Cybersecurity is no longer a secondary requirement in the industrial controls’ world. In a glass manufacturing operational technology environment, completing a risk assessment is the first step in building a reliable and robust cybersecurity program and should be the starting point for defining requirements, explains Eurotherm’s Param Chana.
The advent of Industry 4.0 and the rapid adoption of the Industrial Internet of Things (IIoT) is giving rise to many new opportunities, as long as processes are well protected. Several glass producers have been targeted by cyberattack over the past few years with costly results. Being prepared is key to protecting a glass business and the first step is to carry out a cybersecurity risk assessment (CRA) considering the operational environment. The CRA provides an understanding of the company’s cybersecurity risk posture by identifying gaps and key risk areas that need to be remediated. The cybersecurity service provider can then make recommendations and advise on a roadmap to achieve the objectives.
In the case of Eurotherm cybersecurity services, the CRA is a non-invasive high-level assessment carried out by an independent team of Schneider Electric OT cybersecurity experts. Working to industry best practices and standards such as ISA/IEC 62443, NERC CIP, CFATS and ISO 27001, the CRA helps define the highest risk areas to prioritize first. Recommendations are also made to help priorities the cybersecurity budget. Typically, most of the service can be delivered remotely, with a resulting report that includes prioritized recommendations to simplify the justification of resources. Within the assessment, cybersecurity experts will conduct controls-related network discussions incorporating a review of control areas, for example, network architecture, Industrial Control System (ICS) system components, cybersecurity policies and procedures, and physical security procedures.
Param Chana is Global Service Business Development Manager at Eurotherm.
Eurotherm’s longstanding close connection with the glass industry, providing complete distributed control system (DCS) solutions for glass furnaces, as well as hot end control for flat, container, pharmaceutical and fiberglass, enables a good understanding of these operational technology (OT) environments. The Eurotherm DCS is typically based on the T2750 PAC (programmable automation controller), which offers scalable, redundant, distributed control and monitoring for cost-effective optimized process control. User-access and communication robustness features with tamper-resistant data recording and archiving can aid improved cybersecurity as part of a “defense in depth” strategy.
In preparation for a CRA, the type of information required includes current cybersecurity policies, cyber program objectives, applicable standards, and existing cybersecurity tools and technologies. OT network diagrams showing ICS layers and zones, and labels displaying locations of critical assets on the network are also needed; as well as identification of the personnel and stakeholders most familiar with the OT network layout, equipment and assets, from an OT, cyber and technical knowledge point of view. The cybersecurity assessment has two parts; the assessment with report, and the consultation services to discuss the results in depth and create a tangible roadmap for the next steps.
There are varying levels of risk assessments available, including: Core, (Cybersecurity Risk Assessment – a high-level gap assessment); Enhanced (a detailed assessment aligned to the 15 control areas in IEC 62443); and Optimized (a customer assessment that typically focuses on a deep dive of a high-risk environment, system or process).
The risk assessment includes a documentation review, of items such as network diagrams, current cybersecurity policies and program elements. Remote interviews are carried out with key OT and cybersecurity stakeholders. Then the cybersecurity expert’s analysis identifies key risk areas, gaps and recommended steps for remediation in a report, which provides a starting point to prioritize future cybersecurity initiatives.
The CRA includes a deep dive on the results of the cybersecurity assessment, during which the independent Schneider Electric cybersecurity experts will provide detailed recommendations and step-by-step guidance, as well as a Q&A session, time frame for implementations, and budget estimates. Workshop sessions can help define a blueprint for cybersecurity and prioritize which areas to address first, based on resources, covering cyber training levels of ICS personnel, documented incident response procedures, lifecycle management policies and procedures, and access controls.
After implementing cybersecurity improvements, control systems can be further protected by ensuring the operation and applications are always current and up to date by using managed cybersecurity maintenance services, such as the Eurotherm software patching service, which can be offered as part of a Sales Level Agreement (SLA). Personnel cybersecurity training can also be provided to reduce the chance of cybersecurity incidents resulting from human error.
An effective industrial cybersecurity strategy is typically based on a defense in depth approach to achieve multiple layers of physical and digital protection. Ideally, cybersecurity should be designed-in, but Eurotherm recognizes that existing control systems require consideration too. Control and data acquisition products normally reside in the process control level behind a firewall but to support a defense in depth strategy, the Eurotherm product range includes features that help protect processes from being compromised by cyberattacks. The resilience of existing products and systems can also be improved through services.
The Eurotherm product ranges include communication robustness and user access features, helping to protect production processes from being compromised by cyberattacks as part of a defense in depth strategy. For example, Secure File Transfer Protocol (SFTP) provides secure file transfer over a Secure Shell (SSH) connection. Data is encrypted before transmission to prevent sensitive data, such as username, password and production process data from being disclosed over the network. In Eurotherm products that support this feature, SFTP can be used to archive recorded data, for instance, process values, alarms, messages, and batch information over a network, helping to protect data transfer in accordance with the IEC 62443 guidelines.
Achilles is an independent certification that demonstrates the robustness of products when subjected to a wide range of demanding communication conditions. The Eurotherm control and data acquisition products with Achilles Certification have communication robustness features, for example, algorithms that can detect excessive network activity and help to ensure that a device’s resources are prioritized on the essential functions of the control and/or recording strategy. The IEC 62443 standard states that industrial control systems should be able to authenticate and authorize human users. Some regional cybersecurity requirements and guidance also no longer allow the use of hard-coded user passwords, therefore IoT capable devices must have the functionality to create unique passwords or prompt a new user to set a password before they have access. Eurotherm products are available with password-controlled user access features to aid defense in depth strategies in industrial control systems. Typical features include Ethernet communications, and FTP server functionality disabled at instrument start-up until an Engineer account password has been created. Operator and Supervisor accounts are disabled until unique passwords have been created, and well-known recovery/backdoor passwords are not supported – all helping to limit access only to authorized job roles for improved cybersecurity.
For companies not sure where to start or that need help implementing a cybersecurity strategy, Eurotherm’s experienced and qualified experts can assess glass producers’ unique situations and requirements, helping them meet cybersecurity challenges with targeted solutions that fit their needs.
About the author:
Param Chana is Global Service Business Development Manager at Eurotherm.
The full version of this article appeared in the September/October 2022 glasstec issue of Glass Worldwide alongside a broad cross-selection of editorial covering all areas of production and processing.