Expert Interview: How low can you go? Establishing real-time protection for Level 0 and 1 assets

Cyber protection for Purdue Model Level 0 and 1 control system assets—that’s the topic industry veteran, Mark Baggett, discusses at the fall Industrial Control Systems Joint Working Group (ICSJWG) meeting hosted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

As he prepares for his presentation and trip, we caught up with Baggett to discuss his insights from the frontlines and today’s best practices for industrial control system (ICS) cybersecurity.

Let’s start with a little history. You presented at the ICSJWG before, what do you remember about the first time you presented?

The first time I presented was around 2015. I’m a control systems guy and for that presentation, we tried to ship a simplified live industrial control system environment to the meeting. Needless to say, that didn’t work so well. But it would have been great to show the group what I was talking about using real industrial equipment. It takes on a different meaning when you can see firsthand the connection between digital factors and physical processes. Everyone knows it’s important in theory. But seeing it, as we see it in the industry, really takes that importance to another level.

What’s changed since the first time you presented?

In general, ICS cybersecurity has gained a lot of traction over the last few years. It’s evolved, and it needed to. Today, most in the industry know about ICS cybersecurity where four-five years ago, you still had to explain the difference from IT cybersecurity to people. Now you see it covered in mainstream media publications, various industry bodies have adopted an ICS cybersecurity practice. There are now regulations for various industry verticals. There’s also a lot more in terms of options to secure industrial control systems, at various levels of success. We’ve seen quite a few high-profile attacks since then too.

Just did a Google Trends check. Comparing full years, global searches for “ICS Cybersecurity” increased 237% from 2015 to 2018. In your experience coming from the industry, how have industrial operations evolved?

I’ve spent my career in the industry. I’ve been on the vendor side at Honeywell, in-house at Total, and designed, engineered and implemented control systems for the industry’s biggest players like BP, Shell, Exxon and ConocoPhillips among others. I have installed industrial control systems for 30 years but once I realized these systems could be hacked, I felt an obligation to the industry to fix this problem that I helped create. In ways, that’s where the industry is at; we’ve relied for decades on control systems in operations without a thought to cyber-securing them because back then, it wasn’t a risk. Today, it is. We’re all going back to address the issues we created and prepare for future risks as we look to adopt new Industrial Internet of Things (IIoT) technology.

What about ICS cybersecurity in industrial operations, has that evolved as well?

It has but we have further to go. Over the years, I’ve gone to many sites. The more places I go, the more I am convinced: no control systems are protected until you have verification for such!

On that note, let’s discuss your presentation. What do you mean by “how low can you go”?

A defense-in-depth cybersecurity strategy has become status quo for many. And that’s good, it’s progress. But it’s not enough. Cybersecurity must be approached as the industry has done with control systems and operational technology (OT) networks. When we looked at control systems to automate industrial processes, we focused on three main aspects: ongoing operability, stopping and restarting. ICS cybersecurity should address the same questions in context:

1. How do you maintain operability during a cyber attack?
2. How do you safely bring down operations when compromised by or under a cyber attack?
3. How do you recover and restore operations after the attack?

A decade ago, we’d point to the control and safety instrumented systems to answer both of those questions. Today, we’ve seen both attacked and fail to operate as intended. When today’s adversaries breach the business network, Level 2 and down to Level 1 of the OT network, Level 0 is the last line of defense. Protecting Level 0—the field devices controlling physical processes like temperature, pressure, flow, level and speed—should be at the core of any industrial cybersecurity process. Few OT cybersecurity strategies get that low. But that’s really where we need to focus.

What do you think is the biggest risk for the future?

Our industrial control systems are already penetrated. My biggest fear is the hackers are just waiting to make one major attack that will affect us all. We’ve seen it with other areas in industrial operations. Think about all the health, safety and environmental incidents over the years to get HSE/EH&S practices to where they are at today. And even in that area, we have more work to do. My fear is cybersecurity is going to take the same course of development, with similar if not worse consequences.

To wrap it up, what’s one message for the industry and attendees at this fall’s meeting?

The hackers are on our control systems, it is up to us to find out how to stop them from doing any harm.

About Mark Baggett

With over 30 years of experience, Mark’s an industry veteran and industrial control systems (ICS) expert. His expertise stems from the energy sector where he’s designed, engineered and implemented control systems for the industry’s biggest players including BP, Total, Shell, Exxon and ConocoPhillips among others. Mark’s experience spans the globe with ICS projects across Europe, Asia-Pacific and North America.

As VP of ICS at Mission Secure, Mark leverages his expertise to help operations assess current systems, vulnerabilities and potential attack vectors, providing guidance and recommendations to mitigate cyber risks and implement a secure cyber architecture. Mark’s managed cybersecurity projects for oil rigs, refineries, pipelines, manufacturing plants and chemical facilities. He’s routinely invited to speak on ICS cybersecurity, most recently presenting at a U.S. Homeland Security/FBI joint taskforce meeting. Mark holds a bachelor’s degree in Secondary Education and frequently teaches control system training courses at San Jacinto College located in Pasadena and Houston, Texas.