Industrial Cybersecurity: PAS Optics 2020 Event

Industrial Cybersecurity: PAS Optics 2020 Event
Industrial Cybersecurity: PAS Optics 2020 Event

The PAS OptICS 2020 virtual event explored the key operational and cybersecurity challenges facing industrial organizations as well as best practices and strategies to address them.


Digitalization: Driving the benefits and managing risks

Keynote Speaker Anup Sharma, SVP Global Business Services, LyondellBasell, and Eddie Habibi, founder/CEO of PAS Global, had an interesting discussion. LyondellBasell is one of the world’s largest plastics, chemicals, and refining companies and believes digital transformation is important to achieve sustainable value creation.

Sharma started by stating: “As we were looking into our crystal ball in the September/October 2020 timeframe, we saw the economy being soft, but we did not predict the double Black Swan events of the pandemic and the resulting economic conditions--but we took a different approach. We asked ourselves if we were to buy ourselves where would we find trapped value.” He described how that informed the company’s focus on digitalization. “The value creation opportunities are now the North Star for us.” He described applying technologies, processes and people to capture the value. “How do we advance our competitive capabilities in the marketplace with our assets?” Today, technology is becoming pervasive, enabling them to improve maintenance and apply machine learning optimizing operations. 

Sharma noted that digitalization inherently creates larger cybersecurity attack surfaces, requiring a balance between digital expansion and cyber security. “It has to be about competitive advantage; if we have zero risk, we would not have a business. We have cybersecurity experts around the world that help us outpace the bad guys. It can be overwhelming. The way you tackle it is with innovation, partnering with organizations, companies, people and government entities that are like-minded with a joint focus on a common adversary and risk. Much like safety, if our suppliers are not as dedicated to safety as we are it will be hard to achieve goal zero (no incidents).” He then described the approach at LyondellBasell: “We integrated our enterprise and OT cybersecurity into a single organization, a global team.”


Making sense of ICS security products and integration with enterprise solutions

Dale Peterson, CEO of Digital Bond opened his session by discussing how industrial people many times have a reaction that the technologies coming from other areas, including IT and enterprise computing, immediately claim it will not work in ICS.  “Understand it probably will work; it’s something we’ve been hearing about in the past about ethernet, antivirus and other technologies,” Peterson said. “If you get this knee-jerk reaction that it won’t work in ICS, chances are it probably will work eventually.” Peterson suggested, “Keep an open mind.”

Products are one part of the cybersecurity solution that requires thoughtful analysis. “Companies, especially senior management, like to like to think they can solve security problems by buying a  product," Peterson said. “Products can help, but they are only part of the solution. One of the challenges we have is a lot of these cybersecurity companies have a tremendous amount of marketing dollars, so what they’re doing is hitting your executives saying this is what you really need; they are very aggressive.”  He continued, "Thinking about your ICS program, it’s important for you to communicate with your executives because if they do not understand and buy into what you’re proposing, one of these product vendors is going to convince them what to do, and once management has that in their mind, it’s almost impossible to dissuade.”

Peterson recommended watching Rebekah Mohr’s S4 2020 conference presentation describing her experience in the early days of anomaly detection in OT. When she didn’t select it, or even want it, and one day it generated so much traffic that it caused an outage resulting in a $1M+ loss resulting in unplugged the anomaly detection.  A key point, anomaly detection software as an investment does nothing for prevention. She describes the issues and rational approaches to designing and investing in a cyber security program in the video presentation. The video.


Dale Peterson suggestions

Endpoint protection: “Hopefully, you have been looking at application whitelisting replacing antivirus or at least if you have to run antivirus do both," Peterson said. He emphasized that antivirus is only going to find mass-market malware. “It’s not going to find any sophisticated attacker or anyone that is evading antivirus. 

Remote access: Remote access has been growing and now accelerating with Covid. Two factor authentication is a must for all remote access, should be number one on asset orders list. “The vast majority of the incidents you hear about in ICS are related to someone getting on the enterprise network in riding in on credentials they recovered," he said.

Perimeter security: Unidirectional, one-way, data diode is fine for things like sending data to the cloud for maintenance. Two-way communications require deep packet inspection.

Detection: About 2015, there was a huge tidal wave of companies about 30 companies with software to detect ICS attacks and incidents on the network by passively listening on the network. These companies raised a tremendous amount of money: “Half a billion a venture money and still going," Peterson said. “With all that money, asset owners are getting bombarded with advertising, webinars, articles, presentations at conferences, it got far more mind shares in deserved even though it is an interesting category.” 

Asset inventory: It is important to have accurate asset inventory to understand the attack surface. Many of the passive detection software have asset inventory capabilities but identify only a part of the systems. A comprehensive asset management system includes many other things including complete asset inventory, configuration management, quality management, change management, IP & MAC address, operating system type, application versions, physical locations, totality and personnel responsible. 

Vulnerability management: Vulnerability management requires asset inventory, identify vulnerable software/firmware. Based on vulnerability information patching, updating and other actions need to be taken to be successful.


Dale Person predictions

  1. All passive solutions will add active monitoring.

  2. Asset management and detection will be separate solutions.

  3. Incident response retainers will be major revenue source for many ICS detection vendors.

  • Detection GUI’s/management app will be used for sensor configuration only resulting in price collapse. The GUI dashboard will be IT.  For example, Splunk introduced an add-on for OT cybersecurity. The Splunk add-on for OT Security expands existing Splunk Enterprise Security frameworks to improve security visibility in OT environments adding capabilities in three primary areas:
    -Expanded ability to ingest and monitor OT Asset
    -Improved OT Vulnerability Management including defined applications of MITRE ICS Attack
    -Interfaces and reports to support customer compliance and audit with NERC CIP

  1. Sensor appliances will be replaced by “embedded” into the Ethernet switch. He noted Cisco bought Sentryo an M2M cybersecurity company illustrating the point. Cisco noted, “We believe visibility is a key issue for saviors dirty, and we are trying to make it easier and more integrated into the network, rather than something that you have to bolt on or put in as an aftermarket capability.”

  2. Asset management and detection competition will focus on vulnerability management, risk scores and compliance.

 

Peterson’s recommendations

Peterson recommends starting with an asset management solution.  Next, adding a detection system interfaces seamlessly with the asset management system. The third step is to engage an incident responder on retainer that understands your detection solution very well so they have no learning curve. 


Cybersecurity survey

PAS Global LLC performed the survey asking the degree of OT cybersecurity risk for several potential threats. “Human Error” topped the list as the highest risk area followed by “Nation States,” “Digital Transformation,” “Remote Work,” “Criminal Activity” and “Internal Malicious Actors.” Other survey highlights include:

  • Only 12% of respondents indicated OT cybersecurity risk is low

  • 37% have experienced an OT cybersecurity incident in the last year or do not know if they have

  • 85% reported an inadequate OT asset inventory

  • 38% are taking an ad hoc or reactive approach to OT vulnerability management

  • Only 27% are taking a proactive approach to OT vulnerability management based on business risk

See more about the survey here.


More sessions

The PAS OptICS 2020 sessions are available on-demand for 3 months for anyone that registers.


Thoughts & observations

Attending the virtual event provided another glimpse into the evolving industrial cybersecurity evolution.


IT/OT integration: Presentations typically from users provides further confirmation of the integration of IT and OT organizations to achieve effective digitalization and Industry 4.0 goals. Cybersecurity is clearly integral to this evolution.

Government & culture: Throughout industry industrial cybersecurity discussions describe it as analogous to plant and machine safety. There are clear similarities: both provide a protection function and require technology, training, best practices, systems and procedures. If cybersecurity follows the same course as safety, it may take many years for automation systems to become fully focused on cybersecurity; the safety culture took years to develop. The industrial safety culture took many years to develop but the initial forcing factors were the force of law and fines that led to safety investments and industry best practices. The United States Occupational Safety and Health Act (OSHA) became law on December 29, 1970—about 50 years ago. It took many years of OSHA inspections and non-compliance fines before safety became deep-rooted in industry. Governments role in industrial cybersecurity is evolving.

Cybersecurity & safety: There is a big difference between cybersecurity and safety. Safety analysis and mitigation once defined is relatively static, deterministic, and a bounded problem. Cybersecurity is a continually changing dynamic challenge.

About The Author


Bill Lydon brings more than 10 years of writing and editing expertise to Automation.com, plus more than 25 years of experience designing and applying technology in the automation and controls industry. Lydon started his career as a designer of computer-based machine tool controls; in other positions, he applied programmable logic controllers (PLCs) and process control technology. In addition to working at various large companies (e.g., Sundstrand, Johnson Controls, and Wago), Lydon served a two-year stint as part of a five-person task group, where he designed controls, automation systems, and software for chiller and boiler plant optimization. He was also a product manager for a multimillion-dollar controls and automation product line and president of an industrial control software company.


Did you enjoy this great article?

Check out our free e-newsletters to read more great articles..

Subscribe