Customer objective: To assess plant cybersecurity in three production facilities representing different business operations, across a medium-size geographic region.

Interviews with stakeholders, plant walkthroughs, and detailed network analysis using proprietary tools.

Personnel and schedule: Three consultants plus support personnel; eight weeks from project start to completion.

Challenges and Results: This very well-known organization has more than one hundred locations, and accounts for a significant percentage of total global production of several essential chemicals and feedstocks.

We determined that their overall business-risk profile was dominated by normal revenue protection requirements, but also contained a small but not-insignificant national-security exposure because of the societal importance of their products; a significant safety exposure because of the toxicity of some of their materials and products; and a very significant exposure to theft of intellectual property.

In light of this profile, we performed a plant cybersecurity and risk-management assessment based on the IEC 62443 framework. We closely examined three representative facilities.

In addition to ICS and automation cybersecurity, we examined physical plant security; personnel and management processes; logistics arrangements such as railheads, truck and water transportation; and connections with civil infrastructure such as power, water and natural gas feeds.

Most of the industrial-control systems and automation we encountered were very traditional and quite mature, and largely deployed on somewhat-isolated networks following a typical “Purdue” model.

Cybersecurity followed a standard model of coarse-grained ACLs managed remotely by IT staff and deployed at the boundary between the corporate network and the process/control/automation networks, with isolated WiFi.

We determined that this security model was well-implemented and met its original goals, but it left several important goals unaddressed. In particular, it provided very little visibility and monitoring of in-plant networks and equipment.

It also resulted in a suboptimal sharing of operational security knowledge between the IT and production teams. We provided recommendations for process and technology improvements to address these findings.

Our assessment identified a substantial number of rogue devices and previously-unknown applications. These were roughly split between obsolete equipment that had never been fully decommissioned (thus presenting a substantial unmanaged security risk) and systems deployed by automation vendors and other third parties with little monitoring by the owner of the plants. We worked closely with the customer to identify all of these unmanaged systems, and provided a remediation plan for those that were deemed unnecessary or harmful.

The results of our assessment and remediation activities were well accepted by the client’s senior managers, and were used to refine the company’s global assessment and remediation methodology.