October is National Cybersecurity Awareness Month (NCSAM). The annual collaborative effort between government and industry aims to raise awareness about the importance of cybersecurity and ensure all have the resources to be safe and secure.
Led by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA), this year’s theme—OWN IT. SECURE IT. PROTECT IT.—stresses personal accountability and taking proactive measures. At Mission Secure, cybersecurity is what we do. In support of NCSAM 2019, we’re taking an operational technology (OT) and industrial control system (ICS) approach to this year’s theme.
Own ICS. Secure OT. Protect Operations.
To wrap up NCSAM 2019, we dive into the goal of OT cybersecurity: to help operations prepare for and protect against cyber attacks.
This week, we sat down with industrial control system veteran, Mark Baggett, as he discussed his experience in the field, insights and current gaps in protecting control systems in today’s digital era. With more than 25 years of experience in oil and gas, Mark’s designed, engineered and implemented control systems for the industry’s most prominent players, including BP, Total, Shell, Exxon and ConocoPhillips, across Europe, Asia-Pacific and North America.
For organizations in oil & gas, maritime, critical infrastructure and defense, the ultimate goal is cyber resiliency—to ensure the safety and security of operations in the face of a cyber attack.
When I first got into this industry, control systems were managed by an operator looking at a board. The operator would literally look at these individual single-loop controllers on a panel. If something didn’t look right, the operator would walk into the unit and take a physical reading of that pressure or temperature because they didn’t trust their instrument on the wall.
Now, wind the clock forward. We, personally and as an industry, took that process across a plant and put it into control systems. Today, we have operators that have been in place for 20 years, and all they’ve seen is a computer screen. They trust that emphatically. And we’ve moved that whole control room away from the systems, sometimes out of the plant itself. Sometimes the control room is two miles from the actual plant. So, the operator can’t walk outside and look at those pressure or temperature readings.
Before, operators would leverage all their senses to keep a pulse on the plant. They’d hear a particular sound the pipe makes as chemicals go through it and could tell by that sound that their plant was running correctly. Now, operators are two miles away from the plant. They don’t know the sounds or smells of a plant as before. All today’s operators know is what is on the screen. And if someone were to get into that data and modify the operator’s screen, the operator would have no choice but to believe it. Operators have no choice now. That’s where the problem lies.
Safety and cybersecurity go hand-in-hand. Safety is all about making sure your process is in balance, in control. Cybersecurity is doing the same thing; it’s making sure you can count on what you see on the screen. Cybersecurity is keeping the plant’s processes in control. Cybersecurity accentuates safety because it’s also looking at your safety systems to ensure they’re working correctly. If your safety system is hacked and doesn’t work correctly, you’ve lost your protection for your control system. They work hand-in-hand.
They also help each other. Safety systems and control systems weren’t built for cyber protection. They were purpose-built. A safety system is built for safety control; a control system for plant control. Neither was built for cyber protections; that’s not their world, and they don’t understand that world. But if you do cybersecurity correctly, safety controls and cybersecurity controls can protect each other.
The whole concept about IIoT is delivering more and more information to more people—the distribution and utilization of data. But in the control system world, we like control. Operators and plant personnel want to control the OT network. And with IIoT, we have to give up some of that control to let more individuals look into our systems and access OT data.
Let’s take your house as an example. Your parents, grandparents, siblings and cousins want to have access to your home, which is the OT network in this instance. It may be okay for them to have access, but you still want to be able to control it. You want to be able to let them have access when they need it as opposed to giving them unlimited access. The OT world is in a similar spot. IIoT technologies and companies want information from control systems, but OT should be able to control when they access it, not 24/7. Right now, unlimited access is the only option we have because that’s what we’ve always done. If somebody needs access, you give them access. The problem is that company or individual now has access to your control systems, and the more people with the ability to access OT systems, the more potential something will go wrong.
In that scenario, cybersecurity can and should be a form of control. We’re going to control the operational world, and we’re going to use cybersecurity as a means for establishing that control. Our systems will be locked down, so you have to ask me for permission anytime you want into the OT network. We can use cybersecurity as a way of enhancing control.
For most boards of directors at these large companies, cybersecurity is a very serious problem. They understand it. The challenge is getting that urgency and concern driven down to the lower levels. The message is getting diluted as the buzzword of the week. The board of directors delegates the problem to the C-level; the C-level reviews and passes it down to somebody else, assuming they’ll address the concern. But if cybersecurity goes by the wayside and the board doesn’t bring it back up, then it gets dropped. Lower levels figure it was just the buzzword of that week.
I’ve been in this industry for 30 years, putting in control systems. Personally and professionally, I’d hate to think that something catastrophic would have to happen to address cybersecurity as an industry adequately. But I also know cyber incidents have happened at some companies. And companies still have not been able to drive the cybersecurity message down to their employees yet. They can’t convince them. Companies are putting money aside for cybersecurity, but they can’t convince employees at the OT level that it’s important enough to address. So maybe when we can verify a significant incident is 100% due to a cyber attack, individuals will take notice. I hate to think that. But I’ve also worked in this industry for my entire career, and I never thought it could even happen until I saw it firsthand.
Before I started looking at control system cybersecurity, I gave Dr. Rick Jones a programmed control system, a PLC, to try to access. Four days later, Dr. Jones calls me and says, “I’m in.” In disbelief, I asked him what he meant. I didn’t give him any passwords, or anything about the software. I didn’t provide him with anything besides the physical device. I pushed further, asking him if he could get into the controllers or change any of the tuning parameters. Tuning parameters are essential because they control the valves. For example, if you have a car in the Indianapolis 500, the car is tuned for long-distance races. It’s tuned differently than, say, a drag strip car. The drag strip car is only going a quarter of a mile, so you’re going to tune and treat that car differently for its specific situation. That’s what tuning parameters do in a control system. So if you start changing the tuning parameters of a PLC, you change the controls in the process. Dr. Jones could get to that level of access in four days. He could start changing those parameters without any software, any knowledge or booklets of the system. He hacked my PLC. And it made me realize that all the systems I put into plants and out in the field over the last years were also susceptible. If somebody has access to the network, they can get into control systems. And the big firewall IT put up, if they got past that, then they’re in my network. So industrial operations are really susceptible.
When you look at cybersecurity in plants, you compare that firewall with having protections down at the PLC level controlling tuning parameters or other critical process functions. And that’s why you need protection at the 0-1 level because you can’t rely on a firewall to take care of all cyber risks. You can’t count on the third or fourth levels anymore as we have been.
Protect Levels 1 and 0. Protect your safety systems.
It goes back to cybersecurity and safety. Secure the field and safety systems so they can do their jobs. Make sure that nobody gets into it and corrupts the data or stops the system from operating. Make sure safety systems work in case something does go wrong.
With over 25 years of experience, Mark’s an industry veteran and industrial control systems (ICS) expert. His expertise stems from the energy sector where he’s designed, engineered and implemented control systems for the industry’s biggest players including BP, Total, Shell, Exxon and ConocoPhillips among others. Mark’s experience spans the globe with ICS projects across Europe, Asia-Pacific and North America.
As VP of ICS at Mission Secure, Mark leverages his expertise to help operations assess current systems, vulnerabilities and potential attack vectors, providing guidance and recommendations to mitigate cyber risks and implement a secure cyber architecture. Mark’s managed cybersecurity projects for oil rigs, refineries, pipelines, manufacturing plants and chemical facilities. He’s routinely invited to speak on ICS cybersecurity, most recently presenting at a U.S. Homeland Security/FBI joint taskforce meeting. Mark holds a bachelor’s degree in Secondary Education and frequently teaches control system training courses at San Jacinto College located in Pasadena and Houston, Texas.