The Many Sides of Cybersecurity

Feb. 18, 2015
Manufacturers are waking up to the fact that a control system breach is inevitable if the plant network is not protected.

What are the daunting—perhaps haunting—aspects of manufacturing that keep plant managers awake at night? Not cybersecurity, believe it or not. Rather, it’s cost pressure, an aging infrastructure, productivity improvement, workforce attrition, and operational excellence. Cybersecurity didn’t even make the top 10, according to research presented by ABB at the ARC Industry forum in Orlando last week. That is surprising, considering employee safety ranked number seven on the list, and, the threat of death and destruction is real if a hacker takes over an industrial control system.

It is encouraging to hear, however, that companies are finally spending money on cybersecurity—which they were not doing not too long ago.

“When I joined the company two years ago, nobody knew exactly what cybersecurity was,” says Noel Tabas, lead DCS engineer at Agrium Redwater, a supplier of agricultural products and services. But they knew they needed to know.

Agrium is not alone in this revelation. Amid credit card breaches at retail stores and the Sony hack, manufacturers are taking the possibility of another Stuxnet seriously. As they should…

In December, hackers infiltrated a German steel mill leading to massive damage in a blast furnace that could not be properly shut down. The details of this digital attack—minus the name of the plant-- were revealed in the annual report of the German Federal Office for Information Security (BSI). According to the report, hackers went spear-phishing, sending targeted email that looks like it comes from a trustworthy source, in order to trick the recipient into clicking on the attachment. Once inside the company’s corporate network, the attackers were able to get into production networks and access industrial equipment.

It is clear from this incident, and from the conversations at the ARC conference, that the only way to truly protect the plant network is to isolate it from the enterprise.

After a third-party audit of Agrium’s network revealed vulnerabilities, the company turned to its DCS vendor Honeywell Process Solutions to provide guidance around cybersecurity, including functional requirements and redundancy. Most importantly, the two plants involved were to be isolated from the enterprise, yet still share data between them in the event of a cyber incident. The addition of a demilitarized zone (DMZ) cut the umbilical cord between the plants and the enterprise, creating a trusted plant network, Tabas says.

Agrium was in the middle of a DCS modernization effort, which was the perfect time to tackle cybersecurity. But how can we protect legacy systems?

It’s a situation that automation suppliers have set out to solve.

At the ARC event, PAS demonstrated its Cyber Integrity software which protects critical assets through the one-way data collection of cyber inventory (a complete inventory of control system assets regardless of connectivity); configuration baselines (documenting the operational and security configuration of assets); workflow management (pre-defined workflows for daily security operations, such as patch assessment); and backup and recovery (a single repository to backup all systems automatically).

The purpose is first and foremost to provide visibility into the ICS, because you can’t manage what you can’t see. By using a non-intrusive one-way collection of information, Cyber Integrity serves as a centralized point for managing any DCS, PLC, or even manufacturing execution system (MES), says PAS founder and CEO Eddie Habibi.

The configuration manager provides continuous monitoring to identify changes in the system, alerting the right personnel in the event of unauthorized alterations. Then automated work processes are put in place to prevent human error and unauthorized changes. Backup and recovery is there because “you have to assume there will be a breach,” says Habibi.

Indeed, there will be a breach if a firewall is the only line of defense. That is why Waterfall Security Solutions developed the Unidirectional Security Gateway, which gives the corporate network access to control system information, but does not allow access to the plant network.

The hardware and software set up includes a one-way communication channel that creates a copy of the system outside of the firewall. This fully functional replica of data provides access to the system, however, only the data that needs to be accessed by another enterprise network can be made available—and encrypted-- limiting the risk of data exposure.

“It takes a scary industrial cybersecurity problem and converts it into a classic IT problem, says Lior Frenkel, co-founder and CEO of Waterfall. “The server is outside, not in the control network anymore, so nothing can influence the network.”

These are just a few examples of the many products emerging to protect the plant. Of course, cybersecurity is a multifaceted problem that requires layers of protection and a corporate culture that supports the effort. It also requires a shifting of priorities for plant managers who are more worried about cost pressure, an aging infrastructure, productivity improvement, workforce attrition, and operational excellence. Let’s face it, none of that matters if a massive security breach causes irreparable damage.

About the Author

Stephanie Neil | Editor-in-Chief, OEM Magazine

Stephanie Neil has been reporting on business and technology for over 25 years and was named Editor-in-Chief of OEM magazine in 2018. She began her journalism career as a beat reporter for eWeek, a technology newspaper, later joining Managing Automation, a monthly B2B manufacturing magazine, as senior editor. During that time, Neil was also a correspondent for The Boston Globe, covering local news. She joined PMMI Media Group in 2015 as a senior editor for Automation World and continues to write for both AW and OEM, covering manufacturing news, technology trends, and workforce issues.

Sponsored Recommendations

Why Go Beyond Traditional HMI/SCADA

Traditional HMI/SCADAs are being reinvented with today's growing dependence on mobile technology. Discover how AVEVA is implementing this software into your everyday devices to...

4 Reasons to move to a subscription model for your HMI/SCADA

Software-as-a-service (SaaS) gives you the technical and financial ability to respond to the changing market and provides efficient control across your entire enterprise—not just...

Is your HMI stuck in the stone age?

What happens when you adopt modern HMI solutions? Learn more about the future of operations control with these six modern HMI must-haves to help you turbocharge operator efficiency...