Even within the last 5 years, barely a month would go by before another major corporation was compromised. Capital One, Equifax, Citrix, Target and Marriott are just a few notable ones. Financial information, social security information and other sensitive data was now out in the open.
The possibility that your personal information was now available to the highest bidder meant that millions of people were open to identity theft, which results in billions of dollars lost each and every year.
These threats are not going away, and are only becoming more sophisticated. Malware, phishing and denial of service are some of the examples of attacks. Then there are the more notable ransomware attacks, such as NotPetya and WannaCry.
So with a topic as riveting as cyber security, why is the process industry only now just catching on?
The IT/OT Problem
Conversations in the process industry when the topic of cyber security comes up would often go like this: “Hey have you thought about how you plan to protect your DCS from cyber threats?”
Responses will vary, but one could boil them all down to this: “Not really, you might want to speak with IT.”
Except IT then says something like: “We don’t really mess around with the DCS, process control really isn’t our thing. We let the operators handle it.”
Beginning to see the issue?
The differences between IT and OT
IT (Information Technology) and OT (Operational Technology) have similar acronyms, but the reality of their roles is very different. IT is responsible for the networking, protection and overall function of the business network. Emails, financials, personnel records and whatever other systems and information a company keeps is the responsibility of IT. That includes responding to service calls when “try restarting it” just didn’t do.
OT personnel, generally referred to as operations, are responsible for the system of instrumentation and physical equipment that manufactures and creates their products. They utilize DCS and PLC to manage process conditions and operate safely. They interface with these systems via HMIs, which are the same standard PCs you would find in any office environment. These systems can be physical, virtual, or even cloud-based.
The consequences of a compromise in IT
Consequences of a business network compromise in the IT space are often limited to financial losses and embarrassment on the part of the company. Public perception and their reputation could be weakened, but the vast majority of companies do recover.
Consequences of a control system compromise in an operational environment could result in varying degrees of disaster, both financially and to the actual people working there. When control systems and operational environments are compromised in any way, the potential exists for people to lose their lives.
We hear about these mistakes on the news, and they are usually accompanied by explosions, smoke and images of citizens evacuating.
Hurricanes in Texas caused an Arkema chemical plant to catch fire because they didn’t shut down in time, and the exothermic reactions could not be managed, resulting in an explosion. This was a combination of poor decision making, and the force of mother nature.
A hydrotreating unit at an Exxon refinery suffered from poor temperature measurement, limiting visibility into the reactor and leading to catalyst attrition and coke build-up that then overheated to the point where it melted through the side of the reactor. A lack of pervasive sensing was the cause there, and it led to significant changes in the temperature management program at that refinery and others in their network.
Then you have the nuclear disasters of Chernobyl and Fukushima. Chernobyl was the result of cheap design and a lack of accountability in the operational culture of the Soviet Union. Fukushima was mother nature being the one to reveal their design flaws, as the diesel generators that kept cooling water flowing through the core were flooded and shut down.
While none of these examples were the result of cyber security compromises (especially Chernobyl, since that was in 1986), they do illustrate how severe any form of adverse condition can be, and the disastrous consequences of failure.
When does cyber security come into play?
The primary reason for the rift between OT and IT is less a personal one than a genuine understanding that poor operational decisions have far more severe consequences than a hacked email network. IT personnel are not operations and process engineers, and both sides recognize that. Operations also recognizes that they are not computer experts, and even when their computers are having hiccups, they still seek the help of trained systems engineers, because the stakes are so much higher.
(Ok, sometimes the rift is personal, but that is a topic for another article.)
Since the internet age, operations would get around a perceived need for cyber security by claiming to be “air-gapped”. “Air gap” is the common term for a PC that has never been connected to the outside world; it operates only within the confines of itself or its own network. So they would refer to their systems as “air-gapped”, and think that this is the only thing they need to do to protect against cyber threats.
The problem with the air gap is that it’s a fallacy. If a computer has ever been updated, whether from a temporary connection to the internet, a flash drive, a hard disk or someone plugging in their phone, then it is no longer air-gapped!
As we know, no system is future-proof; every system will always need updating, upgrading and maintenance.
Why avoiding an internet connection isn’t enough
This is a question I get asked frequently –
“Doesn’t avoiding an internet connection 99% of the time keep my process safe enough?”
Hopefully you too see the blissful ignorance in this question. The answer, of course, is no.
The idea that every cyber attack comes from a hooded figure in a room with their Matrix-esque, Neo-hacker setup only exists because of popular culture (which includes “The Matrix”). Not to say that they don’t all wear hoodies, because that I would believe. It is more to say that a majority of the threats are brought into facilities unknowingly. Whenever someone plugs in a phone or USB drive, that becomes a pathway for cyber attack!
Essentially, the majority of the threats tend to come from those we know. The ones that are a part of the team.
With the increasing need for connectivity and data-driven decision making, that air-gap is going away. Cloud-based analytics, information being sent to augmented reality devices like smart glasses in the field, all require secure and reliable connections to the internet.
The essential tools to protect against cyber attacks
Cyber security depends on layers of protection, creating boundaries wherever it can to stop the spread of a cyber threat, to isolate it. Most people think of anti-virus, generally referred to as endpoint security, as the byword for cyber protection.
That is simply one piece of the puzzle. Let’s look at what the options are, and the reasons for deploying them.
Firewalls
These are encrypted physical barriers placed between the network and the outside world, and layered throughout the various levels of the network. They offer protection and the ability to notify operations of a malicious presence. Firewalls exist at the internet layer, and even down to the PLC/DCS controller level.
Port Lockdown/Physical Security
Preventing physical connections by securing the computers and limiting personnel access is a way to prevent accidental intrusions into the system. USB connections are closed off, usually allowing for only one connection in order to provide updates manually.
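The single-open-port policy above is easiest to audit when attachments are logged and compared against what was approved. The script below is an added example, not code from the article: it parses constructed dmesg-style USB lines and raises an alert for any attachment that uses a port other than the one left open, or a device not on the approved list. The port path, the approved vendor:product pair and the log format are all assumptions.

```python
"""Added example (not from the article): audit USB attachments against a
port-lockdown policy using constructed kernel-style log lines."""
import re

# Hypothetical policy: one port stays open for manual updates, and only the
# technician's update drive (constructed vendor:product pair) may use it.
APPROVED_PORT = "1-1.2"
APPROVED_DEVICES = {"0781:5581"}

# Constructed log lines in a dmesg-like shape; the exact format is an assumption.
SAMPLE_LOG = """\
usb 1-1.2: new high-speed USB device number 4 using xhci_hcd
usb 1-1.2: New USB device found, idVendor=0781, idProduct=5581
usb 1-1.4: new high-speed USB device number 5 using xhci_hcd
usb 1-1.4: New USB device found, idVendor=0781, idProduct=5581
usb 1-1.2: new full-speed USB device number 6 using xhci_hcd
usb 1-1.2: New USB device found, idVendor=1d6b, idProduct=0002
"""

DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)


def parse_attachments(log_text):
    """Return (port, 'vid:pid') for every 'New USB device found' line."""
    found = []
    for line in log_text.splitlines():
        m = DEVICE_RE.search(line)
        if m:
            found.append((m.group("port"), f"{m.group('vid')}:{m.group('pid')}"))
    return found


def evaluate(attachments, approved_port=APPROVED_PORT, approved=APPROVED_DEVICES):
    """Classify each attachment. Only a matching port AND device is 'allowed';
    everything else produces an alert for operations to follow up on."""
    verdicts = []
    for port, device in attachments:
        if port != approved_port:
            verdicts.append((port, device, "alert: port is not open for use"))
        elif device not in approved:
            verdicts.append((port, device, "alert: device not on approved list"))
        else:
            verdicts.append((port, device, "allowed"))
    return verdicts


def alerts(log_text):
    """Convenience wrapper: just the attachments that violate the policy."""
    return [v for v in evaluate(parse_attachments(log_text)) if v[2] != "allowed"]


if __name__ == "__main__":
    for verdict in evaluate(parse_attachments(SAMPLE_LOG)):
        print(verdict)
```

The check is keyed on both the physical port and the device identity, because either alone is weak: an approved drive in the wrong port still means a sealed port was reopened, and an unknown device in the approved port is exactly the accidental pathway the article warns about.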
Endpoint Security (Anti-Virus)
This is applied to each user station, each point of entry. In this case, each HMI, engineering station and field-mounted display would have AV applied. AV is there to defend you from the threats that already exist in the world. These are the viruses, malware, ransomware and others that have already been used in prior attacks. As new attacks occur, these AV signatures are updated to provide the system with additional protections.
Application Whitelisting
This is for the threats we do not know about. The up-front work to determine which files can be executed and installed is critical. Once that is complete, if an application is not on the list, the file cannot even be opened. Think of it like a bouncer at a party. If you’re not on the list, you’re not getting through the door.
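To make the difference between the two preceding layers concrete, here is an added example (not code from the article) that runs the same set of files through a signature-style blocklist, as AV does, and through an allowlist, as application whitelisting does. The file contents, the “known bad” signature and the approved list are all constructed; real products match on far more than a plain SHA-256, but the decision logic is the point.

```python
"""Added example (not from the article): blocklist (AV signatures) versus
allowlist (application whitelisting), both keyed on SHA-256 of file contents."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files"; the byte strings stand in for real executables.
FILES = {
    "hmi_viewer.exe": b"approved HMI viewer build 4.2",
    "known_worm.exe": b"payload seen in a previous campaign",
    "new_tool.exe": b"never-before-seen utility",
    "hmi_viewer.exe (tampered)": b"approved HMI viewer build 4.2 + extra code",
}

# AV-style blocklist: hashes of samples already catalogued from prior attacks.
AV_SIGNATURES = {sha256_hex(FILES["known_worm.exe"])}

# Whitelist: hashes of files explicitly approved up front. Keyed by content,
# not by name, so a renamed or modified binary does not inherit approval.
APPROVED = {sha256_hex(FILES["hmi_viewer.exe"])}


def av_verdict(data: bytes) -> str:
    """Blocklist logic: deny only what has already been seen and catalogued."""
    return "deny" if sha256_hex(data) in AV_SIGNATURES else "allow"


def whitelist_verdict(data: bytes) -> str:
    """Allowlist logic: deny everything that was not explicitly approved."""
    return "allow" if sha256_hex(data) in APPROVED else "deny"


def assess(files=FILES):
    """Return {name: (av_verdict, whitelist_verdict)} for side-by-side comparison."""
    return {name: (av_verdict(data), whitelist_verdict(data)) for name, data in files.items()}


if __name__ == "__main__":
    for name, (av, wl) in assess().items():
        print(f"{name:28} AV={av:5} whitelist={wl}")
```

The unknown utility and the tampered copy of the approved viewer both sail past the blocklist, because nothing has been written about them yet, and both are stopped by the allowlist. That is the “bouncer” behaviour the article describes, and it is also why the up-front inventory work matters: a sloppy approved list either blocks legitimate tools or quietly approves the wrong build.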
Automated Patch Management
This is utilized to ensure that all updates and protections against new threats are uploaded into the system as soon as they are available. These are usually managed by your control system or cyber security vendor.
Will my system ever truly be secure?
This is never a straightforward question, as there is no discrete line in the sand with secure on one side and insecure on the other.
Cyber security cannot be thought of as a war that can be won with the swift application of the best technology that the market has to offer.
No, it must be thought of as a constant border skirmish, where vigilant troops and a steady supply chain are the only thing keeping the enemy at bay. Why do you think there is a layer in the Purdue model of control system architecture called the DMZ?
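The firewall layering described earlier and the DMZ mentioned here are the same idea seen from two angles: each zone boundary is a checkpoint, and the enterprise network is never given a direct route to the controllers. The following is an added example, not code from the article or from any vendor: a small default-deny policy evaluator over constructed Purdue-style zones. Zone names, address ranges and the permitted services are assumptions chosen for illustration.

```python
"""Added example (not from the article): a zone-based, default-deny policy
over constructed Purdue-style zones, showing that traffic from the enterprise
network must pass through the DMZ to reach the control network."""
import ipaddress
from collections import deque

# Constructed zones with hypothetical address ranges.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),     # Purdue level 4/5
    "dmz": ipaddress.ip_network("10.20.0.0/24"),            # level 3.5
    "control": ipaddress.ip_network("192.168.50.0/24"),     # level 2/3
    "field": ipaddress.ip_network("192.168.60.0/24"),       # level 0/1
}

# Default deny. Each rule: (source zone, destination zone, permitted TCP ports).
# Services are assumptions: 443 to a DMZ jump host/historian replica,
# 4840 (OPC UA) between DMZ collector and control, 502 (Modbus/TCP) to field I/O.
RULES = [
    ("enterprise", "dmz", {443}),
    ("dmz", "control", {4840}),
    ("control", "dmz", {4840}),
    ("control", "field", {502}),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if it is outside every range."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """'allow' only when an explicit rule permits this zone pair and port."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "unknown":
        return "allow"  # intra-zone traffic does not cross this boundary
    for rule_src, rule_dst, ports in RULES:
        if rule_src == src and rule_dst == dst and dst_port in ports:
            return "allow"
    return "deny"


def hop_path(src_zone: str, dst_zone: str):
    """Shortest chain of permitted zone-to-zone hops (ignoring ports), or None.
    Shows that nothing reaches 'control' from 'enterprise' without the DMZ."""
    prev = {src_zone: None}
    queue = deque([src_zone])
    while queue:
        zone = queue.popleft()
        if zone == dst_zone:
            path = []
            while zone is not None:
                path.append(zone)
                zone = prev[zone]
            return path[::-1]
        for rule_src, rule_dst, _ in RULES:
            if rule_src == zone and rule_dst not in prev:
                prev[rule_dst] = zone
                queue.append(rule_dst)
    return None


if __name__ == "__main__":
    print(decide("10.10.5.5", "10.20.0.10", 443))          # enterprise -> dmz
    print(decide("10.10.5.5", "192.168.50.10", 4840))      # enterprise -> control, skips DMZ
    print(hop_path("enterprise", "control"))
```

Two things are worth noticing when running it. An enterprise host can reach the DMZ on the one permitted service but is denied a direct connection to a controller even on the OPC UA port that the DMZ collector is allowed to use, which is the whole purpose of the layer. And the field zone has no outbound rules at all, so a compromised I/O device has no permitted path back up the stack; that is the “border skirmish” posture, where every crossing is a decision rather than a default.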
The best solution is to bring IT, OT and the control system vendors together to have these discussions. Weigh the risk versus the cost of implementation, and make sound decisions from there. Remember, the success of an organization is not how fancy the tools and systems are, but how well people work together to protect their people and their facilities.
Or as Smokey The Bear would say…
“Remember – Only you can prevent forest fires!”