DON’T BLINK on security

Effective cybersecurity requires ceaseless monitoring and evaluation of network data and traffic to identify and head off evolving intrusions and potential attacks, but improved tools are making it simpler and easier.

by Jim Montague

Control, www.controlglobal.com, October 2015, p. 72

Security isn’t a barrier. Security is awareness. But it’s hard to get out of that old barrier mindset.

After all, people have been hiding in caves, huts and castles, and behind shields, fences, walls and locked doors for a long time. The desire is always to get behind the barrier where you can breathe easy.

However, that’s not how cybersecurity works. Today’s probes, intrusions and attacks are directed by software, travel via increasingly widespread Ethernet networks aided by Internet protocol (IP), and can run on all kinds of computers that are always up and running—so they must be continuously sought and eradicated in the same way.

“You can put firewalls between the plant floor, IT/business level and other functional areas that define the traffic allowed between them, but then you have to monitor that only the right data gets through in the right way, and that means using the firewall’s whitelisting functions to define specifically what data sources and destinations are allowed,” says Chuck Tommey, PE, business development manager at A&E Engineering (www.AEEngr.com), a CSIA-member system integrator in Greer, S.C. “If there’s unusual traffic, whitelisting can monitor it, not just at the firewall level, but down to the PC level, too.

“Unlike typical antivirus software that’s reactive, and blacklisting that just blocks known bad actors and must be constantly updating, whitelisting doesn’t need to repeatedly download new versions, apply patches, and conduct virus scans. When whitelisting software is updated, new signatures are needed for applicable files, and this does require some effort, but IT has been using these tools for a long time, and the plant can use them, too. These include newer tools like security information and event management (SIEM), which sorts monitoring log files from firewalls, switches with routing functions and PCs, looks for any unauthorized activity, and alerts administrators.”

Neil Peterson, DeltaV product marketing director at Emerson Process Management (www.emersonprocess.com), adds, “There’s no silver bullet for cybersecurity, so security assessments, risk prioritization, firewalls and antivirus software, network segmentation, whitelisting and constant monitoring are crucial. Tools like SIEM can show all networking monitoring in a central display, and look for anomalies in how the network is supposed to be working. Users can then write rules for good or bad behaviors in their networks. This is very doable for steady-state process applications.”

Vulnerabilities and vectors

Today’s stressful cybersecurity environment evolved from IT-based computing and networking, which historically sent and received data from all devices on their networks, and tried to put a lid on afterwards. At first glance, the new and expanding Internet of Things (IoT) and Industrial IoT (IIoT) just mean more pervasive networking, which means “larger attack surfaces” and “more attack vectors”—in short, larger targets and more places for bad guys to shoot from.

The predictable result has been a stream of mainstream and a few industrial breaches. For instance, Germany’s Federal Office for Information Security (BSI) reported in December, 2014, that staff at a steel mill were subjected to a targeted-email, or spear phishing, attack that reportedly tricked recipients into opening an attachment or visiting a website that downloaded malware. This code then penetrated and compromised many of the mill’s corporate and production systems, and even prevented the shutdown of a boiler and blast furnace, causing severe damage. This was the first well-known disclosure of malware causing physical, plant-floor damage since 2010, when Stuxnet was found to have damaged uranium centrifuges in Iran. [A report by the SANS Institute on the attack is at https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf.]

“The German steel mill incident and the stream of vulnerabilities discovered in the OpenSSL library, including Heartbleed and others that received less public attention, or the Poodle vulnerability in certain common configurations of SSL/TLS stacks, have had a significant impact on the industrial control systems (ICS) community,” says Ragnar Schierholz, head of cybersecurity, ABB (www.abb.com) process automation division. “All these events and discoveries remind us that we can’t rest on achievements we’ve made, but must stay constantly alert, and proactively look for possibilities to improve the cybersecurity posture of our ICS products and installations. The trend of increased attention to the ICS domain in the hacker communities continues. Flagship hacker conferences such as BlackHat or DefCon rarely go without talks and demos where security researchers describe new approaches to hacking ICSs.”

GOVERNMENT ASSISTS SECURITY

To help users, businesses, manufacturers and often critical industries requiring security advice and solutions, the U.S. government’s cybersecurity efforts have also been ramping up lately.

“The U.S. Dept. of Homeland Security (DHS) Industrial Control Systems—Cyber Emergency Response Team (https://ics-cert.us-cert.gov) has worked onsite and remotely with multiple companies regarding the Black Energy and Havex malware threats,” says Brett Brack, operational technology analyst at Bachelor Controls Inc. (www.bachelorcontrols.com), a CSIA-certified system integrator in Sabetha, Kan. “In one recent ICS-CERT newsletter, they clarified their use of an open-source, malware-detection tool called Yara (http://plusvic.github.io/yara) with specific instructions.”

In addition, ICS-CERT’s Cyber Security Evaluation Tool (CSET, https://ics-cert.us-cert.gov/Assessments) is available to assist organizations in evaluating and protecting their cyber-related assets. “The tool allows you to use any security standards that you adhere to, whether it’s NIST, ISA, TC-247, ISO or even your own, if your company has already defined cybersecurity standards,” adds Richard Clark, network security and application developer for InduSoft Web Studio at Wonderware by Schneider Electric (www.indusoft.com).

Likewise, the National Institute of Standards and Technology (NIST) recently issued and is updating its Cybersecurity Framework (www.nist.gov/cyberframework), which is a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructures. To encourage use of the framework, DHS worked with critical infrastructure community members to set up the Critical Infrastructure Cyber Community Voluntary Program (C³VP, www.us-cert.gov/ccubedvp) as the coordination point within the federal government for critical infrastructure owners and operators interested in improving their cyber risk management processes.

“The NIST framework has simplified the various standards into an easy to read document that helps asset owners understand what needs to be done with regards to plant cybersecurity,” says Ken Keiser, CISSP, practice leader for plant security services at Siemens (www.usa.siemens.com). “However, users must keep up with the updates coming from the various government and vendor websites that announce new vulnerabilities and what’s needed to patch or fix them. Users may decide to do this on their own or work with industry security experts, such as Siemens Plant Security Services.”

Jeff Melrose, principal technology strategist for cybersecurity at Yokogawa Corp. of America (www.yokogawa.com/us), adds, “Automation users should follow the ISA99 standard recommending zoning of their industrial networks. They should have a very robust, Level-3.5 DMZ separation area between business networks and plant networks. This separation is critical to dealing with sophisticated attacks, and would have thwarted the German steel mill breach.”

The brightening side

The good news is that improving strategies, protections, and even IIoT, virtualized computing and cloud-based services can also make cybersecurity easier. Just as eternal vigilance is the price of freedom, effective cybersecurity is always on, always monitoring, and always examining data and network performance for unauthorized and unusual activity—the traces and footprints of intrusions and potential attacks.

“I encourage practices that defeat the way Stuxnet functioned, but industry has threats that should be a larger focus,” says Brian Foster, senior engineer at Concept Systems Inc. (www.conceptsystemsinc.com), a CSIA-certified system integrator in Albany, Ore. “A recent example was a water-holing attack that targeted an ICS facility by compromising a nearby restaurant’s website. The website was used to install Havex when the facility’s staff ordered from it. Havex is a Trojan horse program that often targets ICS facilities by identifying OPC servers and attempting to exfiltrate collected data. It’s often used in an attack’s discovery stage.

“Many other threats exist, such as Black Energy 2 and Sandworm, but trying to protect against individual malware is no more effective than trying to keep your dogs out of the garden with a fence around one corner of the perimeter. Luckily, as threats continue to grow, useful defenses are becoming even more accessible to industrial users. For example, Tofino’s managed Ethernet switches can be placed throughout an ICS as firewalls, and do deep packet inspection (DPI) for segmented protection; Cylance Protect’s new antivirus software goes beyond black/white lists, and uses intelligent, neural network programming to analyze what programs are doing, determine if they’re trying to modify files, and decide whether to lock them out; and Bedrock Automation just released an ICS that authenticates software commands down to the chip level.”

Recognizing this new reality, more users, integrators, suppliers and governments are demanding cybersecurity solutions. “We just learned that New York State’s Environmental Protection Dept. has mandated that any water/wastewater plant with an IP connection must undergo a cybersecurity audit,” says Dan Schaffer, business development manager for networking and security at Phoenix Contact (www.phoenixcontact.com). “This means a lot of applications will pass from using external firewalls/switches like our mGuard to protecting the next layer of the onion with more antivirus, anti-malware and whitelisting functions on the inside. For instance, Common Internet File System (CIFS) is a standard file-sharing method for computers that can establish a baseline for what a PC is supposed to look like, and then make sure that no critical changes are made to programs, executables or HMI files. If you’re running antivirus software, then CIFS can let it scan plant services and PCs through an mGuard switch.”

Beyond basic services

Once passwords are updated, ports are closed, the network is segmented and firewalled, traffic is encrypted, new tools are applied and staff is trained in basic security practices, what’s next? Well, it’s time to reassess, seek more vulnerabilities and protections, and resume seeking to make the odds of a successful intrusion and attack ever smaller.

For instance, one of Boliden’s (www.boliden.com) mining and smelting plants in Sweden already had a cybersecurity program for its System 800xA control system, but managers recently wanted to augment it with a fresh perspective, so they initiated ABB’s multi-layered Cyber Security Fingerprint program to validate the plant’s existing security policies, find new areas they hadn’t considered, and supplement their efforts to prevent unauthorized access and mitigate computer viruses (Figure 1). The fingerprint service collected data from more than 100 points in the plant’s control system, conducted in-depth interviews with Boliden personnel, and used software-based analysis to compare its performance with industry standards and best practices. It also helped the plant add protection layers to its 800xA system, and Boliden’s staff reports it gave them greater confidence in their cybersecurity program and increased their knowledge about proactively preventing breaches.

Likewise, Honeywell Process Solutions (www.honeywellprocess.com) recently launched its Industrial Cyber Security Risk Manager, which is a digital dashboard designed to proactively monitor, measure and manage cybersecurity risks for process control systems within and across all security zones of a plant, including third-party systems. By understanding security zones, it’s aligned with ISA 62443 and can calculate accurate risk scores.

“It’s still useful to think of cybersecurity like process safety: ask what are the consequences if a system gets compromised; perform risk assessments; decide which consequences are acceptable; and limit them to acceptable levels,” adds Mike Baldi, cybersecurity solutions architect at Honeywell. “After setting up firewalls and monitoring, it’s also important to have a site incident response plan (SIRP), including an isolation strategy for disconnecting when a breach occurs, an approval plan for who can act, a team that can assess and do recovery, and a schedule for practicing the SIRP.”

Josh Carlson, systems cybersecurity manager for North America at Schneider Electric (www.schneider-electric.us), adds, “The same dots can be connected with cybersecurity as with process safety, but users also need to go beyond DMZs and segmenting their networks, and broaden their security scope to include outside engineers, contractors, vendors and components coming in.”

Better remedies for deeper defenses

Fortunately, stronger and simpler cybersecurity software and hardware tools appear to be multiplying lately, enabling users to effectively protect their applications and facilities more quickly and with fewer headaches.

For example, Bedrock Automation (www.bedrockautomation.com) has developed a universal, open-source ICS with an electromagnetic backplane architecture, software-configured universal analog and discrete I/O, and embedded cybersecurity. “Bedrock’s controller is easier to apply because it has built-in, galvanic isolation and isolation channels, so it doesn’t need added relays. It can also take care of its own encryption via OPC UA, too, because its backplane won’t accept counterfeit modules,” says Dee Brown, principal at Brown Engineers LLC (www.brownengineers.net) in Little Rock, Ark., an electrical, mechanical and system engineering firm that focuses on water, wastewater, power distribution, critical power and security projects. “We’re looking to add it to three or four utility customers. They want to control security functions from their iPads and control centers because their networks are getting hammered every day by probes and attempted intrusions, and this controller will give them another layer of protection beyond their firewalls and VPNs. At the hardware level, it powers up and checks for validated hardware. At the operating systems level, it checks that valid programs are running. All of these have to be OK for the controller to operate. Regular PLCs don’t do this.”

One of the primary trends fueling development of these new cybersecurity solutions is the increasing convergence of IT and operations technology (OT), according to Bill Mueller, senior project engineer at Banks Integration Group (www.banksintegration.com), a life sciences-focused, CSIA-member system integrator in Vacaville, Calif. “For instance, Cisco and Rockwell Automation’s partnership has produced familiar switching gear with several functions typical of enterprise-level network gear. In the past, segmentation and network isolation were accomplished with two network cards, two switches and separate subnets. With the newer switch gear, we can get similar results with half the hardware. Also, configuration wizards built in to the switches provide easy setup of virtual local area networks (VLANs) and data traffic-shaping functions. Another benefit for our clients is that the new systems can be maintained by traditional control engineers directly, and don’t require involvement by corporate IT. This lowers the barrier to design more efficient and secure network topologies.”

Figure 1 (FINDING NEW HOLES): One of Boliden’s mining and smelting plants in Sweden uses ABB Cyber Security Fingerprint to augment its security program by collecting data from more than 100 points in the plant’s 800xA control system, interviewing personnel, and using software-based analysis to compare its performance with industry standards and best practices. (Source: ABB)

Training humans for a united front

While new innovations can help users stay ahead of cybersecurity threats, one of the most powerful security tools is already inside most process organizations, but remains unused by many—cooperation between plant/process and IT professionals, and training each in the needs and best security practices of the others. More recently, due to the risks posed by many outside contractors’ vulnerable equipment, users are giving them the same training and protections deployed internally.

“The two most potent ways to improve cybersecurity are layering network architecture defenses and training the humans,” says Concept’s Foster. “Phishing and spear phishing come through email, and watering hole attacks trick users into downloading malware, so it’s crucial to educate employees and third-party contractors about dealing with them.”

A&E’s Tommey adds, “Last year, one of our clients got a virus on their control system, and when they checked their laptops, they found that some of the young guys in operations had changed the boot sequence on the PCs from only loading from the hard drive to also loading from a flash drive. They did it so they could load and play games, but this also introduced the virus. These abilities can be disabled, but this is also a management issue. People have to be told and trained in the rules, and then they have to be held accountable.”

AUTOMATIC PATCHING AT ELI LILLY

One common headache shared by process control engineers and IT managers is successfully managing their multiplying, sometimes sanity-threatening software patches.

“Patching is not everyone’s favorite job. You’re always trying to find the next hole and plug it. With preparation, patching begins to look like an assembly line,” says Kurt Russell, consultant engineer for automation at Eli Lilly and Co., who manages 15 DeltaV DCSs at its pharmaceutical plants in Indianapolis, Ind. “As a result, we experimented with mechanisms to automate patching with some success, but we’re thankful that Emerson Process Management (www.emersonprocess.com) developed its Guardian Software Update Delivery Service (GSUDS) and offers it as a free software tool for patch management.”

GSUDS enables Eli Lilly to download software patches, hot fixes and other updates. These tasks are performed on the Guardian WSUS Interface (GWI). WSUS is short for Windows Server Update Services. “GSUDS’ main benefit is that we don’t have to run around and manually do patches anymore,” explains Russell. “We can see them all in one place, and easily get the data and reports we require.”

Russell adds that Eli Lilly’s applications are served by an upstream server with Internet access, which hosts a Microsoft-based WSUS and GSUDS. The system also includes a downstream, dedicated, non-DeltaV server, which hosts a Microsoft WSUS, GWI and Symantec Live Update Administrator (LUA) for each DeltaV system.

“All of the Microsoft security patches are automatically approved at the upstream server and synchronized to the downstream server,” adds Russell. “Also, GWI approves DeltaV-specific updates on the downstream server, and DeltaV hot fixes are approved at the downstream-server level, so each system administrator approves for their own system.”

To ensure that release notes are followed prior to installing, Russell added that hot-fix prerequisites still must be performed. “Otherwise, installation of new patches may fail, and a second attempt will be necessary to re-run updates after a Windows reboot,” he said. “So, oversight of the patching process is required to verify distribution. In all, GSUDS gives us a single infrastructure for patching and automatic distribution of updates and other content, and saves us much time and effort compared to manual methods.”

Virtual, IP-aided security?

Finally, one of the core principles of cybersecurity in process control is the ISA99 standard, now IEC 62443, which directs users to achieve defense-in-depth by further dividing their process control networks and sub-networks into zones with common functions, and linking them with conduits guarded by managed Ethernet switches serving as firewalls (Figure 2). However, these directives can now get an added boost from virtualized and cloud computing assisted by Internet-based networking, which is also how they’ve fueled the emergence of the IoT and IIoT.
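The firewall whitelisting Tommey describes, the SIEM rule-writing Peterson mentions, and the ISA99/IEC 62443 zones and conduits of Figure 2 come together in a small audit, shown here as an added example that is not from the article or any vendor in it: each address is assigned to a zone, each logged flow is checked against an explicit conduit whitelist, and an allowed flow that matches no conduit is reported as the finding that matters. The zone subnets, the conduit table and the firewall log format are assumptions constructed for the demo.

```python
"""Zone-and-conduit whitelist audit over firewall log lines (added example)."""
import ipaddress
import re

# Constructed zone map: one subnet per zone (assumption for the demo).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":        ipaddress.ip_network("10.2.0.0/24"),
    "plant":      ipaddress.ip_network("10.3.0.0/16"),
    "control":    ipaddress.ip_network("10.4.0.0/16"),
}

# Approved conduits: (source zone, destination zone, protocol, port).
# Anything not listed is a violation: this is a whitelist, not a blacklist.
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),    # office users reach the DMZ data server over HTTPS
    ("plant", "dmz", "tcp", 4840),        # plant-side collector pushes data to the DMZ via OPC UA
    ("plant", "control", "tcp", 502),     # HMI/SCADA servers poll PLCs over Modbus/TCP
    ("plant", "control", "tcp", 44818),   # EtherNet/IP to PLCs
}

# Constructed log format: key=value fields as a typical firewall might emit.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def zone_of(ip):
    """Map an address to its zone; anything outside the zone map is 'external'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def check_flow(src, dst, proto, dport):
    """Return None if the flow is an approved conduit, else a reason string."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return None  # intra-zone traffic is outside the conduit policy
    if (sz, dz, proto.lower(), dport) in CONDUITS:
        return None
    return f"no conduit {sz}->{dz} {proto.lower()}/{dport}"


def audit(log_lines):
    """Parse log lines and return (line_no, severity, reason) alerts."""
    alerts = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            alerts.append((n, "warn", "unparseable log line"))
            continue
        reason = check_flow(m["src"], m["dst"], m["proto"], int(m["dport"]))
        if reason is None:
            continue
        # A denied violation means the firewall did its job (record it);
        # an allowed violation is a policy gap or misconfiguration (page someone).
        severity = "critical" if m["action"].lower() == "allow" else "info"
        alerts.append((n, severity, reason))
    return alerts


# Constructed sample log: two approved flows, one cross-zone gap, one blocked probe.
SAMPLE_LOG = [
    "src=10.1.5.20 dst=10.2.0.10 proto=TCP dport=443 action=allow",
    "src=10.3.0.5 dst=10.4.1.7 proto=TCP dport=502 action=allow",
    "src=10.1.5.20 dst=10.4.1.7 proto=TCP dport=502 action=allow",   # office PC talks Modbus to a PLC
    "src=203.0.113.9 dst=10.2.0.10 proto=TCP dport=22 action=deny",  # external SSH attempt, blocked
    "src=10.3.0.5 dst=10.2.0.10 proto=TCP dport=4840 action=allow",
    "src=10.4.1.7 dst=10.4.1.8 proto=TCP dport=44818 action=allow",  # intra-zone, not audited
]

if __name__ == "__main__":
    for line_no, severity, reason in audit(SAMPLE_LOG):
        print(f"line {line_no}: [{severity}] {reason}")
```

The same table also expresses the DMZ relay Mueller describes later (plant collector to DMZ server, office to DMZ server, nothing office-to-control), so a conduit missing from the whitelist surfaces as a critical alert rather than silently passing.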

“The simple and practical method we’ve employed to provide a secure transfer of system data is to use a DMZ. Data from the secure manufacturing networks is collected by a server on the manufacturing network, and passed onto a second server providing the data on the enterprise network,” says Banks’ Mueller. “Recently, we’ve been taking this architecture one step further to provide remote support for our clients. A connection is provided through the corporate enterprise domain to a machine on the DMZ, either VPN or an application server such as Citrix. From there, a remote engineer connects through the DMZ to a virtual development environment on the manufacturing network. These virtual development environments are deployed and destroyed on an as-needed basis to support manufacturing facilities.”

Jim Montague is Control’s executive editor.

Figure 2 (IN THE ZONES): The ISA99, now IEC 62443, standard directs users to achieve defense-in-depth by further dividing their process control networks and sub-networks into zones with common functions, and linking them with conduits guarded by managed Ethernet switches serving as firewalls, such as Belden’s Tofino security modules. (Source: Belden)

[Figure 2 diagram labels: Internet, IT firewall, office network, plant network, control network, wireless, enterprise workstations, enterprise servers, IT firewall, HMI stations, PLCs, remote diagnostics, external network, engineering stations, servers, contractor, dial-up.]