networks are organizationally flat, even though they use subnets, and many also don’t have virtual local area networks (VLAN) and aren’t aligned with ISA 62443 or other standards. This means they’re still vulnerable when users bring in outside laptops with Windows and other SCADA/HMI software, which can connect via available conduits and allow network traffic. Consequently, many users also deploy managed Ethernet switches, such as Red Lion’s NT 5000, and use devices that can route like FlexEdge, powered by Crimson 3.2 software, to serve as conduits between zones, with routing and conduits driven by our Crimson software.”
Once users learn what ISA 62443 and other cybersecurity standards recommend, Turner adds they can conduct cybersecurity risk assessments, understand their architectures, including OT, and determine their risk tolerance. “This lets users decide how IT and OT should work together in their environments,” says Turner. “This also guides them about what firewalls, encryption and multi-factor authentication they should implement, as well as enabling isolation of critical equipment and systems, and continuous monitoring of their networks, including making first-mile data accessible by joining IoT gateways with IT networks.”
Yokogawa
Just as digitalization keeps turning hardware into software, cybersecurity is likewise evolving from network segmentation and add-on infrastructures to more asset-centric orientations, according to Camilo Gomez, global cybersecurity strategist at Yokogawa.
“Data and applications aren’t just on embedded devices anymore. They’re in the cloud, virtualized and containerized, so cybersecurity is also becoming a managed asset, regardless of its location, which needs to be everywhere anyway,” explains Gomez. “In addition to supporting digitalized functions, cybersecurity is also extending into asset lifecycles by using zero-trust strategies.”
Despite these shifts, Gomez reports that many users and organizations still think they don’t experience cyber-probes, intrusions or attacks. “Users must realize that no one is immune from being compromised, and they should improve their resilience by implementing policies, procedures and processes that can mitigate the likelihood of breaches and incidents. They should also implement technology that can detect, respond and contain cyber-events, and minimize their impact.”
Standardizing security
Matt Malone, industrial cybersecurity consultant for North America at Yokogawa, reports that cybersecurity still closely parallels process safety, but achieving it increasingly means following standards like IEC/ISA 62443 and the four security levels it defines for different potential cyber-threats. These efforts usually start with examining existing controls, and asking whether they have the default capabilities to defend their processes and organizations, or need to be supplemented with something stronger.
Gomez adds that the ISA99 committee and its IEC counterpart launched cybersecurity co-development working groups in April that are expected to reach consensus more quickly, and accelerate development, adoption and publication of consistent cybersecurity requirements. It also plans to refresh sections of existing cybersecurity requirements more quickly. In fact, it’s already reviewed IEC/ISA 62443-2-1 for security programs, and is working on 62443-3-2 for assessments, 62443-2-4 for service providers and system integrators, and 62443-4-1 for security development lifecycles.
“The reviews and updates of IEC/ISA 62443-3-3 and 62443-4-2 are being conducted in parallel, so they can make sure that security technical requirements for systems and components are properly aligned,” says Malone. “These efforts don’t just define cybersecurity functions, but they also enable suppliers to design and provide products and services that are secure by design.”
One of these solutions is the Open Process Automation Standard (O-PAS) that adopted 62443-4-1 and 62443-4-2 in 2018 to help bake cybersecurity into its testbeds and applications. “Users know that O-PAS allows suppliers to implement ISA/IEC 62443 into Level 2 devices and systems,” says Gomez. “This enables them to standardize security functions for their hardware and software.”
To extend these cybersecurity gains, Malone reports that ISA and IEC organizers are also starting to look at conformance certifications for devices and software such as the ISASecure process.
“Certification shows that standards, in this case for cybersecurity, have been adopted and security of products will be kept up-to-date,” adds Gomez. “Certifications can also help suppliers and users demonstrate that they’re complying with new rules like the European Union’s Network and Information Security 2 (NIS2) directive for asset owners and operators. It was released in 2022 with a deadline for implementation that was scheduled for October 2024. Likewise, the Cyber-Resilience Act (CRA) for manufacturers of networks and digital elements was released in November, and came into force in December 2024. These requirements typically don’t state how to achieve compliance, so conforming certifications are useful in showing that they’re following standards and best practices, and earning certifications that let them build compliant devices.”