Once you know that cyber-attacks are multiplying, what do you do next?
“More security incidents remind everyone of the importance of cybersecurity, so there’s clearly increasing awareness, guidelines and regulations about securing networks and physical infrastructures, protecting communications and energy sources, and keeping them updated,” says Matthew Bohne, advisory board chair of the International Society of Automation’s (ISA) Global Cybersecurity Alliance and Chief Product Security Officer at Honeywell. “Lately, this means making devices, networks and process applications secure by design and practice by following the ISA/IEC 62443 standard.”
Though it’s useful to adopt authentication, network segmentation, traffic evaluation and other common cybersecurity best practices, Bohne reports the extent to which users and organizations follow ISA/IEC 62443 or implement other defenses depends on their individual profiles and roles, and how far along they are with each.
“It’s especially important for those in charge, such as chief engineers, to ask what’s being done to secure their operations and facilities,” explains Bohne. “Plant operators are typically focused on operations, but may not always have the resources or capability to focus on critical cybersecurity tasks such as applying software patches, securing budgets and looking at cyber risks that can impact the safe operation of their processes.”
Security at SOCAR and STAR
For instance, State Oil Co. of the Azerbaijan Republic’s (SOCAR) Turkey Aegean Refinery (STAR) in Aliaga, Izmir province, can process 214,000 barrels of crude oil daily or about 10 million metric tons (Mt) annually. Though the refinery is only six years old, SOCAR’s leadership was concerned about recent breaches in other energy sectors, and whether STAR had sufficient protections and skilled resources to apply and maintain them. They determined that STAR’s cybersecurity support requirements included:
- Performance monitoring from several different network levels;
- Flexibility for future extensions, so additional sites could be connected with minimal effort;
- Security clearance (SC) creation for Level 4 assets; and
- Centralized Microsoft and antivirus updates.
To align its industrial control system (ICS) and process control network (PCN) with global industry standards, STAR’s managers consulted with Honeywell about countermeasures needed to elevate the refinery to the next level of cyber-assurance. Specifically, the refinery wanted on-premise, cloud-based, managed security services (MSS) that would provide visibility of operations technology (OT) assets and secure remote access. STAR subsequently implemented Honeywell’s Forge MSS, which provides seamless protection across expanding ICS and PCN attack surfaces, and addresses the visibility, availability and reliability necessary for OT performance in process applications, networks, mobile environments and/or cloud-computing services.
In general, Forge MSS increases cyber-resilience, expedites risk mitigation, shortens recovery time and improves safety records by providing:
- Honeywell’s Secure Connection featuring encrypted communication to protect data;
- Automated patching and antimalware services to ensure all computers are updated with the latest security protections;
- Continuous monitoring and alerting services to monitor the performance and health of the PCN; and
- Intelligent reporting services to transform system statistics into actionable trends.
Forge MSS let the refinery better manage and update its OT assets, as well as deploy an authenticated and encrypted virtual private network (VPN) that lets Honeywell’s dedicated support engineers and subject matter specialists remotely troubleshoot security and maintenance issues. Honeywell’s cybersecurity services let STAR:
- Reduce the risk of security breaches;
- Manage the security posture of its process control infrastructure;
- Provide 24/7 monitoring and alerting of the PCN, including controllers, servers and workstations; and
- Deliver intelligence reporting services to turn system statistics into actionable trends.
SOCAR reports that Honeywell’s assistance gave STAR better control over its OT environment, including improved visibility, connectivity, reporting and monitoring. Forge MSS also provided secure remote access and enterprise visibility of OT-related work without requiring onsite personnel. This saves time for the refinery’s engineers and contractors, who can complete required assignments faster. In addition, geospatial technology and applications center (GTAC)-based remote access and support further reduces the need for onsite staff. Engineers working from home have become STAR’s default practice, while sitework is reserved for emergencies and on-demand tasks.
Common-sense regulations
To meet demands for uniform cybersecurity practices, Bohne reports several governments developed and passed new cybersecurity regulations this year, most notably the European Union’s (EU) Network and Information Security 2 (NIS 2) directive, EU’s Radio Equipment Directive (RED) and its Cyber-Resilience Act (CRA).
Similarly, the Biden Administration issued Executive Order 14028, “Improving the nation’s cybersecurity,” in May 2021, which requires U.S. federal agencies, contractors and service providers to enhance cybersecurity and software supply chain integrity. The U.S. Dept. of Energy (DoE) followed by issuing its “Cybersecurity Strategy” in January. Bohne adds that more rules are expected in the next 12 to 24 months.
“We’re seeing greater sensitivity to cybersecurity worldwide, and customers asking for common specifications,” adds Bohne. “From a vendor’s standpoint, users are getting the message, and seeking cyber-secure development practices that leverage ISA/IEC 62443 for making their products. This is a reminder that cyber-threats are everyone’s problem and that cybersecurity is a team sport. Everyone in each organization must recognize their responsibility and participate for cybersecurity to be successful. For example, a supplier can make a cyber-secure product, but an owner or system integrator has to implement and enable these capabilities securely in order for it to be secure operationally.”
When users seek to update or replace components at the device-level to improve cybersecurity, Bohne reports his first question is: what’s the age of the environment and what security is being applied now? “Equipment that’s 15-20 years old probably isn’t easy to secure or support and may have already passed end-of-life, so it’s no longer getting any software support. If it’s isolated, it can likely continue to operate, but it will need alternative security controls because it’s unlikely software updates are available,” he explains. “It’s more important than ever for owners to ensure they’re keeping the security of their operations updated and patched. Industrial products developed in the last few years have even more cybersecurity designed and baked into devices, which can be tested to make certain they’re secure. They also use a secure software development lifecycle (SSDLC) that ensures good development practices, with many vendors now getting their SDLC certified as compliant with key parts of ISA/IEC 62443.”