I have known Eddie Habibi, founder and CEO of PAS (now PAS Global) for about 20 years. So I’ve followed the development of his company for that long. There was alarm management, and process safety, and process asset management. And the company grew at a typical pace for the market.
Then he went all-in on process control system cybersecurity. He accepted some investment money, hired some pros in the field, and combined security with what the company was already known for.
The results are in the latest press release from PAS Global LLC where it announced a 45% increase in term revenue year-over-year and increased market recognition of its solutions.
In March 2019, the company introduced an expanded Cyber Integrity offering with risk analytics for continuous operational technology (OT) endpoint security. Following this milestone, the company marked record growth in the adoption of this solution across multiple geographies and verticals including the United States, Europe, and the Middle East with leading organizations in the chemicals and oil & gas industries, in particular.
A Fortune 50 independent petroleum refiner was challenged with increasing cybersecurity risks as they deployed connected technology to achieve faster and more efficient production operations. PAS Cyber Integrity was deployed as the foundation for the refiner’s OT cybersecurity program to create an automated, comprehensive, evergreen OT asset inventory and to more quickly identify and remediate security vulnerabilities. What used to take the company months to assess “critical” or “high” ICS-CERT vulnerabilities can now be done in minutes across all refineries.
A global, integrated oil & gas company operating across five continents is pursuing digital transformation to grow its business, enter new markets, and compete more effectively. Underpinning this initiative is a cloud-based analytics platform. The team chartered with this program sought to leverage their multi-vendor industrial control system (ICS) data and ensure reliable data flows from field-level devices to their data lake. They sought a platform-independent solution that could not only deliver this data, but also provide a topological view of assets and site connections, monitor configuration baselines, and manage change. Additionally, the company’s cybersecurity team sought a solution that could provide comprehensive OT asset inventory and rapid vulnerability assessment capabilities. PAS Automation Integrity and Cyber Integrity were selected to address these needs.
A major electronic materials firm with operations in North America and Asia sought to establish an enterprise-wide cybersecurity program on an aggressive schedule to eliminate gaps in visibility and security controls. Cyber Integrity was selected to automatically build a detailed OT asset inventory for each site, identify patch levels across systems, and implement change management workflows. The company now has the inventory and configuration visibility it needs to support digitalization efforts including data lake, 5G, and artificial intelligence initiatives.
“Industrial organizations are increasing investment in cybersecurity solutions specifically built for OT not only to reduce their overall cyber risk but to ensure they can accelerate their digital transformation efforts safely,” said Eddie Habibi, Founder and CEO of PAS. “We are pleased to be working with a growing list of global companies who are leveraging PAS Cyber Integrity to give them the foundation they need for managing industrial cyber risk.”
The company also saw significant year-over-year growth in purchases of its operations management and process safety solution, PlantState Suite.
“Of equal importance is the work we do to help companies improve process safety through effective operations management,” Habibi added. “We are pleased to have been recognized once again as the market leader for both alarm management and safety lifecycle management. This is a testament to the hard work of the PAS team over many years and the confidence our customers place in our solutions.”
PAS cybersecurity and process safety management solutions are installed in more than 70 countries in over 1,450 industrial facilities for over 535 customers, including 13 of the top 15 chemical companies, 13 of the top 15 refining companies, 7 of the top 20 power generation companies, 4 of the top 5 pulp and paper companies, and 3 of the top 5 mining companies in the world.
I asked PAS founder and CEO Eddie Habibi about his pivot to cybersecurity during our conversation this week. It’s not a pivot, he corrected me. Cybersecurity is a natural progression from all the work PAS has done since its founding.
(Read to the end to learn about further security threats.)
Fighting Cyber intrusions begins with data
“Cybersecurity starts with knowing everything in the system from level 0 forward. This creates a baseline for change management. (PAS product) Integrity had that already, so we built analytics, visualization, and reporting on top of it,” he added.
Everybody on OT side looking for diversified information, security is fundamental, know what you have, know your vulnerabilities, address them. Golden baseline, so you can manage change
Supply chain (reason PR firm reached out), If you have a six sigma process but if your suppliers don’t then you don’t have the full value. Cyber is the same way. If I know everything I need to do but if DCS vendor sends patch with malware, then I’m in trouble anyway.
PAS is seeing customers in sectors they’ve never worked in before. While once PAS was focused on working with one supplier, now it works with more than 80 different systems and brands.
I asked about corporate awareness and concern. Habibi said pressure is coming from boards of directors who are concerned about risk and liability. “I haven’t seen anything this serious for a long time. It’s as serious as safety was in the ‘90s.”
USB as a Threat
This was almost a #DUH moment when I saw the press release from Honeywell. USB media devices pose a significant and intentional cybersecurity threat to industrial control networks.
Raise your hand if you already knew that. However, Honeywell used a remote monitoring technology to document the threat.
Data derived from Honeywell technology called Secure Media Exchange used to scan and control USB devices at 50 customer locations showed that nearly half (44 percent) detected and blocked at least one file with a security issue. It also revealed that 26 percent of the detected threats were capable of significant disruption by causing operators to lose visibility or control of their operations.
Keep watching the cybersecurity space for more action. Already this week, I wrote about two different approaches to industrial cybersecurity. Here is the story of an investment so that a company with history can pivot and go deeper into this market segment.
PAS has been known improving alarm management and control system asset integrity. It has moved aggressively into the cybersecurity area through leveraging existing technology and hiring talent. It has announced a $40 million growth investment by Tinicum, L.P. and certain affiliated funds managed by Tinicum Incorporated (“Tinicum”). Tinicum is a private investment partnership focused on late stage investments in manufacturing, energy, technology, media, and infrastructure.
This funding round will expand PAS sales and marketing across its global offices as well as increase research and development for Cyber Integrity, its flagship cybersecurity software product. Cyber Integrity protects critical infrastructure from risks associated with rising industrial internet of things (IoT) adoption, malicious cyber attacks, and insider threats.
“Critical infrastructure is vulnerable to outsider cyber attacks and to malicious or unintended insider actions,” says Trip Zedlitz, partner at Tinicum. “The cyber assets that matter most—the ones primarily responsible for safety and production in power generation plants, chemical facilities, and refineries—are some of the most insecure systems in the industry today. We invested in PAS because they secure this class of endpoints in a way that no other ICS cybersecurity software solution in the market can do, and they help companies comply with a growing regulatory and standards landscape that includes NERC CIP, NIST, and IEC 62443. With a strong management team and the rising global demand for critical infrastructure cybersecurity, we are excited about our investment in PAS.”
Industrial control systems have a responsibility for running critical infrastructure safely and reliably. These systems have traditionally relied on complexity, air gapping, and perimeter-based defenses to remain secure. Such strategies have proven largely unreliable and porous. PAS Cyber Integrity deciphers the complex, proprietary configurations of control systems giving companies complete visibility into critical cyber assets. It also identifies unauthorized changes, exposes vulnerabilities, drives compliance, and helps facilities recover rapidly in the event of a worst-case scenario. Cyber Integrity works across the heterogeneous automation environment, providing enterprise scalability, performance, and platform independence.
“PAS has a 23-year tradition of making industrial process facilities safer and more reliable,” says Eddie Habibi, founder and CEO at PAS. “Our deep expertise in control systems and production-centric approach to securing ICS give us a formidable competitive advantage. The investment from Tinicum enables us to expand our security solutions portfolio, strategically increase our global reach, and continue protecting our customers from an ever-evolving threat landscape.”
Signal Hill served as the exclusive financial advisor to PAS on the transaction. In conjunction with the investment, Plant Automation Services, Inc. (“PAS”) has reorganized under the new name PAS Global, LLC.
Industrial Control Systems (ICS) Cybersecurity risks have become so public that CEOs and Board members are sponsoring projects within their companies and raising visibility of the issue.
PAS Inc. CEO Eddie Habibi and General Manager of Cybersecurity and CMO David Zahn shared that news with me during a conversation this week regarding the release of a new version of PAS Cyber Integrity (5.0).
They further pointed out that this high-level visibility serves to push the long-promised IT/OT integration and cooperation into more meaningful relationships.
A final point concerned approaches to ICS cybersecurity. Most companies and consultants focus on the networking access side of the equation. PAS also looks at such automation assets as patch management, inventory management, and workflow.
The latest release of Cyber Integrity boasts enhanced support for workflows and security policies, automating a closed-loop patch management process, and provides enhanced dashboard capabilities. Says the company’s press release, “Cyber Integrity helps companies better mitigate operational risk from malicious attacks or inadvertent control system changes through automated inventory management, patch management, change management, and backup and recovery.”
“Patch management for today’s control systems lack critical capabilities required to help industrial organizations meet cybersecurity best practices and regulatory standards,” says Peter Reynolds, Senior Analyst at ARC Advisory Group. “Among other issues, plants often have poor visibility into which assets require patching; lack integrated processes that drive testing, implementation, or mitigation; and cannot easily access auditable evidence of a patch management process. ARC supports the development of solutions such as PAS Cyber Integrity that are designed to address these types of patch management issues in mission-critical industrial environments.”
Cyber Integrity works across the heterogeneous control environment found in plants providing enterprise scalability and performance. It enables industrial companies to:
- Gather and maintain an accurate inventory of IT and OT cyber assets,
- Automate patch processes throughout the enterprise,
- Monitor for unauthorized change to cyber asset configurations, and
- Implement a program for system backup and recovery.
The latest release also includes an entirely new dashboard that makes it easier for end users to process actionable information, as well as for management to quickly understand the state of ICS cybersecurity.
“The great contradiction within ICS cybersecurity is that the assets most valuable to plant operations and safety are often the most vulnerable,” says David Zahn, Chief Marketing Officer and General Manager of the Cybersecurity Business Unit at PAS. “Inventory management and change management are essential components of a cybersecurity strategy that address this contradiction. By offering patch management within Cyber Integrity, we now provide cybersecurity and operations professionals the ability to identify, address, and audit a process that had traditionally fallen short. Along with our new dashboard, workflow, and policy capabilities, companies have everything they need to harden ICS cybersecurity and streamline compliance efforts.”
Further information can be found on the PAS blog:
“Is Your House In Order?”
“The Risk of Not Knowing”
“What Happens When You Get That Call?”