Podcast: Cybersecurity -- Don’t Get Caught In Your Underwear

Oct. 19, 2022
Episode two uncovers tools needed to ramp up a sound program.

Back for more questions on cybersecurity best practices is Matt Malone, ICS/OT Cybersecurity consultant at Yokogawa. A graduate of Texas A&M, Matt embarked on an eight-year career in the U.S. Navy as a salvage diver and bomb disposal technician. He completed two combat deployments and returned home to Texas where he caught the cybersecurity bug and has since devoted his career to learning everything possible about how to secure industrial control systems against cyber-attacks.

Q: Out the door, anti-virus and anti-malware, is that software enough?

A: Oh, sadly, no. And I don't say no to kind of bash any malware program or endpoint protection program because those are great tools. But in the same way that if you're a king sending an army out to battle, you're not going to have your soldiers just wearing a helmet and storming the battlefield in a helmet and their underwear. You need a true defense in-depth program set up. And yes, endpoint protection, anti-malware, anti-virus, whitelisting, those are fantastic solutions, but it's not the end all be all. You need to make sure you've got everything from head to toe as far as that program is concerned. And I'll say this because as soon as I say that I can throw the laundry list of all the cybersecurity solutions you should have or which ones are going to be right for your DCS, but I want to take one step back and saying, you don't have to do them all today.

On the last episode , we talked about the cybersecurity roadmap, the path you're going to take, that this is something that we're going to have on our shoulders for the life cycle of our plant. With that being said, I'm not going to suggest that anybody do a $10 million CapEx program and in one year install every cybersecurity solution under the sun on their DCS now. No, let's get our assessment done. Let's identify our risks and our vulnerabilities. If we have any type of quantitative assessment coming out of that, let's look at that well to help us prioritize. And then from there, okay, year one, we've got anti-virus and whitelisting that we're going to do. Then we can set back and we can budget for year two. Year two, we're going to talk about firewall management. We're going to update all our routers, all of our switches, if we need to update our firewalls, we'll take a look at that. Year three is going to be this solution and things like that.

Q: You bring up a very sound plan. Folks get worried that they do have to jump in and throw everything at it at once. Doing this a little bit at a time really helps them get their arms around it and ramp up to where they need to be. Implementing policies and procedures lays the framework for an entire facility. Can we talk a little bit about that and what areas should these types of documents cover?

A: Absolutely. Probably the easiest one for everybody to identify is going to be your login, your password and login for your workstation, your engineering workstation, things like that. For the folks that are on the IT side, this is going to be really easy for them to identify with because they've seen this before. They know that setting up some domain controllers for active directory, and then I can set all of my group policy objects regarding logins, failed login attempts, password linked strength, things all like that. And I can set that up and I can shoot it down and I can update all of my engineers and my operators and they know what the drill is and things like that. Then I can also set up what my logging is going to be for the reporting, for the alerting, failed attempts, resetting, a reset password attempt or request, things like that.

That's a quick and easy one everybody's probably pretty familiar with. For some of the more in-depth ones, you want to take a look at my recommendation anyway, unless you're in a certain industry that provides a different type of standard, would be to take a look at the security level structure within ISA 62443. So that will help you also develop your program in a way that says, okay, after our last assessment, we can expect this type of a malicious actor, and so we should protect ourselves from that type of attack. And that could be security level one, which is just accidental intrusion from the insider, or it could be security level four. Okay, no, this is a very high-profile site. We should expect some type of nation state backed malicious actor or actors, and we need to have this thing set up. The equivalent of the Fort Knox within.

After you've gone through and you've selected, okay, we want to be at security level two. Then you can look at every one of those security requirements and it's going to have, okay, this is the bare minimum to meet this security level, then it's going to have a requirement enhancement if it's needed to go above that security level. And it lays it out. I understand this is a podcast, but this is more of a visual exercise and so I can provide some more materials like that, or you can go to the ISA website itself and it lays it out very, very distinctly about how to develop those policies and procedures in accordance to how you want your cybersecurity posture set up.

[Editor’s note: You can access ISA/IEC 62443 Series of Standards here.]

Q: Now thinking about this, are there any turnkey solutions that can be put in place right away once all of this starts moving?

A: Absolutely. Some of the more vanilla flavor of those would be like Windows server update service or Central Patch Management. If you're not on a Windows, if your servers and your machines aren't running Windows. But that's fairly easy to install even on an OT network. You don't have to wait for an offline period. Now, the thing about that though is you have to be careful of is some of those patches that are going to be sent out by Windows may or may not be tested by the OEM provider for your DCS. One of the things that Yokogawa does is that for our turnkey patch management solution, we do all the patch testing and the releasing on our own. So our clients don't even have to worry about that. They know that whenever a Windows patch is sent down to them from us, that it's already tested, already been approved. All they have to do is upload it whenever they get the chance. That machine is now good to go for the latest patch that's been sent out.

Another good turnkey solution is going to be Central AV, same deal. We recommend based on the layout, typically one jump server is going to be the only thing it's going to need to be installed, and the cool thing that we can do at Yokogawa is we can put that AVOS, that central AV server and the central patch management server co-located. And so for folks on the DCS side, they know that space is always going to be at a premium. I've only got so much rack space or so much server room space. And so for something like this, this is a way we've kind of figured out, all right, we can put both these together, only one more additional machine. We're not going to be taking up any more space, and like you said it's turnkey. We're in, we're out, and now you've reduced your risk in this area.

Q: Now I want to get a little specific here, and I'm not sure if you're able to answer it, but I'm going to toss it out there and we'll see where it goes. Yokogawa worked with Shell Secure Plant to design procedures and implement managed services. Can you give us any insight or lessons learned from that project?

A: Oh, of course. So now the Secure Plant initiative and the follow-on projects were fantastic because this was just one of those hand in glove relationships with the end user. This was a tailor-made suit for the client. And it wasn't just Shell coming in and saying, "Hey, we want you"... They didn't just throw the ball over the fence and tell us to do something with it. It was very much a partnership, and the feedback and the communication was probably the biggest takeaway about this and the technology that was developed was really downstream of that relationship. If we didn't have that trust, if we didn't have that communication and that camaraderie, then it may have been a busted project. But because everybody was able to work together and communicate effectively, then it really just, like I said, all the successes were really kind of downstream of that kind of partnership.

The other thing I meant to say is that because cybersecurity is this journey, it's this process, this initiative was started 2014, 2015, and it was one of those things that it just a day at a time, a step at a time, and now I want to say it's implemented in 45 or more plants across the globe. Because we started small. We worked together and we started figuring out what is going to be not just the right fit, but the best fit in terms of these policies and procedures, this technology. We also worked with other OEMs with that, and I just, I can't say enough about the partnership that developed all this.

Traci: And I think the partnership is important. Folks can buy things certainly, but they are there for learning from the experts in the field who see this all the time and getting the right fit and the best fit and starting smaller, also important. I so appreciate all the time you put in on this and making sure that we don't get caught in our underwear as you pointed out. And in our final episode in the cybersecurity series, we're going to talk a little bit about personnel. On behalf of Matt and the team at Yokogawa, I'm Traci Purdum, and this is Solution Spotlight.