It’s difficult to write about cybersecurity without sounding like Chicken Little. I know that the more I flap my wings, the more you might ignore me altogether. Doomsday messages don’t strike fear; our overhyped message receptors have become too immune to the noise. You’ll either roll your eyes at the hysteria or throw up your arms in hopeless exasperation.
And yet… Not only is the threat very real, but it really shouldn’t be that difficult to build your defenses. So before I do a little more wing flapping, let’s all take a deep breath and look at the situation.
There was a time not so long ago when the people in charge of control systems—on both the vendor and the user side—didn’t have to worry about cybersecurity. They were focused on throughput and safety. Then along came Stuxnet, and the myth that the industrial control system (ICS) was protected because it was air gapped or simply too complex flew out the window.
But the best practices that were put in place years ago for safety—where there were too many shared or copied keys floating around and alarms would be suppressed late on a Friday night and forgotten over the weekend—are well suited to security as well. “We developed technology to deal with those proprietary systems in that environment,” says Eddie Habibi, CEO of PAS, which has been providing process safety and reliability for energy, power and other process industries for 20+ years. “This all ties to cybersecurity today. Many of the best practices today are exactly the same measures we put in place 20 years ago to protect proprietary systems from internal mishaps.”
Habibi describes a typical situation in which there’s no technician around on a Friday night, so a shelved/disabled alarm waits until Monday morning to be dealt with. “That disabled alarm, for example, could lead to an accident if the equipment it is protecting is over-pressurized. The threat of cyber is not too dissimilar to that,” he says. “A bad guy comes in, disables a critical alarm, then leaves it alone. That kind of sabotage is like a time bomb. At the right time, when you need the safety system, that safety system is not there for support.”
Though Stuxnet certainly created awareness, with leading companies since then taking measures to deal with cybersecurity issues, it continues to be proven over and over that:
- ICSs are critical to safety and production reliability.
- They are not protected.
- If compromised, they can be as bad as the refinery explosion at BP Texas City or as consequential as Hurricane Katrina.
“When you lose power and water for two or three weeks, things don’t look good,” Habibi says. “And then if you have an enemy that’s fighting to keep those systems down, it can be very bad.”
We’ve talked repeatedly about how being a small guy in a non-critical industry doesn’t really make you less vulnerable. It’s easy enough to get swept up in broad attacks, an internal attack or mishap, or any number of dangers. But let’s set that aside for a moment and actually focus on those major operations and critical infrastructures.
Indeed, there is hype and there are scare tactics being used by companies that want to sell you security products. But still, there simply is not enough awareness about the damage that could be done with a few focused attacks on critical assets, Habibi says.
“If four refineries in the U.S. were shut down at once; if the electric grid were shut down intentionally so it would take days or weeks to come back up… If you think through the consequences, you would understand the critical role and the severity of the outcome of a compromise of control systems,” he explains. “All it takes is shutting down the water utilities and power utilities in a couple cities for an extended period, and you have a very, very disastrous situation.”
Habibi describes a scenario that begins as a period of inconvenience. The air conditioning goes out. You might even have to buy drinking water and fill the bathtub for facilities. Then it goes from inconvenience to shortage—you run out of gas and food starts to rot. Dogs are out on the street because they’re not being fed. It starts looking like a post-war environment, with sanitation problems and disease.
“Do we have an example where that’s actually happened? No. But we have seen where nation states have tested these systems,” pointing to cybersecurity attacks on power systems in the Ukraine and nuclear facilities in the U.S. “The ability is there to make it happen.”
Habibi believes that nation states are looking at cyber attacks on the industrial sector as the next generation of stealth weapons. “These are nations that are at odds with us. These are not pranksters,” he says. “These are guys who are testing their weapons.”
The threat is real, and people know it, Habibi says, adding that many customers have begun looking to PAS for help in cybersecurity. “PAS from the beginning was a company that made industrial facilities safe and optimized their processes,” he says. “The same technologies used to improve plant safety and reliability are the foundational platform for securing industrial control systems.”
In fact, it was a major electric utility in the Southeast U.S. that first approached PAS six or seven years ago, concerned about the cybersecurity requirements it faced as part of NERC CIP (North American Electric Reliability Corp. critical infrastructure protection). The utility had been using PAS’s software to improve reliability and integrity of its control systems, and they believed PAS had the underlying ability to get to the NERC CIP requirements, Habibi says.
So PAS has built on its previous experience to create a foundational platform related to cybersecurity. It includes:
- A complete inventory of the control system from level 0 (field instruments) to level 2 (the process control network)
- Vulnerability assessment
- Baseline configuration and change management
- Patch management
- Ability to recover with a clean database
Though PAS did not previously offer vulnerability assessment or patch management, visibility to the inventory has been a critical part of its safety and reliability offerings. That visibility becomes even more critical where security is concerned. “Anomaly detection is not enough,” Habibi stresses. “To have anomaly detection without the foundation is like hiring an alarm company to install a system on your house, but missing about 80 percent of the windows and doors because they don’t have visibility to the inventory.”
Cybersecurity has long been an issue in the IT space, and that market is mostly saturated. Traditional IT security companies are now rushing into the ICS market. But coming from an IT point of view, they tend to overlook levels 0 and 1 because they don’t have visibility there. “The solutions that address cybersecurity for IT are necessary, but inadequate or incomplete for addressing operational technology,” Habibi says. “I’ve got to have the moat to protect the castle, but that’s not enough.”
As a supplier focused on the operations environment, PAS first emphasizes securing the foundation—developing and implementing policies, understanding what the system should look like, what processes are used to make changes, and automating those processes into work flows, Habibi says. “We address the plant operational performance in terms of monitoring and safety. That works hand in hand with security,” he says. “The same human behaviors and mistakes that lead to plant shutdowns are the same behaviors that a bad actor would have in bringing down the plant. We’ve been addressing the human aspect in automation systems for 23 years.”