To assess plant cybersecurity in three production facilities representing different business operations, across a medium-size geographic region.
Interviews with stakeholders, plant walkthroughs, and detailed network analysis using proprietary tools.
Personnel and schedule:
Three consultants plus support personnel; eight weeks from project start to completion.
Challenges and results:
This very well-known organization has more than one hundred locations, and produces a significant percentage of total global production of several essential chemicals and feedstocks.
We determined that their overall business-risk profile was dominated by normal revenue protection requirements, but also contained a small but not-insignificant national-security exposure because of the societal importance of their products; a significant safety exposure because of the toxicity of some of their materials and products; and a very significant exposure to theft of intellectual property.
In light of this profile, we performed a plant cybersecurity and risk-management assessment based on the IEC 62443 framework. We closely examined three representative facilities.
In addition to ICS and automation cybersecurity, we examined physical plant security; personnel and management processes; logistics arrangements such as railheads, truck and water transportation; and connections with civil infrastructure such as power, water and natural gas feeds.
Most of the industrial-control systems and automation we encountered were very traditional and quite mature, and largely deployed on somewhat-isolated networks following a typical “Purdue” model.
Cybersecurity followed a standard model of coarse-grained ACLs managed remotely by IT staff and deployed at the boundary between the corporate network and the process/control/automation networks, with isolated WiFi.
We determined that this security model was well-implemented and met its original goals, but it left several important goals unaddressed. In particular, it provided very little visibility and monitoring of in-plant networks and equipment.
It also resulted in a suboptimal sharing of operational security knowledge between the IT and production teams. We provided recommendations for process and technology improvements to address these findings.
Our assessment identified a substantial number of rogue devices and previously-unknown applications. These were roughly split between obsolete equipment that had never been fully decommissioned (thus presenting a substantial unmanaged security risk); and systems deployed by automation vendors and other third parties with little monitoring by the owner of the plants. We worked closely with the customer to identify all of these unmanaged systems, and provided a remediation plan for those that were deemed unnecessary or harmful.
The results of our assessment and remediation activities were well-accepted by the client’s senior managers, and were used to refine the company’s global assessment and remediation methodology.
To create and implement a security policy for transmitting IoT data securely to a service provider.
Interviews with stakeholders leading to a technical design and proof-of-concept. Production rollout followed.
Personnel and schedule:
Five consulting engineers plus support personnel; twelve months from project start to completion.
Challenges and results:
In this case, a major global manufacturer determined that it was forgoing very substantial cost savings because of concerns arising from data security and confidentiality. This specifically involved predictive analytics in large-scale assembly robots. The company wished to transmit robot telemetry to a trusted maintenance partner (also a well-known global company), but without leaking information that could be used to infer confidential details about the automaker’s production processes.
The cybersecurity maturity of the automaker was very high, and indeed we discovered no substantial security breaches or rogue devices in their wired, low-latency automation networks. (Their wireless networking, on the other hand, did exhibit a number of weaknesses which were subsequently remediated in a different project.)
The key problem was to enable a digitization effort that would integrate seamlessly with the existing plant architecture (based primarily on Allen-Bradley PLCs and associated industrial controls). Our engineering team worked closely with the automaker’s robotics partner and developed customized security technology that automatically generated subsets of robot telemetry data.
This required analysis and understanding of the actual application data, whereas most cybersecurity approaches consider very little beyond network-level metadata. Our custom software was able to “scrub” sensitive items of data from the robotics telemetry that was transmitted to the automaker’s business partner, while leaving the specific data points that were relevant for predictive analytics.
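As an added illustration of the data-scrubbing approach described above (not the project's own software, which is not public): an allowlist-based telemetry filter in Python. The field names, release policy, sample record and site key are all constructed for this example; nothing here is taken from the automaker's or robotics partner's systems.

```python
import hashlib
import hmac
from datetime import datetime, timezone
# Constructed placeholder key; it stays inside the plant and is never shared with the partner.
SITE_KEY = b"constructed-example-key-not-for-production"
# Each telemetry field is classified before it may leave the plant. A field missing from
# this table is dropped, so a field added by a vendor firmware update cannot leak by default.
RELEASE_POLICY = {
    "robot_id": "pseudonymize",   # stable token for trending, not the plant's own asset tag
    "timestamp": "coarsen",       # hour granularity hides takt time and cycle timing
    "joint_temps_c": "pass",      # wear indicators the predictive-maintenance model needs
    "motor_current_a": "pass",
    "cycle_count": "pass",
}

def pseudonymize(value):
    """Keyed hash: consistent per robot across samples, not reversible by the partner."""
    return hmac.new(SITE_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:16]

def coarsen_time(iso_ts):
    """Round an ISO 8601 timestamp down to the hour, normalised to UTC."""
    t = datetime.fromisoformat(iso_ts).astimezone(timezone.utc)
    return t.replace(minute=0, second=0, microsecond=0).isoformat()

def scrub(record):
    """Return (released_record, withheld_field_names) for one telemetry sample."""
    released, withheld = {}, []
    for name, value in record.items():
        action = RELEASE_POLICY.get(name, "drop")   # fail closed for unknown fields
        if action == "pass":
            released[name] = value
        elif action == "pseudonymize":
            released[name] = pseudonymize(value)
        elif action == "coarsen":
            released[name] = coarsen_time(value)
        else:
            withheld.append(name)   # audit trail of what was stripped
    return released, sorted(withheld)
# Constructed sample: a body-shop robot's report, including three fields that would
# tell an outside party what is being built and how fast.
SAMPLE = {
    "robot_id": "R07-BODY-LINE2",
    "timestamp": "2024-03-04T13:37:21+00:00",
    "joint_temps_c": [41.2, 44.8, 39.9, 52.1, 47.0, 43.3],
    "motor_current_a": 6.4,
    "cycle_count": 184221,
    "program_name": "WELD_MODEL_X_DOOR_LH",   # reveals the product being built
    "part_number": "PN-77812-B",              # reveals part mix
    "cycle_time_s": 58.4,                     # reveals line throughput
}
```

The withheld-field list is what an operator would log on the plant side so that policy drift (a new field appearing in vendor telemetry) is noticed rather than silently released.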
GLOBAL SERVICE PROVIDER
To assess cybersecurity and business risks in eight facilities representing different business types, across a very large geographic region.
Interviews with stakeholders, plant walkthroughs, and detailed network analysis using proprietary tools and artificial intelligence.
Personnel and schedule:
Four consultants plus support personnel; four months from project start to completion.
Challenges and results:
This well-known organization supplies services to a global footprint of business and government customers, and many of its operations are deemed to be critical infrastructure. We determined that the overall business-risk profile was dominated by cost control and continuity/robustness of operations, with a small national-security component owing to the social importance of their services. Their service delivery is highly distributed geographically. As a result, they face an urgent “skills gap” problem because of the impossibility of hiring enough trained cybersecurity professionals to handle the large footprint.
This company is in an industry where rapid technological innovation is a competitive necessity, which means their industrial controls and automation change quite often. They are also leading a number of digitization and IoT initiatives to cut costs and remain competitive. The resulting high rate of change in cyber-physical systems means that new cybersecurity risks are continually appearing, and are very difficult to manage. Their goal in performing a cyber assessment was not only to identify areas of concern, but also to develop more efficient processes for managing cyber-risk.
We performed a plant cybersecurity and risk-management assessment based on the NIST Cybersecurity Framework (CSF). We closely examined nine representative facilities. In addition to ICS and automation cybersecurity, we examined physical plant security; personnel and management processes; fire safety and access-control systems; and connections with civil infrastructure such as power, water and natural gas feeds.
We determined that this company relied primarily on network isolation for plant security. In a number of cases, particularly high-value processes were well-isolated and self-contained. Other systems depended on connections to corporate networks.
We found a variety of procedural errors and cybersecurity-policy violations which were caused mostly by normal errors as systems and equipment evolved. We detected a large number of unusual network activities which turned out to be mostly benign, but were still surprising in their extent. We recommended process improvements for efficiently monitoring cyber-physical systems using artificial intelligence to overcome the skills gap and cost-effectiveness problems.
We presented our findings to senior leadership and subsequently engaged with the customer to develop more scalable and cost-effective cyber-risk management processes.