Cyber security

Thomas Ayral, Konstantin Rogalas | Lukas Dehling

The control system at a glance

A wide variety of components work together in an industrial process control system. A single infected device can serve as a gateway for accessing, modifying or switching off other nodes. This is how companies can protect themselves.

© Honeywell

An industrial process control system typically contains routers, switches, control and regulation components, and Windows-based servers and workstations, all of which communicate via the process control network (PCN). This PCN and every device connected to it must be monitored for cyber security threats and vulnerabilities: a single compromised device on the PCN can serve as a gateway to access, modify or disable other nodes. If the security of the process control system is compromised, operations and production can be affected with potentially devastating consequences. These range from a stoppage of production to the destruction of production facilities and equipment, the death or injury of employees, explosions and the release of toxic gases or smoke that injure or kill contractors or civilians, damage to the environment, regulatory fines, damage to the company's reputation, and loss of confidence among investors and customers.

12 steps to reduce the risk

The following twelve steps should therefore be carried out for the modules, endpoints, workstations, computers and servers of an industrial control system network in order to minimize the risk of an attack on the industrial control system:

  1. Create backups of all control system software and data in accordance with the manufacturer's instructions.
  2. Install and properly configure firewalls.
  3. Install all important software corrections (patches) on the industrial control systems and use compensating mechanisms to protect the systems between maintenance and patch cycles.
  4. Keep malware and virus protection software (AV) and its virus definition files up to date.
  5. Install application whitelisting technology that only allows accepted or known files to execute. This is achieved by creating a list of verified applications and allowing only these to run.
  6. Install an automatic method for monitoring assets or nodes in the control network, including infrastructure components, PCs and servers.
  7. Install a method for automatically detecting hidden or defective components, e.g. I&C components that communicate via the network but are not monitored for cyber risks. This also covers removable media such as USB drives and CDs/DVDs, as well as laptops and smartphones.
  8. Train company employees on the security of industrial control systems, including the importance of password controls and awareness of social engineering attacks. The percentage of detected policy breaches and security incidents should be recorded automatically. Mandatory password changes at regular intervals are part of password monitoring.
  9. Automatically monitor the status of assets and networks using relevant industrial cyber security indicators. It is important to show how the security status is improving.
  10. Monitor the percentage of control hardware, nodes and endpoints that are not infected by known malware and viruses.
  11. Automatically determine general vulnerabilities in the control hardware, nodes and endpoints and record whether their number is increasing.
  12. Have an automated method that points to the origin of a cyber threat. This can also include connections between the company's information network and the industrial control network.
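As an added example (not Honeywell's code or the Risk Manager's algorithms), the following Python sketch computes the indicators named in steps 9 to 11 over a constructed asset inventory and reports whether each one is improving or deteriorating between two scans; the node names, record fields and the 7-day AV definition threshold are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str           # asset identifier (constructed sample data)
    patched: bool       # all vendor-approved patches applied
    av_age_days: int    # age of the installed virus definition file
    infected: bool      # known malware detected by AV
    vulns: int          # known vulnerabilities reported by the scanner

def indicators(nodes, max_av_age=7):
    """Plant-wide indicators from steps 9-11 (assumed definitions)."""
    return {
        "clean_pct": round(100 * sum(not n.infected for n in nodes) / len(nodes), 1),
        "patched_pct": round(100 * sum(n.patched for n in nodes) / len(nodes), 1),
        "stale_av_nodes": sum(n.av_age_days > max_av_age for n in nodes),
        "total_vulns": sum(n.vulns for n in nodes),
    }

def trend(previous, current):
    """Step 9/11: is each indicator improving, deteriorating or stable?"""
    result = {}
    for key, now in current.items():
        delta = now - previous[key]
        if delta == 0:
            result[key] = "stable"
        else:
            # percentages improve when they rise; counts improve when they fall
            improving = (delta > 0) == key.endswith("_pct")
            result[key] = "improving" if improving else "deteriorating"
    return result

def worst_nodes(nodes, limit=3):
    """Drill-down view: infected nodes first, then by vulnerability count."""
    ranked = sorted(nodes, key=lambda n: (not n.infected, -n.vulns))
    return [n.name for n in ranked[:limit]]

# Constructed sample inventory: two scans of the same PCN, a week apart.
LAST_WEEK = [
    Node("hist-01", False, 2, False, 4),
    Node("eng-ws-02", False, 30, True, 6),
    Node("plc-07", True, 0, False, 2),
    Node("fw-dmz", True, 0, False, 0),
]
THIS_WEEK = [
    Node("hist-01", True, 1, False, 2),
    Node("eng-ws-02", False, 1, False, 6),
    Node("plc-07", True, 0, False, 5),
    Node("fw-dmz", True, 0, False, 0),
]
```

Calling `trend(indicators(LAST_WEEK), indicators(THIS_WEEK))` flags the vulnerability count as deteriorating even though the infection was cleaned up, which is exactly the separation of indicators that steps 10 and 11 ask for.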

Ongoing monitoring is crucial

The 'Risk Manager' tool proactively records, monitors and manages cyber risks in industrial plants and systems.

© Honeywell

The ability to quickly monitor the indicators associated with these twelve steps and to see how they change over time is very important for the success of industrial cyber security. Honeywell offers the right tools to implement these twelve steps.

The 'Risk Manager' is one such solution, specifically designed to monitor risks, vulnerabilities and threats in this security area. Proprietary algorithms proactively detect risk indicators. Early warning allows more active control and more opportunities to close security gaps before it is too late. Analysis and monitoring are based on endpoint security, patches, network security and data backups. Monitoring the control network and capturing its many servers, workstations, controllers, firewalls, routers and switches makes it possible to derive meaningful metrics for threat assessment and to develop an action plan.

Scales and trends show the current and changing status of risks. Messages explain and point to warnings and errors in input data. Detailed views allow the plant engineer to identify the exact node, endpoint, server, facility or computer that triggered the alert or warning. Changes in trend or risk data in the plant indicate whether the cyber security risk is improving or deteriorating.

If the aim is not only to continuously monitor larger distributed systems, but also to be able to secure them with specific measures, 'ICS Shield' is the right solution from Honeywell.

Technology is not what is lacking

With this top-down platform for OT security management, which serves as the basis for securing ICS/SCADA (Industrial Control Systems) environments, the user can access all control systems. Among other things, it offers not only functions for monitoring and detecting system components, but also secure remote access from a central operating center as well as secure data transmission, automated patches and AV updates. The platform standardizes and automates the policy management process and, unlike the 'Risk Manager', enables the creation, deployment and enforcement of asset-wide and granular security policies.

The first step is to automate the asset inventory in the network. This captures more detailed configuration data for each asset and classifies the assets according to criticality levels. Monitoring changes in the asset base and configuration, together with asset visualization, provides holistic transparency over OT assets.

In addition, 'ICS Shield' provides AAA (Authentication, Authorization, Accounting) remote access to ensure security for remote access and monitoring, protected distribution of files to devices and secure data transfer from the asset to the central office for analysis and risk management. Secure remote access is ensured, for example, by the administrative definition of security guidelines for remote access, two-factor authentication, password management and reports on all remote access sessions.

Key features include the continuous, active auto-detection of the asset, which uses its own server to query vulnerabilities, among other things. The distributed ICS Shield infrastructure is designed for vendor-neutral use at multiple locations and therefore guarantees complete data security and integrity.

USB sticks - a great danger

Handy, easy to use and available with more and more storage space: USB sticks are now part of everyday working life, but can also be a gateway for hacker attacks.

© Honeywell

In addition to external sources of danger, one of the greatest security risks can be the company's own employees and the all too common careless handling of company data and storage media. To prevent a USB stick, for example, from becoming a gateway for unauthorized network access, Honeywell offers Secure Media Exchange (SMX). Consisting of a hardware unit and corresponding software, SMX reduces cyber security risk and limits operational disruption by monitoring, protecting and logging the use of removable media in industrial facilities.

The SMX security unit first prompts the visitor to insert their removable media as part of the login procedure. Malware and other security threats are detected before they are transferred to critical facilities via USB sticks, for example. The solution prevents unverified devices from using the USB ports and keeps the interface open only for verified devices.

In addition, Honeywell offers a range of services for recording and evaluating the respective threat situation, creating a cyber security profile for the relevant company, integrating the technology and training the relevant personnel. Even the outsourcing of certain measures - such as automatic patching or regular monitoring - and notification in the event of an alarm are now possible with corresponding managed services packages.

Lack of readiness

However, the existing technological possibilities do not help if there is a lack of willingness on the part of the company and even entire industries. One example is the operators of critical facilities (KRITIS) in Germany, who should be held more accountable under the IT Security Act passed by the BSI. In practice, however, many of the companies concerned are still far from being able to meet the requirements in the field of automation security for various reasons. The willingness to do so is the main problem here. On the one hand, this may be due to the fact that although the BSI has formulated specific requirements in the regulation, there are hardly any known consequences for non-compliance. On the other hand, the topic of cyber security has barely reached the C-level to date, with the result that there is a lack of corresponding expertise and resources.

An important first step could be to analyze your own threat situation and create a corresponding threat and security profile. After all, every plant operator should at least be interested in knowing who the potential attackers are in their individual case and to what extent they are already armed against them.

Ultimately, every company and every operator of a critical plant decides for themselves how much risk they want to bear, both economically and socially. However, for all those who are prepared to take the issue of cyber security seriously and take appropriate measures, a wide range of functional technologies and supporting services are already available so that an individual concept can be developed quickly.

Authors:
Thomas Ayral is a Cyber Security Specialist at Honeywell Industrial Cyber Security;
Konstantin Rogalas is Business Lead at Honeywell Industrial Cyber Security for Central and Southern Europe.
