Cyber protection for Purdue Model Level 0 and 1 control system assets—that’s the topic industry veteran, Mark Baggett, discusses at the fall Industrial Control Systems Joint Working Group (ICSJWG) meeting hosted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
As he prepares for his presentation and trip, we caught up with Baggett to discuss his insights from the frontlines and today’s best practices for industrial control system (ICS) cybersecurity.
The first time I presented was around 2015. I’m a control systems guy and for that presentation, we tried to ship a simplified live industrial control system environment to the meeting. Needless to say, that didn’t work so well. But it would have been great to show the group what I was talking about using real industrial equipment. It takes on a different meaning when you can see firsthand the connection between digital factors and physical processes. Everyone knows it’s important in theory. But seeing it, as we see it in the industry, really takes that importance to another level.
In general, ICS cybersecurity has gained a lot of traction over the last few years. It’s evolved, and it needed to. Today, most in the industry know about ICS cybersecurity where four-five years ago, you still had to explain the difference from IT cybersecurity to people. Now you see it covered in mainstream media publications, various industry bodies have adopted an ICS cybersecurity practice. There are now regulations for various industry verticals. There’s also a lot more in terms of options to secure industrial control systems, at various levels of success. We’ve seen quite a few high-profile attacks since then too.
I’ve spent my career in the industry. I’ve been on the vendor side at Honeywell, in-house at Total, and designed, engineered and implemented control systems for the industry’s biggest players like BP, Shell, Exxon and ConocoPhillips among others. I have installed industrial control systems for 30 years but once I realized these systems could be hacked, I felt an obligation to the industry to fix this problem that I helped create. In ways, that’s where the industry is at; we’ve relied for decades on control systems in operations without a thought to cyber-securing them because back then, it wasn’t a risk. Today, it is. We’re all going back to address the issues we created and prepare for future risks as we look to adopt new Industrial Internet of Things (IIoT) technology.
It has but we have further to go. Over the years, I’ve gone to many sites. The more places I go, the more I am convinced: no control systems are protected until you have verification for such!
A defense-in-depth cybersecurity strategy has become status quo for many. And that’s good, it’s progress. But it’s not enough. Cybersecurity must be approached as the industry has done with control systems and operational technology (OT) networks. When we looked at control systems to automate industrial processes, we focused on three main aspects: ongoing operability, stopping and restarting. ICS cybersecurity should address the same questions in context:
A decade ago, we’d point to the control and safety instrumented systems to answer both of those questions. Today, we’ve seen both attacked and fail to operate as intended. When today’s adversaries breach the business network, Level 2 and down to Level 1 of the OT network, Level 0 is the last line of defense. Protecting Level 0—the field devices controlling physical processes like temperature, pressure, flow, level and speed—should be at the core of any industrial cybersecurity process. Few OT cybersecurity strategies get that low. But that’s really where we need to focus.
Our industrial control systems are already penetrated. My biggest fear is the hackers are just waiting to make one major attack that will affect us all. We’ve seen it with other areas in industrial operations. Think about all the health, safety and environmental incidents over the years to get HSE/EH&S practices to where they are at today. And even in that area, we have more work to do. My fear is cybersecurity is going to take the same course of development, with similar if not worse consequences.
The hackers are on our control systems, it is up to us to find out how to stop them from doing any harm.
With over 25 years of experience, Mark’s an industry veteran and industrial control systems (ICS) expert. His expertise stems from the energy sector where he’s designed, engineered and implemented control systems for the industry’s biggest players including BP, Total, Shell, Exxon and ConocoPhillips among others. Mark’s experience spans the globe with ICS projects across Europe, Asia-Pacific and North America.
As VP of ICS at Mission Secure, Mark leverages his expertise to help operations assess current systems, vulnerabilities and potential attack vectors, providing guidance and recommendations to mitigate cyber risks and implement a secure cyber architecture. Mark’s managed cybersecurity projects for oil rigs, refineries, pipelines, manufacturing plants and chemical facilities. He’s routinely invited to speak on ICS cybersecurity, most recently presenting at a U.S. Homeland Security/FBI joint taskforce meeting. Mark holds a bachelor’s degree in Secondary Education and frequently teaches control system training courses at San Jacinto College located in Pasadena and Houston, Texas.