How Honeywell Assesses, Improves Plant Security

The way to determine a company’s required security assurance level (SAL) is to know the risk level against which your company wants to be protected. A security assessment would indicate the gaps between what a company desires and what technical controls it uses today.

Honeywell’s cyber security professionals, who have extensive knowledge of distributed control systems and information technology, investigate the status quo of operational security procedures and technical controls as a first step toward improving customers’ cyber security posture.

We refer extensively to the ISA-62443 (ISA99) global series of standards for cyber security for industrial plants, focusing on processes and technology. We also investigate the organization’s maturity related to cyber security. Are all employees committed to cyber security? Or are just one or two engineers trying to keep PCs patched and run anti-virus software? It’s important that everyone have some security awareness. If not, when the expert security knowledge leaves the company, so does the company’s security.

The outcome of our security assessment includes a report of gaps and recommendations and an overall ranking of the SAL and maturity rating of a company compared to others in the industry. Knowing where you are security-wise can help you start a more focused approach to cyber security for the future.

New Dashboard Empowers Operators
Improving situational awareness is critical with cyber security because you can’t fix what you don’t know about. And making sure everyone is able to quickly assess a security situation is a constant goal. So Honeywell is developing a cyber security dashboard to give plant operators and maintenance personnel an immediate overview of the facility’s cyber security status. It should be available mid-2014.

With the dashboard, you can quickly see if workstations and servers in the process control network have the latest antivirus, firewalls, and patches installed to help your network avoid cyber attacks. If something is wrong, the software generates warnings so appropriate personnel can take immediate action.


While experts with plenty of training in cyber security are certainly needed in today’s security-conscious manufacturing environment, it’s also important for a wider range of personnel to have an understanding and know when to take action. With this easily understandable security dashboard, a larger group of personnel watching your plant’s cyber security status will know immediately if something out of the ordinary happens and be able to request help from experts.

While this dashboard is still in the design phase, we are open to ideas from users about what to include and how the dashboard should look. So feel free to comment on this blog site.

Application Whitelisting
Security specialists advocate whitelisting: keeping a list of the files allowed to run on PCs, and of those allowed only to execute and do nothing else. Application whitelisting blocks every file not approved on the system. Viruses try to mutate files on a PC so the payload can do its sneaky, devastating work. As the virus mutates files, the application whitelisting software notices that the checksum of those files has changed and blocks their execution. At the same time, application whitelisting is a great way to better manage the installation of new software on PCs in the process control network.

Before a new application is able to execute, the application whitelisting software needs to approve that particular application; it can’t run without approval. This makes whitelisting a great way to keep tight control over which software applications are installed on the process network and by whom.

The downside is it will require some additional maintenance work, as each time you upgrade with a patch or add new software, you now have two tasks – installing and managing the whitelisting application. However, you can simplify some of the extra work by setting up pre-approvals for certain vendors. Honeywell has the expertise to configure a whitelisting solution on your process control network and reduce the extra maintenance work as much as possible without jeopardizing cyber security.
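The allowlist behaviour described above, as an added example written for this post rather than Honeywell’s product code: a file is admitted only if its SHA-256 digest matches the approved entry, a mutated copy is refused because its checksum no longer matches, an unknown file is refused outright, and a vendor pre-approval lets a patch through when its manifest is signed with that vendor’s key. The file names, file contents and the HMAC-based vendor key are all constructed for the demonstration; a real product would verify the vendor’s code-signing certificate instead.

```python
"""Minimal application allowlist (added example, constructed data)."""
import hashlib
import hmac
import os
import tempfile

# Decision outcomes returned by Allowlist.check_execution()
ALLOW = "allow"
DENY_UNKNOWN = "deny: not on allowlist"
DENY_MODIFIED = "deny: hash differs from approved version"


def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    def __init__(self):
        self.approved = {}      # file name -> approved digest ("golden image" list)
        self.vendor_keys = {}   # vendor -> key that signs that vendor's manifests (constructed)

    def approve_file(self, path):
        self.approved[os.path.basename(path)] = sha256_of(path)

    def preapprove_vendor(self, vendor, key):
        self.vendor_keys[vendor] = key

    def check_execution(self, path, manifest=None):
        digest = sha256_of(path)
        name = os.path.basename(path)
        if name in self.approved:
            # Known file: any change to its bytes changes the digest and is refused
            return ALLOW if self.approved[name] == digest else DENY_MODIFIED
        if manifest and self._vendor_manifest_valid(manifest, digest):
            # Pre-approved vendor vouched for exactly this digest: admit and record it
            self.approved[name] = digest
            return ALLOW
        return DENY_UNKNOWN

    def _vendor_manifest_valid(self, manifest, digest):
        key = self.vendor_keys.get(manifest.get("vendor"))
        if key is None or manifest.get("sha256") != digest:
            return False
        expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, manifest.get("signature", ""))


def sign_manifest(vendor, key, path):
    """What a pre-approved vendor would ship alongside its patch (constructed scheme)."""
    digest = sha256_of(path)
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"vendor": vendor, "sha256": digest, "signature": sig}


def demo():
    """Runs the scenarios from the post and returns each decision."""
    tmp = tempfile.mkdtemp()
    results = {}
    hmi = os.path.join(tmp, "hmi.exe")            # constructed file name
    with open(hmi, "wb") as f:
        f.write(b"constructed HMI binary v1")
    wl = Allowlist()
    wl.approve_file(hmi)
    results["approved"] = wl.check_execution(hmi)
    # Simulate malware mutating the approved file: the bytes change, so the hash changes
    with open(hmi, "ab") as f:
        f.write(b"appended payload")
    results["tampered"] = wl.check_execution(hmi)
    # An unknown tool with no manifest is blocked outright
    tool = os.path.join(tmp, "newtool.exe")
    with open(tool, "wb") as f:
        f.write(b"constructed unsigned utility")
    results["unknown"] = wl.check_execution(tool)
    # A vendor patch arrives with a manifest signed by a pre-approved vendor key
    vendor_key = b"constructed-vendor-key"
    wl.preapprove_vendor("ExampleVendor", vendor_key)
    patch = os.path.join(tmp, "patch.exe")
    with open(patch, "wb") as f:
        f.write(b"constructed vendor patch")
    manifest = sign_manifest("ExampleVendor", vendor_key, patch)
    results["vendor_patch"] = wl.check_execution(patch, manifest)
    # Swapping the binary after approval does not inherit the approval
    with open(patch, "wb") as f:
        f.write(b"substituted binary")
    results["patch_substituted"] = wl.check_execution(patch)
    return results


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:18} -> {decision}")
```

The pre-approval is deliberately bound to a digest rather than to a file name or vendor alone, which is what keeps the extra maintenance work small without reopening the door the allowlist closed.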



Security Top of Mind and Preventive Action Crucial

We hear about cyber incidents every day in the news, but just how relevant are these news stories to your business? If you’re a manufacturer in the United States, the numbers indicate they’re more relevant than you think.

By our best estimates, American businesses have already lost billion as a result of cyber attacks. If we look even closer, we’ll see many of these disruptions end up underreported.

That doesn’t mean today’s manufacturers are oblivious. Security is definitely top of mind. There isn’t one customer I see today who doesn’t proactively ask, “How can Honeywell help us in terms of cyber security?” I think that question is indicative of how people are thinking about security; they are aware but not completely prepared.

Preparation is Key
Security awareness takes preparation and preventive action, not just remediation after the fact. This lack of preventive action is a much bigger problem than people really think it is.

The industry is slowly recognizing that cyber security and safety are now interrelated. That is, a cyber security breach can affect plant safety. We have the opportunity to get ahead of this challenge and avoid having an incident become the motivator for improvement. As with safety, increased vigilance, along with investments in risk assessments, work practices, and technology, can reduce the exposure to cyber security attacks.

Accidents Most Detrimental
It’s also important to realize that cyber incidents aren’t always targeted attacks on process control facilities. While the big news about cyber incidents centers around noteworthy targeted attacks, the most prevalent issues, and the most detrimental to manufacturers (at present), are garden-variety malware introduced to the process control environment inadvertently.

More often than not, these incidents stem from a trusted source, such as an employee or a contractor inadvertently bringing a virus into the operation. This could include something as innocent as using a memory stick to transfer files from a desktop to the process control system. If that memory stick was infected by malware, using the device on the process control network would bypass all the network security measures established to protect the process control system.

Layer Your Protection
With so much to think about in securing your operations, it is clear prevention is more effective than remediation. As with safety, establishing multiple layers of protection is essential to reduce the likelihood of malware interfering with process operations. There are no silver bullets. Vigilance is the most effective weapon for staying one step ahead of the attacks. Processes and procedures, deployment of security patches, designing the system using a high-security architecture, and employing whitelisting and encryption technologies can build the arsenal for end users, giving them a higher level of protection and a deeper sense of security.


EMET: Mitigations at your Fingertips

Security is a top concern wherever you go in the industry these days, and at the top of the security to-do list for manufacturers and operators is a solid defense-in-depth program to keep systems secure and running.

One vital tool for a solid defense-in-depth program is Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).

EMET focuses on breaking exploitation techniques of typical attacks. It mitigates malware by blocking attack techniques and building exploit mitigations into applications that can provide generic protection for known, unknown, and unreported vulnerabilities.

EMET isn’t just a tool for the enterprise. We have tested and validated Version 3.0, and while it is not a replacement for security protections, it does work together with other protections to provide a defense-in-depth strategy against malware attacks.

In summer 2013, Microsoft introduced EMET 4.0 with attractive features, and we will evaluate and test EMET 4.0 once it gains maturity.

Features Assist Defense-in-depth Strategy
EMET provides end-node protection against zero-day vulnerabilities and blocks and prevents memory-based attack approaches. Take a look at some more valuable features here:
•    As a mitigation management toolkit, EMET’s built-in list of mitigations makes them easy to enable with no knowledge required about the vulnerability.
•    EMET runs at the execution level, which is similar to whitelisting. It engages whenever a file is loaded into memory to be executed. Some EMET mitigations simply change the way a file is loaded into memory.
•    The audit mode feature added in EMET 4.0 provides an excellent opportunity to minimize the risk for a control system because we have to ensure security protections will not crash an application and will not have an impact on the view, or the control of the industrial plant.
•    A key difference between EMET and most other technologies available for protection is EMET uses behavioral containment. It focuses on known attack techniques, such as replacing the return counter on the subroutine. It blocks the technique of the action, but not the malware that is known to do it.
•    EMET provides a framework to manage existing mitigations with much more granularity than available via compiler switches, and provides a couple of new mitigations which aren’t available without EMET.

Challenge is a Good Thing
Yes, there are challenges to implementing EMET in an industrial control system, but only in that it introduces additional checks and balances for engineers. Take a look at some minor challenges here:
•    You can apply mitigations at compile time by using switches, or you can use the centrally managed EMET. The biggest difference is when you assign a mitigation with EMET, that assignment applies to the executable as it is loaded into memory and to every file that application loads into memory.
•    When you assign mitigations to applications running on your PC, EMET will crash the application if it detects an exploit was attempted.
•    EMET does not run as a service and does not attach to an application. It is a low-level interface, so it does not noticeably impact resources on protected applications.
•    EMET, like anti-virus and application whitelisting, utilizes additional PC resources when loading an image into memory.

Since performance is always important with industrial control systems, we have to extensively validate the impact of EMET on system performance. Additionally, the risk of EMET blocking critical functionality has to be carefully managed through proper configuration. Thus far, EMET has proven to be a valuable addition to a solid defense-in-depth program.
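The two points above that matter most on a control system, that EMET terminates an application when a mitigation fires and that audit mode lets you see those firings without losing view of the plant, suggest a staged rollout. The following is an added example written for this post, not Honeywell’s or Microsoft’s code: every mitigation starts in audit mode, a mitigation is promoted to enforce only after a validation window with no audit hits, and any mitigation that did fire on a known-good application is put on hold for investigation, since in enforce mode that firing would have crashed the application. The event lines, application names and the `plan_rollout` policy structure are constructed for the demonstration and do not reproduce EMET’s real event format; the mitigation names are used loosely.

```python
"""Audit-first rollout planner for exploit mitigations (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

AUDIT = "audit"      # log only; the application keeps running
ENFORCE = "enforce"  # terminate the application when the mitigation fires
HOLD = "hold"        # fired during validation: investigate before enforcing

# Constructed audit records: "<iso-time> <application> <mitigation> <verdict>"
SAMPLE_EVENTS = [
    "2014-01-03T09:12:00 hmi_view.exe CallerCheck audit-hit",
    "2014-01-03T09:12:05 hmi_view.exe CallerCheck audit-hit",
    "2014-01-05T14:00:00 pdf_reader.exe DEP loaded",
]


def parse_event(line):
    ts, app, mitigation, verdict = line.split()
    return {"time": datetime.fromisoformat(ts), "app": app,
            "mitigation": mitigation, "verdict": verdict}


def plan_rollout(policy, events, now, validation_days=14):
    """policy: {app: {mitigation: {"mode": ..., "audit_since": datetime}}}.
    Returns a new policy with the decided mode and the audit-hit count."""
    hits = defaultdict(int)
    for ev in events:
        if ev["verdict"] == "audit-hit":
            hits[(ev["app"], ev["mitigation"])] += 1

    new_policy = {}
    for app, mitigations in policy.items():
        new_policy[app] = {}
        for mit, cfg in mitigations.items():
            mode = cfg["mode"]
            if mode == AUDIT:
                if hits[(app, mit)]:
                    # Known-good application tripped the mitigation: in enforce
                    # mode this would have killed it, so hold and investigate.
                    mode = HOLD
                elif now - cfg["audit_since"] >= timedelta(days=validation_days):
                    mode = ENFORCE
            new_policy[app][mit] = {"mode": mode,
                                    "audit_since": cfg["audit_since"],
                                    "hits": hits[(app, mit)]}
    return new_policy


def demo():
    """Constructed policy: two applications, mitigations in audit since various dates."""
    start = datetime(2013, 12, 15)
    policy = {
        "hmi_view.exe": {
            "DEP": {"mode": AUDIT, "audit_since": start},
            "CallerCheck": {"mode": AUDIT, "audit_since": start},
        },
        "pdf_reader.exe": {
            "DEP": {"mode": AUDIT, "audit_since": start},
            "ASLR": {"mode": AUDIT, "audit_since": datetime(2014, 1, 1)},
        },
    }
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    return plan_rollout(policy, events, now=datetime(2014, 1, 6))


if __name__ == "__main__":
    for app, mitigations in demo().items():
        for mit, cfg in mitigations.items():
            print(f"{app:16} {mit:12} {cfg['mode']:8} hits={cfg['hits']}")
```

With the sample data, DEP is promoted to enforce on both applications after the 22-day window, CallerCheck on the HMI is held because it fired twice, and ASLR on the reader stays in audit because its window is not over yet.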


IT, Process Engineers Unite behind Standards

A simple fact of life: manufacturers need to produce product in a productive and profitable manner while ensuring a safe and secure process. Business continuity remains paramount. However, the way to increased profitability often becomes mired in a quagmire of complications between different areas within the process, namely engineering and IT.

While the relationship between IT and process automation is getting better, manufacturers need to ensure everyone is working from the same playbook to avoid security vulnerabilities. After all, the basic necessity is that manufacturers need to generate revenue and keep turning a profit.

With the industry losing over $400 billion a year in cyber attacks, according to what Darius Adamczyk, president and chief executive at Honeywell Process Solutions, said during his keynote address at this year’s Honeywell User Group, the need to lock down the plant to ensure a more profitable endeavor is vital.

One of the things we are doing with our systems is mitigating losses. We gather more information and more data into the systems so they can make the right decisions. Because of that, crucial control engineering functions and IT come together.

Our goal is for process automation to help reduce incidents and the downtime cost associated with these incidents. A well-implemented system can be imperative to this success and needs to have process engineers and IT specialists working closely to avoid an accidental or malicious cyber incident.

In today’s manufacturing automation environment, where an unplanned downtime costing millions of dollars can occur easily, the level of communication needs to be smooth and seamless.

Standards can help clarify communications. Existing IT standards cover at least 80 percent of the security issues on the plant floor and the remaining 20 percent is part of an ongoing manufacturing automation industry standards process.

In industrial IT, most companies work with the existing ISO 27000 series of governance standards. However, awareness needs to be established that IT standards cannot be applied completely to an industrial automation and control system. There are tasks in IT systems that will cause failures to occur in an industrial automation and control system (IACS).

Those differences, though, end up covered in the ISA99 standard.

While the entire series of ISA99 standards is not completed yet, the two sides can use the information, especially in ISA99.02.01. It is entitled “Setting up a security management system for your industrial automation and control system.” Because the title says “setting up,” it actually talks about all the different things you need to take into consideration that are specific to an IACS.

With process control and IT working together, IT can understand the ISA99 standard for an effective implementation and business continuity.



What do Cheetah’s Tear-marks have in common with PCN Security?

It is said that a cheetah’s black “tear-marks” running from the corner of its eyes down the sides of the nose to its mouth are for keeping sunlight out of its eyes and aid in hunting and seeing long distances. I suppose with the glare from the bright sun reduced, that helps in being able to spot a lion lying in ambush behind the shrub too.

Defense-in-depth architecture for a Process Control Network (PCN) basically shares the same idea as well.

The ISA-62443 concept of zones and conduits in a 4-level architecture is not just about layering protection to make it more difficult for any intrusion threat coming from the external network, i.e. Level 4 and above. Zoning with segregated levels also gives clearer visibility of which attack vectors the systems within a zone are more exposed to. For instance, servers in the Level 3.5 DMZ, being the front-facing systems to the outside, are expected to have open ports and services with a higher attack surface. Hence, an appropriate cyber security counter-measure would be to ensure that the systems there are patched more stringently and regularly in comparison to the systems at the lower Levels 1 and 2.

Just as a cheetah with enhanced vision has a better chance of a kill in its hunt while avoiding being hunted itself, having clear visibility of vulnerabilities and knowing the appropriate counter-measures is important in managing cyber threats. With the ability to apply appropriate counter-measures, asset operators can also exercise discretion in their security spending.

The ISA-99 Working Group has just recently approved ISA-62443-3-3, “Security for industrial automation and control systems Part 3-3: System security requirements and security levels”. It stipulates the seven foundational requirements and specifies the security controls required to determine, for a specific environment, the Security Assurance Level (i.e., SAL1 through SAL4) for each network zone based on the threat level to protect against. If it is a control system for national critical infrastructure with devastating impacts, it may require SAL3 or SAL4 security controls. If it is a non-critical monitoring system, it may require SAL1 or SAL2 controls. The ISA-62443-3-3 standard allows you to apply a baseline level of security controls based on the SAL (security assurance level) for the zones. Honeywell Industrial IT Solutions security experts provide consulting services on secure network architecture relative to ISA-62443 Security Assurance Levels.
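The zone-and-conduit model described in this post, together with the gap report that the assessment post at the top of this page promises (the difference between the SAL a company wants and what its controls achieve today), as an added example written for this page rather than Honeywell’s assessment tooling. Each zone carries a target SAL and the SAL its implemented controls reach for each of the seven foundational requirements of 62443-3-3; the report lists every requirement that falls short, a zone’s effective SAL is taken as its weakest requirement, and conduits are checked against the 4-level layout so that a link from Level 4 straight into Level 3 or below, bypassing the Level 3.5 DMZ, is flagged. The zone names, levels, target SALs and achieved SALs are constructed for the demonstration, and the per-requirement scoring is a simplification of the standard’s detailed system requirements.

```python
"""Zone/conduit SAL gap report in the spirit of ISA-62443 (added example)."""

# The seven foundational requirements named in ISA-62443-3-3
FOUNDATIONAL_REQUIREMENTS = {
    "FR1": "Identification and authentication control",
    "FR2": "Use control",
    "FR3": "System integrity",
    "FR4": "Data confidentiality",
    "FR5": "Restricted data flow",
    "FR6": "Timely response to events",
    "FR7": "Resource availability",
}
DMZ_LEVEL = 3.5


class Zone:
    def __init__(self, name, level, target_sal, achieved_sal):
        if not 1 <= target_sal <= 4:
            raise ValueError("target SAL must be 1..4")
        self.name, self.level, self.target_sal = name, level, target_sal
        # achieved_sal: FR id -> SAL the implemented controls reach (0 = nothing)
        self.achieved_sal = {fr: achieved_sal.get(fr, 0)
                             for fr in FOUNDATIONAL_REQUIREMENTS}


def effective_sal(zone):
    """A zone is only as strong as its weakest foundational requirement."""
    return min(zone.achieved_sal.values())


def sal_gaps(zones):
    """Every (zone, FR, target, achieved) where the controls fall short."""
    return [(z.name, fr, z.target_sal, have)
            for z in zones
            for fr, have in z.achieved_sal.items()
            if have < z.target_sal]


def conduit_violations(zones, conduits):
    """Conduits that take Level 4 (enterprise) traffic past the DMZ."""
    level = {z.name: z.level for z in zones}
    bad = []
    for a, b in conduits:
        hi, lo = max(level[a], level[b]), min(level[a], level[b])
        if hi >= 4 and lo < DMZ_LEVEL:
            bad.append((a, b))
    return bad


def sample_network():
    """Constructed plant: four zones on the 4-level model and their conduits."""
    zones = [
        Zone("control", 1, 3, {"FR1": 2, "FR2": 3, "FR3": 3, "FR4": 1,
                               "FR5": 3, "FR6": 2, "FR7": 3}),
        Zone("site_ops", 3, 2, {fr: 2 for fr in FOUNDATIONAL_REQUIREMENTS} | {"FR6": 1}),
        Zone("dmz", DMZ_LEVEL, 3, {fr: 3 for fr in FOUNDATIONAL_REQUIREMENTS}),
        Zone("enterprise", 4, 1, {fr: 1 for fr in FOUNDATIONAL_REQUIREMENTS}),
    ]
    conduits = [("enterprise", "dmz"), ("dmz", "site_ops"),
                ("site_ops", "control"), ("enterprise", "control")]
    return zones, conduits


def report(zones, conduits):
    lines = []
    for z in zones:
        lines.append(f"{z.name}: target SAL{z.target_sal}, effective SAL{effective_sal(z)}")
    for name, fr, target, have in sal_gaps(zones):
        lines.append(f"  gap {name} {fr} ({FOUNDATIONAL_REQUIREMENTS[fr]}): "
                     f"SAL{have} < SAL{target}")
    for a, b in conduit_violations(zones, conduits):
        lines.append(f"  conduit {a} -> {b} bypasses the Level {DMZ_LEVEL} DMZ")
    return lines


if __name__ == "__main__":
    print("\n".join(report(*sample_network())))
```

The report shows why the effective level is the minimum rather than an average: the control zone in the sample has SAL3 controls for most requirements, but its single SAL1 requirement (data confidentiality) is what an attacker would use, so that is what the assessment ranks it at.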
