Recognizing the need for a bulletproof security framework for industrial control systems, PAS Inc., a provider of asset and configuration management for distributed control systems (DCS), has formed a new Cyber Security Business Unit focused on providing products and services to protect the core configuration of the control system.
In addition to the announcement of a new division, PAS rolled out the latest version of its Cyber Integrity security software which adds more in-depth risk profile management and compliance reporting.
While PAS has offered a cybersecurity offering for many years, the increasing threats on industrial control systems (ICS)—which experienced a sixfold surge from 2010 to 2014, PAS officials say—and the growing sophistication of the attacks, prompted the company to take a more formal approach to the problem. According to David Zahn, chief marketing officer at PAS and general manager for the new business unit, attacks are playing out in a multilevel manner. First, the hackers gather information on the control system and then they exert control.
Most continuous process companies are investing heavily in security systems, Zahn says. “Even with oil and gas prices down we are seeing that the budgets around cybersecurity remain intact.” In fact, PAS estimates the current ICS cybersecurity market to be about $2.8 billion worldwide.
The problem, however, has been where the investments have been made to date, Zahn says. There’s a lot of investment at the perimeter in the form of firewalls, intrusion prevention, and anti-malware scanning. And, there is some anti-malware protection at the middle layer for the HMI and local area network. But there is no protection at the programming level of the automation systems including the controller and instrumented bus network.
The reason being is that you can’t protect what you don’t know. “We’ve been doing configuration management for a long time, and inventory is always the first step,” says Zahn, pointing out that PAS can identify changes at the control system layer, including hardware, software, I/O, ports, and services.
While other DCS vendors may offer their own cybersecurity product, they are focused on the Windows side, not the proprietary protocols on the backend, says PAS CEO Eddie Habibi. “The difference between what we do and what everyone else does is that we go deep into the proprietary configuration of those systems for configuration management and overall cyber-attack protection,” he says. For example, that proprietary layer is the programming that tells the system how to read sensor data and process it. “And this is exactly where a hacker would go to create a disturbance and break down systems."
PAS has always had the ability to manage these core configuration layers with its Integrity Software Suite, but was prompted to develop the security layer when asked by a customer to create workflow processes for cybersecurity.
The latest version of Cyber Integrity enables industrial companies to gather and maintain an accurate inventory of cyber assets; establish a cybersecurity configuration management policy; manage change by monitoring for unauthorized updates to cyber asset configurations; and, implement a program for system backup and recovery.
“If something bad happens that couldn’t be prevented you need the last line of defense, which is good backup of information so that you are able to recover,” Zahn says. “That is an essential part of what we offer and is included in our best practices.”
In addition, not every asset has the same risk profile, so the latest version of Cyber Integrity provides the user with the ability to categorize assets and assign risk levels, including response controls. Despite the difference in assets, users can see everything from a single view. And, the company has added additional compliance reporting to meet new critical infrastructure protection (CIP) standards.
The cyber security division is expected to contribute new revenue opportunities for PAS, which experienced a 27% increase in revenue last year. “We’ve had good steady growth,” Habibi says, “but we will be on a hyper growth path over the next three-to-five years. We expect to quadruple revenue by 2020.”
