It’s an exciting time in cybersecurity right now. Yes, what some might classify as “exciting” could be considered “scary” by others. Industrial operations are dealing with weapons-grade exploits, after all. But it’s also a time when the good guys are bringing more weapons to bear and really battling back. “You’re witnessing a really pivotal moment in cybersecurity,” noted Eric Knapp, global director of cybersecurity solutions and technology for Honeywell Process Solutions (HPS).
Taking the stage at the Honeywell Users Groups (HUG) Americas symposium last week in San Antonio, Texas, Knapp was not recommending that manufacturers disregard security measures, but he nonetheless urged attendees to think beyond the air gap. Forget the idea that you can protect your manufacturing operations by closing them off from the network. Instead, cross over the gap and take the security fight to the cloud.
“Unless we cross the gap, it’s simply not a fair fight,” he said. “All it takes is a little bit of courage—courage from you, but also from Honeywell.”
Knapp was referring in large part to what Honeywell is calling the world’s first industrial threat intelligence cloud, the Advanced Threat Intelligence Exchange (ATIX). Honeywell is combining heuristics, behavioral analysis, advanced threat detection and more, and bringing these capabilities into its cloud environment. “By bringing all these capabilities into the cloud, we can analyze across industries and across geographies,” Knapp said. “We can use massive data stores and analyze them to find threats.”
Honeywell is putting together a comprehensive end-to-end set of industrial cybersecurity capabilities, with more than 150 cybersecurity professionals around the world, according to Jeff Zindel, vice president and general manager of Honeywell Industry Cyber Security.
“This has been an unbelievable year for cybersecurity advancements,” Zindel said, referencing Honeywell’s recent Nextnine acquisition; its partnership with the Singapore Economic Development Board (EDB) to develop an industrial cybersecurity center of excellence in Singapore, modeled after its cybersecurity research lab in Atlanta; and the launch of its Secure Media Exchange, which Knapp gave a sneak peek of at last year’s HUG event.
“The Nextnine acquisition was a tremendous add to our portfolio,” Zindel said, noting that Honeywell was already leveraging Nextnine’s software as part of its own offering, and will continue to leverage it further. “It really does strengthen us and better position us to provide the leading platform of choice for industrials. This adds great multi-site capabilities; excellent secure remote and secure connect capabilities.”
Honeywell will continue to support Nextnine’s existing customer base, which in some cases includes Honeywell competitors. That is not a new model for Honeywell, however, which has been working with competitors since its Matrikon acquisition seven years ago.
Meanwhile, Honeywell is just over two years in with its first in-house developed cybersecurity product, Risk Manager. The company has added “some amazing enhancements” for visibility of threats and vulnerabilities, Knapp said, and also introduced Enterprise Risk Manager, which is able to look across an entire organization to see risks across all sites.
Another recent capability is dynamic rules, which enables an operator to be proactive in the face of a suspected cybersecurity incident. “When there’s a specific threat or vulnerability, there’s often an indicator that goes along with that,” Knapp explained. “An operator can create specific rules to look for those indicators. The system will tell you where all the indicators are and how to address them, or it will tell you that there are none to worry about.”
Secure Media Exchange (SMX), which Honeywell has teased at HUGs past, has now come to fruition. Though it’s one of the simplest for customers to use, it was one of the more complex products for Honeywell to develop and engineer, according to Knapp.
Years ago, the network was the primary vector for attack on a process control facility, so air gaps were put into place, along with firewalls, demilitarized zones and other technologies to lock the network down tight. “Now networks are no longer the largest attack vector,” Knapp said. “Now it’s USB media.”
USB memory sticks—so prevalent in manufacturing environments—have become the easiest way to compromise plant security. Many plants have started banning USBs, putting locks on the USB ports, even filling them in with epoxy in some cases. “It keeps you from getting in, but it also keeps you from getting work done too,” said Seth Carpenter, a cybersecurity technologist for HPS.
Other plants rely on traditional IT malware scanning solutions, which are difficult to maintain and provide limited protection. Not only are they often not kept up to date, Carpenter said, enforcement is typically easy to bypass.
With SMX, contractors can check in their USB device at an SMX Intelligence Gateway, usually centrally located within a facility. The ruggedized device analyzes the files on the USB device and either clears them for use or quarantines them in a separate folder. The SMX client software provides the other end of the enforcement, since no USB device will work on a protected system until it’s been scanned by the gateway. “If it has been checked, it can access files, but only those that are safe,” Knapp said. “They are two pieces that work really well together.”
Though the SMX Intelligence Gateway is physically in a control room or entry point somewhere in the plant, it never connects to the process control network at all. This is one point where the cloud comes back into play, providing a lot more computing power than could be provided locally. “It connects to ATIX so that it can do some really, really advanced threat detection,” Knapp said. “It can’t do it locally on the device; it doesn’t have the horsepower. We take it up to the cloud where we can do it justice.”
ATIX is leveraged now by SMX, but Honeywell plans to leverage it further—ultimately across all its Industrial Internet of Things (IIoT) products, Knapp said. “It’s not something we sell. We built it to use across Honeywell products,” he explained. “It’s a self-learning organism. So when ATIX learns about a threat, it spreads that information across the network.”
Some manufacturing plants are still holding steadfastly to the idea of the air gap. But others insist it’s not realistic or even desirable to stay disconnected. “While air may no longer be a defense, the cloud can be,” Knapp said.