Cyber security for energy infrastructure

In this article, published early in December in Panel Building and System Integration,  Martyn Williams of Copa-Data UK discusses cyber security in the energy sector, and the IEC 62443 certification of their “zenon” energy automation software:

Stakes are high in the energy sector. In fact, it is one of the only industries in which cyber security is entangled with public safety and environmental concerns. Digitalisation in this sector provides huge efficiency benefits, but also presents risks. Cyber criminals are now looking for gaps in security measures, and IoT devices can provide an opportunity to infiltrate these networks.

The arrival of ISA/IEC 62443-4-1:2018

In 2017, Energy UK called for a collaborative approach to cyber security in the industry. One of the objectives was to encourage security vendors to work closely with operators to ensure products are fit for purpose.

During the same period the Cyber Security in the Energy Sector report by the Energy Expert Cyber Security Platform (EECSP) was released. The group identified 39 gaps in energy cyber security that were not covered by existing legislation. Alongside calls from trade associations like Energy UK, the report demonstrated a need for a flexible framework that addresses and mitigates current and future security vulnerabilities in energy automation.

Shortly following this, the ISA/IEC 62443 series of standards was released. Developed by the ISA99 committee as American National Standards, ISA/IEC 62443 was also adopted globally by the International Electrotechnical Commission (IEC).

What does this mean for the energy sector?

Prior to this new standard, products and services for energy automation could not be certified in relation to secure product development. The new IEC 62443 standard therefore creates the basis for comprehensive security. For the first time, the standard provides a baseline to unite all perspectives — that of the component supplier, system integrator and equipment operator.

TÜV SÜD, part of the German Association for Technical Inspection, recently certified Copa-Data to the new ISA/IEC 62443-4-1:2018 security standard, for its software development, quality assurance and support processes used for the energy automation software, zenon.

Certifications like these are particularly beneficial for the UK energy sector as entire power grids are often networked using HMI and SCADA systems powered by software like zenon. Energy grids are increasingly using centralised software to visualise and control their operations, linking critical infrastructure and the cyber world.

While this connectivity is valuable, it automatically increases cyber security risks in all networked equipment. Therefore, it is necessary that the software at the centre of it all is trusted – and this trust is certified by a third-party standard.

Intense audit

What exactly does a company need to earn IEC 62443 certification? The certification requires companies to check the potential weaknesses of their automation and control technologies, and then demonstrate they have developed effective protection measures.

The requirements are very comprehensive, and in the case of Copa-Data, required the formation of a Security Management Team (SMT) to demonstrate exceptional security issue management for the duration of one zenon release. In particular, the team introduced threat models to search for structural vulnerabilities from the point of view of an attacker.

For system integrators, achieving the certification requires testing of integration processes and the assessment of implemented IT security functions. The relevant documents will be scrutinised by the assessor, and an on-site audit plan is put in place. Next up are intense interviews, procedural assessments and technical checks.

The certificate is only considered current for one year, ensuring security in product development is regularly assessed. Businesses must re-certify annually. This guarantees that new and emerging cyber threats and loopholes are consistently managed and therefore are not able to infiltrate the software.

Power grids may be fast becoming digital jungles, but as with every trek, the best voyagers are equipped smartly and prepared for the worst. To secure their networks in today’s turbulent energy sector, it is vital that operators are armed with software that is designed in line with current industrial IT security guidelines.

Cybersecurity and Biopharma in Ireland

Cyber-attacks are an inevitable part of modern life, so cyber-security is a major focus for process control and automation systems on plants everywhere, and particularly in the biotechnology and pharmaceutical industry. The ISA in Ireland is organising a one-day conference in Cork in April, to explore the solutions and concerns which uniquely affect control and automation systems used across Ireland today. The conference will also cover automation systems within manufacturing, transportation and other critical utilities.

ISA Ireland has assembled some of the world’s leading speakers on this topic, including those from some leading Control and Automation suppliers.

SIEMENS – ROCKWELL – EMERSON – YOKOGAWA – ABB

They all agree that the growing threat from cyber-attacks on the control systems running your manufacturing plants and critical infrastructure is not going to go away, and the threats are continually evolving. Such systems that cannot be shut down when under a cyber-attack need extra levels of protection.

This ISA Ireland conference will be held at the Rochestown Park Hotel, in Cork, on 13th April. It is focused on preventing or mitigating the damage that a cyber-attack will have on your control and automation systems. We will highlight the nature of the threat, how your systems and infrastructure can be better protected, and methods used to minimise attacks on your business. The presentations will give you an understanding of how the control system manufacturers are designing protections into existing and future control systems to reduce these threats, and explain practical steps that can be used to design-in safety measures.

Emerson biopharma investment at NIBRT Dublin

Emerson Automation Solutions is providing automation software and DeltaV distributed control systems valued at USD 1 million to Ireland’s National Institute of Bioprocessing Research and Training (NIBRT) to help train next-generation workers on the latest technologies designed to optimise pharmaceutical production.

Mike Train, executive president of Emerson Automation Solutions, explained “NIBRT is leading the way in helping Ireland, its universities, and Europe meet the demand for the skilled biopharmaceutical manufacturing workforce the industry needs.” This collaboration with NIBRT follows a 2016 NIBRT study of the biopharma manufacturing industry in Ireland that found more than half of respondents have a high degree of difficulty recruiting and developing bioprocess engineers.

The planned Emerson Room at the NIBRT facility will simulate an innovative bioprocessing environment and feature a fully operational DeltaV system to provide real-life training in a safe environment. Martin Shanahan, CEO of the IDA Ireland, said: “The biopharmaceutical industry is extremely important to Ireland, and is worth over €40 billion in annual exports. It is essential that we continue to provide the appropriately skilled workforce capable of operating these state-of-the-art processing plants for many years to come. Emerson’s significant investment will help us support this continuously evolving industry.”

Picture: Conor McCabe Photography

Dominic Carolan of NIBRT; Mike Train of Emerson Automation Solutions; and Martin Shanahan of IDA Ireland, at the NIBRT facility in Dublin

Process plants as weapons of war

Malware over the Internet has replaced the large gunboat that was despatched in previous times – say 200 years ago – to send a message to the heart of a rival nation, indicating that relationships were becoming a little frosty. Then submarines and ICBMs were introduced, as less vulnerable to counter-attack – and providing hidden strength to be activated when necessary. The same applies to malware, in that once it is in place the weapon can be hidden and dormant until required. However, with any new missile system or weapon, the routing, targeting and performance of the latest versions have to be tested, and often this testing can be observed and monitored.

For any nation or group with an evil intent against another, this gives a major opportunity to cause chaos or damage to the infrastructure or manufacturing operations of a target country. This was seen in 2010 with Stuxnet, the malware targeted at Siemens controllers in Iranian nuclear centrifuge installations. The source of the virus (officially) was never traced, but it was thought to have been from Israel, possibly with support from the USA. So Iran saw the effectiveness of this approach, and then developed the Shamoon virus, which caused major damage to all networked PCs at Aramco in Saudi Arabia in 2012. A further variant of Shamoon was unleashed in 2016/17, targeting ordinary computer systems around the Persian Gulf, as well as in Saudi Arabia.

Following these events, many cyber-security service businesses and departments appeared, in addition to those which were developing anti-virus systems to protect computers from hacking by fraudsters and criminals. Both of these types of company monitor any new attacks and intrusions, and normally report that state sponsored hacking is known to have originated from Israel, Iran, Russia, USA, and North Korea. Indeed some of the most active hacking has been from a Russian group known as Sandworm, particularly disrupting networks and systems in the Ukraine starting in 2014. Malware called ‘Industroyer’ was used in 2016 to cause a power blackout in Kiev, by modifying the ABB configuration files in the electricity supply grid network systems.

The latest attack

Two such cyber-security service businesses are FireEye and Dragos, based in the USA. In December 2017 they reported on a new attack (actually seen several months before) delivering malware into an un-named petrochemical plant control system in the Middle East. Others have reported this malware was most likely to have been developed in Iran and targeted at a Saudi Arabian installation. The FireEye investigation team from their Mandiant subsidiary found that the plant safety system, a Triconex SIS, had caused an unexpected safety shut-down. Triconex is a company within Schneider Electric, following their acquisition of the Invensys Group: their triple-redundant safety systems protect major hazardous installations such as petrochemical plants. They also are the ultimate shut-down safety system for many nuclear power plants around the World, including most of those in China.

FireEye called the malware they found “Triton” – it is also known as Trisis. The implication of their report was that the Triton attack framework gained remote access to an SIS engineering workstation, sought out the Triconex controllers, and tried to inject new commands into their operations. It seems that the workstation (on site) was in programme mode at this time, hence opening a potential window. There was no indication that the malware used any vulnerability in the Triconex system or its program code. In fact the triple redundant safety system reacted properly: the new single instruction did not pass the built-in validity checks, and so Triconex shut down the plant operations safely, as is the requirement of such a safety system.

FireEye interprets this attack, which shows persistence, the lack of any clear monetary goal, and the technical resources necessary to create such an attack framework, as suggesting that the origin is a well-resourced ‘nation-state’ actor. Either this current attack is reconnaissance development testing of part of what would need to be a significantly expanded multi-point approach to penetrate and control Triconex, or at a minimum it is designed to be economically disruptive to the target plant. Other commentators have suggested that Triton could prevent the Triconex SIS from carrying out its safety function, and drive the plant to destruction. Whilst this is unlikely, and not supported by current knowledge, the malware is undoubtedly aimed at the safety system, and Triconex is the omnipresent safety system used in most of the hazardous plants across all countries, whatever the origin of the plant control system.

A unique ubiquitous target?

Industrial control systems – for petrochemical plants, nuclear and other power stations, water treatment plants, power grids – are standardised across the World, so that they can accept inputs from equipment from many manufacturers: this is good, because there are no monopolies. It is also bad, because anyone can learn how to access these systems. While there are maybe ten major DCS suppliers worldwide, the SIS supplier base is much smaller – there are two or three suppliers. Of these, Triconex is by far the largest supplier, making them a very tempting target for anyone intent on world domination!

This article was written for and first published in my column in the February 2018 issue of the South African journal of Instrumentation and Control, a magazine from www.technews.co.za

Thales promotes Cybersecurity business line

The following review article was published in the May 2014 issue of the INSIDER Newsletter:

The Thales Group occupies one of the major office developments on the outskirts of Basingstoke in the UK: the building was known for many years as Thales Missile Systems, from the name on the outside – it was not a company that immediately sprang to mind as an expert in control systems and information technology. Over the past year the attitude from within Thales seems to have developed, and has recently seen much more information flow in press releases and meetings discussing their business. Last autumn saw the launch of a new ‘Cyber Integration and Innovation Centre’, and the associated business activity, housed within this building, a GBP2m ($3.2m) facility with fully isolated and screened computing laboratories, designed to allow improved cyber security and testing for critical national infrastructure, governments and companies.

Screened, because the centre has over 6000 pieces of computer malware, that can be used to test mirror copies of client networks, and where managed cyber-attacks from one lab onto an adjacent lab can be used to train staff how to protect systems, spot vulnerabilities and respond to breaches, including mass ‘Denial of Service’ (DOS) attacks.  “We can model networks for clients in a safe environment so we can upgrade, update and change things before they go live. This is particularly important in safety critical industries, such as a nuclear power station,” said Sam Keayes, a Thales vp, now presumably within a new business division formed recently known as the Critical Information Systems and Cybersecurity business line. Using equipment and technology from strategic partners like Spirent, Encase, FireEye and Mandiant, Cevn Vibert, the centre manager, commented that Thales experts can pick up and mirror a site computer system, bringing the whole infrastructure back to the lab, to stress test it against cyber-attack, jitter etc. This is a very necessary service when Thales systems run the majority of the world’s air traffic control, and their encryption is used to protect 80% of the world’s bank transactions, which include 3.7Bn transactions per annum via BACS.

Thales is a French owned group, which was originally called Thomson-CSF. The only slight problem with the simpler name is that it is pronounced “Talliss”. Their acquisition of the original business of Ferranti Computer Systems allows the claim that they have been providing technical support for the UK fleet of nuclear power stations for the last 25 years, which is a continuing responsibility, as the service life of these stations continues to be extended.

Based on Ferranti expertise

Here I have to admit that even your editor is not old enough to know the history behind some of the businesses that make up the current Thales Group. For that sort of archival knowledge we have to go back to Wikipedia, and even to Andrew Bond, the Founding Editor of the INSIDER, who remembers the original UK based DCS manufacturers and vendors from the 60s and 70s – Ferranti, Kent and GEC Elliott.

Ferranti was formed in 1882 as Ferranti, Thompson (yes- that Thompson) and Ince. Much later the company played a major part in WW2 in the development of radar, and gyro gunsights for the Spitfire. In 1949 they produced their first multi-input battlefield situation information system. At the same time they started to develop computer systems: eventually the Government under Tony Benn organized an industrial consolidation which led to the set-up of ICL, International Computers Ltd, in 1968. This deal restricted Ferranti to the industrial computing market, rather than the commercial, and Ferranti developed the Argus range. In 1987 Ferranti purchased International Signal and Control (ISC) in the USA, a defence contractor, whose business turned out to have been based on illegal arms sales. ISC was prosecuted for fraud, and this forced Ferranti into bankruptcy in 1993.

The Ferranti Computer Systems operations were acquired out of administration by Syseca, the IT arm of the French Group Thomson-CSF. Thomson then changed its name to Thales, and Syseca became Thales Information Systems.

The other UK producers 

Andrew Bond sees the rest of the UK history of DCS manufacturers as intertwined with the career of the late Tony Benn MP, who became Minister of Technology in the Labour Government of 1964-70, and Secretary of State for Industry in the 1974-79 administration. George Kent needed rescuing in 1974, possibly because of the strains of the investment in their new DCS, the P4000, and Benn wanted Arnie Weinstock’s GEC to take them over, out of the two options available: but his worker democracy approach backfired, and the workers voted to opt for Brown Boveri, as a better choice for their new owners. Following the Brown Boveri merger with ASEA in 1988, the P4000 became just another of the original control systems within the ABB group.

Meanwhile GEC under Arnie Weinstock was not enthusiastic about process instrumentation or automation, and already had business links with Fisher valves, so with Benn’s encouragement put all the GEC automation interests into a joint venture with Fisher, which included their own DCS and the systems made under license from ICI, Imperial Chemical Industries, which they had developed for their own plants. GEC had acquired the Elliott Brothers business within English Electric in 1968. Monsanto had acquired Fisher Controls in 1969, and much later sold the business to Emerson in 1992: at some time in this period Weinstock backed out of the JV and sold out from any involvement in process automation.

Ferranti Argus computers

The Argus was first developed for military duties – in 1958 used for the ground-based control of Bristol Bloodhound missiles – and was also offered as an industrial control computer from the 1960s into the 1980s, for factory and plant automation. These computers were widely used across Europe and in the UK: typical installations for the Argus 500 were in chemical plants for process control – and nuclear power stations, for process monitoring. The first such Argus sale in 1962 was to ICI, for a soda ash and ammonia plant in Lancashire. Another significant application was for Police command and control installations, where one of the most famous was in Strathclyde: here maps were provided by using a 35mm slide projected onto a VDU screen. The Argus 500 was one of Ferranti’s best-selling products, particularly to oil platforms in the North Sea in the 1970s.

The Argus 600 was an 8-bit machine, and the Argus 700 used 16-bit architecture, whose design started in 1968, and they were in production until the mid-1980s: these are still operational at several British nuclear power stations in control and data processing applications.

Current declared activity

Thales do not mention a significant part of their business activity – a necessary culture, developed over the years since WW2, because of involvement with military projects. This ethos remains, in particular in not declaring where security, cyber-security, and emergency management resources might be deployed, whether military or commercial. However, there is an interesting parallel between Thales and EDF, of France, who now owns all the operational nuclear power plants in the UK. Thales is quoted as a long term delivery service partner with EDF. Following the Fukushima event in Japan, EDF-Energy NGL undertook a rigorous assessment of the resilience of its fleet of UK nuclear power stations, against the highly unlikely occurrence of an extreme weather or other natural event. Part of a suite of safety enhancements resulting is the provision of a mobile emergency response capability that could be deployed should such an event occur.

Thales committed to provide 5 sets of a containerised DCIS (Deployable Communication and Information Systems) for this duty by 31st March 2014. As a nuclear emergency response capability, each DCIS provides a transportable and deployable containerised unit to monitor critical plant systems and relay essential data through a resilient communications network, to provide emergency response decision makers with the information that they need to make the best possible decisions.

Separately, Thales has a co-operation agreement with Schneider Electric for the development of cybersecurity solutions and services to protect command-and-control systems from cyber-attack in customer installations in France. This includes computer attacks launched from plant management systems, unauthorised access across wireless networks and malware introduced via USB memory sticks.

Critical national infrastructure protection also includes work with oil and gas installations, petrochemical plants and pipeline systems. Thales quotes their integrated security protection systems with perimeter and access control, using CCTV etc, for twelve of the SABIC sites, and advise that Aramco refineries have similar high technology systems, supplemented by video motion detectors – the Ras Tanura complex is another site where there is such a perimeter security system.

Crisis management systems

The authorities and forces responsible for public safety and security must contend with increasingly frequent and wide-ranging incidents, from crime and accidents to natural disasters and crisis situations. This is one of the areas Thales sees as a major activity area and strength of their capability. Thales has developed a new solution incorporating the key conventional functions — situation awareness, management of command information and crisis management system resources — combined with new modules, such as advanced decision support and asset coordination. These systems are quoted as deployed in the Ciudad Segura (secure city) project in Mexico, the crowd flow and density monitoring systems in Mecca, and the BDSP public security database for the Gendarmerie Nationale in France, with systems that incorporate the deployment of sensors in UAVs. There are many more examples that cannot be quoted. Whilst in the process industry we are becoming familiar with the iOps concept from Emerson, and the Honeywell Collaboration station, the Thales Command and Control Centre is maybe a couple of grades more advanced.

Part of the suite of labs in the Critical Infrastructure Protection Facility in Basingstoke featured a combined system for perimeter security, CCTV, process control – including a DCS and a PLC (both from well known names) with valves in control loops, fire and gas alarms and access control, which enabled demonstration of the possible effects of a cyber-attack. This has been used to show legislators and management – and train operators about – the vulnerability of such systems. Manager of this facility, Cevn Vibert, explained “Our customers manage mission critical infrastructures and benefit from our holistic integrated security solutions. The market has evolved from discrete bespoke islanded systems to multi-site networked control rooms which require our integrated security techniques. These solutions cover people, operations, security, process, maintenance, business and cyber security for holistic situational awareness. This facility enables Thales to test, educate, demonstrate and explore these innovative approaches to our customer’s real needs.”  It is no coincidence that Thales is exhibiting this part of their technology at International Security and Resilience exhibitions across the Middle East, and are targeting Governments and operators of critical infrastructure projects worldwide.

Regular news on Process Automation and Control topics is presented in the INSIDER monthly newsletter, supplied on subscription by Spitzer and Boyes LLC: Nick Denbow is the European correspondent for the INSIDER. For more information please consult http://www.iainsider.co.uk or http://www.spitzerandboyes.com

Good news story on cyber-security vulnerability

In a new post on his blog themanufacturingconnection.com, Gary Mintchell highlights a success story in sorting out a cybersecurity vulnerability. This was perhaps refreshing and unusual in that for once the experts at the security services company who found the problem, IOActive (see http://blog.ioactive.com), and the hardware supplier co-operated positively and sorted out the problem, with patches made available in 3 months.

Gary comments:

“Cybersecurity experts, and especially the media that reports on cybersecurity vulnerabilities, often love to just point fingers at companies. Seldom do they acknowledge a good response.

The IOActive security services company announced on 9th January that it had uncovered multiple vulnerabilities in the Siemens Scalance X-200 Switch Family. These Ethernet switches are used to connect to Industrial Control Systems (ICS) components like Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs). The switches enable remote diagnostics and simplified configuration through a common web browser.

Senior security consultant for IOActive, Eireann Leverett, discovered two vulnerabilities in the switches. Both vulnerabilities were discovered in the web server authentication of the product. The first vulnerability could allow an attacker to perform administrative operations over the network without authentication, gaining access to critical services. The second vulnerability could allow an attacker to hijack web sessions over the network without authentication.

“Siemens ProductCERT were professional, courteous, and did not adopt an adversarial attitude when I contacted them about the vulnerabilities. Consequently, we were able to clarify the vulnerabilities quickly, and they produced a patch within three months,” said Eireann Leverett, senior security consultant for IOActive. “I challenge other ICS vendors to match this timeline for security patching in the future.”

Speedy Response

As soon as IOActive notified the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the vulnerabilities, Siemens ProductCERT wasted little time resolving the issue.

Leverett added, “The speed at which Siemens ProductCERT responded to the notification of these two vulnerabilities is something to be applauded. IOActive has always pushed vendors to respond when they receive notifications on vulnerabilities in their products. Siemens is the perfect example of how companies should respond when addressing these issues.”

Siemens ProductCERT is a team dedicated to accepting and handling security issues and vulnerabilities within their products. They co-ordinate with external and internal security researchers and work closely with the company’s product teams to develop fixes. ProductCERT publishes the fixes as soon as they have been tested and credits the researchers who discovered the issues. The very existence of this team illustrates Siemens’ serious commitment to handling security issues smoothly and quickly.

Siemens has addressed both issues by providing a firmware update for the affected products.”

This sort of story might not make the headlines that the normal cyber-security failures achieve, but such a positive result is well worth repeating, to show that Siemens in particular takes such notifications seriously.

Safety ‘awards’ by exida

None of the many press releases issued by seemingly reputable automation and instrumentation suppliers that relate to awards made by readers of various magazines will ever be found on this website. Nor will the others, issued regularly for various “achievements”, usually awarded by market research companies. These are all tainted with commercial negotiations and bias, and occasionally actually linked to cash transactions.

But where does exida rank in this spectrum of organizations that announce awards for technical excellence? Why would a safety consultancy want to make an award at all? Surely it might make potential clients believe that they would only ever recommend one safety system? This is very difficult to understand. But Emerson, not exida, is now telling us that exida has singled out their system for an award.

The text of the Emerson release says (in italics):

“Emerson’s DeltaV safety instrumented system (SIS) has been granted the 2013 Safety Award by exida, the global leader in functional safety and cybersecurity certification for the process industries. exida recognized the DeltaV safety instrumented system with its safety award for the logic solvers category, citing the system’s Electronic Marshalling and CHARMs technologies. 

“exida recognises the importance of excellence in functional safety,” said William Goble, exida principal partner. “Through extensive analysis of the nominated products, we believe DeltaV SIS with Electronic Marshalling has the ability to play a key role in the continuous journey of making the world a safer place.”

Founded in 1999 and with offices around the world, exida is a key player in testing and assessing automation safety products. The agency is a leading certification body and serves on the international committees that write safety standards.

Goble noted that exida is in a unique position to review safety products from many different manufacturers. The safety award gives the agency an opportunity to recognize products that stand out in meeting functional safety standards. 

“The DeltaV SIS architecture is what I would call a hybrid,” said Goble. “It combines the best attributes of many different architectures into one. Also, its flexible design gives users all the different I/O types they need, and allows them to pick levels of redundancy and safety so they can make trade-offs between costs and the essential parameters of availability and safety.” 

Goble said cyber security is a big consideration – noting it was not even a topic of discussion in safety systems just a few years ago. “It’s something a lot of people are now having trouble retrofitting,” Goble said. “The DeltaV SIS with Electronic Marshalling and CHARMs technology was built with security as an important part of the design.” 

“It’s gratifying to receive this recognition from the experts,” said Emerson process systems and solutions president Jim Nyquist, who accepted the award. “It affirms that we accomplished our goal of reducing complexity while meeting or exceeding the stringent functional requirements of systems safety.”

Two thoughts come to mind, reading the text and seeing the Emerson explanation of what the exida business consultancy does in terms of functional safety. First, if the award is in the logic solver category, how does this relate to the Electronic Marshalling and CHARMs – surely this just routes the inputs and outputs of the wiring to the logic solver? Secondly, where Mr Goble discusses cyber-security, we can accept that cyber security is a big consideration in discussions about safety systems currently: but has exida now developed sufficiently to be a testing and expertise centre in cyber security aspects as well? Undoubtedly cyber-security is mentioned on their own website introduction. His later statement about DeltaV SIS being built with security as an important part of the design, one assumes, is talking about cyber-security, since a safety system by definition has security as a major feature: so how is this relevant to the logic solver award to DeltaV SIS?

I look forward to anyone contributing views in relation to this sort of “award”.

Nick Denbow

Yokogawa and McAfee partner for industrial automation IT security

Yokogawa and McAfee have announced the signing of a partnership agreement to offer holistic and value-added IT security solutions for the industrial automation world.

Building on Yokogawa’s strong global track record in delivering control system solutions, and McAfee’s cyber-security expertise, the partnership addresses the imperative of digital threats to industrial control systems.

In particular, the partners will collaborate to offer Yokogawa customers seamless solutions to avoid gaps between different IT systems, across proprietary solutions and expanded communication channels (e.g. IP, wireless and mobile) and running common operating systems and applications.

The growing number of cyberthreats targeting industrial environments

According to McAfee’s recent threats report, cybercrime, “hacktivism” and cyber-warfare are on the rise worldwide, and are growing ever more sophisticated. Governments, large enterprises, small business, and home users face a wide range of digital threats, and recent prominent cases of industrial sabotage and espionage have escalated these concerns.

Today’s cyber-security threats mean that industrial control system users and suppliers alike must be increasingly vigilant against current and future intrusions, as human safety and environmental impacts are directly at stake.

Special emphasis on industrial environments running critical infrastructure

While today’s process control systems can take advantage of advanced general-purpose IT to reduce costs, improve performance, enable interoperability with APC, MES and other systems, and add other important new capabilities, the very same technologies have made today’s industrial control systems increasingly vulnerable to security intrusions – malicious or otherwise – from both within and outside the plant.

Organisations tasked with running critical infrastructure such as oil and gas pipelines, chemical plants, power stations, and water treatment facilities must look at holistic security systems across two disparate, yet interconnected zones: enterprise IT and industrial control systems.

Holistic approach combining Yokogawa’s industrial experience and McAfee’s cybersecurity expertise

McAfee solutions provide resilience, efficient compliance measures, and real-time intelligence for changing threat environments, along with the power of real-time visibility and centralized management through a single platform. The combination of this expertise with Yokogawa’s domain knowledge provides a more holistic approach, resulting in the provision of more value-added industrial automation solutions.

This partnership addresses the issue that industrial process control systems typically have a three to five times longer lifecycle than typical commercial systems. Since both system technology and cyberthreats are ever-changing, automation system suppliers must embrace a life-cycle approach to industrial cyber-security.

“Security measures for control systems are indispensable. Yokogawa is continually making stringent efforts to provide our customers with optimum control system security solutions, starting with the development of highly secure instruments and systems and extending to the provision of operational support services,” said Nobuaki Konishi, Vice President of Yokogawa’s IA Systems Business Division: “This partnership will allow us to combine our technology and plant security knowhow with McAfee’s technology to enhance the security of our products and our line-up of security solution services covering the entire lifecycle of our customers’ plants. This will include the integration of anti-virus software with industrial control systems used in the process industries”.

“Businesses are looking for integrated security solutions, moving from simply securing components to understanding and measuring the security of a business system as a whole”, said Wahab Yusoff, vice president for McAfee South Asia. “That is why we feel strongly about this opportunity to work with Yokogawa as a leading global supplier of industrial control systems with a history of nearly 100 years of growing expertise and experience.”

 

Dropbox security breach revealed

Dropbox’s Vice President of engineering has admitted that the spamming of many of the cloud service provider’s clients in recent weeks has been traced to an employee password re-use breach: Cryptzone says this highlights the dangers of using the same password for both business and personal usage.

“Most governance experts – ourselves included – will tell you to use different passwords for different systems, but this case is one of those “wake-up-and-smell-the-coffee” moments for IT security professionals, as it shows the need to also keep passwords separate for work and personal internet activities,” said Grant Taylor, European Vice President of Cryptzone, the IT threat mitigation specialist.

“We would go further and argue that people should not be using Dropbox for many business purposes. CISOs and compliance managers would be horrified to know that confidential data was being moved out of the organisation’s sphere of control. Free services by their very nature don’t have the features to facilitate corporate control and management.”

The problem here, the Cryptzone European VP says, is that members of staff, particularly the young, tend to blur the lines between work and play – and whilst it is perfectly understandable for them to use the convenience of a service like Dropbox to access work files at their leisure, their managers need to explain that when it comes to corporate data, such practices simply are not acceptable in today’s regulatory environment.

If corporate information is moved to personal accounts in contradiction to corporate policies, you’re dead in the water as far as the boss is concerned. Apart from disciplinary action for the individual, their employer could be looking at investigation from regulatory bodies possibly resulting in severe fines. So when seeking to improve work/life balance, don’t just think convenience, think risk, he says.

Dropbox says it has plans to roll out additional security measures that should help users protect their Dropbox accounts even if users (or employees, assumedly) lose account passwords, including two-factor authentication (Dropbox says this will be coming “in a few weeks”), and new automated mechanisms to help identify suspicious activity, as well as a page that lets users examine all active logins.

New and enhanced drivers for KEPServerEX

Kepware Technologies has announced the release of KEPServerEX 5.8, a major upgrade that includes new drivers, and several new features aimed at helping existing customers on Kepware’s support and maintenance program to improve their business operations, performance, and security.

To expand existing connectivity, KEPServerEX now features a new Allen-Bradley ControlLogix Unsolicited Driver, which greatly expands connectivity for plant-wide optimization. Also included in this release are advanced communications and infrastructure improvements to more fully integrate with Fisher ROC and ROC Plus Controllers, providing customers with enhanced interoperability.

Accompanying the KEPServerEX 5.8 release are updates for Kepware’s LinkMaster 3.0, RedundancyMaster 2.0 and ClientAce 3.5.  LinkMaster and RedundancyMaster are now fully supported on Windows 7/Vista and Windows Server 2008/2003 and have incorporated the same Kepware licensing and service support model as KEPServerEX V5. ClientAce 3.5 has been updated to include support for Visual Studio 2010 and contains additional sample code.

“Kepware customers expect us to deliver robust products and services based on our continuing commitment to research and development and focus on quality,” said Tony Paine, president and CEO of Kepware Technologies. “The release of KEPServerEX 5.8 reflects our on-going efforts to enhance our products for our existing customers and allow them to solve their ever changing business challenges.”

KEPServerEX 5.8 also adds Modbus Channel Serialization and enhanced Device Level Communication Diagnostics to aid with performance tuning and assist with troubleshooting. For security and regulatory control, KEPServerEX now delivers optimized event logging and finer user management control, and allows the user to control whether or not client applications can directly access device memory.

Kepware Technologies has developed a wide range of communication and interoperability software solutions for the automation industry. Kepware solutions allow the connection of disparate software and hardware systems, providing applications with quality, ease of use, and high performance. In-depth experience with software design, development, support, and maintenance allows Kepware to provide high-performance communications software without sacrificing quality and ease of use. See more on www.kepware.com.

Security segmentation protection using Innominate mGuard firewalls

Innominate mGuard firewall installation

ZF Sachs, an international automotive supplier for drive and chassis components, headquartered in Schweinfurt in Germany, has permanently improved the security of its industrial networks by introducing a decentralized security architecture with industrial firewalls.

The requirement for stronger security in the production plants was primarily because of virus problems in the office network. Compared to the manageable risk of an office computer infection, the risk potential for production facilities was considered to be significantly higher. In order to minimize the risk of possible disturbances or even production downtimes through faulty accesses or malware, ZF Sachs decided to implement additional security precautions.

Decentralized security philosophy

The task of the new security architecture was to protect the production plants from both undesirable external and internal accesses and limit the spread of infiltrating virus attacks.

Sealing off the office network from the production network was considered to be the most suitable strategy; this was carried out with a large firewall and a structured security architecture (defense in depth), with which critical individual systems could also be safeguarded. The control and filtering of network traffic through firewalls took on a key role. Better-organized, distributed protection, a greater degree of flexibility for a typical industrial network design, and lower investment and operating costs all argued in favor of a decentralized architecture with firewalls. Segmentation through VLAN-compatible switches into logically separated segments was evaluated and rejected, as virtual LANs were considered to be too difficult to control from a security point of view.

The automation technology and machine maintenance departments were responsible for the implementation, in coordination with the IT department. Along with the use of virus scanners in the production area, the most important measure became the segmentation of the production network into small and manageable machine networks. The assignment was conducted spatially based on building zones with additional Profinet components for individual installations. A total of 40 decentralized machine networks were implemented and each of these subnetworks was secured by an mGuard firewall from Phoenix Contact and Innominate.

“We evaluated different firewall security products under two main criteria. Industrial suitability with an extended temperature range was particularly important to us. We also needed a solution that could be integrated – as flexibly as possible and with a low level of complexity – into our automation component environment,” says Asmund Hey, head of automation technology for ZF Sachs technical services, in explaining the choice of the mGuard security solution.

Setting up decentralized firewalls

The implementation of the decentralized security architecture was based on the network structure plan. This describes the individual network segments and contains specifications concerning which device is attached to which port, as well as which IP addresses, MAC addresses, firmware version and product designations are given.

“To ensure that the decentralized architecture with 40 individual machine networks did not lead to greater configuration and operative effort, we first developed a basic set of common firewall rules for all subnetworks as an overriding control. The implementation was relatively simple,” reports Asmund Hey. For the rollout, the master parameters were read out from a memory chip upon start-up and applied to the subnetwork. This meant that most of the requirements were already covered. Only individual rules had to be added for special cases, e.g. for controller access to office server shares.

A three-month introductory and learning phase followed start-up, allowing any missing accesses or ports to be included. “During this phase, we realized how important a careful network architecture plan is. The more time invested here, the smaller the correction effort will be later. We also discovered the advantages of central device management,” says Asmund Hey, listing the most important experiences gained during the start-up.

Automation technology requirements

Various requirements had to be taken into account when setting up the decentralized security architecture. The production facility with Profinet components needed to be sealed off from disturbances from the network. The “8HP” (a torque converter for 8-gear automatic transmissions) requires TCP/IP communication on the level of Profinet protocols. In the process, a large number of IP addresses had to be managed, and the field bus components needed clear segmentation and sealing-off. Because the real-time response behavior of the components is specified with a jitter of less than a microsecond, they had to be consistently sealed off in a network to prevent disturbances such as typical broadcast traffic. A dedicated network segment was therefore reserved for the 8HP. A further requirement was 1:1 NAT (network address translation) for DNC (distributed numerical control) machines. This concerned the software for the distribution of the DNC programs running in the office network. Since the mGuard components support 1:1 NAT, no adjustments to the internal address space of the machines were necessary for the software.

Setting up port forwarding was a further important requirement, as central databases had to be accessed from the outside in the plant stations. Strict outgoing rules were also necessary. The spatial separation of plants leads to a distribution of the software and process data, which must then be centrally merged again on a server. Access to the central server is enabled through rules in the central firewalls, but any other uncontrolled access is prevented.
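An added sketch (not ZF Sachs's or Innominate's configuration, and not mGuard syntax) of the scheme described above: one baseline rule set inherited by every machine network, per-segment exceptions, default deny, and 1:1 NAT that lets segments keep identical internal addresses. All addresses, ports and segment names are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    direction: str   # "out" = machine network -> plant, "in" = plant -> machines
    peer: str        # CIDR of the host or network on the far side of the firewall
    port: int        # destination port

# Constructed baseline inherited by every machine network (all values made up).
BASELINE = [
    Rule("out", "10.0.5.10/32", 1433),  # process data to the central server
    Rule("in", "10.0.5.30/32", 443),    # central management station
]

@dataclass
class Segment:
    name: str
    internal: str    # address range the machines keep
    external: str    # equally sized range the plant network sees (1:1 NAT)
    extra: list = field(default_factory=list)  # per-segment exceptions

    def rules(self):
        return BASELINE + self.extra

    def decide(self, direction, peer_ip, port):
        """Any matching rule allows the flow; anything unmatched is denied."""
        peer = ipaddress.ip_address(peer_ip)
        for r in self.rules():
            if (r.direction, r.port) == (direction, port) \
                    and peer in ipaddress.ip_network(r.peer):
                return "allow"
        return "deny"

    def _translate(self, ip, src, dst):
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if src_net.prefixlen != dst_net.prefixlen:
            raise ValueError("1:1 NAT needs equally sized ranges")
        addr = ipaddress.ip_address(ip)
        if addr not in src_net:
            raise ValueError(f"{ip} is outside {src}")
        # Keep the host part, swap the network part.
        offset = int(addr) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def nat_out(self, ip):
        return self._translate(ip, self.internal, self.external)

    def nat_in(self, ip):
        return self._translate(ip, self.external, self.internal)

def broad_exceptions(segments, min_prefix=32):
    """Review aid: per-segment exceptions whose peer is wider than one host."""
    return [(s.name, r) for s in segments for r in s.extra
            if ipaddress.ip_network(r.peer).prefixlen < min_prefix]

# Two constructed segments that reuse the same internal range.
press = Segment("press-line", "192.168.0.0/24", "10.20.1.0/24")
dnc = Segment("dnc-cell", "192.168.0.0/24", "10.20.7.0/24",
              extra=[Rule("out", "10.0.9.0/24", 445)])  # controller -> office shares
```

Running `broad_exceptions` over all segments after a learning phase gives a short list of exceptions worth tightening to single hosts before they become permanent.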

Decentralized firewalls have increased security

The mGuard security solution has been used at ZF Sachs for two years now. The decentralized firewalls in new plants or in plants with Profinet components are now equipped to protect against disturbances. “The decentralized networks run smoothly. There is nothing that halts the automation technology and operation continues largely without maintenance. We also successfully protected several older machines without virus protection from disturbances and attacks. Thanks to the segmentation, any virus brought in by a technician has not been able to spread into the network,” says Asmund Hey in summing up his experiences. And he has a good comparison, as the virus problem continues to be present in the office area or in old machines without firewall protection. Asmund Hey emphasizes that a secure production flow is also guaranteed when other network components fail. If this is the case, the firewall protects the plants from disruptive broadcasts or defective packets.

“The experiences we’ve had with the launch, operation and the security standard attained through the decentralized firewalls have all been very good. This is probably also due to the excellent support provided by Innominate. The response times are short, and if we have ideas or improvement suggestions, these are normally included in one of the next versions,” says Asmund Hey in describing the collaboration.

Further improvements are planned

One of the extensions under way now is setting up a central administration for the decentralized machine networks. Goals include standardization to the largest extent possible, uniform configuration and an easier administration of the networks. To this end, the Innominate Device Manager (IDM) is being introduced, which provides the status information of all administered components for a central monitoring. Finished configurations or updates can be transferred from the IDM to the decentralized firewalls. And a high degree of automation for the configuration of individual devices can be obtained through its template and inheritance technology.

Another project is related to the use of mGuards for remote maintenance. The plant manufacturer, but also the internal test equipment design, requires remote maintenance access. The employees at ZF Sachs have longstanding experience with remote maintenance. Through the new security architecture with the machines behind the firewall, however, a new solution needs to be found that is aligned with the altered security rules. The secure remote access via VPNs is therefore a highly interesting additional benefit provided by the mGuard protection.

About ZF Sachs

As the driveline and chassis components division of ZF Friedrichshafen AG, ZF Sachs AG is headquartered in Schweinfurt / Germany and employs a staff of 16,500 workers around the world. For more than 100 years, ZF Sachs has been a renowned partner of the automotive industry. Its products are not only used with traditional applications in cars, commercial vehicles, rail, construction and agricultural technology, but also in motorsports.