Eric Byres, CTO and vice president of engineering for Tofino Security Products, a Belden brand, warned attendees of The Automation Conference Tuesday that air gaps—physical gaps between control networks and business networks in manufacturing companies—are a myth. If people believe they have reliable air gaps, he said, that gives them “an unrealistic posture.”
“If you think you’re isolated at all, you’re kidding yourself,” Byres said. “There’s no process outside the nuclear industry that I’ve ever seen that’s properly isolated or truly isolated.”
Emphasizing that modern industrial control systems (ICS) or SCADA systems are only getting more complex, Byres said and that there are multiple potential ways into a plant system, and “focusing security efforts on a few obvious pathways—such as USB storage drives or the enterprise/ICS firewall—is a flawed defense.” He said that improving defense-in-depth strategies is the only realistic solution.
“You cannot stop traffic, but you can detect it quickly, isolate it, and deal with it,” Byres said. “You should know within seconds when an infected PC comes in. Just like the human body does—detect it, isolate it and neutralize it.”
Members of the Ask the Experts Panel on Ethernet on the Plant Floor fielded a number of technical questions during their track session, and ended with cyber security advice.
Rob McGreevy, vice president of platform and applications for Invensys Wonderware, urged listeners to have a set of documented security processes and educate the teams on it. “And stay on top of it,” he said. “Cyber security is a constant, evergreen process.” He also urged process engineers to “rely on your IT team; start internally and pull in resources from there.”
Eddie Lee, director of marketing for Ethernet hardware maker Moxa, agreed that cyber security is definitely a process. One bad practice and a key pitfall, he said, is “managing the outliers. People get caught up in the worst-case scenarios and get overwhelmed with how to secure everything. Then they do things like leave passwords on a Post-It note on the HMI screen. Take a practical approach to the process so it’s continually improving.”
Brian Oulton, director of marketing for Belden, who acquired Tofino Security a couple years ago, reminded attendees that “defense in depth, and a lot of what you see in the press on cyber security, is coming from the best of the best: the big companies, the high risk industries, the critical infrastructure. So cyber security gets scary.” What he tells the Belden sales staff, he said, is that “if we talk too complex, customers will do nothing. So talk simple and beg your customers to do something.”
Oulton followed his own advice and ended with this message for end users in industrial companies: “Don’t let the complexity make you freeze. Do something.”