What are the daunting—perhaps haunting—aspects of manufacturing that keep plant managers awake at night? Not cybersecurity, believe it or not. Rather, it’s cost pressure, an aging infrastructure, productivity improvement, workforce attrition, and operational excellence. Cybersecurity didn’t even make the top 10, according to research presented by ABB at the ARC Industry forum in Orlando last week. That is surprising, considering employee safety ranked number seven on the list, and, the threat of death and destruction is real if a hacker takes over an industrial control system.
It is encouraging to hear, however, that companies are finally spending money on cybersecurity—which they were not doing not too long ago.
“When I joined the company two years ago, nobody knew exactly what cybersecurity was,” says Noel Tabas, lead DCS engineer at Agrium Redwater, a supplier of agricultural products and services. But they knew they needed to know.
Agrium is not alone in this revelation. Amid credit card breaches at retail stores and the Sony hack, manufacturers are taking the possibility of another Stuxnet seriously. As they should…
In December, hackers infiltrated a German steel mill leading to massive damage in a blast furnace that could not be properly shut down. The details of this digital attack—minus the name of the plant-- were revealed in the annual report of the German Federal Office for Information Security (BSI). According to the report, hackers went spear-phishing, sending targeted email that looks like it comes from a trustworthy source, in order to trick the recipient into clicking on the attachment. Once inside the company’s corporate network, the attackers were able to get into production networks and access industrial equipment.
It is clear from this incident, and from the conversations at the ARC conference, that the only way to truly protect the plant network is to isolate it from the enterprise.
After a third-party audit of Agrium’s network revealed vulnerabilities, the company turned to its DCS vendor Honeywell Process Solutions to provide guidance around cybersecurity, including functional requirements and redundancy. Most importantly, the two plants involved were to be isolated from the enterprise, yet still share data between them in the event of a cyber incident. The addition of a demilitarized zone (DMZ) cut the umbilical cord between the plants and the enterprise, creating a trusted plant network, Tabas says.
Agrium was in the middle of a DCS modernization effort, which was the perfect time to tackle cybersecurity. But how can we protect legacy systems?
It’s a situation that automation suppliers have set out to solve.
At the ARC event, PAS demonstrated its Cyber Integrity software which protects critical assets through the one-way data collection of cyber inventory (a complete inventory of control system assets regardless of connectivity); configuration baselines (documenting the operational and security configuration of assets); workflow management (pre-defined workflows for daily security operations, such as patch assessment); and backup and recovery (a single repository to backup all systems automatically).
The purpose is first and foremost to provide visibility into the ICS, because you can’t manage what you can’t see. By using a non-intrusive one-way collection of information, Cyber Integrity serves as a centralized point for managing any DCS, PLC, or even manufacturing execution system (MES), says PAS founder and CEO Eddie Habibi.
The configuration manager provides continuous monitoring to identify changes in the system, alerting the right personnel in the event of unauthorized alterations. Then automated work processes are put in place to prevent human error and unauthorized changes. Backup and recovery is there because “you have to assume there will be a breach,” says Habibi.
Indeed, there will be a breach if a firewall is the only line of defense. That is why Waterfall Security Solutions developed the Unidirectional Security Gateway, which gives the corporate network access to control system information, but does not allow access to the plant network.
The hardware and software set up includes a one-way communication channel that creates a copy of the system outside of the firewall. This fully functional replica of data provides access to the system, however, only the data that needs to be accessed by another enterprise network can be made available—and encrypted-- limiting the risk of data exposure.
“It takes a scary industrial cybersecurity problem and converts it into a classic IT problem, says Lior Frenkel, co-founder and CEO of Waterfall. “The server is outside, not in the control network anymore, so nothing can influence the network.”
These are just a few examples of the many products emerging to protect the plant. Of course, cybersecurity is a multifaceted problem that requires layers of protection and a corporate culture that supports the effort. It also requires a shifting of priorities for plant managers who are more worried about cost pressure, an aging infrastructure, productivity improvement, workforce attrition, and operational excellence. Let’s face it, none of that matters if a massive security breach causes irreparable damage.