Wed, Mar 12, 2025 06:43

Practical Security

By Pat Dixon, PE, PMP

President of DPAS, (DPAS-INC.com)

When a bear chases a group of people in the woods, you don't need to be faster than the bear. You need to be faster than the slow people.

That is one approach to network security. Your budget is not infinite and eliminating every possible vulnerability may be impossible. But being the most vulnerable target is a big problem.

Last week I attended a meeting of the Project Management Institute (PMI) which featured the founder of a cyber security company. He shared some war stories about some very damaging incidents in cyber security. He said there is a huge global shortage of network security personnel, and the number in the United States is about a half million positions that are not filled.

His presentation addressed the broad information technology (IT) domain. The industrial domain is a subset of the broad IT domain and is specialized because it contains operational technology (OT). OT is unique because it requires determinism, and therefore utilizes some proprietary operating systems and technologies.

Serendipitously, after the PMI event last week I listened to the January 23 episode of "Control Amplified". Since 2018 this podcast has provided monthly or biweekly episodes covering topics in automation. Most episodes are brief, ranging from 10 to 15 minutes. The Jan 23, 2025, episode is 34 minutes long. It is an interview of Joe Weiss, who is an industry veteran focused on cyber security in automation. Joe has been an evangelist for prioritizing security for quite some time. He is concerned that there has not been sufficient attention paid to security, and suggests there are significant omissions when security is addressed. Specifically, Level 0 and 1 devices were singled out as lacking in security.

A reminder about the Purdue model describing the levels in an industrial network:

Level 0 - Instrumentation: the physical connection to the process for obtaining data and taking action

Level 1 - Digitization: the devices that convert signals to digital form and process logic

Level 2 - Supervisory: the control network and applications that rely on deterministic processing, such as HMI, historical data, and advanced controls

Level 3 - Manufacturing Execution System: the interface between the lower deterministic layers (operational technology) and the non-deterministic enterprise layer (Enterprise Resource Planning)

Level 4 - Enterprise Resource Planning: the non-deterministic financial and management applications for the enterprise

A reasonable question is whether every level requires security in its design, and if so to what extent?

  • Imagine a "dumb" Level 0 sensor measuring pressure and providing a 4-20 milliamp signal. What security would it require? There is nothing digital in it, so security does not apply.
  • Now imagine a smart "digital" sensor that is remotely accessible. It has processing and memory, and could even have logic in it. If that sensor is used in an interlock or control loop, a remote connection might allow someone to hack it and give it a false reading, which would be dangerous.
  • However, if that same smart sensor is physically wired to a Level 1 controller, and that controller is on a Level 2 control network, is it sufficient to secure Level 2? Some control networks are proprietary and have security in the design, which can isolate any Level 0 or 1 devices from security concerns.

Therefore, the security requirements for Level 0 devices can differ depending on how they are implemented.

Nearly every project I have worked on in my career involves network communication. I have performed security audits for critical infrastructure (power plants) complying with North American Electric Reliability Corporation (NERC) standards. I managed projects to audit security patches and network vulnerability for federal government agencies. During one of my projects, I witnessed a malware attack in progress that we killed by pulling the internet connection out of the switch and recovered from a backup. I have seen facilities such as municipal and federal utilities that air-gapped their systems (no physical connection outside the building) to isolate them from security threats. I consider myself sensitive to these threats.

I have also seen way too many industrial control networks with Windows 95 machines with no passwords and no security patches. I have seen thumb drives plugged into Level 2 devices without considering the possibility of a virus on that drive, which happened with Stuxnet. I have seen server rooms with no lock on the door. I still have a key fob from a facility I last visited 8 years ago that doesn't seem interested in having it returned.

While many facilities have significant vulnerabilities, some may have gone too far. There is a major producer in industry that had a severe ransomware attack. They responded by tightening up their security. Sometime afterwards I had to visit a facility because they said the instrumentation system no longer worked. When I arrived, I found there was nothing wrong with the instrumentation system. The new cyber security approach killed OPC communication, preventing anything from the instrumentation from getting to the network historian where they looked at the data.

In our industry we have a lot of facilities that need better attention to security. As stated, there is an undersupply of qualified network security resources. It becomes more difficult when you need people who understand both the broad IT technology and the OT technology (such as OPC) that make the system work. Decision makers need to understand that network security is the cost of doing business. If the right investments are made in the right resources, you can shed some anxiety and focus on selling production.

Don't be the most vulnerable facility in industry. Make the bear chase someone else.



 

