Continuing coverage of this week’s Honeywell Process Virtual Technical Experience.
[Note: You can have these posts sent to you via email simply by signing up at the appropriate link. There is normally one post per day; however, covering two conferences and a couple of press conferences this week necessitates a little extra coverage.]
Continuing the theme of “remote” and also support and services, Honeywell Process Solutions announced its Enabled Services program powered by Honeywell Forge this week. This automation lifecycle services offering focuses on ensuring Industrial Control System (ICS) health, reliability and compliance.
- End-to-end solution enables remote preventive maintenance and support
- Plant operators can reduce number of incidents per year by 40% and improve total cost of ownership
“Honeywell developed the Enabled Services program as a subscription-based service for ICS users dealing with increasing system complexity, an aging industrial workforce and the constraints imposed on plant operations by global health concerns,” said Mark Dean, director of offering management, Honeywell Process Solutions. “Through this Enabled Services offering, Honeywell’s experts can conduct rapid analysis and make fast recommendations to solve the issues and be onsite only when necessary. Honeywell has created a powerful tool for customers to significantly improve maintenance efficiency and redirect expensive resources to high priority corrective maintenance.”
Honeywell estimates its Enabled Services solution can deliver increased value by reducing the number of incidents per year by 40%, with a net decrease in total cost of ownership of 15%. These capabilities not only help improve system health, performance and compliance, but also allow customers to redirect existing high-skill resources to spend more time on systems improvements and to focus on their core business.
Based on Honeywell’s step-change Lifecycle Solutions & Services delivery model, which responds to customer-driven feedback from around the world, the Enabled Services solution is designed around three key pillars:
- System health and performance – in other words, what is going wrong in the plant
- System compliance – why it is going wrong
- Prescriptive maintenance and remediation – how the issues can be resolved
Honeywell’s program uses intuitive and consistent dashboards powered by Honeywell Forge technology, which provides users with real-time intelligence to enable peak performance. It also employs remote connection and/or local data collection, predictive and diagnostic tools, and global resource centers – all to support improved operational and business performance.
Enabled Services remote support capabilities were specifically developed with security in mind. The services employ protected network connections built on industry recognized standards, such as IEC 62443, to transfer data from the customer’s site to Honeywell’s global resource centers.
Through its proactive approach, Enabled Services offers improved efficiencies compared with ad hoc maintenance regimens, homegrown solutions that compromise migration readiness, and/or delaying service and repairs until assets fail. This comprehensive solution can help company executives, plant managers and control engineers to:
- Understand and improve operational effectiveness and risk profiles
- Leverage operational benefits from systems, applications and people
- Focus efforts on core competencies by deploying suitably skilled resources
- Improve the health, security and stability of control assets
Honeywell’s Enabled Services offering includes two levels of support to meet diverse customer requirements. Enabled Services Enhanced employs fully connected systems and offers continuous insights on system health, performance and compliance with actionable recommendations. Enabled Services Essential is intended for a non-connected system and offers less frequent updates.
I have known Eddie Habibi, founder and CEO of PAS (now PAS Global) for about 20 years. So I’ve followed the development of his company for that long. There was alarm management, and process safety, and process asset management. And the company grew at a typical pace for the market.
Then he went all-in on process control system cybersecurity. He accepted some investment money, hired some pros in the field, and combined security with what the company was already known for.
The results are in the latest press release from PAS Global LLC where it announced a 45% increase in term revenue year-over-year and increased market recognition of its solutions.
In March 2019, the company introduced an expanded Cyber Integrity offering with risk analytics for continuous operational technology (OT) endpoint security. Following this milestone, the company marked record growth in the adoption of this solution across multiple geographies and verticals including the United States, Europe, and the Middle East with leading organizations in the chemicals and oil & gas industries, in particular.
A Fortune 50 independent petroleum refiner was challenged with increasing cybersecurity risks as they deployed connected technology to achieve faster and more efficient production operations. PAS Cyber Integrity was deployed as the foundation for the refiner’s OT cybersecurity program to create an automated, comprehensive, evergreen OT asset inventory and to more quickly identify and remediate security vulnerabilities. What used to take the company months to assess “critical” or “high” ICS-CERT vulnerabilities can now be done in minutes across all refineries.
A global, integrated oil & gas company operating across five continents is pursuing digital transformation to grow its business, enter new markets, and compete more effectively. Underpinning this initiative is a cloud-based analytics platform. The team chartered with this program sought to leverage their multi-vendor industrial control system (ICS) data and ensure reliable data flows from field-level devices to their data lake. They sought a platform-independent solution that could not only deliver this data, but also provide a topological view of assets and site connections, monitor configuration baselines, and manage change. Additionally, the company’s cybersecurity team sought a solution that could provide comprehensive OT asset inventory and rapid vulnerability assessment capabilities. PAS Automation Integrity and Cyber Integrity were selected to address these needs.
A major electronic materials firm with operations in North America and Asia sought to establish an enterprise-wide cybersecurity program on an aggressive schedule to eliminate gaps in visibility and security controls. Cyber Integrity was selected to automatically build a detailed OT asset inventory for each site, identify patch levels across systems, and implement change management workflows. The company now has the inventory and configuration visibility it needs to support digitalization efforts including data lake, 5G, and artificial intelligence initiatives.
“Industrial organizations are increasing investment in cybersecurity solutions specifically built for OT not only to reduce their overall cyber risk but to ensure they can accelerate their digital transformation efforts safely,” said Eddie Habibi, Founder and CEO of PAS. “We are pleased to be working with a growing list of global companies who are leveraging PAS Cyber Integrity to give them the foundation they need for managing industrial cyber risk.”
The company also saw significant year-over-year growth in purchases of its operations management and process safety solution, PlantState Suite.
“Of equal importance is the work we do to help companies improve process safety through effective operations management,” Habibi added. “We are pleased to have been recognized once again as the market leader for both alarm management and safety lifecycle management. This is a testament to the hard work of the PAS team over many years and the confidence our customers place in our solutions.”
PAS cybersecurity and process safety management solutions are installed in more than 70 countries in over 1,450 industrial facilities for over 535 customers, including 13 of the top 15 chemical companies, 13 of the top 15 refining companies, 7 of the top 20 power generation companies, 4 of the top 5 pulp and paper companies, and 3 of the top 5 mining companies in the world.
Internet of Things installations along with industrial control systems constitute well known cybersecurity vulnerabilities within industrial plants and operations. CyberX, the IoT and industrial control system (ICS) security company, announced the availability of its “2020 Global IoT/ICS Risk Report” designed to sharpen awareness and knowledge of this critical area.
The data illustrates that IoT/ICS networks and unmanaged devices are soft targets for adversaries, increasing the risk of costly downtime, catastrophic safety and environmental incidents, and theft of sensitive intellectual property.
Some of the top findings noted that these networks have outdated operating systems (71 percent of sites), use unencrypted passwords (64 percent) and lack automatic antivirus updates (66 percent).
Energy utilities and oil and gas firms, which are generally subject to stricter regulations, fared better than other sectors such as manufacturing, chemicals, pharmaceuticals, mining, transportation and building management systems (CCTV, HVAC, etc.).
Now in its third year, CyberX’s “Global IoT/ICS Risk Report” is based on analyzing real-world traffic from more than 1,800 production IoT/ICS networks across a range of sectors worldwide, making it a more accurate snapshot of the current state of IoT/ICS security than survey-based studies.
Including the data presented in previous reports, CyberX has now analyzed over 3,000 IoT/ICS networks worldwide using its patented M2M-aware behavioral analytics and non-invasive agentless monitoring technology.
Recommendations Focus on Prioritization and Compensating Controls
The report concludes with a practical seven step process for mitigating IoT/ICS cyber risk based on recommendations developed by NIST and Idaho National Labs (INL), a global authority on critical infrastructure and ICS security.
Experts agree that organizations can’t fully prevent determined attackers from compromising their networks. As a result, they recommend prioritizing vulnerability remediation for “crown jewel” assets — critical assets whose compromise would cause a major revenue or safety impact — while implementing compensating controls such as continuous monitoring and behavioral anomaly detection (BAD) to quickly spot intruders before they can cause real damage to operations.
“Our goal is to bring board-level awareness of the risk posed by easily-exploited vulnerabilities in IoT/ICS networks and unmanaged devices — along with practical recommendations about how to reduce it,” said Omer Schneider, CyberX CEO and co-founder.
“Today’s adversaries — ranging from nation-states to cybercriminals and hacktivists — are highly motivated and capable of compromising our most critical operational systems,” said Nir Giller, CyberX GM, CTO and co-founder. “It’s now incumbent on boards and management teams to recognize the risk and ensure appropriate security and governance processes are in place across all their facilities to address it.”
Summary of Key Findings
- Broken Windows: Outdated Operating Systems. 62 percent of sites have unsupported Microsoft Windows boxes such as Windows XP and Windows 2000 that no longer receive regular security patches from Microsoft, making them especially vulnerable to ransomware and destructive malware. The figure rises to 71 percent with Windows 7 included, which reaches end-of-support status in January 2020.
- Hiding in Plain Sight: Unencrypted Passwords. 64 percent of sites have unencrypted passwords traversing their networks, making it easy for adversaries to compromise additional systems simply by sniffing the network traffic.
- Excessive Access: Remotely Accessible Devices. 54 percent of sites have devices that can be remotely accessed using standard management protocols such as RDP, SSH and VNC, enabling attackers to pivot undetected from initial footholds to other critical assets. For example, during the TRITON attack on the safety systems in a petrochemical facility, the adversary leveraged RDP to pivot from the IT network to the OT network in order to deploy its targeted zero-day malware.
- Clear and Present Danger: Indicators of Threats. 22 percent of sites exhibited indicators of threats, including suspicious activity such as scan traffic, malicious DNS queries, abnormal HTTP headers, excessive number of connections between devices and malware such as LockerGoga and EternalBlue.
- Not Minding the Gap: Direct Internet Connections. 27 percent of sites analyzed have a direct connection to the internet. Security professionals and bad actors alike know that it takes only one internet-connected device to provide a gateway into IoT/ICS networks for malware and targeted attacks, enabling the subsequent compromise of many more systems across the enterprise.
- Stale Signatures: No Automatic Antivirus Updates. 66 percent of sites are not automatically updating Windows systems with the latest antivirus definitions. Antivirus is the very first layer of defense against known malware — and the lack of antivirus is one reason why CyberX routinely finds older malware such as WannaCry and Conficker in IoT/ICS networks.
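The findings above, together with the report's recommendation to remediate “crown jewel” assets first, translate naturally into a routine review of a passive asset inventory. What follows is an added example written for this post; it is not CyberX's code or the report's method. The asset records, site names and protocol labels (for instance `http-basic` standing in for cleartext HTTP authentication) are constructed, and the protocol sets are assumptions about what a passive monitor would classify, not the report's definitions.

```python
"""Site-level risk review over a (constructed) passive asset inventory.

Added example, not CyberX's code. It reproduces the *shape* of the report's
findings (percent of sites exhibiting each condition) and orders remediation
the way the report's recommendations describe: crown-jewel assets first.
"""
from dataclasses import dataclass

# Windows releases that no longer receive regular security patches; the report
# counts Windows 7 among them once it reaches end-of-support in January 2020.
UNSUPPORTED_OS = {"Windows XP", "Windows 2000", "Windows 7"}
# Assumption: protocols a passive monitor would flag as carrying credentials
# in the clear. Labels are constructed for this example.
CLEARTEXT_AUTH_PROTOCOLS = {"telnet", "ftp", "http-basic", "snmp-v1", "snmp-v2c"}
# Standard remote-management protocols named in the report.
REMOTE_ACCESS_PROTOCOLS = {"rdp", "ssh", "vnc"}


@dataclass
class Asset:
    site: str
    name: str
    os: str
    protocols: set          # protocols observed on the wire for this asset
    av_auto_update: bool    # only meaningful for Windows hosts
    internet_reachable: bool
    crown_jewel: bool       # compromise would cause major revenue or safety impact


def asset_findings(a: Asset) -> list:
    """Return the report-style findings that apply to one asset."""
    findings = []
    if a.os in UNSUPPORTED_OS:
        findings.append("outdated_os")
    if a.protocols & CLEARTEXT_AUTH_PROTOCOLS:
        findings.append("cleartext_credentials")
    if a.protocols & REMOTE_ACCESS_PROTOCOLS:
        findings.append("remote_access")
    if a.internet_reachable:
        findings.append("direct_internet")
    if a.os.startswith("Windows") and not a.av_auto_update:
        findings.append("no_av_updates")
    return findings


def site_prevalence(assets) -> dict:
    """Percent of sites where each finding appears on at least one asset.

    The report's unit of measure is the site, not the device, so one bad host
    is enough to count the whole site.
    """
    sites = {a.site for a in assets}
    sites_with = {}
    for a in assets:
        for f in asset_findings(a):
            sites_with.setdefault(f, set()).add(a.site)
    return {f: round(100 * len(s) / len(sites), 1) for f, s in sites_with.items()}


def remediation_queue(assets) -> list:
    """Order (site, asset, findings): crown jewels first, then by finding count.

    Clean assets are dropped. Everything that remains on a crown jewel is a
    candidate for compensating controls (continuous monitoring) while the
    underlying fix is scheduled.
    """
    rows = [(a, asset_findings(a)) for a in assets]
    rows = [(a, f) for a, f in rows if f]
    rows.sort(key=lambda r: (not r[0].crown_jewel, -len(r[1]), r[0].name))
    return [(a.site, a.name, f) for a, f in rows]


# Constructed sample inventory: three sites, two assets each.
SAMPLE_ASSETS = [
    Asset("A", "A-HMI01", "Windows XP", {"rdp", "smb"}, False, False, True),
    Asset("A", "A-ENG01", "Windows 10", {"ssh"}, True, True, False),
    Asset("B", "B-PLC01", "VxWorks", {"modbus"}, True, False, True),
    Asset("B", "B-HIST01", "Windows 7", {"http-basic", "rdp"}, True, False, False),
    Asset("C", "C-SIS01", "Windows 10", {"vnc"}, False, False, True),
    Asset("C", "C-HIST01", "Windows 10", {"https"}, True, False, False),
]

if __name__ == "__main__":
    for finding, pct in sorted(site_prevalence(SAMPLE_ASSETS).items()):
        print(f"{finding:22s} {pct:5.1f}% of sites")
    print()
    for site, name, findings in remediation_queue(SAMPLE_ASSETS):
        print(f"{site} {name:10s} {', '.join(findings)}")
```

On the constructed inventory every site has a remotely accessible device (100%), two of three sites run an unsupported Windows release, and the queue puts the two crown-jewel hosts with findings ahead of the historian that actually has the most findings, which is the point of the report's prioritization advice.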
Years ago I dabbled in machine vision integration. It was fun and creative. My customers and I did some pretty cool quality control applications. So I maintain a liking for the technology even though the price of the hardware plummeted and ease-of-use skyrocketed. So, I bring you this interesting news.
Honeywell is collaborating with Papertech to develop and market TotalVision, a connected, camera-based detection system for the flat sheet industries. The system enables customers to identify and resolve defects on the production line, improving quality and efficiency. The fully integrated total quality control solution is designed for flat sheet and film processes in which surface detection and production break monitoring capabilities are critical for competitive success. This new solution is designed for paper, pulp, tissue, board, extruded film, calendaring, lithium-ion battery, copper and aluminium foil producers.
Combining Honeywell’s ExperionMX technology with market-leading Papertech’s TotalVision defect detection and event capturing capabilities, the solution provides a single-window operating environment for all aspects of process and quality control. Customers benefit from faster root cause determination of runnability and quality problems, thereby saving significant time in lost or downgraded production. When integrated with connected offerings such as Honeywell QCS 4.0, system data and analytics can be accessed anytime, anywhere, from any device.
“Honeywell represents an ideal collaborator for Papertech as our industry-leading WebInspector WIS and our WebVision web monitoring system (WMS) single platform TotalVision camera system seamlessly integrate with Honeywell’s quality control systems for a range of industries,” said Kari Hilden, CEO of Papertech Inc. “We look forward to working with the global Honeywell team and their customers.”
Honeywell will continue to support existing camera system users with parts and services, while offering an easy migration path to the new solution. Given the collaborative nature of the agreement, customers can choose to take a single party, single-window approach or to engage with Honeywell and Papertech separately.
“As the world moves from plastic to biomaterial-based packaging, and from hydrocarbon-based transportation to electric vehicles, flat sheet producers are under increased pressure to ensure output consistently meets a variety of performance and safety requirements,” said Michael Kennelly, global business leader for sheet, film and foil industries, Honeywell Process Solutions. “By bringing together Honeywell’s core strengths of measurement, control, connected applications and services in flat sheet production with Papertech’s leadership in web monitoring and inspection systems, we uniquely provide customers with that capability along with industry-beating lifecycle costs.”
Papertech is the global industry-leading machine vision system supplier for a range of web-based production lines with more than 1200 TotalVision installations in 42 countries. It is part of the IBS Paper Performance Group, a company with a more than 50-year history in delivering papermakers a full range of proven machine efficiency and product quality optimization solutions.
For more information visit Honeywell Quality Control Systems and Papertech TotalVision solutions.
Cybersecurity as a concept or even as a term didn’t exist when I discussed the future of connected control systems devices with my customer, a senior control systems engineer for an automotive component manufacturer in the 1990s. He was aware of potential problems of connectedness when he told me, “I will never run a wire from a control system in this plant.”
Today? Everything is connected. Cybersecurity is a known, if sometimes devalued, challenge. How much do organizations understand the risk exposure of IoT devices? Deloitte and Dragos, Inc. share the top risks to organizations in the current IoT environment.
- In the digital age, cyber is everywhere. Cyber risk now permeates nearly every aspect of how we live and work. Organizations should better understand how to manage the risks created by known and unknown Internet of Things (IoT) and Industrial IoT (IIoT) devices.
- Security-by-design saves time: it takes longer to retroactively fix issues than it does to do it correctly the first time when building the product.
- Security-by-design reduces cost: it costs more to mitigate the risk of vulnerability exploitation than to implement security in the beginning.
- According to a recent Deloitte poll, nearly half of respondents (48%) realized it is imperative, when developing or deploying secure-by-design connected products and/or devices, that both of these conditions exist:
  - DevSecOps embedded throughout the design/acquisition, implementation, and deployment lifecycle.
  - Cross-functional technology that includes teaming with legal, procurement and compliance across pre- and post-market deployments.
Why it matters
The number of cyberattacks, data breaches and overall business disruptions caused by unsecured IoT/IIoT devices is increasing because many companies don’t know the depth and breadth of the risk exposures they face when leveraging IoT devices and other emerging technologies. IoT and IIoT are a set of business and technology innovations that offer many compelling benefits, but they also present significant cybersecurity risks and a greatly expanded attack surface. Mitigating these risks by understanding IoT/IIoT platform security can help organizations realize the greater potential and benefits of these innovations.
Why is security-by-design important?
Deloitte and Dragos are teaming on a number of client initiatives to help organizations embed a security-by-design approach and to manage the risk of industrial control systems (ICS) and operational technology (OT) environments by enabling them to better monitor and assess threats. Organizations can benefit from a better understanding of threats in this environment, which can then be used to develop and embed cybersecurity strategies into organizational and technology strategy.
Security-by-design (for designing an IoT/IIoT product) is about incorporating cybersecurity practices by default into the product’s design as well as (for onboarding an acquired IoT/IIoT product) incorporating cybersecurity practices by default into the environment in which the IoT product is implemented.
Beyond securing ICS and OT systems, this combination of cyber risk services and technologies can provide a more complete picture of an organization’s ICS and OT threat landscape through active monitoring that can better inform scenario planning and response.
The following top risks were outlined by leaders from Deloitte Risk & Financial Advisory’s cyber practice and Dragos in a recent Deloitte Dbriefs webcast, The Internet of Things and cybersecurity: A secure-by-design approach:
Top 10 security risks the current IoT environment poses
- Not having a security and privacy program
- Lack of ownership/governance to drive security and privacy
- Security not being incorporated into the design of products and ecosystems
- Insufficient security awareness and training for engineers and architects
- Lack of IoT/IIoT and product security and privacy resources
- Insufficient monitoring of devices and systems to detect security events
- Lack of post-market/implementation security and privacy risk management
- Lack of visibility of products or not having a full product inventory
- Identifying and treating risks of fielded and legacy products
- Inexperienced/immature incident response processes
“Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind. Today all sorts of products are becoming a part of cyber: from ovens to instant cookers, 3D printers to cars. Organizations need to consider what can actually go wrong with what is really out there and look at those challenges as a priority.”
– Sean Peasley, a partner in Risk & Financial Advisory and the Consumer & Industrial Products leader and Internet of Things (IoT) Security leader in Cyber Risk Services at Deloitte & Touche LLP
“Organizations need to think through this. There are a lot of requirements and they need to figure out a strategy. When looking at product security requirements, I see this as a challenging aspect as organizations get a handle around what they are manufacturing. There are organizations for example in industries such as health care, medical devices, and power and utilities that are starting to ask questions of their suppliers as they consider security before they deploy devices into their customer ecosystem. Where I see a lot of organizations struggle is in understanding system misconfiguration or not having the architecture they thought they did in order to make sure their manufacturing environment is reliable.”
– Robert M. Lee, CEO at Dragos Inc.
About the online poll
More than 4,200 professionals across industries and positions participated in and responded to poll questions during the Deloitte Dbriefs webcast, “The Internet of Things and cybersecurity: A secure-by-design approach” held May 30, 2019. Answer rates differed by question.
A majority (81%) of respondents indicated that information security is accountable for securing connected products in their organization. The information security team is still primarily where boards look to drive their cyber agenda, but as the 2019 Future of Cyber survey indicates, cyber is becoming everyone’s responsibility. It is critical to understand that if you are the plant manager, you likely bear responsibility for the safety and liability of the operation. But the challenge is that everyone has a role to play. Ultimately, the CEO is going to be held accountable.
Organizational confidence in security
How confident are respondents that their organizations’ connected products, devices, or other “things” are secure today? Not very. More than half of respondents (51%) were somewhat confident, while 23% were uncertain or somewhat not confident, with only 18% feeling very confident in their organizations’ ability to secure connected products and devices. This may be a result of an overall lack of standardization across industries for security and awareness of cyber risks and connected devices.
Guidance for security-by-design
A positive revelation in the results was when 41% of respondents indicated that they look to industry and professional organizations for guidance in driving security-by-design within their organizations. Another 28% said that they look first to regulatory bodies and agencies that set the standards; and 22% indicated their leading practices were developed internally for providing that guidance in driving security-by-design.
According to Peasley and Lee, it is a favorable strategy for organizations to understand leading practices and standards of peer organizations first, and then look to the regulatory bodies that are starting to shape standards and regulations and help inform the standards and regulations that are to come.
These results conflict with another question regarding whether their product teams use a defined set of product cybersecurity requirements as input for requirements selection. Twenty-eight percent use an industry defined framework, and 41% indicated a custom framework, while 30% of respondents indicated “No” that they didn’t use a defined set of requirements. The results of this question indicate there is still much work to do across the industry to influence and inform on standards for cybersecurity.
Considerations for organizations
- Understand the current state of product security and develop a cyber strategy: Whether designing connected products or acquiring such products to implement internally, assess how products, including the data they produce, are protected and develop a cyber strategy to drive improvement.
- Establish security-by-design practices: Integrate security-by-design into the design of the product itself or into the design of the ecosystem architecture, through requirements, risk assessments, threat modeling and security testing.
- Set the tone from the top: Ensure the right people are engaged and have ownership of the process – from leadership to the relevant product security subject matter experts to the product teams.
- Have a dedicated team and provide them with ample resources: Don’t expect enterprise security teams to cover missions without adding new resources for them; build a dedicated team that has product-based experience and provide training as needed to increase knowledge.
- Leverage industry-available resources: Rather than developing and providing unique questionnaires to your device vendors, use publicly-available industry resources.
- “Secure IoT by design: Cybersecurity capabilities to look for when choosing an IoT platform”
- According to the recent Deloitte “2019 Future of Cyber” survey, there are notable gaps in organizations’ abilities to meet cybersecurity demands for the future. Results from the survey indicate that many cyber organizations are challenged by their ability to help better prioritize cyber risk across the enterprise (16%). To see additional results from the Future of Cyber survey, download a copy.
The Dragos ICS asset identification, threat detection, and response platform distills decades of real-world experience from an elite team of ICS cybersecurity experts across the U.S. intelligence community and private industrial companies. Dragos’ offerings also include threat hunting and incident response services, and Dragos WorldView for weekly threat intelligence reports. Dragos is headquartered in the Washington, DC area.
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including nearly 90% of the Fortune 500 and more than 5,000 private and middle market companies.