Cybersecurity has become a given in everything that automation suppliers pursue. Where not so many years ago automation was sold with little regard to the ramifications of being connected, today suppliers are more accountable than ever for the security of their products.
Last week at the Honeywell Users Group (HUG) Americas in San Antonio, Texas, Honeywell was talking up its capabilities in the Industrial Internet of Things (IIoT) space, making a push for its “IIoT Ready” products and services. That push for connectivity only makes cybersecurity that much more important.
“All of this has to happen in a cybersecure manner,” said Vimal Kapur, president of Honeywell Process Solutions (HPS), during his keynote the first morning. “We must make our products inherently and natively cybersecure.”
Regardless of what HPS is working on, cybersecurity will be an important consideration, Kapur noted in a separate briefing with industry press and analysts. “It’s going to be perfected, whether we build our products natively secure or add more layers of protection,” he said. “It is going to take a while for people to accept that. This is not a slam dunk. But we’re doing everything that we should.”
Asked if customers are willing to pay for security, Kapur responded that they have become much more receptive to the value the added security brings. “We have far more to offer now, and customers are buying it,” he said. “People are spending money, specifically where there’s a high awareness.”
As an industry, we are doing things well with regard to cybersecurity and certainly better than before, according to Eric Knapp, HPS’s global director of cybersecurity solutions and technology. “But most cybersecurity is still very reactive,” he said, noting that common techniques like antivirus, for example, are only as good as the signature that antivirus software uses. “And malware changes very, very quickly.”
Most manufacturers still think in terms of perimeter detection, such as firewalls or intrusion detection systems, Knapp said. “These are great; we have to implement these controls,” he said. “But it’s a very static and reactive approach to cybersecurity.”
USB protection
Attackers will always go after the path of least resistance. That easy path was once the networks, but manufacturers have figured that out, and hackers in turn have chosen a new path. “We’ve locked our networks down tight,” Knapp said. “Because of that, we have to rely on things like removable media. The bad guys have figured this out too, and now malware comes in on USB drives.”
The well-known Stuxnet virus, which attacked the control system at an Iranian nuclear facility in 2010, used an infected USB flash drive to infiltrate the network. And yet people will still haphazardly insert unknown memory sticks into USB ports on the manufacturing floor.
“Because we know that USBs are the No. 1 pathway to get into facilities today, we found a way to get in the middle of that path,” Knapp said, announcing HPS’s imminent launch of Secure Media Exchange (SMX), which lets users scan USB sticks to detect and remove malware.
Though removable media like USB sticks have become the most common way for attackers to gain access to the network, Honeywell knows that as it and others block the path to USB, hackers will just move on to something easier. “Information has to flow,” Knapp said. “We protect the network, and now they’re using USBs. Once that’s locked down, they’ll find another way.”
So a comprehensive approach remains important. Honeywell is looking at trends, doing more research and engaging with customers to develop new products such as the SMX.
“We’re currently taking a very risk-based approach, which can show us where the biggest bang for the buck is, and we can focus the limited resources we have on those areas,” Knapp said. “A risk-based approach is very efficient by nature, and has a high reward, especially in the very beginning.”
But when you start prioritizing the things that really need to be done, you might find that there are a lot of really high-priority issues. More proactive approaches like whitelisting and antivirus software are steps in the right direction. But there are a lot of unknowns, Knapp said, pointing to the need for threat intelligence. “Not just understanding what the threats are, but operationalizing threat intelligence, getting information in a way you can actually act on it so it’s valuable to you,” he explained. “We’ve just started doing that at Honeywell, really embracing future cybersecurity approaches.”
At its cybersecurity research facility that it opened a little over a year ago in Duluth, Ga., Honeywell is taking what it knows about its control systems to find new ways to infiltrate and manipulate them. “We want to be the people who discover the next big attack vector so we can protect against it,” Knapp said.
Honeywell has cybersecurity expertise of its own, and is also partnering with other companies like Intel Security, Cisco and Belden to provide a broad approach to security.
In February, HPS announced a partnership with Palo Alto Networks, with Honeywell’s Industrial Cyber Security business offering Palo Alto Networks’ Next-Generation Security Platform to industrial customers. At HUG, Honeywell announced the release of the latest version of its Risk Manager software to include inspection capabilities from Palo Alto. “Palo Alto Networks’ cutting-edge inspection technology is now integrated right inside Honeywell’s Risk Manager,” Knapp said.
Beyond the firewall
Palo Alto Networks was founded about a decade ago on a next-generation firewall, reinventing the concept from the ground up to integrate functionality into the same platform to increase performance and lower cost, said Del Rodillas, senior manager of SCADA and ICS product marketing for Palo Alto.
The work that Palo Alto Networks is doing with Honeywell includes that next-generation firewall along with other key technologies:
- Threat Intelligence Cloud submits suspicious payloads to the cloud, and analyzes whether they’re malicious or benign. “It’s a mechanism to analyze things you’ve never seen before and make a determination of their malicious or benign nature,” Rodillas said.
- WildFire sandbox detonates these suspicious payloads. “A lot of organizations typically don’t have this capability in their plants,” Rodillas said.
- Traps is a new product that could be used at endpoints like HMIs, historians or SCADA servers, Rodillas said. “Rather than look at fingerprints, it looks more fundamentally at what that attack is doing.” Tens of thousands of new signatures are identified each year, making it difficult to keep up with patches. Traps instead looks at the small subset of exploit techniques used. “Forget about signatures,” Rodillas said. “Traps stop the core couple dozen exploit techniques. Even unknown threats are using that same core of techniques.”
- Cloud services are also available as a public or private cloud. The public cloud has the added benefit of some 10,000 users sharing their incidents, with protection getting distributed to all users, along with intelligence submitted through research teams and partners. A subset of users that don’t feel comfortable submitting anything to a public cloud can still get the same sandboxing capabilities on their plant floor, and still get some benefits of shared intelligence.
The industry is seeing a divergence in cybersecurity philosophies, particularly beyond the IT/OT perimeter, with some organizations preferring a zero-trust architecture and others a more passive approach, Rodillas said. “Whether they’re more inclined to passive monitoring or more segmentation at the core, we have that capability,” he said.
Though nothing else has been made public at this point, Palo Alto Networks is working with several other key automation suppliers, Rodillas said, as well as some startups that offer complementary security solutions.
About the Author
Aaron Hand
Editor-in-Chief, ProFood World

