Ashish Modi, Business Head, Lifecycle Services and Solutions, India, Honeywell Process Solutions, discusses security risks and threats in the industrial sector and Honeywell’s approach to cyber security.
How can you measure the current risk level as far as cyber-threats are concerned in process industries?
The security of automation solutions and networks has become a critical component of plant safety, ensuring that all assets - physical, intellectual and people - are protected. There is also an increase in the demands placed on plant personnel for emphasis on leveraging new and existing technology to improve uptime, availability and reliability which places additional pressures that must be addressed. In recent years, the cyber threat landscape has been evolving at an alarming pace with a sharp increase in incidents of targeted malicious attacks on process facilities. This has prompted industry to create standards and governments to build regulations to help define best practices and frameworks to counter. These pressures have led many industrial organizations to deploy cyber security solutions and services to objectively and regularly monitor and continually assess their risk exposure.
Honeywell offers cyber security vulnerability assessments that examine the three core facets of an organization’s cyber security – People, Process and Technology. Honeywell experts assess users’ current cyber security policies, procedures and technologies and provide them with a roadmap for securing their industrial network. The security assessment would indicate the gaps between what a company desires and what technical controls it uses today.
The outcome of the security assessment includes a report of gaps and recommendations and an overall ranking of the security level and maturity rating of a company compared to others in the industry. Knowing where you are security-wise can help you start a more focused approach to cyber security for the future.
Honeywell Industrial Cyber Security Solutions also focuses on protecting customers' automation investments besides availability, reliability and safety of industrial control systems and plant operations.
What are the sectors that are particularly vulnerable to attacks? Are these industries prepared to deal with such attacks?
Cyber Security is a critical aspect for all process industries including oil & gas, refining, pulp & paper, industrial power generation, chemicals and petrochemicals, biofuels, life sciences and metals, minerals and mining industries. Losses in case of a cyber attack can be significant for any organization regardless of which sector it belongs to. Organizations have long understood that there is a difference between protecting facilities and data, and protecting processes that are operated or controlled with information technology. Security measures that are appropriate for data networks could be disastrous if a compromised process threatens to damage productivity, capital assets, and possibly human life.
In order to cut costs and improve operational efficiencies, industries tend to look at safety and process systems that can integrate with common technologies. In many cases, however, they fail to foresee that this approach opens doors to potential cyber-security issues. Attacks on a cyber-system may involve only the cyber components and their operation, but the impact can extend to the physical, business, human and environmental systems to which they are connected.
Most industries in India do not have a security plan in place to tackle cyber-attacks and hence will find it difficult to deal with such attacks. It is important that they are made aware of the cyber landscape and high risks they are exposed to and put a cyber-security system in place that will help curb such attacks.
What is Honeywell’s play in the Cyber Security domain? How can you help industries deal with anonymous attacks?
Honeywell believes that automation network security and performance is a critical component of plant safety in the process industries; hence its Industrial IT Solutions focuses on protecting process industry facilities from the growing risk of industrial cyber security threats and vulnerabilities. The portfolio includes scalable tools, services, best practices, and support from Honeywell's global army of network- and security-certified personnel that secure users' critical infrastructure and deliver a more predictable and safe environment – regardless of control system vendor or location.
Honeywell’s risk management solutions are customized to process control environments in a phased manner:
Phase 1: Assess - Honeywell experts assess users’ assets against industry standards, regulatory requirements and best practices to identify vulnerabilities and to offer a phased approach to ensure industrial cyber security.
Phase 2: Remediate - Honeywell’s Industrial IT Solutions focuses on minimizing vulnerability to cyber events, improving system performance and reducing the impact and recovery time of an incident.
For example, application whitelisting provides protection to each individual node. It keeps a list of files allowed to run on PCs as well as those allowed only to execute and nothing else. Application whitelisting will block all files not approved on the system. Say the IT personnel of a plant have threatened to install a malware-infested USB stick into the plant’s systems; how, then, does one protect the plant? In such a scenario, application whitelisting allows the system to read only USB sticks with certain serial numbers and, if necessary, can lock down a node, saving the entire system from an attack.
Phase 3: Manage - Honeywell experts address the ongoing management of systems and technology and implementation of workflows and procedures outlined in the Remediate phase.
Phase 4: Assure - involves program monitoring to assure industrial IT is operating as expected and as required by regulation.
Honeywell has also developed a cyber-security dashboard that will give plant operators and maintenance personnel an immediate overview of the facility’s cyber security status. With the dashboard, one can quickly see if workstations and servers in the process control network have the latest antivirus, firewalls, and patches installed to help their network avoid cyber-attacks. If something is wrong, the software generates warnings so appropriate personnel can take immediate action.
Has Honeywell taken steps to ensure elimination of unnecessary interconnectivity between sensitive data and insecure networks among end-users?
Most asset operators would already have established corporate security policies governing such interconnectivity. Honeywell would comply when there is one. However, it is not uncommon to find the security policies more suited for use at the corporate IT systems than for the process control networks. When such a gap exists, Honeywell Industrial Cyber Security would provide consultation on the adaptation and fine-tuning required to ensure compatibility and applicability in the plants.
How do you ensure that SCADA systems are up-to-date and secure from cyber-attacks?
Ensuring that the operating system patches and hot fixes are updated regularly, as well as making sure that anti-virus protection is installed at all end-points and similarly kept updated – these are fundamental counter-measures today that substantially reduce the attack surface of the SCADA and DCS systems. Having said that, there might still be vulnerabilities that cannot possibly be addressed by these end-point protection measures. Poor security practices like sharing administrator passwords or unauthorized use of personal broadband, thumbdrive-modems are some examples of users’ behaviour where technology-based preventive measures can only have limited effect. This is where a cyber security assessment can help provide a complete risk assessment of the plant where vulnerabilities are also looked at from the human-behaviour and operational-process perspective aside from just scanning for technology-weak points.
Are your customers regularly trained to ensure that they can deal with various cyber-attacks?
Consciousness of imminent risk and awareness of what measures are necessary to counter them are always the first step towards establishing a sustainable cyber security program to address cyber-attacks. The Honeywell Industrial Cyber Security team regularly conducts cyber security workshops to educate customers as well as to provide updates on the latest cyber security developments in the region and globally, particularly on the local regulatory compliance requirements that are beginning to take shape in the respective governments in APAC.
Do you conduct regular security audits across end-users that have taken up your services? Do you have a robust incident response plan? Please share some details with us.
There is a growing realization among Indian customers that the cyber security threat is real. We see that many customers are asking for regular security audits as a means to assess the risk of the plants. At this juncture, the single most critical cyber security need among industrial control systems owners in India is to address the immediate weaknesses and vulnerabilities that are present in their plants' systems and operations.
Honeywell Industrial Cyber Security team is part of the same technology group that supplies, implements and maintains process solutions, including Experion® Process Knowledge System (PKS), TotalPlant™ Solution (TPS), and other related systems.
Because of this relationship, they work synergistically with the service operations counterpart to resolve discovered security gaps promptly with remedial actions, while maintaining objective independence.
Customers appreciate this internal synergy as it helps keep the confidentiality of the assessment results confined only to those involved with the DCS/SCADA systems, reducing the risk of unauthorized access to sensitive information.
Honeywell’s cyber security assessment service philosophy focuses on assisting customers with the discovery of hidden vulnerabilities before they are maliciously exploited and addressing immediate security gaps. As a pre-emptive measure, this service aids customers in preparing for security audits, board reporting, or regulatory inspection.
Are there any lags in the way critical infrastructure is being protected in India? What are your recommendations towards strengthening some of the policies that have been laid out by the government?
Critical infrastructure is considered the backbone of the nation and its protection is of supreme concern. At present, the industry is not prepared to handle such attacks because of the absence of a comprehensive cyber security approach though the legal and law enforcement agencies of the country are gradually but surely keeping pace with the rapid growth of Internet penetration in India and the world.
Indian organizations need to focus on two areas. First, the instrumentation departments within organizations need to educate themselves on this subject and then step up measures. There is a need to understand potential vulnerabilities in their control systems. Further, Industrial Control Systems (ICS) owners should join hands with industry leaders and consider engaging ICS-experienced cyber security specialists to conduct assessments on their systems and operations to detect any cyber vulnerabilities that are of immediate exposure for urgent remediation. The assessments will also serve to ascertain the state of cyber health so that the next counter-measures that are viable within operational limitations can be determined. Second, the IT department needs to take the lead and start looking beyond security at enterprise level, i.e. they need to partner with maintenance and operations departments within an organization to proactively address industrial control system security.
Organizations should also not be content with current regulations or standards; what is needed is a willingness to think beyond the bureaucracy of compliance and the realization that cyber security is really about ensuring safe, reliable, and expected system behavior. With this mindset, industries can embrace an effective security philosophy and develop a long-term strategy for its implementation — regardless of any current or impending regulatory requirements. This allows an organization to plan a security rollout that will succeed in terms of its effectiveness, employee support and financial cost.
How can process industries integrate foolproof cyber security programs within their business strategy?
Cyber security is a continuing journey, so organizations must determine their acceptable risk level and continuously re-evaluate. They, in fact, should integrate their cyber security programs into their business strategy, but while doing so, they should be abreast of the latest cyber security technology and adhere to international best practices. A comprehensive cyber-security management system, a scientific approach and incorporation of the best automation technology offer an effective solution for the growing cyber-security challenges in today's operating environment. Ensuring and managing their control systems’ OS patch (software designed to fix problems or update a computer program or its supporting data) and regular anti-virus updating will also help.
Are there any global models that you think can be replicated in India?
Cyber Security is a focus area for most countries and it is important that the government, academia and industries work collectively with the Information Technology department and Control Engineering departments within organizations to develop cyber security solutions that will help keep potential cyber threats and challenges at bay. In fact, these can be considered as significant growth catalysts for nations to achieve high economic growth, welfare and empowerment.
India has rolled out quite a few initiatives and is gradually gearing up for comprehensive cyber security measures. For effective management of such cyber-attacks, it should be ready to learn from global models by bringing about a systematic approach based on well-researched industrial cyber security standards. This would mean adapting to newer technologies that have worked in other countries and joining hands with the security agencies for regular monitoring of the cyber security programme.