General cyber security protects against cyber-attacks that compromise IT systems where the consequences might involve the loss of intellectual property, databases or loss of operation. What follows are 12 steps that should be performed to minimise the risk of an industrial cyber security attack. By Thomas Ayral, Cyber Security Specialist, Honeywell Industrial Cyber Security
In recent years, a large majority of companies and plants have taken steps to implement some degree of industrial cyber security controls. However, it is to no one’s surprise that new cyber security threats appear daily. The latest attack, known as ‘Goldeneye’ or ‘Petya’, has sent shockwaves through businesses and governments worldwide. Given the potential impact of these attacks and expected future malware attacks, it is strongly recommended that organisations take immediate steps to protect their industrial control systems. Existing vulnerabilities must be quickly identified to ensure the effectiveness of established cyber security countermeasures.
Companies may not be able to exactly predict when or how a facility might be attacked, but they can assess the risk of different threat scenarios. By implementing the 12 steps described in this article, plant managers can take an active approach to staying ahead in this very dynamic and perilous environment.
An industrial process control system typically includes routers, switches, controllers, and Windows-based servers and workstations, all communicating on the Process Control Network (PCN). It is critical to monitor the PCN and all attached devices for cyber security threats and vulnerabilities. A single device that is compromised on a PCN can be used as a jump point to access, modify, or shutdown multiple nodes. If process control system security is compromised, plant processes and production can be affected with possible disastrous consequences.
Industrial Cyber Security Vs. General Cyber Security
General cyber security protects against cyber-attacks that compromise IT systems where the consequences might involve the loss of intellectual property, databases or loss of operation.
Industrial cyber security protects against cyber-attacks that assault industrial control systems, which monitor and control production and processing plants by ultimately controlling positions and percentage open of valves; amperage of heaters and transformers; Revolutions Per Minute (RPM) and speed of pumps, centrifuges and motors; temperatures of reactors, etc.
The consequences of an industrial cyber security attack might involve loss of production, destruction of production plants and facilities, death and injury of employees, explosions and the release of poisonous gases or smoke causing injury and death to non-employees or civilians, environmental impact, government fines, damage to corporate reputation, and loss of confidence by investors and customers.
12 Steps To Reduce The Risk Of An Industrial Cyber Attack
For the nodes, end points, workstations, computers, and servers on the industrial process control network, the following 12 steps should be performed to minimise the risk of an industrial cyber security attack.
- Complete all control system software backups as recommended according to schedules provided by manufacturers.
- Install and properly configure firewalls.
- Apply all industrial control system critical software patches as soon as possible, and use mitigating controls to protect systems between maintenance and patch cycles.
- Update anti-malware/Anti-Virus (AV) software and virus definitions (DAT files).
- Install application whitelisting (technology that permits execution of only good or known files). This is accomplished by creating a list of approved files and allowing only them to execute.
- Install an automatic method to track and inventory assets or nodes on the control system network, including infrastructure devices, personal computers and servers.
- Install a method to automatically detect ‘dark devices’ or ‘rogue devices’ (ie: control system assets or nodes that communicate on the network, but are not monitored for cyber risk). These may include removable media brought onto the site such as USB drives and CD/DVDs, as well as laptops and smartphones.
- Train company employees about industrial control system security, including the importance of password controls and awareness of social engineering attacks. The percentage of policy violations and security incidents detected should be automatically tracked. Mandatory changes in passwords at a regular frequency are part of password controls.
- Automatically monitor the plant’s and PCN’s status on important industrial cyber security metrics and be able to show how its security posture is improving.
- Monitor the percentage of control system hardware, nodes and endpoints free of detected malware and viruses.
- Automatically estimate the overall vulnerability in the control system hardware, nodes and endpoints, and know whether the number is decreasing.
- Have an automatic method that points to the source of a cyber threat. This may include connections between the corporate IT network and the industrial process control network.
Monitoring Industrial Cyber Security Risk And Threats
The ability to quickly monitor the metrics associated with these 12 steps and recognise how they are changing with time is crucial to the success of industrial cyber security. Below is an example solution that has been developed to monitor industrial cyber security risks, vulnerabilities and threats.
Dials and trends are used to show the immediate and varying status of risks. Notifications explain and point to warnings and errors from inputs. Drill down capability provides plant engineers with the ability to determine exactly the node, endpoint, server, device or computer causing the alert or warning. Changes in site trend and site risk indicate whether the site’s cyber security risk is improving or worsening. Standardised reports can be prepared showing key industrial cyber security metrics.
Users of this software solution describe how plant employees do not need to be industrial cyber security experts to monitor and minimise the plant’s risk. Since plant process control engineers can quickly know their cyber security risk profile daily, no head count increase is required.
When a cyber-attack occurs, plant control engineers receive email alerts and can identify and prioritise system security risks. With cyber security events, they can drill down to the problem and make quick logical decisions with minimal effort and also assess the plant and PCN’s cyber security posture on a daily or more frequent basis.
Comprehensive Approach To Safeguard Your IP
In sum, at Honeywell, we believe that the most important parts of a cyber security program are in being able to identify security risks, being proactive, embracing a security philosophy as well as developing a long-term strategy that reduces potential cybersecurity threats.
In order to protect systems and networks, industrial facilities require a comprehensive approach to cyber security that involves ongoing risk assessment, well-defined security policies and an aggressive overall security posture.
Even for plants that have already initiated an industrial cyber security program, the risks are ever-evolving, and attacks are increasingly targeted. Minimising threats by implementing the latest industrial cyber security innovations, however, represent major steps forward. These are best taken proactively, rather than as pressured actions while a cyber-attack is underway.