Chevron’s Approach to Cybersecuring Process Control Networks

Byron K. Wallace explains Chevron’s isolation efforts, as well as steps that industrial manufacturers can take to protect their core business assets.

Byron K. Wallace, Chevron’s cybersecurity process control network vulnerability assessor
Byron K. Wallace, Chevron’s cybersecurity process control network vulnerability assessor

“What would you do if you were hacked?” began Byron K. Wallace, Chevron’s cybersecurity process control network vulnerability assessor at the Automation Conference & Expo 2016. In that stressful moment, would you know who to call? “You have to have a procedure in place,” he said, and know what to do besides panic.

While many manufacturers are scrambling to add data access and control from anywhere in the world, the cybersecurity approach at Chevron might surprise you. The company opts to air gap critical systems to disconnect them from the Internet as much as possible (though no system is 100 percent isolated).

Wallace acknowledged that this style might not suit every company. “We go to a bit of an extreme,” he said. “It’s not a one-for-all model… The core functions are the same, but the application is different industry to industry.”

Regardless of your connectivity strategy, Wallace shared advice on cybersecuring for industrial companies:

  • Learn from others’ mistakes by researching what happened to companies that have been hacked. A lot of this information is kept private, but network vulnerability assessment companies can provide that information if you work with them.
  • Train all of your employees on security policies and breaches so it’s not just system administrators watching, but everyone.
  • Change passwords frequently. It might seem obvious, but Wallace said many entities still have default passwords on their devices, including one major metropolitan city’s IP cameras.
  • Get involved by asking your vendors about their security policies and what the updates will do to your equipment. “You may trust [your supplier], but you have to protect your own assets,” he said. If your vendor can access your process control system, ensure you add layers of security.
  • Beyond collecting intrusion detection and protection system (IDS/IPS) data logs, analyze them for patterns or anomalies.
  • Perform “fire drills.” Once you have policies in place, simulate breaches to test staff readiness. For example, send a phishing email to see who in your company clicks. Include executive management in the test—they could be the worst offenders.

The process of securing assets might sound daunting, but Wallace said companies can start by identifying the most critical systems. “Start small, putting safeguards around those systems, and then keep moving forward,” he said. For more information, download IEC 62443: Industrial Network and System Security or visit the NIST site for more resources, including information on prevalent threats by industry.

More in IIoT