How comfortable are you about the cybersecurity of your control systems? Operational Technology (OT) systems such as programmable logic controllers (PLCs) and safety instrumented systems (SIS) are critical to the reliable and safe operation of facilities. These systems must be protected, yet as Information Technology (IT) and OT systems have become more integrated, OT systems have become more vulnerable.
Industry faces many challenges in securing OT systems. Many companies have tried to leverage their IT resources to secure the OT environment. Yet control systems have much longer lifecycles, and use different protocols, than IT products. Common scanning and monitoring techniques for IT can be dangerous when used in OT environments and result in operational downtime or even an environmental or safety incident. Conversely, automation personnel typically lack a full understanding of modern cybersecurity practices, so as a result many security programs fall short of their intended goals.
Industrial network intrusion detection solutions are being deployed, but they are still in their infancy and have limitations. Many security programs stop at the workstation, server, and network device level; they do not cover the control systems due to a lack of understanding. Effective control system security requires a deeper dive into program management at the controller level. Effective security encompasses secure programming practices, managing engineering workstations and their applications, managing endpoint firmware versions, implementing user authentication and access controls at the end device, limiting remote access, and implementing data confidentiality measures. Unfortunately, in many cases, it is not practical or feasible to apply all these techniques.
It is important to build an OT cybersecurity program that meets and is tailored to the business requirements. While many companies offer change management platforms, most access control solutions for PLC and SIS controllers are limited to what the vendor provides. A good example of a vendor’s device level security offerings is Rockwell Automation's FactoryTalk Security, which provides a broader range of coverage including access control, policy management, data access control, and data confidentiality. If an OT environment has a variety of PLC and SIS equipment, it is probably better to target more vendor neutral change management solutions like MDT Autosave. Environments that are primarily composed of a single vendor may have vendor specific solutions that provide additional security features. An example of this would be Rockwell’s AssetCentre which provides host based tamper detection, audit logging, asset inventory, calibration management, and smart device management on top of the typical version control, change management, and schedule based backup and recovery features available from vendor neutral solutions.
Below is an excerpt from a recent webinar on using technology to ensure your PLC/SIS system integrity. In it you will hear where many security programs currently fall short and best practices for when you are building up your controller security.