Cyber security was not considered a serious issue in manufacturing industries until 2010, when a new computer worm Stuxnet was unleashed on certain industrial control systems. What kind of cyber security risks do industries face, and are they all about hacking? These are some of the questions that Mr Rick Kaun, Business Manager, Industrial Cyber Security, at Honeywell Process Solutions, US, answers in an interview with Business Line .
The company recently formed a new industrial IT solutions group to help industries in the manufacturing and process space protect themselves from cyber threats.
How would you define an effective cyber security system for industrial controls?
There are different aspects to this, but security really is a programme. It is not necessarily a technology or tool in itself because you can install technologies but if you do not keep them up-to-date then you do not get the value from them.
An effective security programme is a combination of proper technologies applied intelligently, but maintained and managed over time through the application of policies, procedures and training of the people.
So we find that a lot of our clients sometimes have difficulty with the second half. They can put in technology but having the ability to keep it up-to-date and derive value out of it is a challenge.
That’s why we are working more and more towards assisting the client through partnerships, where we help them deploy the technology upfront. But the real value for both the sides is to make sure that someone is keeping an eye on the technology and keeping it up-to-date.
What are the industries where cyber security threats are typically high?
It depends on the motivation of the threat source. So if we take the example of the Americas which had 9/11 and the Eastern blackout, they went and ranked their critical resource sectors by order of how long you could live without that service. So water was considered number one.
That being said, if you think your threat source is a foreign nation, usually they don’t go for the water control but something that makes an impact like a chemical refinery in a high populated area.
So at the end of the day it depends on the motivation of the source and nine out of ten threats, actually, are non-directed or inadvertent. So somebody introduces a virus or they didn’t do a backup on their systems and, thereby, lose production. The motivated attacker, while becoming more prevalent, is still very small.
How fatal can lack of cyber security get?
Thankfully, I am not aware of any security lapses that would have resulted in fatality, but we had a client who lost 18 hours of production over a single little virus.
The Browns Ferry Nuclear facility had a security programme but their communication wasn’t up to speed. They rebooted two systems that reported the water levels on the reactor to the safety system. When they went offline, the reactor thought there was no water and shut down the whole facility. And nuclear reactor shutdowns don’t come back all that quick. So they lost 3-4 days of power production.
And there are a host of other scenarios. One of our field service guys just finished battling a latest virus outbreak resulting in going three months offline. And they are spending an inordinate amount of time chasing that problem in a facility as opposed to doing their job of making good quality products. So depending on how you measure the impact, everything from a nuclear facility shutdown to day-to-day hassles for months are all examples.
Besides providing security, how would you sum up the benefits of having a good cyber security system in place?
It is not necessarily only about the hacker that you are trying to protect your systems from, although it is a very important aspect. The true value of putting up a proper security programme is the ability to run your facility in a safe, reliable and expected manner for years.
Any threat to that mandate is considered a risk. So when you look at cyber security, some of the traditional controls that we put in place are not necessarily security management — half are back-ups. If you do not have a back-up and you have to build the system from the scratch and lose production, or you are not operating the plant the way you are supposed to, then we failed to protect you.
I can’t tell you how many people turn on their back-ups but never check to see if they actually ran or how they worked. So that check-back, that human factor, is where the real value is, because you will go much longer between incidents, if there are any, by having a proper programme. And really, the measure is how quick you can detect, contain it, recover and go back to normal operations. If you can make that small, we win.
How frequently will you have to update your products to keep up with changing technologies or new threats?
We and most guidelines, recommend an annual assessment of some sort. Some of the more sophisticated organisations will take that annual assessment. But instead of checking everything every year, they may well do an external penetration test or they may look at a recovery disaster drill or something.
But in some way or form they regularly measure and assess through different forms or phases with help from outside or inside and benchmark what it should be and what it is. The difference is where there is room for improvement.
How seriously is cyber security being taken by industries?
If you look at the North American power as an example, everybody is scrambling to comply with regulations on cyber security but nobody is really taking it serious enough as to how you will manage and maintain it over time.
If you look at the pressures on these organisations, with less people more regulations, more complexity and technology, if you don’t have a plan to keep up-to-date you are going to fall down.
To me, the next trend in cyber security as it moves from anti-virus to white-list is this: the bigger solution that we can give to our clients (besides staying on top of emerging programmes) is, instead of looking at spot solutions, see how it fits in their master plan. How they run that plan for 20 years securely and at what points they have to update those technologies will be what matters.
(This correspondent’s trip was sponsored by Honeywell Process Solutions.)