Consider this: in 2016, the US and NATO nations officially recognized cyberspace as a domain of warfare. In geopolitical terms, a cyber attack is now as actionable as a naval attack. Within industrial and commercial settings, cyber malice is frequently seen as a leading threat, and likely a permanent one. So let’s discuss PLC, HVAC, and cybersecurity.
As first brought to global attention by the Stuxnet attack in 2010, PLCs are a tempting target for malice. Since that event, cyberattacks on PLCs and beyond have sent alarming messages throughout the heating and energy industries. The ingress point for the massive 2013 hack of retailing giant Target is believed to have been its HVAC management company. In 2016, a cyber attack in Finland crippled residential heating systems during a freezing winter. In March of this year, a Saudi petrochemical plant’s system was hacked not only for its data, but in an attempt to sabotage internal systems and trigger an explosion.
Today, every industry executive understands the need for cyber security in PLC systems. Not all, however, are fluent in their own company’s risk profile. Many more don’t understand the methods and limits of prevention. Federal agencies have no doubts about these topics, and have strenuously advocated both risk assessment and intrusion prevention for the industrial sectors. The National Institute of Standards and Technology (NIST) has been particularly active in this arena, and has assembled a Manufacturing Extension Partnership (MEP) program to help businesses of all types understand cyber threats and how to deal with them.
The NIST MEP program, created together with private enterprise, has been developing a framework for cybersecurity risk management, and guidelines to assess and mitigate cyber risk to manufacturing systems. Businesses that have not yet conducted a serious assessment of their cyber vulnerabilities would do well to start their education with the NIST overview. In addition to NIST, the Center for Internet Security (CIS) also offers a resource and security risk assessment method that helps organizations implement and assess their security posture against CIS controls.
Best practices for safeguarding are a more complex topic. As more Industrial Control Systems are connected to the Internet and the IIoT, there is predictable debate over where the security dollars are best applied. The cyber security services industry is flush with new vendors ready to serve the ICS markets. The threat of cyber attacks has actually created a flourishing new industry.
Quality, not quantity, is the problem when it comes to finding cyber security for PLC systems. Much of today’s talent pool is drawn from the IT world, where cyber security has long been an established discipline. Proprietary or legacy PLC systems are often outside their experience. Training new professionals in relevant cyber security techniques is crucial, and is being addressed by programs supervised by the International Society of Automation (ISA). Businesses seeking to build their in-house cyber security competencies can find up-to-date training and certification through these programs.
To combat the problems of not enough security and not enough security experts, some PLC manufacturers are touting built-in cyber security features. These include integrated firewalls, secure booting, and preventive measures against uploading of unauthorized software. In these new PLC designs, slots can accept authorized, non-rewritable memory, which can be securely locked as a safeguard against tampering. This simple level of physical security is more important than most CIOs give it credit for. Many cyber threats don’t necessarily begin as deliberate, planned invasions; they are a product of opportunity. A careless employee or careless password maintenance can be as big a threat to the PLC system as the most relentless black hat. The insurance industry calls these risks a “moral hazard,” like a homeowner who doesn’t lock all the doors when leaving home to get groceries. Many of these security holes around the PLC are often overlooked, yet expedient to solve.
The U.S. Department of Homeland Security has also issued specific, emphatic cyber security messaging for companies in the HVAC spaces. According to the Department, “HVAC and fire systems have significantly increased roles in security that arise from the interdependence of process control and security.” The agency goes on to warn that computers and computerized devices used for ICS functions (such as PLC programming) should never leave the ICS area. Laptops, portable engineering workstations, and handhelds should be tightly secured and never used outside the ICS network. With these kinds of warnings in mind, it’s easy to understand how simple cures to the aforementioned “moral hazards” contribute to a more secure system.
The HVAC sectors are on the front lines of the cyber threats against industry. Climate control is a universal need for both people and machines. Understanding and accepting the differences between what should be done and what can be done are crucial to a successful cyber security strategy, for PLCs and beyond. Not every attack can be prevented, and not every component of every system can be secured. However, strategies for preventing the preventable are critically necessary. Building those strategies and executing them with tactics that can adapt over time is not just worthwhile to industry — it’s imperative.