Four Common Challenges to DCS Cybersecurity

PB 25 Rockwell newlogo 400

February 23, 2021

By Tim Mirth, PlantPAx Platform Leader, Rockwell Automation

Just as most people haven’t crossed paths with sophisticated criminals in their everyday lives, most industrial automation users have not had to face major cyber threats from bad actors. Many manufacturers and producers don’t know how vulnerable their systems are – and unfortunately, the ramifications of an attack go deeper than lost product.

Threats and bad actors are out there – just ask the 18,000 companies affected by the recent SolarWinds hack, or the industrial and energy-producing facilities targeted by the Stuxnet malware attack on PLCs in 2009. Manufacturers and producers are increasingly facing cyber threats, particularly ransomware, as well as data breaches. In fact, more than half of respondents to a recent survey reported a data breach in the year prior.

As plants become more interconnected and dependent on the Internet, and as digital transformation becomes less of a buzzword and more of a norm, vulnerabilities increase and risks compound. At a plant, an attack could mean lost product, unscheduled downtime, worker safety issues, losses of confidential and/or proprietary information, and sometimes negative consequences on the company’s public image.

In order to truly mitigate risk, every producer needs to be proactive about knowing what risks are out there, understanding their unique vulnerabilities, and prioritizing mitigation tactics from there. The bottom line? Don’t just assume you are safe from cyber attacks – you must be proactive to protect your system. Attackers constantly evolve and so must you.

DCS cybersecurity: Assess your risk

When it comes to a distributed control system (DCS), plant managers and engineers know cybersecurity is essential. How can you help ensure your system is secure? And how can you do that if you don’t know all the nuances of your system?

For security, people often immediately think to create strong passwords and are aware of the need to implement software updates and patches in our everyday computing environments. But cybersecurity for a process system – which contains any number of products including, but not limited to: controllers, networking, HMIs, advanced analytics, and maybe most importantly people – requires a more comprehensive plan.

That plan should take into account not just the IT/data management side of things – computing, software and hardware – but also OT, or operational technology, cybersecurity. OT systems, like a DCS, control the physical aspects of the plant and have special requirements beyond typical IT security measures.

To protect a system, you need to have an accurate inventory of all the pieces and interfaces that make up the system and understand any vulnerabilities they have. A risk assessment led by a trusted third-party partner can make a huge difference, as it’s easy to miss the things that are right in front of us. This assessment will help producers find vulnerabilities and allow the site to understand what level of risk they can tolerate.This will allow them to make the best choices for threat mitigation in their company.

Four common challenges to improving security

Securing a system can seem extremely daunting, but there are generally accepted countermeasures that will improve your security posture. The ever-increasing connectivity of automated plants provides unprecedented visibility into systems, resulting in advanced analytics and data that can help improve processes, create efficiencies and increase profitability. But that connectivity can leave systems exposed and vulnerable to threats.

Plant decision-makers exploring DCS-related cybersecurity improvements may face one or more of these common challenges:

  1. 1. Open systems. When the Stuxnet computer worm struck and spread easily throughout control systems, it highlighted just how open those systems were. Open protocol networks are a historical hallmark of distributed control systems and are usually considered a huge benefit. But the additional avenues of risk associated with online, connected control systems may leave producers more vulnerable. The Zone and Conduit model can help mitigate the threat and keep critical assets segmented from most vulnerable areas. This also allows for open networks from being exposed to the easy avenues of attack. Managed firewalls are an important part of protecting open systems.
  2. 2. Legacy equipment. Every plant has equipment of varying vintages, and many manufacturers take a piecemeal approach to upgrading their system. That means a new PLC might be on the same network as a computer running Windows XP. These older machines, especially if they have not been updated in many years, are potential entry points for viruses, worms and hackers. This is where a risk assessment can expose a vulnerability and develop a strategy to strengthen them. In larger plants you may not even know there is still an obsolete operating system on your network. Replacement is critical, but if it is not possible, some protection could be gained with network segmentation building layers of defense.
  3. 3. Evolving workforce. Employee turnover internally and at external partners and vendors is another big challenge for producers. Turnover for system integrators in particular is often extremely high. The people who have access to your plant and systems are an important piece of the overall cybersecurity puzzle. Breaches can be caused by innocent mistakes as well as those with nefarious intentions. Do you know who manages user accounts and system access for your company? Are there any accounts that have remained active and unused for years? Adhering to international standards and managing your users as part of a cybersecurity strategy can help mitigate risk.
  4. 4. Unknown ROI. It can be difficult enough to get management buy-in for investments when the return on investment is clear. With cybersecurity or any risk mitigation initiative, it’s less about how much money the company will make and more about what you don’t want to lose. Cyber attacks can cause losses of production and uptime, communications, information and, worst-case, safety of workers. With a proper risk assessment, vulnerabilities, risks, mitigation strategies can be evaluated and allow producers to ask: What risk are we will to accept? What will it cost to make the changes needed to feel comfortable in our risk posture? It may not be as expensive as you think to make changes, and the opportunity cost for not protecting is too great to pass up implementing even some simple measures. Determine your risk posture and protect your most vital assets.

Secure your system for the outcomes you need

Threats can come from every direction and the more layers of defense we implement, the more likely we will mitigate true risks and not become a statistic. When it comes to system security, the real goal is to improve your risk posture. Here are some important ways to get the outcomes you need:

  •    –   Producers can level up their system security by ensuring their DCS adheres to international standards. The ANSI/ISA-62443-3-3 standard provides security guidance for industrial automation and control system requirements. This standard is considered by many industrial cybersecurity experts to be the global standard for now and the future. Because it was written by multivendor/user security experts in industrial automation it has specifically addressed the idiosyncrasies of our industry.
  •    –   It’s important to partner with reputable system vendors who have built their products and systems with the intention that they can be secured as needed by end users.
  •    –   An evolving plan will be needed to properly secure your DCS. Select a plan that keeps these three favorable outcomes in mind and won‘t trap you from making the progress you need to run your business: enhanced overall security, flexibility and digital transformation.

Find a trusted partner to help you navigate cybersecurity

If you’re like many producers, you may not realize the true breadth of the threat landscape. You may not know just how vulnerable you are. Fortunately, trusted providers are looking out for their producer customers – helping them to be both proactive and reactive in the face of continuing and evolving cyber threats.


Related Articles

Changing Scene

  • Tri-Mach Announces the Purchase of an Additional 45,000 sq ft. Facility

    Tri-Mach Announces the Purchase of an Additional 45,000 sq ft. Facility

    Recently, Tri-Mach Inc. was thrilled to announce the addition of a new 45,000 sq ft. facility. Located at 285 Union St., Elmira, ON, this facility expands Tri-Mach’s capabilities, allowing them to better serve the growing needs of their customers. Positioning for growth, this additional facility will allow Tri-Mach to continue taking on large-scale projects, enhance product performance testing, and provide equipment storage for their customers. Read More…

  • HELUKABEL Group Builds New Facility for Automation Cable Solutions

    HELUKABEL Group Builds New Facility for Automation Cable Solutions

    The HELUKABEL Group recently announced it is going to build a new facility in Haan, Germany that will house its robotic dress pack and drag chain system subsidiaries under one roof. The new building will also serve as the headquarters of HELUKABEL’s Rhine-Ruhr sales branch, and is planned to be completed by 2025. Robotec Systems’ core business is robotic dress pack solutions and has been a HELUKABEL subsidiary since 2012 operating out of Duisburg, a suburb of Duesseldorf in northwest Germany. Read More…

Sponsored Content
Fire Protection for Lithium-ion Battery Energy Storage Systems

Lithium-ion storage facilities contain high-energy batteries combined with highly flammable electrolytes. In addition, they are prone to quick ignition and explosion in a worst-case scenario. Such fires can have a significant financial impact on organizations. Rapid detection of electrolyte gas particles and extinguishing are the key to a successful fire protection concept. Since December 2019, Siemens has been offering a VdS-certified fire protection concept for stationary Li-ion battery storage systems.

Click HERE to learn more.

For a Multiplied Value Unified


During the last few years, the Excelpro Group has welcomed AIA Automation, Envitech Automation and Conrad Lavoie Electrical, all of which have become ‘Member of the Excelpro Group’.

It was with great excitement that in November of 2022, Excelpro announced that these three companies officially became Excelpro. This decision is part of a strategy to enhance the Excelpro Group’s brand in its market.

These companies already collaborate on various client projects. This merger brings together the complementary strengths of the employees and ensures a global synergy of the activities throughout the Group.

Read More

Service Wire Co. Announces New Titles for Key Executives

Bruce Kesler and Mark Gatewood have been given new titles and responsibilities for Service Wire Co.

Bruce Kesler has assumed the role of Senior Director – Business Development. Bruce will be responsible for Service Wire’s largest strategic accounts and our growing Strategic Accounts Team.

Mark Gatewood has been promoted to the role of Vice President – Sales & Marketing. In this role, Gatewood will lead the efforts of Service Wire Company’s entire sales and marketing organization in all market verticals.

Read More

Modern Niagara Partners with Global Sustainability Platform Worldfavor

Worldfavor is a global sustainability platform, digitizing and automating the collection, calculation, aggregation and visualization for analysis and reporting of ESG data. Now, Worldfavor is proud to welcome Modern Niagara as a new customer. Modern Niagara is the first Canadian construction company to partner with Worldfavor.

“Worldfavor was founded to be the best platform for sharing, accessing and gaining insights from corporate ESG information. Worldfavor’s mission is to make sustainability mainstream and with that we offer solutions to accelerate sustainability through the value chain. Modern Niagara is the first Canadian construction company to partner with Worldfavor. 

Read More

JMP Parent Company, CONVERGIX Acquires AGR Automation, Expanding Global Reach

Convergix Automation Solutions has completed the acquisition of AGR Automation (“AGR”), a UK-based provider of custom, high-performance automation design and systems integration primarily to the life sciences industry.

Following Convergix’s acquisitions of JMP Solutions in August 2021 and Classic Design in February 2022, AGR marks the third investment in Crestview’s strategy to build Convergix into a diversified automation solutions provider targeting the global $500+ billion market, with a particular focus on the $70 billion global systems integration and connectivity segments. Financial terms of the transaction were not disclosed.

Read More

Latest Articles