Whether cautious or cutting-edge, operational technology (OT) teams need a balanced approach to cybersecurity — one that starts with understanding their current state, collaborating with subject matter experts and building a practical roadmap to success
There can be little doubt that cybersecurity has become a major concern in the chemical process industries (CPI). This is particularly true in operational technology (OT), where a long series of recent, high-profile attacks has alerted everyone that they can no longer rely on cybersecurity by obscurity. Today, everyone is a target, and the most successful OT groups are shifting their focus from hoping they will not be attacked to assuming they will.
However, while OT groups know they need to take cybersecurity far more seriously, the control system is not always easy to effectively secure. Unlike most information technology (IT) systems, OT systems require more rigorous uptime, not just to ensure reliable production and process operation, but also to prevent accidents that could put the safety of personnel at risk.
Yet even with all the complexity surrounding OT cybersecurity, there are always steps CPI companies can take to find the right solutions for their unique environment. In many cases, finding that solution starts with understanding the organization’s tolerance for risk, and adjusting it as necessary to ensure extreme policies do not interfere with production. A wide spectrum of security positions exists across the CPI, from organizations putting almost no security in place to those that chase every new solution in an effort to keep the most cutting-edge technologies front and center across their plants (Figure 1).

FIGURE 1. Whether more stability- or technology-focused, an organization’s cybersecurity goals should focus on threat detection and elimination
As with any choice, extremes are rarely the right answer. However, by defining and understanding the two ends of the spectrum, organizations can better evaluate their own security posture preferences and, by extension, make better decisions when building a cybersecurity strategy for their plants and enterprise.
Pragmatic versus pioneering
On one end of the OT cybersecurity spectrum are the organizations striving to implement solutions to achieve basic protection. These users are the pragmatists — likely the more common tendency across the CPI. Ultimately, highly pragmatic OT teams recognize that the continuous operation of their control systems is paramount. They know that new, untested technologies can disrupt operation, potentially causing unexpected outages across the control infrastructure.
Moreover, highly pragmatic teams deeply recognize that the more systems they put in place, the more systems they will have to maintain. Cybersecurity solutions require updates, and those updates can often require system outages. In addition, each update generates potential for configuration errors that disrupt operation.
As a result, most OT pragmatists put in only the solutions that are proven to reduce their attack surface without any impact on the control system whatsoever. Today, such teams often implement antivirus, firewalls and network segmentation, often based on guidance from trusted automation solution providers.
This tendency toward implementing the minimum breadth of solutions to reduce cyber-attack surface area results not only in rare adoption of new technologies, but often in an unwillingness to change. Typically, highly pragmatic OT teams wait for every solution to be field proven before implementation. In many cases, they not only need cybersecurity and automation industry assurance before trying a new technology, but they also need to see many years of successful operation alongside their specific control system.
For one petrochemical company, pragmatism was a critical deciding factor in its overall cybersecurity strategy. The company’s OT team had some IT experience and knew of a new industrial cybersecurity solution that would work well for their environment, so they began the process of implementation with the intention of being the first in the industry to implement that solution. However, as they entered the engineering stage of their cybersecurity project, they could not get approval from management because they needed a wide variety of successful proven results from other companies in the industry. Until those proven results were available, the team needed to maintain their current solutions.
In contrast to highly pragmatic companies, highly pioneering organizations are on the other end of the spectrum. These companies typically pursue cybersecurity solutions for convenience. Understanding that threats continually evolve, pioneering organizations regularly monitor emerging technologies to ensure they are one step ahead of bad actors. Today, these are the companies pursuing endpoint detection and response, zero-trust architectures and more. They are less common than pragmatists in the CPI, but their strategy is often equally, and sometimes more, effective.
Pioneering OT teams are often “born-digital.” These groups are typically very technology driven, even in the implementation of their automation technologies. They are supported by IT groups who are comfortable in the OT space. Some work closely with their automation solution providers to ensure compatibility with OT systems, while others choose to forge ahead under their own roadmaps by identifying, isolating and eliminating problems as they arise, even if they risk process outages.
Neither pragmatism nor pioneering is a better strategy than the other. They are simply different approaches to achieving the same goal — deterrence or elimination of business and safety threats from bad actors, while maintaining process uptime. Wherever an OT team finds itself on the spectrum, it can build a reasonable and reliable cybersecurity roadmap to support its operations. The key is understanding the benefits and limitations of each end of the spectrum, and then using that understanding to properly apply solutions that fit the team’s unique cybersecurity needs (Figure 2).

FIGURE 2. Both pragmatic and pioneering cybersecurity teams focus on key strategies of their businesses
Every path is unique
While pragmatism and pioneering are both valid approaches to securing industrial control systems, each has its own benefits and drawbacks in practice.
Because highly pragmatic OT teams wait until they have seen proof of effective, seamless, reliable operation of any new cybersecurity solution before implementation, they have far more confidence that the solutions will work in their given environment. Waiting until any solution is field proven end-to-end means far less risk upon installation. Moreover, that reduction of risk also extends to maintenance, because updates will likely be less frequent and potentially less invasive in a fully developed, tested and proven solution.
Another benefit of a highly pragmatic approach to cybersecurity implementation is that users can feel more confident that their solutions will have a long lifecycle without significant changes. A mainstream solution, such as a firewall, that has been in place for years and has a high adoption rate across industry is unlikely to become part of a rebranding or buyout that may result in significant changes. Even if such a solution were acquired by a new company, it is far more likely that the company would keep it operating in its current state, since the needs of their wide base of users would have been part of the analysis before the acquisition.
OT teams taking a pioneering approach to cybersecurity will find that they too see significant advantages. Being willing to adopt new technologies early means reaping the advantages of new solutions ahead of competitors. As today’s pioneers implement technologies like zero-trust architectures, they gain access to new models of operation that make their cybersecurity tasks faster and more efficient. Such a change can easily give them an advantage over their competition, who might be limited by more structured approaches to cybersecurity. For example, the access to new models of operation afforded by a pioneering approach to cybersecurity can make it easier to pivot quickly to manufacture different chemicals on demand to meet market needs.
Organizations that support a pioneering approach to cybersecurity also typically support company infrastructure around those investments. Such companies are usually more likely to have a deep bench of internal support — not just for installing and configuring new cybersecurity solutions, but also for maintaining them over the lifecycle.
Yet, just as both pragmatism and pioneering have significant benefits, each approach also has some drawbacks. Often, extremely pragmatic organizations find that by the time they have implemented a new technology, it is no longer as effective as it once was. Cybersecurity is an ever-evolving domain. As solutions emerge, bad actors pivot to navigate around those solutions, or even exploit them. Companies unwilling to implement anything but the most field proven technologies often find that their solutions are significantly less effective.
Such a conundrum can also frustrate users as they discover newer, better solutions that they are unable to use. One example involved an oil-and-gas manufacturer that tried to allow its control system to be connected to multiple, centrally managed systems across different sites. Halfway through a five-day workshop exploring the technology needs, the team decided the solution was too risky, and instead chose to stay fully segmented as they were accustomed to. Though the only cost was time and disappointment, the experience was nonetheless frustrating.
However, pioneering teams also experience their own drawbacks when they are not careful about how much new technology they implement and the strategies for doing so. Being the first to a new technology can come with a price. If a solution is less useful than the team anticipated, they can easily waste money. Even worse, the team may not have the level of protection they anticipated — especially if they rely too much on a new technology — leaving them open to potential threats.
In addition, teams employing new technologies risk that the solutions they employ are acquired and changed by other companies. Cybersecurity is a thriving industry and acquisitions happen regularly. In fact, in many cases, the goal of new companies is to prove out a concept and then be purchased by a bigger entity. With rebranding comes change, and sometimes that change means a solution no longer fits the needs of the organization. In the worst cases, however, some companies simply fail. In such a case, the solutions a company relies upon are no longer supported or even operational, requiring them to make an additional investment to cover new gaps in protection.
Finding common ground
Though pragmatists, pioneers and everyone in between will be on a unique journey, one thing they all have in common is a need to understand their starting point to be effective. Every OT team must have a clear picture of its existing cybersecurity posture. For new plants, this often means performing a risk assessment.
As part of a risk assessment, the OT team determines what types of protections they should be evaluating for their industrial control environment. This starts with defining the risk landscape. Knowing the current threats and common attack vectors is critical to developing effective protection strategies. In addition, the team must also identify what level of exposure is acceptable to the organization, and it must develop strategies and implement technologies to lower the risk surface to that level.
Similarly, existing plants will likely need to perform a cyber assessment. If the control system is in place, the discussion about what risks are acceptable and what protections should be in place will likely already have happened. However, cybersecurity is not static. Risks and technologies change over time, so teams must continually assess their solutions in the face of current threats. The most successful teams set a regular cadence for assessment, identifying the efficacy of existing solutions, and then identifying what more they are willing and able to do to dynamically update their cybersecurity posture across the lifecycle of their control system (Figure 3).

FIGURE 3. Regular assessment is a critical strategy for initiating, monitoring and maintaining cybersecurity readiness
Protection through partnerships
Another similarity between pragmatists and pioneers is that both likely need guardrails on their cybersecurity strategies, especially as they lean closer to either extreme. Many organizations can benefit from partnering closely with their automation supplier to help vet and develop customized solutions that will support both their control system architecture and their unique OT environment.
Many pragmatist teams will immediately implement the field-proven technologies supported by their automation solutions provider. Today, for example, many of these organizations deploy firewalls, antivirus and segmentation solutions that have been in operation for decades, and nearly every automation supplier will have identified these types of fully vetted solutions to work with their control systems.
However, these teams must also be ready to continue working with the automation supplier over the lifecycle of their control solution to continually reevaluate and deploy solutions that prove successful. Solutions like whitelisting, full backup and recovery and more have been in use and trusted for decades and can easily be added to the firewalls and antivirus solutions that pragmatists rely upon, but only if they are dynamic about cybersecurity. Those who set and forget an original array of solutions quickly find themselves at increased risk as threats grow.
Pioneers face an even more critical need to work closely with their industrial control system supplier. The latest and greatest cybersecurity technologies will not always be tested to work correctly with the control system, so the most successful pioneers work closely with their automation solutions partners to document and report any changes to their cybersecurity infrastructure. These teams use existing support channels to find ways to navigate the challenges of integrating new technologies.
In some cases, the supplier and OT team will set a process by which the organization will disable or uninstall the non-vetted software before performing service. Alternatively, the two teams might set agreements that the service team will work on any problems for a certain amount of time before the OT group needs to roll back unsupported technologies. With these, and a wide variety of other agreements, both groups benefit from consultation before starting the project to help identify potential problems, perform validation testing and set guardrails.
The most effective automation suppliers should be enthusiastic to build partnerships for implementing new technologies. Collaboration helps both groups. OT teams gain the benefit of having a clear service strategy and more confidence of support in case anything goes wrong, and the automation suppliers gain new pathways to help validate emerging technologies that may one day be well-vetted enough to be supported by more risk-averse users.
Strategies for success
Navigating cybersecurity solutions for industrial control systems will always be a complex undertaking. Neither pragmatists, pioneers nor anyone in between has the recipe to deploy a perfect security structure while still guaranteeing continuous uptime. However, the right strategies exist to build a very effective system customized to an organization’s needs, regardless of the OT team’s place on the pragmatist-to-pioneer spectrum.
By understanding the organization’s tolerance for risk, knowing the starting point, and partnering with an expert automation solution provider to design, deploy, and maintain the right solutions, any team can make great strides toward improving their cybersecurity posture — one of the most complex challenges of the modern chemical manufacturing era.
Edited by Dorothy Lozowski
Acknowledgement
All figures courtesy of Emerson
Author
Alexandre Peixoto is currently cybersecurity business director of Emerson’s process systems and solutions business (Austin, Texas). In this role since June 2021, Peixoto is responsible for sales and operations of cybersecurity solutions and services for the DeltaV system installed base. He actively provides consultation to customers and stakeholders across the organization to improve their cybersecurity posture while reducing the exposure to cyber-threats, hence increasing process uptime. Peixoto’s 22 years in the automation business include previous roles in engineering, sales, project execution, business management, product marketing and lifecycle services. Originally from Brazil, Peixoto has lived in Australia and Mexico before being transferred to Austin, Texas. He attained his electrical engineering degree from UNIFEI (Itajuba Federal University) with a major in automation and control. He earned his executive MBA degree from the Hankamer School of Business (Baylor University).