Simplifying industrial cybersecurity
The threat of cyber attacks on industrial targets is a major concern, but control engineers are still coming to grips with what is necessary to mitigate risk from cyber security threats. In April, Honeywell Process Systems launched its Industrial Cyber Security Risk Manager system to help industrial organisations with this task. Recently, What’s New in Process Technology interviewed Chee Ban Ngai*, who leads Honeywell’s Industrial Cyber Security business in the Asia-Pacific region, and asked him about the new system.
Is this the first product of its type in the industrial space that you are aware of?
Yes, it is. While there have been products like such in the ICT sector for many years, this is the first time a product of this type has been launched for the industrial sector.
How is it intended to help industrial organisations manage cybersecurity?
The cyberthreats that the industrial sector is facing today are slightly different from those faced by the ICT sector generally. Today, many in the industrial sector find it challenging in managing cybersecurity threats and risk mitigation, and the general lack of resources to look after security as well when compared with the enterprise IT sector. Adding to the complication, cyber attacks today are also more sophisticated and virulent as compared to years ago.
The first thing that needs to be addressed is the awareness of threats, and this can be difficult because of the technical complexity of the issue. So what we needed to do was to make it easier for industrial automation personnel. The Industrial Cyber Security Risk Manager is therefore designed to make it easier for those personnel to monitor, to measure and to manage the security posture of industrial systems and provide actionable intelligence and recommendations so that control engineers can be aware to take the remedial actions and escalate issues where necessary.
Given the level of maturity of these types of products in the ICT security market, and the fact that much industrial control technology today is relying on well-established technologies such as Microsoft Windows and Ethernet, is there a particular reason for developing a new product rather than adapting a mature one?
Honeywell has been providing cybersecurity services in the form of consulting and assessment to industrial organisations and we realised that at the end of the day we needed to find a way to empower the customer more. Usually after the consulting and assessment is over, the customers may find themselves very much on their own. We thought to provide something that is easy for them to use even if they don’t have the deeper knowledge of cybersecurity and security management in-house such that it still allows them to be aware of cybersecurity issues and be able to take action on them more easily for themselves. Products available in the ICT sector tend to require greater IT and cybersecurity knowledge in-house. Such risk management solutions are also very enterprise-specific and not suitable for use in an industrial control system environment.
So does it gather data from the live control systems and assess them for vulnerability to current security threats?
The Risk Manager gathers data from the Windows server systems, and the network switches, as well as security applications such as antivirus, anti-malware and firewalls. It then passes this data through its algorithms to assess the data in accordance to established cybersecurity standards such as IEC 62443 and ISO 27005, as well as current vulnerability information, and gives a broad assessment of the risk level of the plant, as well as the specific threat and impact at the point of vulnerability.
So you’d be looking at best practice configurations, patch levels and similar data?
Different organisations may have different ‘risk appetites’ in relation to cybersecurity threats, so we configure this data into the Risk Manager before we start it running, so that it can compare the risk level against the baseline that has been set.
So you would deploy it with services as well, and it is not left to the customer to configure?
Yes, we provide services to deploy and configure the system. It is an all-encompassing approach to provide the services along with the product to assist the customer in minimising their cybersecurity risk.
Does it provide knowledge on risk remediation, and if so is that limited to mainly HPS technologies such as Experion, or can it also be used with non-Honeywell control systems?
As a matter of fact, Risk Manager is vendor-neutral, because most vendors’ control systems on open architecture would run on Microsoft Windows operating systems and use TCP/IP-based protocols, and they share similar vulnerabilities in relation to system security, patching and malware. So the Risk Manager is capable of monitoring devices regardless of vendor, although our primary targets are Honeywell customers.
There is a lot of attention given to external threats such as hacking and malware, but does Risk Manager provide information in relation to ‘insider threats’ as well?
Yes, we also focus on the internal threats. What we commonly see is more than just threats that come through from the internet, through the ICT systems and on into the control systems. These tend to be very specific, targeted attacks, with a high level of sophistication behind them, and they usually attract high media attention. What we would also want to look at is internal practices. For example, How do the engineers exercise vigilance in their use of the system? What do they do with USB devices?, for example. How do they ensure that an external contractor when accessing the DCS system would not introduce malware into their systems? There is a great need for organisations to better educate their staff and raise their awareness of security issues, so we also provide trainings and workshops to elevate the cybersecurity consciousness as well.
Given that patch management is a more difficult thing to deal with in industrial systems as compared with ICT systems, if it finds, for example, that patches are out of date, how does Risk Manager deal with this? Does it provide a way of balancing the risk of the unpatched vulnerability with the effort and cost associated with remediation, and not throwing up a lot of alarms about unpatched systems?
Risk management is an ongoing process, especially in patch management - it has to start off somewhere. Over time, once it has attained some baseline management level, one would expect less patch-related issues.
What we usually discover on most sites which we audited is that they are usually quite out of date in relation to their patch levels. We would recommend to bring up the anti-malware and security patching up to a baseline level in a way that is acceptable to management. When Risk Manager is implemented it will not be crowded with large amounts of warnings about patches. Other non-patch-related vulnerabilities which may be more critical can be more distinctive then.
What future directions might Honeywell be taking in developing the product further?
Today the Risk Manager is picking up data on backup strategies, endpoint protection such as antivirus and anti-malware, the logon and security policies and system configurations, the network security and patch management. In the future we will be extending the product’s resources to go into more depth into systems.
In acheiving cybersecurity for an OT environment, selecting an experienced solution provider...
It is frequently said that data is required in order to create valuable insights, but before this...
Alan Cunningham of Ovarro answers some questions about the application of software-as-a-service...