In the past year, sophisticated cybersecurity attacks have demonstrated that a multitude of industries and organizations are at risk. Given the increased connectivity and associated risks, companies and plants from all industries must be aware of how each of their assets and actions impacts the security of their networks. Implementing advanced security technologies and practices is essential to a secure operation. For organizations with industrial control systems (ICSs), including those in the power generation and oil and gas industries, this is particularly critical.
While the control network is a top operational priority, its processes depend on many interactions with other networks, and a significant breach in an external, or even an internal, system can reach the control network through those interactions. Field devices and pump systems, which are often far from the central control system, add further risk by enlarging the overall attack surface. Process control networks are higher-risk technologies precisely because they are highly coupled: the more interconnected the components, the more likely a lower-level incident cascades into a higher-level event. Cybersecurity measures must therefore be designed to break that coupling, so that a negative event stays contained and manageable.
In the past, pumps posed little threat to the control network inside the plant because they interfaced only with the physical world at "Level 0." Today, however, pipelines and pumps are just as digital as the computers within the plant. New portable field devices and sensors can monitor movement, corrosion and impact to pump systems, and transmit large volumes of data. With increased connectivity and data transmission, companies must not only manage the input from various field networks but also maintain secure processes across remote connections.
Any organization operating with multiple networks and various security requirements should prioritize the top two concerns—safety hazards and unplanned shutdowns—and determine best practices to prevent them, including assessing current posture, establishing centralized management and visibility, and increasing employee awareness.
Threats to Safe, Reliable Operations
Cybersecurity is primarily aimed at keeping process controls stable and preventing unanticipated changes. Cybersecurity incidents typically cause loss of view, control, operation or production, with different levels of consequence to an organization. The intersection of operational technology (OT) and information technology (IT) has improved efficiencies, but it has also posed greater risks.
In the IT world, hacking a computer is unlikely to cause physical harm to the target of the attack, but in the OT environment, manipulating industrial assets through digital channels can cause serious damage. When cyberattacks cause loss of view, loss of control, or denial or modification of control, operators are no longer able to manage their process control networks and their most critical assets effectively and safely. This could mean being unable to turn pumps on or off, or to monitor the pressure, flow rate or chemical composition of the pumped medium. Those assets then become a safety hazard to the surrounding environment.
Similarly, loss of control over turbines or process equipment could have detrimental effects. In 2014, attackers compromised a German steel mill: according to the German Federal Office for Information Security (BSI), they gained access to the office network through spear phishing and social engineering, moved from there into the production network, and the resulting failures of control components prevented a blast furnace from being shut down in a controlled manner, causing massive damage to the plant.
OT security is foundationally different from the IT security practice and detection systems in use today. Securing connected machines in the industrial sector brings a unique set of complexities: availability and physical safety come before confidentiality, equipment cannot be rebooted or patched on a business IT schedule, and active scanning that is routine in a datacenter can upset a controller.
While safety is the top priority when it comes to the most aggressive cyberthreats, another potential side effect of cyberbreaches is costly unplanned downtime. An oil and gas company, for example, calculated that the failure of one of its control system's human machine interfaces (HMIs) and the resulting downtime of two days would cost the organization an estimated $12 million in lost production.
Field devices and pump systems transmit data to the organization through the control system network. Attackers do not go through the most secure layers; they look for weaker points of entry into the system and work inward from there. Security practitioners are less concerned with the number of attacks that come their way than with the attacker's persistence, measured as dwell time: how long an attacker can stay on the network undetected.
The longer an attacker is on the network, the deeper he or she is able to move, the more data can be sent back out, and the greater the damage that can be caused.
Furthermore, many process control networks were installed 10 or more years before current technologies and cybersecurity solutions existed. Outdated technology carries known vulnerabilities that, if exploited, could cause loss of view, control or operations. Most organizations also have multiple pieces of equipment from various manufacturers and generations, which makes a unified security program difficult to implement and operate.
Even the latest technology tends to focus on operational efficiency rather than security. With a wide range of systems operating across legacy hardware from remote locations, it is challenging for operators to manage secure connections and keep even the simplest things such as passwords, antivirus tools and software updates current.
Cybersecurity Best Practices
As technology continues to advance, pump professionals must know the industry risks and their potential effects. Considering the following three cybersecurity best practices will help end users develop a much stronger security posture to ward off growing threats and ensure business continuity.
1. Assess current posture. As the saying goes, "You don't know what you don't know." The first step of assessment is understanding gaps in security and being prepared to institute policies and procedures pertaining to people, processes and technologies. If you do not know where to start, standards are available based on industry and/or region to help provide best practices for companies to create a baseline security reference architecture that meets their needs. The Critical Security Controls, originally published by the SANS Institute and now maintained by the Center for Internet Security (CIS), are a widely accepted general resource; for control systems specifically, ISA/IEC 62443 and NIST SP 800-82 address ICS environments directly.
2. Centralize management and visibility. All organizations should have centralized management systems configured to ensure all access points are protected and continuously monitored. By running regular tests and documenting updates and configurations, operators are better able to evaluate vulnerabilities and keep track of threats entering their systems. Operators can log potential threats and send notifications to the proper contacts through a centralized system. In addition, centralized management lets security staff collect and store logs and configuration data from every system component and index them for quick retrieval. This provides clear accountability for any security incident, which is not possible when that information is fragmented across systems.
Centralized management can also support strong password management and enforce role-based access control, under which every user has a unique username and password associated with a role, so that every action on the control network is attributable to one person. Restricting remote access to a small number of named, privileged operators, and requiring a second authentication factor for those sessions, reduces the risk of privileged-user threats and remote access breaches, particularly when threats extend across multilevel networks in the organization.
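As an added illustration of item 2 (this is not code from the article or from any control-system vendor), the following Python sketch enforces the controls just described: deny-by-default role permissions, rejection of shared logins, remote access limited to a named set of users and requiring a second factor, and a central audit record of every decision that a monitoring system could query to raise notifications. The roles, user names, setpoint limits and sample requests are constructed assumptions.

```python
"""Deny-by-default, role-based authorization for pump-control commands.

Added example for this article, not code from any control-system vendor.
The roles, permissions, user names, setpoint limits and sample requests
are constructed assumptions. Every decision is appended to one central
audit list, standing in for the centralized log the article describes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Permissions each role may exercise (assumed; adjust to the real plant).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer":   {"read_tag"},
    "operator": {"read_tag", "start_pump", "stop_pump", "set_setpoint"},
    "engineer": {"read_tag", "start_pump", "stop_pump", "set_setpoint",
                 "change_config"},
}

# Remote sessions are limited to a short, named list of privileged users.
REMOTE_ALLOWED_USERS: Set[str] = {"m.ortiz", "a.chen"}

# Generic or shared logins make actions unattributable; reject them outright.
SHARED_ACCOUNTS: Set[str] = {"admin", "operator", "guest", "root"}

# Operators may only move a setpoint within a safe band (hypothetical values).
SETPOINT_LIMITS: Dict[str, Tuple[float, float]] = {"operator": (20.0, 80.0)}


@dataclass
class Request:
    user: str
    role: str
    action: str
    remote: bool = False            # session arrives over a remote connection
    mfa: bool = False               # a second factor was presented
    value: Optional[float] = None   # new setpoint, for set_setpoint


@dataclass
class Decision:
    allowed: bool
    reason: str


class Authorizer:
    def __init__(self) -> None:
        self.audit: List[dict] = []   # central audit log, one entry per decision

    def decide(self, req: Request) -> Decision:
        """Evaluate the request and record the outcome, allowed or not."""
        decision = self._evaluate(req)
        self.audit.append({
            "user": req.user, "role": req.role, "action": req.action,
            "remote": req.remote, "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def _evaluate(self, req: Request) -> Decision:
        if req.user in SHARED_ACCOUNTS:
            return Decision(False, "shared account; a unique username is required")
        permitted = ROLE_PERMISSIONS.get(req.role)
        if permitted is None:
            return Decision(False, "unknown role")
        if req.action not in permitted:
            return Decision(False, "action not permitted for role")
        if req.remote:
            if req.user not in REMOTE_ALLOWED_USERS:
                return Decision(False, "user not on the remote-access list")
            if not req.mfa:
                return Decision(False, "remote access requires a second factor")
        if req.action == "set_setpoint" and req.role in SETPOINT_LIMITS:
            low, high = SETPOINT_LIMITS[req.role]
            if req.value is None or not low <= req.value <= high:
                return Decision(False, f"setpoint outside {low}-{high}")
        return Decision(True, "ok")

    def denied_remote_attempts(self) -> List[dict]:
        """The entries a centralized system would forward as a notification."""
        return [e for e in self.audit if e["remote"] and not e["allowed"]]


if __name__ == "__main__":
    auth = Authorizer()
    samples = [   # constructed requests
        Request("m.ortiz", "operator", "stop_pump", remote=True, mfa=True),
        Request("j.doe", "operator", "stop_pump", remote=True, mfa=True),
        Request("operator", "operator", "start_pump"),
        Request("a.chen", "viewer", "set_setpoint", value=50.0),
        Request("m.ortiz", "operator", "set_setpoint", value=95.0),
    ]
    for r in samples:
        print(r.user, r.action, auth.decide(r))
    print("denied remote attempts:", auth.denied_remote_attempts())
```

Note that denied requests are logged with the same detail as allowed ones; the denied-remote query is exactly the kind of signal that should page someone, since a valid remote user without a second factor, or an unlisted user arriving remotely, is either a misconfiguration or an attempt worth investigating.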
3. Increase awareness with training. The greatest threats to process control are people whose lack of knowledge results in negligence, accidents or ineffective processes.
Without the availability and enforcement of informative training, employees will not have a strong foundation of security awareness to guard their daily behaviors.
Employee training should shed light on unusual machine behaviors or signals so that end users can identify potential threats immediately.
This is particularly important in the field where there is significantly less exposure to and awareness of cybersecurity. Field operators and technicians must follow protocols regarding the use of the wireless networks that support their devices and smart assets.
Ports, CDs/DVDs and USB access must be hardened or locked down so no personal devices can be connected. Strict protocols pertaining to personal devices and data sharing should be established to prevent introducing vulnerabilities into the secure network. Fostering awareness about cybersecurity will help mitigate internal risks.
As more technology is introduced in the field, there is a greater need to validate secure configurations and implement strong segmentation, so that a compromise in one zone cannot reach the control system network directly. Industrial organizations must further understand the challenges of, and differences between, IT and OT to execute a strong cybersecurity strategy.
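The segmentation the article calls for can be written down as zones and conduits and then checked mechanically. The following is an added example, not from the article or from any vendor or standard; the zone names, address ranges, ports and sample flows are constructed assumptions arranged roughly by Purdue level. It models the coupling problem raised at the start of the article: the enterprise network may reach a DMZ replica historian or jump host, but no rule lets an enterprise or DMZ address talk to a field controller directly, so a breach at a higher level has no direct path to Level 0/1.

```python
"""Zone-and-conduit check for a segmented pump-control network.

Added example for this article, not code from any vendor or standard.
Zone names, address ranges, ports and sample flows are constructed
assumptions: field devices at the bottom, the enterprise network at the
top, and a DMZ between site operations and the enterprise. Anything not
listed as a conduit is denied.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

ZONES = {
    "L0_L1_field":   ip_network("10.10.1.0/24"),   # PLCs, RTUs, pump controllers
    "L2_control":    ip_network("10.10.2.0/24"),   # HMIs, engineering workstation
    "L3_site_ops":   ip_network("10.10.3.0/24"),   # site historian, patch/AV server
    "dmz":           ip_network("10.10.9.0/24"),   # replica historian, jump host
    "L4_enterprise": ip_network("10.20.0.0/16"),   # business IT
}

# Permitted conduits as (src_zone, dst_zone, proto, dst_port). Each crosses
# one boundary only; no rule lets the enterprise or the DMZ reach a PLC.
CONDUITS: Set[Tuple[str, str, str, int]] = {
    ("L2_control",    "L0_L1_field", "tcp", 502),   # HMI/EWS -> PLC, Modbus/TCP
    ("L3_site_ops",   "L2_control",  "tcp", 4840),  # historian collects OPC UA
    ("L3_site_ops",   "dmz",         "tcp", 443),   # site historian pushes to replica
    ("L4_enterprise", "dmz",         "tcp", 443),   # business reads the replica only
    ("L4_enterprise", "dmz",         "tcp", 22),    # remote engineers land on jump host
    ("dmz",           "L2_control",  "tcp", 3389),  # jump host -> engineering workstation
}

Flow = Tuple[str, str, str, int]   # (src_ip, dst_ip, proto, dst_port)

# Constructed flows, as a firewall log or passive capture might report them.
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.2.10", "10.10.1.5",  "tcp", 502),   # HMI writes to PLC: allowed
    ("10.20.5.7",  "10.10.1.5",  "tcp", 502),   # enterprise laptop to PLC: denied
    ("10.20.5.7",  "10.10.9.2",  "tcp", 22),    # enterprise to jump host: allowed
    ("10.10.9.2",  "10.10.1.5",  "tcp", 502),   # jump host straight to PLC: denied
    ("10.10.1.5",  "10.10.2.10", "tcp", 502),   # PLC initiating toward HMI: denied
    ("10.10.1.5",  "10.10.1.6",  "tcp", 502),   # PLC to PLC in same zone: allowed
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no defined zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[bool, str]:
    """Deny by default: only intra-zone traffic and listed conduits pass."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every defined zone"
    if src == dst:
        return True, f"intra-zone {src}"
    if (src, dst, proto, dst_port) in CONDUITS:
        return True, f"conduit {src} -> {dst} {proto}/{dst_port}"
    return False, f"no conduit {src} -> {dst} {proto}/{dst_port}"


def audit_flows(flows: List[Flow]) -> List[Flow]:
    """Return the observed flows a correctly segmented network should block."""
    return [f for f in flows if not flow_allowed(*f)[0]]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        ok, why = flow_allowed(*f)
        print("ALLOW" if ok else "DENY ", *f, "-", why)
    print(len(audit_flows(SAMPLE_FLOWS)), "flows denied")
```

Running the observed flows through `audit_flows` is a cheap validation step: any flow it denies that the real firewalls allowed is either a missing rule or a sign that the network is more coupled than the design says. Intra-zone traffic is allowed here for simplicity; a plant that needs to contain a compromised controller would subdivide the field zone further.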
As industrial organizations place greater emphasis on cybersecurity, they should rely on industry standard best practices and lessons learned to build a solid foundation for a secure and productive enterprise.