SUCCESS COMES WITH CYBERSECURITY
BY DREW ROBB
“Go digital, young man!” is the mantra preached by OEMs, service providers and controls experts. But the journey toward digitalization requires opening up the plant and its systems to external networks. For every potential benefit, a nasty collection of threats lurk. Hackers, criminals, nation-state infiltrators, and even kids up to mischief can use the network to gain access to critical systems.
If digitalization is inevitable, then so is cybersecurity. Yet many facilities are unprepared. A study by analyst firm Gartner found security and privacy to be top concerns when it comes to the adoption of digitalization technologies, such as the Internet of Things (IoT). Yet 84% of organizations are insufficiently prepared.
Companies, such as OSIsoft, Dragos, GE, XMPLR Energy, ABB, KnowBe4, Mitsubishi Hitachi Power Systems, CCC, Amazon Web Services, and Aperio, are putting in place best practices and systems to address cybersecurity.
Experts concur that the first step is having a cybersecurity plan. And that is where many users stray. They either do not have a plan, or the plan only deals with threats when they occur. The right plan includes how to identify assets at risk, how to protect them, how to detect incursions, how to ensure compliance, how to recover from a breach, and how to respond.
“The power industry should be concerned about cybersecurity as it is a real risk,” said Scott Affelt, President of consulting firm XMPLR Energy. “At the same time, they can’t put the organization on hold while they wait to get secure.”
He noted that the number of connected devices will double over the next few years, exceeding 20 billion by 2020. More than half of those connections will be machine-to-machine, flowing automatically across business systems. This opens a wide highway to hackers into those systems. He advised the industry to introduce cybersecurity into management processes, and to make a comprehensive plan.
The elements required are:
• Making an inventory of all assets to identify those at risk
• Setting up a strength-in-depth strategy composed of many layers of protection
• Detecting incursions that find a way through those defenses
• Complying with regulations, such as North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)
• Determining how to recover when a breach occurs
• Unearthing any and all points of a breach
• Hardening the organization against further incursions.
A new report by Markets and Markets found that the CIP market will grow from $110 billion in 2017 to $153 billion by 2022. The network security segment is projected to grow the most during that forecast period. The various network security solutions include identity and access management, risk and compliance management, encryption, firewall, antivirus/antimalware, intrusion detection systems, and intrusion prevention systems. Network security solutions safeguard the critical systems network from malware, ransomware, viruses, worms and other attacks.
The physical security segment, though, is expected to have the largest market share and dominate the CIP market from 2017 to 2022, due to growing instances of physical attacks and natural disasters on industrial plants, oil fields and ports.
“It is vital to prioritize assets and all related risks,” said Affelt. “Focus on key assets, engage all employees and educate them so they help you in watching out for threats.”
Some 91% of security incidents come in via what is known as phishing. This is where hackers send out malicious emails posing as legitimate communications. They may pretend to be from suppliers, manufacturers, people within the organization, clients and financial firms. The goal is to get the person to click on a link or open an attachment. And presto, the bad guys are inside.
Being asset-centric, the good news is that power producers and utilities are less at risk than other industries, such as financial services. But initiatives, such as smart metering, remote monitoring, IoT, and the cloud are changing that.
“You can’t eliminate risk, you can only manage it,” said Affelt. “Being compliant does not equal being secure. It requires tight collaboration between IT and operational technology (OT) staff.”
Roger Grimes, Defense Evangelist at cybersecurity training firm KnowBe4, called attention to recent revelations of successful Russian-sponsored attacks against power grids in various countries, and a growing real-world threat by North Korea and other hostile countries. This served to make energy companies more aware of the threats they face. “For over two decades, management at energy companies in the U.S. and elsewhere thought they were doing okay on computer security,” said Grimes. “They knew they had lots of weaknesses and vulnerabilities, but a lack of big attacks gave a false sense of security.”
He noted that 90% or all successful data breaches are accomplished by social engineering. This involves phishing emails that take the guise of benign messages from banks, suppliers, or other trusted sources. “Energy companies should focus on preventing social engineering and phishing,” said Grimes. He recommends security awareness training. KnowBe4 offers systems to detect and prevent phishing, as well as training users to greatly lower the incidence of breaches. This involves grading user susceptibility to phishing followed by education to increase awareness.
“A good place to start is to gain executive support backed by funding to manage cybersecurity,” said Dee Kimata, Cybersecurity and Collaboration Operations Center Product manager at ABB’s Power Generation & Water business. “There must be an organizational commitment to define baseline security requirements, and then to routinely measure yourself against those baselines.”
Some of the actions of the plan require collaboration, assessment and the establishment of procedures. Others can be set up automatically. ABB uses a lifecycle support model for industrial cyber security: identify, protect, detect, respond. On the protect step, for example, you can automate patch management, backup and virus protection.
Kimata also recommended a defense-in-depth approach consisting of multiple complementary layers. This includes tools, such as firewalls, network anomaly detection, phishing protection, security awareness training and behavioral analytics. She added that compliance mandates, such as NERC CIP often serve as the driver for organizations to begin facing the necessities of cybersecurity. “The key to management of an incident is how effectively an organization can recover and with minimal impact,” said Kimata. “Processes must be in place to respond adequately to incidents.”
OEMs are responding, as well. MHPS has developed its Tomoni control system. It incorporates a great many cybersecurity protections, as well as the use of handhelds, voice recognition and artificial intelligence (AI). You can ask the system how the plant is and receive a verbal response. “In the past, you discovered an intrusion and dealt with the aftermath,” said Paul Browning, CEO of MHPS. “Nowadays, AI can recognize anomalous behavior and shut off access to prevent intrusions before they occur.”
Asset-centric industries such as power generation and oil & gas have a lower risk profile than other industries when it comes to cybersecurity. However, risk exists and must be managed.
There is currently a lack of visibility into cyber threats related to control systems. Several power generation and control specialists are partnering with IT firms to bring greater cybersecurity smarts into the industry. Dragos, the developers of the Dragos Industrial Controls Systems (ICS) threat detection and response platform, is collaborating with GE to help owners and operators more effectively detect and respond to industrial cyber security threats. Benefits are said to be broader threat detection and response capabilities, greater insight into ongoing threats, cybersecurity training and practical guidance for industrial engineers.
Similarly, cloud vendor Amazon Web Services (AWS) and OSIsoft are working together. OSIsoft’s PI System transforms operational data streams from sensors, devices and industrial processes into realtime insights to save money, increase productivity or create connected products and services. Over 1,000 utilities, 90% of the world’s largest oil and gas companies and 65% of the Fortune 500 industrial companies, rely on the PI System in their operations.
Quick Starts for AWS lets you stand an OSIsoft PI System on AWS. In addition, PI Integrator for Business Analytics delivers PI System data to AWS to reduce time and cost of bringing operational and IoT data to AWS for sharing or analytics. Enhanced connectivity and data sharing can also accelerate digital transformation and shrink the OT-IT gap. It is said to reduce the time consumed by data preparation in analytics projects by over 90%. AWS Quick Starts for the PI System consists of templates, reference architectures and other technologies for quickly managing a fully functioning PI System in the Amazon cloud. It can be used to monitor remote or isolated assets and integrate analytics into operations, such as running day-ahead pricing scenarios at oil and gas operations or conducting plant-to-plant comparisons.
Attacks have occurred. An incident a few years ago tricked operators at Iranian nuclear plant into believing their systems were normal when a centrifuge was breaking down, said Michael Kanellos, IoT Analyst at OSIsoft. It knocked out 20% of Iran’s centrifuges. In 2015, Ukraine’s grid operator got hit with a similar virus. And last year, Saudi Arabia’s oil industry was hit with a similar virus. Hackers are coming up with tools that create artificial data that manipulate equipment (turn it off or on, for example) or manipulate data coming off a system to prompt an engineer or other party to take an action that is not in their interest, i.e., remote systems might be overheating but everything looks normal.
“Malware can present power plant operators with wrong data,” said Kanellos. “But by combining data from OSIsoft and Dragos systems, it is possible to detect patterns that indicate suspicious behavior.” Facilities worried about their systems being accessible over the network can set up what is known as a one-way diode, said Kanellos. Data can be sent from the facility to the cloud, but it is impossible for anything from the cloud to come back into the enterprise. The diode converts digital information from the plant into optical signals before sending it to the cloud. There is no equivalent optical converter to send data from the cloud back to the plant. A diode can cost $30,000 or less, said Kanellos. “This technology, currently used in nuclear facilities, oil refineries and other highly sensitive sites, is coming to power plants,” said Kanellos. “Waterfall, a diode company, is working with CNA Hardy to give a premium insurance discount to those who implement a data diode. We also recommend data encryption.”
OSIsoft is working with Lawrence Berkeley Lab on research that compares network data, using physics to detect discrepancies. It is also collaborating with Aperio, which takes a slightly different tack. It analyzes reams of historical data and looks for anomalies. It does not care about the value of the data as much as unusual variations. If something rises 10° rapidly, for instance, it might be flagged as synthetic. Likewise, he said, Dragos offers similar services on attacks from the inside.
Compressor Controls Corp. (CCC) has released an upgrade to its turbomachinery controls platform. Known as Total Train Comprehensive Release version 14.1, it is focused on improving cybersecurity defense around turbomachinery. The upgrade process is done without loss of data or process disruptions. Its familiar Human Machine Interfaces (HMIs) will operate without change.
“The new features strengthen cybersecurity awareness and response capabilities,” said Rich Hall, Vice President of Product Management and Marketing at CCC. “We’ve implemented a cybersecurity program that complements good industry practices, such as separation of turbomachinery controls and protection systems to provide improved security.”
Cost of a breach
Many plants balk at the high cost of security systems. What is not realized is that it is far more expensive to suffer an attack. According to 2018 research conducted by the Ponemon Institute, the global average cost of a data breach is up 6.4% over the previous year to $3.86 million. Making security investments can help ensure that anything that resides on a network is safe.
Security is also one of those investments that is never finished. Some think they can buy some software and be done with it. But that is only the beginning. It takes trained personnel, keeping systems up to date, and vigilance throughout the facility. With modern plants running thousands of devices connected through the Internet of Things (IoT), the successful convergence of OT and IT has become a business imperative on the executive- management agenda.
Voith and Kudelski are partnering to help integrate and secure systems across both IT and OT. They are offering advisory services to provide the framework for putting the right safeguards in place using a managed security services model. This will combine expert analysis, threat monitoring, intelligence sharing, and rapid detection and response to threats to protect the plant around the clock. Kudelski delivers contextual threat intelligence and predictive security, while Voith provides OT expertise and tech support on the ground at the customer site.
Digital transformation is the buzzword of the moment. Many companies are engaged in strategies to more closely integrate various digital data pools within the organization. Analyst firm International Data Corp. is forecasting the global spend on digital transformation will reach nearly $2 trillion in 2022. But while digitalization has a host of benefits, it exposes energy producers, utilities, OEMs and oil & gas companies to far more potential risk.
Tina Stewart, Vice President of Strategy at Thales eSecurity said basic security measures such as encryption are in use by fewer than 30% of organizations deploying cloud, big data, and IoT applications. Further, those most aggressively pursuing a digital strategy run the highest risk of a data breach. “Organizations need to take a fresh look at how they implement data security and encryption in support of their transition to the cloud and meeting regulatory and compliance mandates,” said Stewart.
Sidebar: How the Bad Guys Attack
It is surprisingly easy to find email addresses. There are even data exchanges that cybercriminals use to buy and sell email lists, passwords, and other security credentials. In the past, they were used to send scam emails to large numbers of people. Promises of millions from Nigerian bank accounts, lottery winnings, and other schemes tricked more than a few out of their savings.
These days, organizations are regarded as juicer targets. Hackers use phishing or spear phishing to compromise security. Phishing emails are fairly easy to spot, although they still achieve success. Spear phishing is the preferred avenue of attack into corporations. It is really the same as phishing only its highly targeted rather than “spray and pray.” The cybercriminals go after a top exec, or someone in finance with access to funds or corporate secrets. The goal is to dupe the person into transferring money, giving out bank details, or granting access to intellectual property files. The U.S. FBI has recently issued alerts to top management organizations about this threat as hundreds of millions have been stolen in this way.
KnowBe4 recommends training of employees on how to spot phishing emails. Before training, the company sends out a simulated phishing attack to determine open rates. After training, it continues to send out these emails and reeducate employees until the open rate is considerably lowered. This type of approach is one industrial companies should consider as a way to harden their security perimeter. A cyber criminal does a ‘deep search’ for email addresses of your organization on the Internet. They find all publicly available email addresses