Proactive Management Of Plant Cybersecurity | Thanh PLM

The inward-looking plant control system gives way to a wider and flatter network architecture, which requires a different cybersecurity focus. Operations technology (OT) is undergoing a sea change in goals, structure, and management—as is an information technology (IT) with the integration of the plant control system with the business systems. This is making it necessary to manage enormous data flows inside the plant.

The physical plant continues to be important, but it is complemented and managed by the virtual plant, a concept that makes possible a “digital twin” of the actual plant. Management and operations can use the digital twin to experiment and improve operational efficiency. Besides, new tools and process controls are becoming available. Robots and virtual reality can be used in hazardous areas to improve operator safety, and simpler, easier-to-operate advanced process control systems are becoming common.

Outside the plant, the cloud and related applications have made the Industrial Internet of Things (IIoT) practical and useful. A big part of any IIoT implementation is a proliferation of new sensors installed inside and outside the plant for improving plant performance.

Open process automation (OPA) initiatives—intended to produce a common platform so controllers, sensors, and software can work together without vendor compatibility issues (Figure 1)—have been added to the mix.

Figure 1: Cyber threats are proliferating due to increased information technology/operations technology (IT/OT) integration, along with the advent of the Industrial Internet of Things (IIoT) and open process automation (OPA) initiatives. Courtesy: Yokogawa Electric Corp.

All these trends are occurring simultaneously and have contributed to a time of disruption. The old ways of running process plants are no longer competitive in many process industries. However, these disruptive events can create new value propositions through innovation.

OT cybersecurity transformation

Traditionally, sensors and controllers have been connected directly to the plant control system using wired or wireless protocols. OT cybersecurity has been focused on protecting the plant control network and keeping unauthorized users from invading the control systems. However, OT cybersecurity is now transforming.

OT cybersecurity principles are being used in non-traditional automation sectors, such as building automation, transportation, and medical automation. What used to be a hard-wired perimeter has moved outward from the plant and become virtual. The 2-D structure of OT cybersecurity is 3-D with the inner applications, level 0 and 1 devices and applications, and sensor devices connected directly to the cloud. From there, they’re connected to the automation systems, maintenance, repair, and operation (MRO) systems, and plant business systems.

Plant operations personnel always have recognized the need for functional safety. The rise of OT cybersecurity has made it clear an insecure plant is an unsafe plant. Cybersecurity and functional safety mirror overlap and complement each other. The security of the safety instrumented system (SIS) is now a critical function, just the same as the basic plant control system’s security.

With fully integrated business systems, the cybersecurity of the entire value chain is critical. Making a supply and a distribution chain integrated and secure are essential in today’s enterprise. OT cybersecurity is no longer a static function; instead, it becomes a fluid and continuously changing entity that must be managed carefully.

OT cybersecurity threats, defenses

As the function and footprint of OT cybersecurity have grown and changed, the threats it faces have broadened. Traditional cybersecurity evolved to deal with threats in the IT environment, such as email phishing, human-in-the-middle penetration attacks, malware, and disaffected employees. First-generation OT cybersecurity began by implementing IT-derived solutions to these threats, for example, perimeter security and air gaps.

The second generation of threats was more plant-centered and fewer IT-focused. These include advanced persistent threats (APTs), continuing stealthy attacks from outside the enterprise aimed at IP theft, or destruction of plant operations.

The third and current generation of threats is persistent and focused on causing harmful disruption to plant operations. It potentially is destructive to machinery and systems. Threats have evolved to become OT-specific as hacking has evolved, as well.

OT cybersecurity defenses have been reactive, complacent, and conformance-oriented. They typically are based on IT security technologies. Thus, they are not always a good fit for OT purposes and have often evolved slowly into OT security technologies. They have been based traditionally on conformance to standards and based on lifecycle, certifications, and regulations. These defenses are relatively easy to penetrate, especially using APTs, and provide an unrealistic security sense.

Standards such as ISA/IEC 62443, the NIST framework, NERC CIP, and many others have provided a framework and a path forward to designing good OT security postures for plants. The ISA Security Compliance Institute has been certifying components to be “ISA Secure” since 2010. Standards compliance alone, however, does not necessarily result in adequate or increased cybersecurity protection.

OT cybersecurity challenges

The basic challenge for OT cybersecurity is to deal with the ongoing industry transformation. First, it is necessary to assess the effectiveness of traditional controls and cyber tools. Traditional penetration testing has been used for this purpose. The problem is it is challenging to operationalize these traditional tools without considerable training and overhead. It is the issue of getting from the theoretical to the practical, or from wishing to be more secure actually to be more secure.

The current challenge is moving the perimeter from the physical plant and a network-centric focus to the virtual, which requires security to edge components and applications (Figure 2). Edge devices are numerous and proliferating. This makes it impossible to provide a secure cyber environment without protecting edge devices in real-time to maintain security for each Level 0 and 1 device.

Figure 2: Cybersecurity must be applied in the process industries from the enterprise to the application level. Courtesy: Yokogawa Electric Corp.

One of the main issues is the increase of poorly-secured IIoT devices installed in plants to send data to the cloud and then to the plant. These IIoT devices can provide intrusion vectors overlooked by plant operators and engineers eager to get more data.

The plant is not secure if the supply chain is not secure. The high integration between the supply chain and the control system required in modern process plants makes the supply chain a vector for potential attacks.

Active detection of anomalies is necessary to maintain a secure plant network. This makes it possible to achieve a predictive and preventive response posture instead of a reactive and conformance-oriented activity. This includes threat intelligence from outside the plant.

OT cybersecurity

The best option in many cases is to move from a reactive approach to an adaptive security posture. An adaptive security posture provides the ability to:

• Predict by establishing a baseline and anticipating threats
• Prevent threats by hardening OT devices and isolating IT and OT networks
• Detect anomalies in real-time, prioritize the risk, and contain them, and
• Respond by hunting the threat, performing proactive and reactive investigation, and remediating any damage caused by the intrusion.

This adaptive posture provides for understanding and discovering the OT digital assets using automated digital asset discovery and maintenance tools. This posture allows plant operators and engineers to develop and understand the plant cybersecurity baseline—what “normal” actually looks like—so they can see anomalies when they occur.

Real-time monitoring and management are needed, including at a minimum automatic device configuration and network management, along with automated IP address management. Operators must know where all the devices are and how secure each is at any moment. This is the first step in making the security posture adaptive and transforming from preventive to the predictive response.

The future plant will integrate operational reliability monitoring, security monitoring, and network monitoring with process monitoring. The detection will be transformed from signature-based detection to anomaly detection.

OT cybersecurity must be integrated with the management of change functions, alarm management, safety systems, security information, and event management. The entire plant operational system revolves around security and safety. For many process plants, it can be difficult to implement a modern functional security position. This is where companies specializing in cybersecurity can be of assistance to process plants.

MORE ANSWERS

Keywords: cybersecurity, OT cybersecurity, Industrial Internet of Things, IIoT

Cybersecurity threats against process plants are becoming more sophisticated.

Information technology (IT) and operations technology (OT) are merging and learning to cooperate.

Process plants need to move from a reactive approach and take an adaptive security posture.

About the author

Camilo Gomez is the global cybersecurity strategist at Yokogawa, responsible for developing its cybersecurity vision worldwide. Before joining Yokogawa in 2017, he held senior advisory positions in the process control cybersecurity domain at CGI, SVG International, and BP PLC. Camilo represents Yokogawa in international standards bodies and certification organizations such as ANSI/ISA, IEC, ISASecure, IECEE, and the Open Group Automation Forum (OPAF) is co-chairing the Security Architecture Subcommittee. He holds an MBA degree from the University of St. Thomas, and an MTech degree in Telecommunications, and a BSc degree in Systems Engineering from Politécnico Grancolombiano.