Creating a CyberSecurity Culture for Process Heating Control Systems
As industrial plants increasingly incorporate networked and remote-access controls for thermal processing, they must take steps to secure these systems from cyber-attacks and other cyber-vulnerabilities.
Industrial process heating control is found in many sectors having critical infrastructure, including oil and natural gas pipelines, discrete and process manufacturing, and transportation systems.
Operational technology (OT) used in industrial control systems for flow control has been a critical part of operating, monitoring and maintaining physical infrastructure for decades. However, as OT has become digital, information technology (IT) has been an increasing part of that evolution — providing platforms, software and networks to enhance control and functionality.
Unlike IT, the core deliverable of operational technology is not information. Instead, it is the management of state. For example, if a valve needs to be opened or closed, operational technology can open or close it. If a gas pipeline experiences pressure beyond its operating parameters, operational technology can bring it back within tolerance levels.
The Pillars of Cybersecurity
- Analyze the system and identify weaknesses.
- Limit intrusions and impact through effective protection.
- Detect abnormal and suspicious behavior of the system.
- Ensure recovery.
The industrial internet age stretches from traditional operational technology such as supervisory control and data acquisition (SCADA) systems to the emerging Internet of Things (IoT), whose nervous system is digital and software based. Sometimes referred to as Industry 4.0, the Industrial Internet of Things (IIoT), with its control elements such as sensors, valve actuators and pumps acquiring a “digital skin,” is exponentially increasing the digital presence in industrial control systems.
The nature of the risks is different between IT and operational technology worlds:
- Business risks are mainly related to the confidentiality and integrity of the data processed and hosted by the IT systems. This leads to intangible consequences such as loss of know-how and loss of reputation.
- For operational technology systems, business risks are related to the availability, integrity, reliability and safety of the industrial control system itself. Risks include operational consequences in the physical world such as production shutdowns and financial losses, environmental damage and the inability to control the process or to obtain accurate information about its state.
Common beliefs that operational technology environments were impervious to outsider threats are now known to be false. Industrial corporations are increasingly connected with each other to improve efficiencies, and operational technology systems are starting to resemble IT systems. To take advantage of the digital supply-chain benefits, industrial corporations may allow suppliers to connect to automation systems for maintenance and asset-management services.
This integration provides significantly less isolation for operational technology from the outside world, creating a greater need to secure these systems. According to Frost & Sullivan’s “Top 10 Cyber Trends Affecting the CNI Sector (2014),” the supply chain introduces weaknesses and allows threats and entry-point access to critical infrastructures. This requires thinking of the value chain as a whole.
Operational technology environments are vulnerable and exposed to cyber-attacks. Persistent design vulnerabilities (PDVs) are inherent in operational technology systems as part of their function. The International Society of Automation (ISA) describes it this way:
“OT [operational technology] systems are not designed to ensure resilience against concerted attacks that intend to place components in dangerous operating states. This is expected to be a growing area of cyber-attack and engineering research.”
As operational technology environments incorporate IT technologies, IT-related vulnerabilities are introduced.
Because of the longer operational technology lifecycle (10 to 15 years), widely dispersed and legacy systems cannot be patched or upgraded in typical IT security fashion. As a result, operational technology environments remain highly vulnerable for long periods. Meanwhile, on top of these inherent characteristics of operational technology environments, the knowledge and skills needed to attack operational technology networks are spreading rapidly. Operational technology-related cyber-risks have reached a critical threshold and require immediate action.
Operational Technology Cybersecurity and Regulatory Risk
It is generally accepted that there is a significant governance, knowledge and experience gap between the IT and operational technology domains. Operational technology staff tend to have process engineering expertise but little or no cybersecurity training and understanding. Closing this gap to make operational technology staff part of the cybersecurity chain is critical.
FIGURE 1. In today’s world, industrial control systems are increasingly interconnected.
More broadly, on behalf of senior executives, chief security officers (CSOs) and chief information security officers (CISOs) are asked to establish a consistent cybersecurity operating model that integrates the operational technology environments in order to address the following issues:
- What are the major operational technology assets to protect? Are they vulnerable? Where are they located? Are both external and internal threats considered? Does the organization understand the origin of threats (e.g., cyber-criminals, competitors, governments, rogue employees, etc.)?
- How shall operational technology cybersecurity be governed within the organization? Is it well integrated into the corporate governance? Are the roles and accountabilities well defined among industrial site directors, IT, operational technology and cybersecurity stakeholders?
- What are the major operational technology cyber-risks the organization faces? What are the risks of compromising the operational technology network to enter into the corporate IT network or vice versa? Is the organization able to detect abnormal events and weak signals of cyber-attacks?
- How can we empower operational technology staff to make them aware of their role related to cybersecurity? Have control engineers received some basic cybersecurity awareness training?
- In the event of a serious operational technology cyber-incident, which incident-response and crisis-management process needs to be developed?
FIGURE 2. The biggest challenge in OT environments remains to manage OT systems in order to reduce the attack surface and then to know when a cyber-attack occurs or has already started and respond rapidly so that corporations can ensure business resilience of their industrial operations.
Regulatory pressure is increasing, especially for those in the chemical processing industry and for operators of essential services. This will require chief security officers and chief information security officers to accelerate the enforcement of cybersecurity best practices and the readiness to detect and provide notification of severe cyber-incidents.
The U.S. National Institute of Science and Technology (NIST) Framework and the European Networking and Information System (NIS) Directive require critical operators to conduct risk-assessment exercises and to detect and provide notification of their severe cyber-incidents to the national or federal information security agencies (to avoid potential systemic effects). Therefore, the main current CSO and CISO challenge is to raise awareness at the industrial director’s level and to increase their influence across the organization in order to address, in a holistic way, increasing operational technology-related risks.
The Challenges of Operational Cybersecurity
Operational technology cybersecurity derives many practices and technologies from IT security. However, changing the state of a system has unique safety, business continuity and security implications. This means that merely translating IT security practices and copying IT security technology to address operational technology security will not result in a secure operational technology environment.
In IT environments, technology is already there, and security operations centers (SOCs) have been set up to monitor and detect cyber-attacks. Even so, there have been many cases where compromised IT systems have gone undetected for months. In the operational technology world, the use of active cybersecurity solutions (for example, firewalls, intrusion detection systems, antivirus and vulnerability scanners) has limited value, for several reasons:
- For existing systems, implementing such security solutions is limited by the risk of false-positive events, which might disrupt mission-critical operational technology networks.
- Such IT technologies are too intrusive for mission-critical and low-latency systems where false positives are not acceptable.
- Most operational technology components in the field today, such as programmable logic controllers (PLCs), controllers, remote terminal units (RTUs) and intelligent electronic devices (IEDs), do not support any third-party IT security software.
The biggest challenges in operational technology environments remain. First, the operational technology team needs to manage OT systems to reduce the attack surface. Second, the security team must be able to detect when a cyber-attack occurs and respond rapidly so that the corporation can ensure the business resilience of the industrial operations.
FIGURE 3. Industrial corporations must adopt a step-by-step pragmatic approach to avoid making the process so complex that the goals are never achieved.
As a consequence, a reasonable approach to protecting an operational technology system is to combine two kinds of measures: active cybersecurity solutions where possible (meaning where they will not disturb the system), and passive monitoring solutions, which do not risk disrupting the OT system by generating false-positive events. Focus should be on monitoring solutions that are tailored to the unique characteristics of operational technology environments (i.e., mission critical, low latency and long lifecycle).
The Cyber-Control Room
A cyber-control room is a security operations center (SOC) dedicated to operational technology environments. We can simply define a cyber-control room as a virtual facility for monitoring cybersecurity of operational technology networks and assets. Through sensors, which are the equivalent of cameras in the physical world, we can collect data from different operational technology environments.
The greatest value in a cyber-control room comes from its early and accurate detection capability, as well as its ability to streamline collaboration between operational technology staff, IT staff and cybersecurity experts. It is also easy to integrate with an IT security operations center, where correlating IT and operational technology events enhances the organization’s detection capabilities as a whole.
Establishing a cyber-control room is a must-have to win the operational technology cybersecurity battle. However, it represents a long journey for industrial corporations, in particular to be able to continuously monitor all the operational technology components in a 24/7 mode. Such a cyber-control room will bring positive side effects, deal with legacy operational technology equipment and empower operational technology operators and staff. Industrial corporations must adopt a step-by-step pragmatic approach to avoid making the process so complex that the goals are never achieved.