Four Common Challenges to DCS Cybersecurity

PB 25 Rockwell newlogo 400

February 23, 2021

By Tim Mirth, PlantPAx Platform Leader, Rockwell Automation

Just as most people haven’t crossed paths with sophisticated criminals in their everyday lives, most industrial automation users have not had to face major cyber threats from bad actors. Many manufacturers and producers don’t know how vulnerable their systems are – and unfortunately, the ramifications of an attack go deeper than lost product.

Threats and bad actors are out there – just ask the 18,000 companies affected by the recent SolarWinds hack, or the industrial and energy-producing facilities targeted by the Stuxnet malware attack on PLCs in 2009. Manufacturers and producers are increasingly facing cyber threats, particularly ransomware, as well as data breaches. In fact, more than half of respondents to a recent survey reported a data breach in the year prior.

As plants become more interconnected and dependent on the Internet, and as digital transformation becomes less of a buzzword and more of a norm, vulnerabilities increase and risks compound. At a plant, an attack could mean lost product, unscheduled downtime, worker safety issues, losses of confidential and/or proprietary information, and sometimes negative consequences on the company’s public image.

In order to truly mitigate risk, every producer needs to be proactive about knowing what risks are out there, understanding their unique vulnerabilities, and prioritizing mitigation tactics from there. The bottom line? Don’t just assume you are safe from cyber attacks – you must be proactive to protect your system. Attackers constantly evolve and so must you.

DCS cybersecurity: Assess your risk

When it comes to a distributed control system (DCS), plant managers and engineers know cybersecurity is essential. How can you help ensure your system is secure? And how can you do that if you don’t know all the nuances of your system?

For security, people often immediately think to create strong passwords and are aware of the need to implement software updates and patches in our everyday computing environments. But cybersecurity for a process system – which contains any number of products including, but not limited to: controllers, networking, HMIs, advanced analytics, and maybe most importantly people – requires a more comprehensive plan.

That plan should take into account not just the IT/data management side of things – computing, software and hardware – but also OT, or operational technology, cybersecurity. OT systems, like a DCS, control the physical aspects of the plant and have special requirements beyond typical IT security measures.

To protect a system, you need to have an accurate inventory of all the pieces and interfaces that make up the system and understand any vulnerabilities they have. A risk assessment led by a trusted third-party partner can make a huge difference, as it’s easy to miss the things that are right in front of us. This assessment will help producers find vulnerabilities and allow the site to understand what level of risk they can tolerate.This will allow them to make the best choices for threat mitigation in their company.

Four common challenges to improving security

Securing a system can seem extremely daunting, but there are generally accepted countermeasures that will improve your security posture. The ever-increasing connectivity of automated plants provides unprecedented visibility into systems, resulting in advanced analytics and data that can help improve processes, create efficiencies and increase profitability. But that connectivity can leave systems exposed and vulnerable to threats.

Plant decision-makers exploring DCS-related cybersecurity improvements may face one or more of these common challenges:

  1. 1. Open systems. When the Stuxnet computer worm struck and spread easily throughout control systems, it highlighted just how open those systems were. Open protocol networks are a historical hallmark of distributed control systems and are usually considered a huge benefit. But the additional avenues of risk associated with online, connected control systems may leave producers more vulnerable. The Zone and Conduit model can help mitigate the threat and keep critical assets segmented from most vulnerable areas. This also allows for open networks from being exposed to the easy avenues of attack. Managed firewalls are an important part of protecting open systems.
  2. 2. Legacy equipment. Every plant has equipment of varying vintages, and many manufacturers take a piecemeal approach to upgrading their system. That means a new PLC might be on the same network as a computer running Windows XP. These older machines, especially if they have not been updated in many years, are potential entry points for viruses, worms and hackers. This is where a risk assessment can expose a vulnerability and develop a strategy to strengthen them. In larger plants you may not even know there is still an obsolete operating system on your network. Replacement is critical, but if it is not possible, some protection could be gained with network segmentation building layers of defense.
  3. 3. Evolving workforce. Employee turnover internally and at external partners and vendors is another big challenge for producers. Turnover for system integrators in particular is often extremely high. The people who have access to your plant and systems are an important piece of the overall cybersecurity puzzle. Breaches can be caused by innocent mistakes as well as those with nefarious intentions. Do you know who manages user accounts and system access for your company? Are there any accounts that have remained active and unused for years? Adhering to international standards and managing your users as part of a cybersecurity strategy can help mitigate risk.
  4. 4. Unknown ROI. It can be difficult enough to get management buy-in for investments when the return on investment is clear. With cybersecurity or any risk mitigation initiative, it’s less about how much money the company will make and more about what you don’t want to lose. Cyber attacks can cause losses of production and uptime, communications, information and, worst-case, safety of workers. With a proper risk assessment, vulnerabilities, risks, mitigation strategies can be evaluated and allow producers to ask: What risk are we will to accept? What will it cost to make the changes needed to feel comfortable in our risk posture? It may not be as expensive as you think to make changes, and the opportunity cost for not protecting is too great to pass up implementing even some simple measures. Determine your risk posture and protect your most vital assets.

Secure your system for the outcomes you need

Threats can come from every direction and the more layers of defense we implement, the more likely we will mitigate true risks and not become a statistic. When it comes to system security, the real goal is to improve your risk posture. Here are some important ways to get the outcomes you need:

  •    –   Producers can level up their system security by ensuring their DCS adheres to international standards. The ANSI/ISA-62443-3-3 standard provides security guidance for industrial automation and control system requirements. This standard is considered by many industrial cybersecurity experts to be the global standard for now and the future. Because it was written by multivendor/user security experts in industrial automation it has specifically addressed the idiosyncrasies of our industry.
  •    –   It’s important to partner with reputable system vendors who have built their products and systems with the intention that they can be secured as needed by end users.
  •    –   An evolving plan will be needed to properly secure your DCS. Select a plan that keeps these three favorable outcomes in mind and won‘t trap you from making the progress you need to run your business: enhanced overall security, flexibility and digital transformation.

Find a trusted partner to help you navigate cybersecurity

If you’re like many producers, you may not realize the true breadth of the threat landscape. You may not know just how vulnerable you are. Fortunately, trusted providers are looking out for their producer customers – helping them to be both proactive and reactive in the face of continuing and evolving cyber threats.


Related Articles

Changing Scene

Sponsored Content
The Easy Way to the Industrial IoT

The way to the Industrial IoT does not have to be complicated. Whether access to valuable data is required or new, data-driven services are to be generated, Weidmuller enables its customers to go from data to value the easy way. Weidmuller’s comprehensive and cutting-edge IIoT portfolio applies to greenfield and brownfield applications. Weidmuller offers components and solutions from data acquisition, data pre-processing, data communication and data analysis.

Visit Weidmuller’s Industrial IoT Portfolio.

ADVANCED Motion Controls Takes Servo Drives to New Heights (and Depths) with FlexPro Extended Environment Product Line

Advanced Motion Controls is proud to announce the addition of six new CANopen servo drives with Extended Environment capabilities to their FlexPro line. These new drives join AMC’s existing EtherCAT Extended Environment FlexPro drives, making the FlexPro line the go-to solution for motion control applications in harsh environments.

Many motion control applications take place in conditions that are less than ideal, such as extreme temperatures, high and low pressures, shocks and vibrations, and contamination. Electronics, including servo drives, can malfunction or sustain permanent damage in these conditions.

Read More

Service Wire Co. Announces New Titles for Key Executives

Bruce Kesler and Mark Gatewood have been given new titles and responsibilities for Service Wire Co.

Bruce Kesler has assumed the role of Senior Director – Business Development. Bruce will be responsible for Service Wire’s largest strategic accounts and our growing Strategic Accounts Team.

Mark Gatewood has been promoted to the role of Vice President – Sales & Marketing. In this role, Gatewood will lead the efforts of Service Wire Company’s entire sales and marketing organization in all market verticals.

Read More

Tri-Mach Announces the Purchase of an Additional 45,000 sq ft. Facility

Tri-Mach Elmira Facility

Recently, Tri-Mach Inc. was thrilled to announce the addition of a new 45,000 sq ft. facility. Located at 285 Union St., Elmira, ON, this facility expands Tri-Mach’s capabilities, allowing them to better serve the growing needs of their customers.

Positioning for growth, this additional facility will allow Tri-Mach to continue taking on large-scale projects, enhance product performance testing, and provide equipment storage for their customers. The building will also be the new home to their Skilled Trades Centre of Excellence.

Read More

JMP Parent Company, CONVERGIX Acquires AGR Automation, Expanding Global Reach

Convergix Automation Solutions has completed the acquisition of AGR Automation (“AGR”), a UK-based provider of custom, high-performance automation design and systems integration primarily to the life sciences industry.

Following Convergix’s acquisitions of JMP Solutions in August 2021 and Classic Design in February 2022, AGR marks the third investment in Crestview’s strategy to build Convergix into a diversified automation solutions provider targeting the global $500+ billion market, with a particular focus on the $70 billion global systems integration and connectivity segments. Financial terms of the transaction were not disclosed.

Read More

Latest Articles

  • How Rittal and EPLAN Achieve Your Automation Goals

    How Rittal and EPLAN Achieve Your Automation Goals

    In the not-so-distant past, planning a road trip meant poring over maps and dealing with uncertainties like road construction, accidents, or bad weather. But with modern technology like GPS navigation, travelers can now anticipate and adjust their routes in real-time. Similar to road trips, the journey of panel builders, machine builders, and system integrators in… Read More…

  • Discussing Vancouver’s Building Emissions By-Law with Schneider Electric’s Emily Heitman

    Discussing Vancouver’s Building Emissions By-Law with Schneider Electric’s Emily Heitman

    The city of Vancouver is the first Canadian jurisdiction to pass a by-law regulating building emissions. The Annual Greenhouse Gas and Energy Limits bylaw will come into effect June 1st, 2024, and requires building owners for large commercial offices, retail, and residential buildings over 100,000 sq ft to report their emissions. The bylaw follows cities… Read More…