Providing cybersecurity context, encouragement, protection and detection for users in multiple process industries
There’s no way to go it alone on cybersecurity. Because no one knows everything, even the most informed and competent end user is going to need help from someone with more know-how and information about a certain device, software, best practice or other protection their process or facility requires.
Mere mortals usually need cybersecurity help just to get started. Fortunately, there are many well-informed and generous sources, who can provide history, education, encouragement and solutions to make cybersecurity projects workable, efficient, thorough, cost-effective and reliable over the long term.
We spoke to an E Tech Group executive about cybersecurity: how the firm handles securing a facility’s network and operations, and how IT and OT must be managed to minimize malfunctions and associated downtime. E Tech Group is an Ohio-headquartered integration and automation firm with 18 locations covering all of North America.
IT vs OT to Ethernet & IIoT
Laurie Cavanaugh, Business Development Director at E Tech Group, reports that cybersecurity’s recent evolution is a natural outgrowth of operations technology (OT) and information technology (IT) learning to work together and speak each other’s languages.
Cavanaugh explains that OT and IT must cooperate on their organization’s overall cybersecurity assessment, which will give a true reading of its OT assets, PLCs and unmanaged devices, as well as its network topology, managed switches, firewall protections and IT-related components.
IT/OT assessments don’t only identify weak points in the network and prioritize the fixes they need; they help modernize automation platforms, which eliminates the risks that obsolete hardware poses. Moving to a plant-wide IIoT-driven control system offers an easier-to-understand IT-OT dialect.
Un-flatten Your Network
To begin addressing some of the IT-based tasks that cybersecurity requires, individual process and site characteristics can show what gaps need to be filled, and point the way to the most suitable and effective remedies. The first step of any program must be taking an initial inventory: you have to know what you have. This provides the evaluator with an opportunity to do a risk assessment in tandem with the audit.
A common feature of many facilities’ networks is that they’re “flat”, meaning that everything is connected on a single network: production and corporate functions all share it. The new, more secure and effective approach is to put space between the two and instead monitor all types of traffic across the network via automation software that determines traffic patterns and authorization, and alerts on anomalous traffic.
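An added illustration of the inventory-then-segment step, not code from the article or from E Tech Group: it takes a constructed asset inventory (device names, addresses and the OT/IT zone labels are all assumptions) and reports every subnet where production and corporate assets share one network.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (not from the article): one row per asset.
INVENTORY = [
    {"name": "plc-line1",  "ip": "10.0.0.21",     "prefix": 16, "zone": "OT"},
    {"name": "hmi-line1",  "ip": "10.0.0.22",     "prefix": 16, "zone": "OT"},
    {"name": "erp-server", "ip": "10.0.4.10",     "prefix": 16, "zone": "IT"},
    {"name": "hr-laptop",  "ip": "10.0.7.55",     "prefix": 16, "zone": "IT"},
    {"name": "plc-line2",  "ip": "192.168.50.11", "prefix": 24, "zone": "OT"},
    {"name": "hmi-line2",  "ip": "192.168.50.12", "prefix": 24, "zone": "OT"},
]

def group_by_subnet(inventory):
    """Map each layer-3 network to the assets whose interface sits in it."""
    subnets = defaultdict(list)
    for asset in inventory:
        iface = ipaddress.ip_interface(f"{asset['ip']}/{asset['prefix']}")
        subnets[iface.network].append(asset)
    return subnets

def find_flat_segments(inventory):
    """Return subnets where OT and IT assets share one network ("flat")."""
    findings = []
    grouped = group_by_subnet(inventory)
    for network, assets in sorted(grouped.items(), key=lambda kv: str(kv[0])):
        zones = {a["zone"] for a in assets}
        if {"OT", "IT"} <= zones:  # both zones present on the same subnet
            findings.append({
                "network": str(network),
                "ot": sorted(a["name"] for a in assets if a["zone"] == "OT"),
                "it": sorted(a["name"] for a in assets if a["zone"] == "IT"),
            })
    return findings

if __name__ == "__main__":
    for f in find_flat_segments(INVENTORY):
        print(f"FLAT {f['network']}: OT={f['ot']} shares a network with IT={f['it']}")
```

A subnet that passes this check is only separated at the addressing level; routing and firewall rules between subnets still have to be reviewed as part of the same assessment.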
Detection Tools Reduce Insurance Cost
Back at E Tech Group, Cavanaugh reports it recently worked on cybersecurity with a large metal processing company, and discovered that 80% of its in-cabinet switches were unmanaged, and 40% of its PLCs were non-compliant with cybersecurity requirements. Plus, it was running old DeviceNet protocol and other obsolete systems that were exposed, and it didn’t know if the HMIs on its control network, which typically require access via a VPN, were also exposed to the Internet and vulnerable.
“This company began to move on cybersecurity when it realized its insurance provider raised premiums and reduced coverage after a review of two manufacturing sites. Having a cybersecurity plan in place, and acting on the remediation recommendations, helped them have a new conversation with the insurance company,” says Cavanaugh. “Similarly, other users like water/wastewater utilities are talking more with each other about cybersecurity, and working amongst themselves, where they used to be less likely to share best practices.”
Resolving the IT vs OT Conflict & the Obstacles it Presents
Tim Ingalls, cybersecurity expert at E Tech Group, adds that cybersecurity is also ramping up among the biotechnology firms it serves, but they must also resolve conflicts between costly processes that can’t be interrupted and IT-based demands to periodically shut down networks for patching.
“Most biopharmaceutical systems are also validated, so they can’t be altered whenever users desire. They should also be built with network layers, demilitarized zones (DMZ) and barriers around everything to reduce risk,” says Ingalls. “Microsoft famously applies patches on Mondays and Tuesdays, but if a planned patch from IT requires a production system to be revalidated, then OT will likely need to sequester and delay it until it can be applied safely.”
“Sometimes IT is afraid of OT, so we bridge gaps, run scans on the OT side, address their trust issues, and encourage them to acknowledge that they didn’t get along in the past. This helps them decide who’s responsible for what from the top floor to operations. This also means determining what’s in IT’s bubble of responsibility and what isn’t, and many organizations are still trying to answer these questions.”
The original version of this article was authored by Jim Montague and originally appeared in Control Magazine, December 2021.