Staying Ahead of the Cybersecurity Threat

June 27, 2016
Evolving cyber attacks require evolving defenses. At its users group meeting in San Antonio, Texas, Honeywell executives explain the need to get away from purely reactive approaches.

Cybersecurity has become a given in everything that automation suppliers pursue. Where not so many years ago automation was sold with little regard to the ramifications of being connected, today suppliers are more accountable than ever for the security of their products.

Last week at the Honeywell Users Group (HUG) Americas in San Antonio, Texas, Honeywell was talking up its capabilities in the Industrial Internet of Things (IIoT) space, making a push for its “IIoT Ready” products and services. That push for connectivity only makes cybersecurity that much more important.

“All of this has to happen in a cybersecure manner,” said Vimal Kapur, president of Honeywell Process Solutions (HPS), during his keynote the first morning. “We must make our products inherently and natively cybersecure.”

Regardless of what HPS is working on, cybersecurity will be an important consideration, Kapur noted in a separate briefing with industry press and analysts. “It’s going to be perfected, whether we build our products natively secure or add more layers of protection,” he said. “It is going to take a while for people to accept that. This is not a slam dunk. But we’re doing everything that we should.”

Asked if customers are willing to pay for security, Kapur responded that they have become much more receptive to the value the added security brings. “We have far more to offer now, and customers are buying it,” he said. “People are spending money, specifically where there’s a high awareness.”

As an industry, we are doing things well with regard to cybersecurity and certainly better than before, according to Eric Knapp, HPS’s global director of cybersecurity solutions and technology. “But most cybersecurity is still very reactive,” he said, noting that common techniques like antivirus, for example, are only as good as the signatures the antivirus software uses. “And malware changes very, very quickly.”

Most manufacturers still think in terms of perimeter detection, such as firewalls or intrusion detection systems, Knapp said. “These are great; we have to implement these controls,” he said. “But it’s a very static and reactive approach to cybersecurity.”

USB protection

Attackers will always go after the path of least resistance. That easy path was once the networks, but manufacturers have figured that out, and hackers in turn have chosen a new path. “We’ve locked our networks down tight,” Knapp said. “Because of that, we have to rely on things like removable media. The bad guys have figured this out too, and now malware comes in on USB drives.”

The well-known Stuxnet virus, which attacked the control system at an Iranian nuclear facility in 2010, used an infected USB flash drive to infiltrate the network. And yet people will still haphazardly insert unknown memory sticks into USB ports on the manufacturing floor.

“Because we know that USBs are the No. 1 pathway to get into facilities today, we found a way to get in the middle of that path,” Knapp said, announcing HPS’s imminent launch of Secure Media Exchange (SMX), which lets users scan USB sticks to detect and remove malware.

Though removable media like USB sticks have become the most common way for attackers to gain access to the network, Honeywell knows that as it and others block the path to USB, hackers will just move on to something easier. “Information has to flow,” Knapp said. “We protect the network, and now they’re using USBs. Once that’s locked down, they’ll find another way.”

So a comprehensive approach remains important. Honeywell is looking at trends, doing more research and engaging with customers to develop new products such as the SMX.

“We’re currently taking a very risk-based approach, which can show us where the biggest bang for the buck is, and we can focus the limited resources we have on those areas,” Knapp said. “A risk-based approach is very efficient by nature, and has a high reward, especially in the very beginning.”

But when you start prioritizing the things that really need to be done, you might find that there are a lot of really high-priority issues. More proactive approaches like whitelisting and antivirus software are steps in the right direction. But there are a lot of unknowns, Knapp said, pointing to the need for threat intelligence. “Not just understanding what the threats are, but operationalizing threat intelligence—getting information in a way you can actually act on it so it’s valuable to you,” he explained. “We’ve just started doing that at Honeywell, really embracing future cybersecurity approaches.”

At the cybersecurity research facility it opened a little over a year ago in Duluth, Ga., Honeywell is taking what it knows about its control systems to find new ways to infiltrate and manipulate them. “We want to be the people who discover the next big attack vector so we can protect against it,” Knapp said.

Honeywell has cybersecurity expertise of its own, and is also partnering with other companies like Intel Security, Cisco and Belden to provide a broad approach to security.

In February, HPS announced a partnership with Palo Alto Networks, with Honeywell’s Industrial Cyber Security business offering Palo Alto Networks’ Next-Generation Security Platform to industrial customers. At HUG, Honeywell announced the release of the latest version of its Risk Manager software to include inspection capabilities from Palo Alto. “Palo Alto Networks’ cutting-edge inspection technology is now integrated right inside Honeywell’s Risk Manager,” Knapp said.

Beyond the firewall

Palo Alto Networks was founded about a decade ago on a next-generation firewall, reinventing the concept from the ground up to integrate functionality into the same platform to increase performance and lower cost, said Del Rodillas, senior manager of SCADA and ICS product marketing for Palo Alto.

The work that Palo Alto Networks is doing with Honeywell includes that next-generation firewall along with other key technologies:

  • Threat Intelligence Cloud submits suspicious payloads to the cloud, and analyzes whether they’re malicious or benign. “It’s a mechanism to analyze things you’ve never seen before and make a determination of their malicious or benign nature,” Rodillas said.
  • WildFire sandbox detonates these suspicious payloads. “A lot of organizations typically don’t have this capability in their plants,” Rodillas said.
  • Traps is a new product that could be used at endpoints like HMIs, historians or SCADA servers, Rodillas said. “Rather than look at fingerprints, it looks more fundamentally at what that attack is doing.” Tens of thousands of new signatures are identified each year, making it difficult to keep up with patches. Traps instead looks at the small subset of exploit techniques used. “Forget about signatures,” Rodillas said. “Traps stop the core couple dozen exploit techniques. Even unknown threats are using that same core of techniques.”
  • Cloud services are also available as a public or private cloud. The public cloud has the added benefit of some 10,000 users sharing their incidents, with protection getting distributed to all users, along with intelligence submitted through research teams and partners. A subset of users that don’t feel comfortable submitting anything to a public cloud can still get the same sandboxing capabilities on their plant floor, and still get some benefits of shared intelligence.

The industry is seeing a divergence in cybersecurity philosophies, particularly beyond the IT/OT perimeter, with some organizations preferring a zero-trust architecture and others a more passive approach, Rodillas said. “Whether they’re more inclined to passive monitoring or more segmentation at the core, we have that capability,” he said.

Though nothing else has been made public at this point, Palo Alto Networks is working with several other key automation suppliers, Rodillas said, as well as some startups that offer complementary security solutions.

About the Author

Aaron Hand | Editor-in-Chief, ProFood World

Aaron Hand has three decades of experience in B-to-B publishing with a particular focus on technology. He has been with PMMI Media Group since 2013, much of that time as Executive Editor for Automation World, where he focused on continuous process industries. Prior to joining ProFood World full time in late 2020, Aaron worked as Editor at Large for PMMI Media Group, reporting for all publications on a wide variety of industry developments, including advancements in packaging for consumer products and pharmaceuticals, food and beverage processing, and industrial automation. He took over as Editor-in-Chief of ProFood World in 2021. Aaron holds a B.A. in Journalism from Indiana University and an M.S. in Journalism from the University of Illinois.
