Learn cybersecurity best practices from these experts.
by Drew Champlin
February 1, 2018

They’re coming to get you.

Cybersecurity threats are a mounting concern for the pump industry but, according to experts, most companies aren’t prepared to handle the attacks. And new systems can pose even more risk.

The Industrial Internet of Things (IIoT) architecture can link individual pieces of pumping equipment, or an area-wide group of pumps, to a cloud platform. This provides real-time, password-protected data access to anyone with an Internet connection from anywhere in the world (Feb. 2016 P&S, read the article here).

But threats can arise to compromise systems.

In a recent webinar by Indegy, 65 percent of poll respondents said their companies have no plans for the next 18 to 24 months to invest in an industrial control system (ICS) breach or detection system.

This would quickly identify abnormal situations and help users respond to breaches.

Research shows companies are aware of threats but have not invested enough in incident management, ARC Advisory Group vice president Sid Snitkin said during an Indegy webinar. There is a large gap between what companies would like to do and what actions they are actually taking.

“The resource gap is undermining the effectiveness of existing cybersecurity defenses,” Snitkin said. “Many facilities are operating with a false sense of security. Companies are wasting limited capital on technologies they can’t maintain.”

Cyber attacks are nothing new, but attackers are trending toward a different path. “Now you see more threats and attacks to the physical side of cybersecurity,” Indegy CEO Barak Perelman said. “Ten years ago, they were attacking financially. Now, they are trying to physically harm your system.”

Recently, hackers compromised systems in the U.S. and Europe, according to Symantec. Ukraine’s power grid was hacked in 2015.

Indegy director of industrial security Chris Grove said that first and most essential step into cybersecurity is understanding what’s there. Asset inventory is where you may see an anomaly. “You can’t secure it if you don’t know what you have,” Perelman said.

Three other important steps follow, per Grove: continuously monitoring who can access the network and its changes, assessing the risk to devices and networks, and enforcing policies while getting real-time alerts.

Most attacks, Perelman said, are not to Microsoft Windows or computer systems, but to the turbines and pumps. And they could happen from inside the company. Knowing how your facilities are connected is key.
“It’s so open and so vulnerable and very easy for an employee to cause damage to a system,” Perelman said. “For a power plant or turbine, there is no password. You’re trusting the goodwill of an employee.”

The IIoT speeds up performance and increases efficiency, but at a cost where companies must constantly be aware of threats.

Cybersecurity Infographic

“Progress brings risk with regard to cybersecurity,” Pioneer Pump president Steve Everton said. “I feel industry readiness is relatively low from the IoT side and potentially even lower in the area of managing the related cybersecurity issues, but with risk comes the opportunity for industry advancement and solution development.”

But as we enter 2018, industry leaders feel that many companies are still slow to react. Some maintenance and monitoring activities remain manual, Fluke director of global service and alliances Kevin Clark said. However, he said affordable and flexible sensors are helping to bring automated data to the cloud.

“Many operators today are still evaluating the (potential) efficiency and convenience benefits that might be gained from extending control of pumping applications beyond a plant via the cloud, and they’re measuring these conveniences against the potential threats that could arise via hacks,” Pulsafeeder vice president of product management Axel Bokiba said. “This is particularly so for applications that impact the public drinking water supply or for applications in sensitive petrochemical environments.

“For some applications—such as remote location, or offshore oil and gas, it is clear to see how satellite or IIoT-based communications can enhance a process. But for other pumping applications (that occur within the walls of a singular plant) the adage—‘if it’s not broke, don’t fix it’—still applies to addressing their communications needs.”

Some quotes provided through Pumps & Systems state of the industry requests