ICS Cybersecurity Resources


(Almost) FREE Security Training

The Department of Homeland Security (DHS) is tasked with many things. One area of focus is Industrial Control Systems (ICS). The Industrial Control Systems Joint Working Group (ICSJWG) was formed to facilitate this focus. This group holds semi-annual conferences (Spring and Fall) in various US cities. These meetings are filled with presentations by industry experts on cyber security for ICS. The meeting format can vary somewhat but usually includes several tracks of presentations that cater to the interest of the attendees. There is also one day set aside for cyber security training for either a beginner or intermediate level. One of the best things about these conferences … they are FREE to attend. You only have to pay your…

Read More of This Blog    

2012 - Good Progress for Cybersecurity and Functional Safety

I think it is wise for individuals to periodically review things. I like to do my professional review at the end of the year. 2012 was a good year.

Product Certification

Over 60 new products received functional safety or cybersecurity certification this year. Those products and more can be found on our Safety Automation Element List. Most significant to me are the new product categories including:

  • Microprocessors
  • Integrated circuits
  • Middleware packages
  • Complete safety systems
Many new manufacturers are using exida as their functional safety Certification Body. Even manufacturers who have an older certificate from another agency have come to exida for FMEDA analysis or new certificates.

exida Certification has expanded its scope…

Read More of This Blog    

A False Sense of Security

About 5 years ago I was sitting around a big table in a conference room at a major LNG terminal.  Outside the window I could see a big city harbor filled with boats, bridges, sky scrapers and approximately 5 million people.  I could also see two huge LNG storage tanks that, I was told, had the hazard potential to form a vapor cloud that could cover the harbor and, under the right conditions, could burn and explode. 

I was brought to the facility by a control system integrator who had been working onsite and had concerns about the control system security and the potential risk that it represented.  They wanted me to discuss options to evaluate and improve…

Read More of This Blog    

Are Cybersecurity Servers Making Your ICS Less Cyber Secure?

ICS cybersecurity standards such as ISA 62443 (formerly ISA 99) and NERC CIP require operators to have policies and procedures in place to monitor and maintain their critical ICS cyber assets.  For anything other than very small systems, the obvious choice is to implement systems to automate these procedures.  So, in our practice of performing cybersecurity vulnerability assessments, we are seeing a large number of servers being installed to provide services such as asset management, user authentication, anti-virus management, whitelisting management, patch management, backup/restore, etc.  These servers are being installed “in the name of” improving cybersecurity but are they really?  These are generally IT-driven projects, so, in most cases these servers are being installed on the…

Read More of This Blog    

Cyber Security, Beyond the Internet: An Automation Engineer’s View

The world of automation has changed significantly over the past 30 years.  I have fond memories of starting my career by calibrating, adjusting, and tuning pneumatic control loops while working my way through the electronic age right up to the present digital and cyber generation of automation.  If you are like me, it is easy to get lost in all the technical changes that have made our jobs so rewarding and challenging.  I want to highlight these changes by sharing my thoughts related to “Cyber Security.”

At the beginning of my career, the biggest concern was having clean dry air supplied at 20 psig and a 3 to 15 psi control signal. This may be a bit…

Read More of This Blog    

exida Cyber Blog Series 04 - Cybersecurity Metrics, Diagnostics, and Alarms: What’s What?

Co-written by Todd Stauffer, Director of Alarm Management Services at exida

A wise man once said, “You can’t manage what you don’t measure.” Let's apply this to the world of cybersecurity to discuss the importance of cybersecurity metrics and how they are different from a cyber diagnostic and a cyber alarm.

Cybersecurity Metrics are usually defined in terms of either leading or lagging performance. Think of cyber metrics as the Key Performance Indicators (KPI’s) that help you evaluate your cybersecurity performance and whether things are improving or getting worse. Audits or performance measurements /calculations of specific work processes or cyber events are the norm. However, the addition of performance expectations or specific target goals for each metric allows for an…

Read More of This Blog    

exida Cyber Blog Series: 01 - What is Cyber Hygiene?

exida would like to welcome our new director of cybersecurity services Dave Gunter.  Dave will be taking us through a multi part blog series based on general cybersecurity evolving into how it pertains to your industrial work environment and what you should do to protect your company and its assets from cyber criminals.

Let's Get Started

In a manner of speaking, cyber hygiene is an individual’s base behavior when it comes to handling, managing, operating, and maintaining today's computing devices and software. The term computing devices is a broad term, however in pragmatic terms, it can viewed to represent computers, tablets, phones as well as boundary devices used to connect to the internet.

Ask yourself the following simple…

Read More of This Blog    

exida Cyber Blog Series: 02 - Does your position qualify as a Cyber Sensitive position?

That’s a great question.

What is a Cyber sensitive position?

A cyber sensitive position is a subset of a job position description that can be graded as Ultra, High, Medium or Low sensitivity with respect to cybersecurity assets and associated potential consequences that may impact an operating company.

What this means is that more and more companies are qualifying their operating assets within the context of cybersecurity risk. These risk qualifications of operating assets require having engineering, operation and maintenance positions defined as cyber sensitive positions as appropriate for their role with respect to the asset(s) they support.

Today’s companies have an obligation to ensure they manage the risk envelope of their operating assets to tolerable levels. In the past,…

Read More of This Blog    

How Cybersecurity is like a Goldfish

Oh look! Squirrel!

I am not much of a blogger. I should be but I’m not. This is strange, because I always have plenty to say.

This subject just gets me going so I am writing about it. I welcome feedback and opinions.

I have been in cybersecurity in one form or another for over 30 years, whether it be as the target of the attacks as an IT Manager, or a consultant trying to educate and help client companies with products and services, I have seen the same trend over and over again.

When a company has a realized or suspected a cyber-event, they go into proactive response mode, begin investigating and at that point my phone generally rings…

Read More of This Blog    

How Secure Are Your SIS, BPCS, and/or SCADA Systems?

As an end-user, do you know how reliable and safe your Safety Instrumented Systems (SIS) and Basic Process Control Systems (BPCS) are from potential cyber issues?  Do you rely on your vendor statements regarding the robustness of their products?  If the answer to these questions is “don’t know” or “yes” then maybe you should be considering using an independent 3rd party to perform a cybersecurity vulnerability assessment (for existing installations) and/or performing a cyber-risk assessment (as part of a HAZOP) for new installations.  This is especially true for legacy systems that are still in operation using products from the mid-1990s.  Although most software engineers won’t admit it, they often used to have “back doors” to enable fault-finding and…

Read More of This Blog    

How Secure Is Your Safety Instrumented System (SIS)?

As the cybersecurity threats in the industrial world continue to rise, the automation world continues to grapple with how to address these issues.  As such, the newly released IEC61511-1: 2016 edition has included a new clause to address this (Clause 8.2.4).  In essence, End Users have to carry out a security risk assessment to identify any potential security vulnerabilities of the Safety Instrumented System (SIS).

Clause 8.2.4 then goes on to specify that there needs to be a description of the devices covered by this risk assessment (e.g., SIS, BPCS or any other device connected to the SIS); together with a description of identified threats that could exploit vulnerabilities and result in security events.  This should also include intentional attacks…

Read More of This Blog    

I Did Not Lock the Car Door

I was driving one of exida’s top risk experts from Europe to a business meeting. We parked and I locked the car door.  He commented “I noticed you did not lock the car door when you parked at the exida office.” He was right. In an area I do not know, I always lock the car door.  But not always in the exida lot.  He added “A risk analysis will show car theft is a low risk due to random events, but remember cars are stolen by humans. These are not random events as we know them.”  He added “A good risk return on investment analysis would show you should always lock the car door.  The cost is so little,…

Read More of This Blog    

Industrial automation is in the cross hairs of the hacker

As the details of STUXNET’s design unfolded last fall, like many, I was truly impressed by the pin-point precision that the malware authors used to ensure that their target, and only their target, was impacted by the virus.  In this regard, STUXNET may be one of the most responsible piece of malware ever written, because it was carefully designed to avoid any collateral damage. 

However, one of the unexpected outcomes of STUXNET is the extent to which it has aroused the “security researcher” community and has turned their attention from commercial IT products to industrial automation and control systems.  While their motives vary, from seeking recognition and monetary gain to intending to cause harm,…

Read More of This Blog    

Industrial Control System Cyber Security – Legislation and Standards

There is a lot of concern around cyber security in Industrial Control Systems.  With new threats like Stuxnet and Flame, the perceived risk to critical infrastructure has increased dramatically.  There are increased calls for legislation and new methods for dealing with these threats.  The history of how we have dealt with similar risk issues around process safety tells us that there are two ways to address the issues with very different results.  On the one hand, there is a prescriptive approach where you define the remediation that should be required.  This approach might work in very well-defined systems where there is very little change in technology.

The other approach is to define functional requirements and set performance standards that need…

Read More of This Blog    

Introduction to ICS Security - Pt. 1 - What is ICS Security and Why it Is Important

Over the next couple of blogs, I plan to map out the importance of  ISA/IEC-62443/ISA-99 based cybersecurity and how it applies to your work environment.  I'll also explain some of our services so that you can see what might pertain to you.

For part 1, I will start from the beginnning and outline what exactly ICS Security is and why it is important.

What is ICS Security?

To put it bluntly, it's somebody messing around with your process control system that you don't want.  It's keeping the bad guys out and the good guys in.  

It can be done through computers, through the networks, through wireless devices, through USBs plugged in, etc.   Anything that can cause your system not to operate in…

Read More of This Blog    

Introduction to ICS Security - Pt. 2 - IT versus ICS Security

Over the next couple of blogs, I plan to map out the importance of ISA/IEC-62443/ISA-99 based cybersecurity and how it applies to your work environment.  I'll also explain some of our services so that you can see what might pertain to you. For part 1, I started from the beginning and outlined what exactly ICS cybersecurity is and why it is important. 

For part 2, I will explain the difference between IT vs. ICS cybersecurity and differing the security focus between IT and ICS.

Differing Security Focus Between IT and ICS

The most important things in IT is confidentiality, then integrity, and then the availability.  If your network goes down, you're going to be mad, but nothing's really going to…

Read More of This Blog    

Introduction to ICS Security - Pt. 3 - ISA / IEC 62443 Structure

Over the next couple of blogs, I plan to map out the importance of ISA/IEC-62443/ISA-99 based cybersecurity and how it applies to your work environment.  I'll also explain some of our services so that you can see what might pertain to you.

For part 1, I started from the beginning and outlined what exactly ICS cybersecurity is and why it is important. 

For part 2, I explained the difference between IT vs. ICS cybersecurity and differing the security focus between IT and ICS.

In this blog, I will explain the structure of the standards that pertain to ICS cybersecurity.

Control System Security Layers of Responsibility

Today everyone’s involved with security, from the people who are originally designing and building the systems, the Emersons,…

Read More of This Blog    

Introduction to ICS Security - Pt. 4 - Control System Assessments

Over the last couple of blogs, I mapped out the importance of ISA/IEC-62443/ISA-99 based cybersecurity and how it applies to your work environment. 

For part 1, I started from the beginning and outlined what exactly ICS cybersecurity is and why it is important. 

For part 2, I explained the difference between IT vs. ICS cybersecurity and differing the security focus between IT and ICS.

For part 3, I explained the structure of the standards that pertain to ICS cybersecurity.

In this blog, I will talk about control system assessments.

Risk vs. Vulnerability Assessments

The difference between a risk and the vulnerability assessment.  A lot of people use the names interchangeably. A risk assessment tells you, if this device were compromised, what could…

Read More of This Blog    

Keeping “Dancing Monkeys” out of your PLC

Last week a security researcher, Dillon Beresford of NSS Labs, presented at the Blackhat conference on the security vulnerabilities he found in Siemens PLC firmware.  One of many stories on Dillon’s findings can be found here.  Among other things, Dillon found “dancing monkeys” in the code!  Actually, what he found was this graphic of four dancing monkeys inserted in the firmware as an “Easter Egg” - meaning it was intentionally put there by a developer as a joke.  Easter Eggs are cute in websites and video games but not in software that is operating critical infrastructure.  This finding raises concerns about Siemens software quality assurance practices.  While this prank is most likely harmless, imagine, for…

Read More of This Blog    

Network Segmentation and the Fragile PLC

One of the best parts of my job is I get to walk around and look over what has been implemented in the way of physical and cyber security. Most of the time I am very impressed by what has been done as more and more companies are realizing what is at stake should their infrastructure be compromised. Whether its intellectual property or malicious activity, the costs of a breach could be significant, even catastrophic if the right circumstances were realized.

Ok, here is where it gets really fun. I was recently performing a Cybersecurity Vulnerability Assessment on an oil refinery.  The main PCS in place was a form of redundant Ethernet. The main communication was broadcast and multicast traffic…

Read More of This Blog    

Outrage! Panic! Indifference?

How should you react to news of PLC security vulnerabilities? 

Project Basecamp was an exercise conducted at the S4 Security Conference that was held last month in Miami, Florida.  At the event, six security researchers reported their findings on the security vulnerabilities found after testing several PLCs and field devices from several companies.  With relative ease, the security researchers were able to discover, verify and in many cases exploit basic security vulnerabilities such as backdoors, weak or no authentication, buffer overflows, etc. 

Dale Peterson of Digital Bond, the organizer of the event, recently blogged asking, “Where is the outrage?” Dale had expected…

Read More of This Blog    

Pen Testing a Live Control System – Are You Mad?

A recent, disturbing trend I’ve seen in industrial control system (ICS) security is that, in response to concerns about the security of their ICS & SCADA systems, companies are performing penetration (pen) testing on operational systems.  Often times they request these services as one of the first steps in their plans to improve ICS security. 

Pen testing, as the name implies, is intrusive testing whereby the tester behaves like an attacker and attempts to penetrate the system.  This often means the tester will deliberately send probe packets or malformed packets on the network.  Pen testing is common practice in IT security as a means to testing the effectiveness of the security controls (e.g. firewall, intrusion detection, etc.) that have…

Read More of This Blog    

Performing a Cybersecurity Risk Assessment as a Component of the PHA

There are three main components of the safety lifecycle: analysis, realization, and operation. We will be taking a look at the analysis phase, particularly related to the cyber industry.

To start, the first thing to do in both safety and security is do a detailed process, hazard and risk analysis of the system. In the case of safety, you should allocate safety functions that will protect against those risks that you have identified and create a safety specification or set of requirements for each of those safety functions that you are going to apply. Once those requirements are in place, the realization phase is similar to other realization efforts, including design and engineering, acceptance testing and installation, and various…

Read More of This Blog    

The Real Impact of Stuxnet

Stuxnet has, rightly, generated a significant amount of discussion and concern with the industrial automation community.  Fortunately, unless you operate a uranium enrichment facility using Siemens S7 PLC’s and some very specific variable frequency drives (VFDs) you probably haven’t been directly impacted by the Stuxnet virus.  However, that doesn’t lessen the concern that variants of Stuxnet or “the next Stuxnet” will not be as targeted and may impact a much broader range of industrial applications. 

So, in my opinion the “real” impact of Stuxnet is that it has opened the eyes of many who were either unaware of the dangers of control system insecurity or those that were aware but dismissed the issue…

Read More of This Blog    

The Road to More Secure Products

As the incidence of cybersecurity threats in industry continue to rise, the automation world continues to grapple with how to address these issues.  There are many good practices available to end users such as creating demilitarized zones between the business network and the industrial network, banning the use of portable devices on the industrial network, ensuring that security patches are installed regularly, etc.  While these solutions all make a lot of sense, I recommend an attack at the problem core.  Patching, for example, is very important, but it is also very expensive and carries some extra risks in an industrial automation system such as impacting the performance of a critical process.  Wouldn’t it be better to solve the problem by…

Read More of This Blog    

Train Wrecks Waiting to Happen?

Hacking public transportation systems is always depicted on TV and movies.  And they make it seem so easy… it only takes seconds for these fictional experts.  Is it a reality?

Well, the Amtrak train derailment that occurred earlier this year in Philadelphia got me thinking about “hacking” as a possible cause of the accident.  This is only my conjecture at this point, as there has been no indication that it was related to terrorism and all the facts of this unfortunate tragedy are still being collected and determined.  But some data reported from the train’s “black box” and engine cabin camera have been released. 

What’s Your Cyber Score?

It’s been a long time since I bought a used car but I bought one recently and tried CarFax® for the first time.  Wow!  I wish that was around when I bought my first “newish” car in 1987 right after I graduated from college. The car was only a year old, yet in the two short years I owned the car it cost me thousands of dollars in repairs and left me stranded on the side of the road countless times. 

How does this relate to cybersecurity?  My point is that it is nice to know about the vulnerabilities in a product before you buy It - or even after you buy it.  That’s why exida is…

Read More of This Blog    

“Building Security In”

Cybersecurity continues to be a big problem for the world at large and for control systems specifically.  The amount of time and effort that it can take to simply keep all of the security patches up to date on a large control system can be mind boggling.  No matter how up-to-date the security patches are, however, and no matter how well the network was designed, there will still be security vulnerabilities in the system.  Why is this?  This is because of the large number of security vulnerabilities in the underlying software used throughout the system. 

At the time when most of today’s control systems were developed, the software engineers were not aware of the root causes of security…

Read More of This Blog    


Approaches to Cybersecurity Lifecycle for Existing and New Facilities

Approaches to Cybersecurity Lifecycle for Existing and New Facilities

Watch This Webinar    

Commissioning Barrier Devices

This webinar will focus on activities performed after the Cybersecurity Vulnerability Assessment is complete and the recommendations to segment your network have been made. We will review multiple manufacturers product offerings, evaluate selection criteria, and delve into the actual process taken to isolate critical devices from the general control network. Actual network traffic screen shots will be used to demonstrate the steps that will be required to identify and isolate the devices from unwanted traffic while allowing necessary traffic to pass to the devices.

Watch This Webinar    

Commissioning Deep-Packet Inspection of Barrier Devices

Many vendors are producing firewalls designed for the Industrial Control environment. Some very simple; some quite complex. One idea that is rapidly expanding on the Defense-in-Depth concept and becoming more important is that of “Deep Packet Inspection” or DPI. The idea of not only firewalling a protocol, but firewalling what that message is trying to do, allowing for example, a read but not a write command to pass. A number of vendors have released some sort of DPI firewall, and more are adding theirs to the list.

This webinar will explore the uses and special aspects of the industrial control firewall and will review how a firewall works to protect an ICS network. Subsequent webinars will present some of the specific DPI products available on the market today. Who they are from, what protocols they can filter, and what additional functionality they offer.

Watch This Webinar    

Control System Vulnerability Assessment

While many standards have changed, and more information is constantly becoming available, what has not changed is the responsibility of the equipment owner to assure his process is reliable, secure and safe. One major step in that process is the Cybersecurity Vulnerability Assessment. This webinar will discuss the need and the path towards accomplishing that goal.

Watch This Webinar    

Cybersecurity Risk Assessment: A Component of the PHA

This webinar focuses on a methodology to perform a cybersecurity risk assessment designed to identify potential hazards that can arise from a cybersecurity attack on process control and protection systems. This is done in the context of the functional safety and cybersecurity lifecycles, and the potential process safety, environmental, and financial consequences.

Watch This Webinar    

Deep Packet Inspection for ICS Devices: Modbus/TCP Deep Packet Inspection

This is the second in a series of webinars which will review vendor products who offer Deep Packet Inspection (DPI). In this webinar we will review the background and steps required to implement an Industrial Control System (ICS) firewall using DPI for Modbus/TCP. Multiple vendors products will be shown and their specific configurations reviewed.

Watch This Webinar    

End User Cybersecurity Evaluation Report Card

This webinar will discuss how to make an objective assessment of a vendors equipment to see where it meets (or doesn’t meet) the IEC 62443 requirements through the use of a report card. The report provides a visual presentation of the results that are easy to view and follow. It covers the 7 fundamental requirements of IEC 62443, as well as communications robustness testing and the security development lifecycle. This will give the end user confidence that the products they are using are as secure as possible.

Watch This Webinar    

exida Automation Cybersecurity (ACS) Certificate Program

This webinar will introduce and discuss the exida Automation Cybersecurity (ACS) program. This is a certificate program that addresses a growing need to provide confirmation that an attendee showed competency by retaining the knowledge presented in a training course. The ACS program will also provide an analysis of where the candidate’s strengths and weaknesses lie. This program will also help a participant judge their competency level if interested in obtaining a certification like the Certified Automation Cybersecurity Expert (CACE) or Certified Automation Cybersecurity Specialist (CACS).

Watch This Webinar    

IEC 61511 & Cybersecurity

This webinar examines the revision in IEC61511-1 earlier this year to include a new clause regarding Cybersecurity and how this will impact end users. It has been recognized for sometime now that Industrial Control Systems can be susceptible to cybersecurity events, which could have potentially disastrous effects on Safety Instrumented Systems and Basic Process Control Systems. How immune a SIS or BPCS is depends upon how it was designed, its network topology and “openness” to the outside world. Compromising a SIS could result in a loss of protection, or worse still initiate unsafe or unstable process conditions.

Watch This Webinar    

Industrial Automated Control System (IACS) Cybersecurity Program Management (IEC 62443)

The presence of threats, and the success of attacks has been felt by virtually every individual and organization around the world. Protecting assets must be a well-organized, wide ranging effort that involves everyone who has assets to protect. There are organizational conflicts to understand, policies to create, and specific security activities to coordinate. This webinar discusses key aspects of a Industrial Automated Control System (IACS) Cybersecurity Program, provides concrete recommendations for getting started, and references that provide additional insight.

Watch This Webinar    

Introduction to Process Control Cyber Security

This webinar provides an introduction to Control System Cyber Security and the Security Lifecycle for managers and engineers involved in operating, maintaining and integrating Industrial Automation and Control Systems. While the course follows the Security Level Lifecycle from ANSI/ISA-99.01.01 and ANSI/ISA-99.02.01, it also references other relevant industry standards and industry best practices, in particular drawing parallels to the well established Functional Safety Lifecycle from ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod).

Watch This Webinar    

It’s an Assessment, Not an Audit

This webinar outlines the steps and process exida takes to perform its Cybersecurity Vulnerability Assessment without it taking on the uncomfortable feeling of an audit. The spirit of the assessment needs to be cooperative to be successful for both parties. We are not issuing pass/fail criteria, we are not hiding the results to give you a simple pass/fail rating. We are looking to evaluate you against best practice and standards, recommend enhancements, and document what you have already done right.

We discuss:

  • What steps you can take to make the process more streamlined
  • What information would be helpful in advance if available
  • What we investigate during the assessment
  • What you will receive at the end of the process

Watch This Webinar    

Lessons Learned From Actual Control System Security Incidents and Assessments

Lessons Learned From Actual Control System Security Incidents and Assessments

Watch This Webinar    

Performing a Cybersecurity Risk Assessment as a Component of the PHA

This webinar focuses on a methodology to perform a cybersecurity risk assessment designed to identify potential hazards that can arise from a cybersecurity attack on process control and protection systems. This is done in the context of the functional safety and cybersecurity lifecycles, and the potential process safety, environmental, and financial consequences.

Watch This Webinar    

Safety / Cybersecurity Lifecycle Overview Part 3 (Operation Phase)

This webinar is the third of a 4 part series to look at the cybersecurity lifecycle. Part 3 introduces the Operate and Maintain phase and focuses on the steps involved. Key topics of this second part includes:

  • Security Monitoring and Metrics
  • Security Threat Event Response
  • PSM cybersecurity Mechanical Integrity
  • Periodic Assessments
  • Management of Change
  • Cybersecurity Assessments
  • Decommissoning

Watch This Webinar    

Safety / Cybersecurity Lifecycle Overview Part 4 (Entering the Lifecycle)

This webinar is the fourth of a 4 part series to look at the cybersecurity lifecycle. Part 4 looks at how to implement the lifecycle within existing facilities where it is not currently in place. Key topics of this fourth part includes:

  • Vulnerability Assessment
  • Policies and Procedures
  • Personnel and Contractor Training
  • Network Access Control
  • System Component Hardening
  • Network Segmentation

Watch This Webinar    

Safety / Cybersecurity Lifecycle Overview: Part 1 (Analysis Phase)

This webinar is the first of a 4 part series to look at the cybersecurity lifecycle. Part 1 introduces the overall lifecycle and focuses on the steps involved in the analysis phase. Key topics of this first part includes:

  • Why IACS security is important
  • How cybersecurity integrates with the safety lifecycle
  • Inclusion of cybersecurity into project scopes
  • Cybersecurity risk & vulnerability risk assessments
  • Cybersecurity Requirements Specification

Watch This Webinar    

Safety / Cybersecurity Lifecycle Overview: Part 2 (Design Phase)

This webinar is the second of a 4 part series to look at the cybersecurity lifecycle. Part 2 introduces the design and implementation phase and focuses on the steps involved. Key topics of this second part includes:

  • Conceptual Design
  • Security Level Verification
  • Detailed design & procedures development
  • Design validation / system integration
  • Cyber FAT / Installation / Commissioning / Cyber SAT
  • Initial validation of countermeasures
  • Cybersecurity assessments

Watch This Webinar    

The 7 Things Every Plant Manager Should Know About Control System Security

Not that long ago, the move towards “open systems” and the resulting incorporation of off-the-shelf technologies represented a huge step forward in control system design. System integration became easier, product development by manufacturers was accelerated, and training leveraged common tools and concepts. While the benefits have been tremendous, open technology has made control systems open to security vulnerabilities, putting production and human safety at risk. Nothing has made that risk more evident than the Stuxnet virus which has made headlines since it was discovered in July 2010. Countering these threats requires organizations to develop a better understanding of their process control system security risks and how to address them. In this webinar, we will discuss the seven things that every plant manager and automation professional should know about industrial control system security. We will also discuss how to apply best practices from standards such as ISA 99.02.01 to mitigate these risks.

Watch This Webinar    

The Security Development Lifecycle (SDL) Explained

A lot of time and effort is spent installing security patches. The number of security vulnerabilities in a product, and thus the number of patches, can be significantly reduced if a Security Development Lifecycle (SDL) is followed during product development.

This webinar will help explain the following:

  • What is an SDL?
  • How following an SDL helps prevent successful security attacks
  • How does SDL fit into current standardization efforts?
  • How do I implement an SDL? What are the major parts of an SDL?
  • How can I ensure my suppliers are using an SDL?
  • How can I show my customers that I am using an SDL?

Watch This Webinar    

Understand Risk of Cyber Threats to an Industrial Process with a Cyber PHA

Operators of industrial facilities, particularly those that operate critical, potentially dangerous processes or produce product for consumer consumption, are rightfully very concerned about the potential for cyber threats that can accidentally or intentionally manipulate their industrial control systems (ICS). Modern ICS are highly vulnerable to cyber threats due to their increased use of commercial IT technology and extensive network connectivity. At the same time, the prospect of cyber threats to an ICS is all too real. In the last few years, there have been numerous documented attempts to hack or inject a virus into an ICS in order to intentionally cause harm or destruction. This presentation explores the challenges that most industrial companies face in understanding the true risk of cyber threats to their industrial processes and introduces Cyber PHA as a solution. Based on Process Hazard Analysis (PHA), which has been used in the process industries for decades to assist in understanding and ranking operational risks so they can be properly mitigated, a Cyber PHA is an organized and systematic assessment of the potential cyber threats to an ICS. It aids in understanding the true risk by identifying and qualifying threats, vulnerabilities and consequences.

Watch This Webinar    

White Papers

Integrating Cybersecurity Risk Assessments Into the Process Safety Management Work Process

Cybersecurity is rapidly becoming something the process safety can no longer ignore. It is part of the Chemical Facility Anti-Terrorism Standards (CFATS). In addition, the President’s Executive Order 13636– “Improving Critical Infrastructure Cybersecurity,” has drawn attention to the need for addressing cybersecurity in our plants as it has been demonstrated that in our new world, they are now a source of potential process safety incident.

IEC 61508[2], “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)” now has a requirement to address cybersecurity in safety instrumented systems and ANSI/ISA 84.00.01, “Functional Safety: Safety Instrumented Systems for the Process Industry Sector” is looking to include this requirement in the next revision. Currently the industry is playing catch up as there tends to be a gap in understanding between information technologists, traditionally responsible for cybersecurity, and the process automation and process safety engineers responsible for keeping our plants safe with help from automated controls and safety instrumented systems. As a result, guidance is being developed, but much of it continues to be a work in progress.

Download PDF    

The 7 Steps to ICS and SCADA System Security

The past two years have been a wakeup call for the industrial automation industry. It has been the target of sophisticated cyber attacks like Stuxnet, Night Dragon and Duqu. An unprecedented number of security vulnerabilities have been exposed in industrial control products and regulatory agencies are demanding compliance to complex and confusing regulations. Cyber security has quickly become a serious issue for professionals in the process and critical infrastructure industries.

If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organization can get moving on more robust cyber security practices. This white paper will give you the information you need to get started. It won’t make you a security expert, but it will put you on the right path in far less time than it would take if you were to begin on your own.

We began by condensing the material from numerous industry standards and best practice documents. Then we combined our experience in assessing the security of dozens of industrial control systems. The result is an easy-to-follow 7-step process:

Step 1 – Assess Existing Systems
Step 2 – Document Policies & Procedures
Step 3 – Train Personnel & Contractors
Step 4 – Segment the Control System Network Step 5 – Control Access to the System
Step 6 – Harden the Components of the System Step 7 – Monitor & Maintain System Security

The remainder of this white paper will walk through each of these steps, explaining the importance of each step and best practices for implementing it. We will also provide ample references for additional information

Download PDF    

The ICS Cybersecurity Lifecycle

With the ever changing threats posed by cyber events of any nature, it has become critical to recognize these emerging threats, malicious or not, and identify the consequences these threats may have on the operation of an industrial control system (ICS). Cyber-attacks over time have the ability to take on many forms and threaten not only industrial but also national security.

Saudi Aramco, the world’s largest exporter of crude oil, serves as a perfect example depicting how devastating a cyber-attack can truly be on an industrial manufacturer. In August 2012, Saudi Aramco (SA) had 30,000 personal computers on its network infected by a malware attack better known as the “Shamoon” virus. According to InformationWeek Security this was roughly 75 percent of the company’s workstations and took 10 days to complete clean-up efforts.

The seriousness of cyber-attacks in regards to national security was addressed by former United States Secretary of Defense Leon W. Panetta in his speech on October 2012. Panetta issued a strong warning to business executives about cybersecurity as it relates to national security.” A cyber-attack perpetrated by nation states [and] violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation,” he stated. “For example, we know that foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country.”

In addition to Panetta’s address, the U.S. Department of Homeland Security has issued several alerts about coordinated attacks on gas pipeline operators, according to a May 2012 report by ABC News.

This whitepaper will focus on the significance of cyber-attacks on industrial control systems (ICS) and how these attacks can be prevented by proper practice of the ICS Cybersecurity lifecycle.

Download PDF    

Case Studies

Cybersecurity Lifecycle: Giving Information a History and a Future

The Cybersecurity lifecycles from both ISA/IEC 62443 and TR-84-09.01 gave a template and foundation from which to plot a path. The goal of this exercise was to develop a cybersecurity model at one facility which can then be duplicated at other facilities. exida not only came on site to perform the assessments but also provided the training necessary to allow the processes to move forward.

Download PDF    

Cybersecurity Vulnerability Assessment (CVA)

The initial request from the Oil & Gas company was to perform a Cybersecurity Vulnerability Assessment (CVA) on a gas refinery process control network.

Download PDF    

Industrial Cybersecurity Solution

A wastewater treatment plant needed to protect its communications network, specifically the programmable logic controllers (PLCs) that run its operations. The primary goal was to reduce the risk of malware, accidental network incidents, or traffic storms from taking down the plants’ supervisory control and data acquisition (SCADA) network. With an easy to install solution that significantly reduced and filtered network traffic to the PLCs, the facility is now on the leading edge of cybersecurity protection.

Download PDF    

Industrial Cybersecurity Solution - Network Segmentation and the Fragile PLC

A Cybersecurity Vulnerability Assessment was recently performed on an oil refinery. The main PCS in place was a form of redundant Ethernet. The main communication was broadcast and multicast traffic from all devices in a producer/subscriber configuration. It was one very busy network.

Download PDF