CSIA 2014: Everyone has responsibilities for cyber security

Product suppliers, project service providers and system integrators, asset owners, and operators all need to be involved in cyber security, said Johan Nye, control systems commercial technology leader at ExxonMobil Research and Engineering, Fairfax, Va. Nye presented at the 2014 CSIA Executive Conference in San Diego on April 25.


His comments and advice follow:

  • Vendors must deliver products secure by default and should not deliver products wide open. [Recent Control Engineering site poll results suggested most devices recently installed did not require a password reset, even though that's the recommended delivery practice for vendors.]
  • More than 90% of cyber security intrusions could be thwarted if human-machine interfaces were not delivered in administrator mode.
  • The tools ExxonMobil uses include the NIST Cybersecurity Framework, ISA99/IEC 62443 industry standards, and ISASecure, and system integrators have a role to play, as well.

Best practices framework

The NIST Cybersecurity Framework, which stems from an executive order, involved many critical infrastructure sectors in its development. It references ISA/IEC 62443 standards and can be used as a high-level framework within asset-owner and operator companies. The five elements of the framework are to identify, protect, detect, respond, and recover.

The ISA and IEC have a simultaneous submission process for cyber security efforts. ISA/IEC 62443-1-1 is the overall concept and terminology document covering foundational requirements, security terms, and security levels. Edition 2 is now underway. The audience for these standards includes product suppliers, service providers, and asset owners.

[Photo caption: ISA/IEC 62443 security levels are modeled after safety integrity levels.]

The document is based on the ISA84 safety instrumented systems (SIS) concepts of safety levels, where security levels are modeled after SIS. Security level is based on four adversary capabilities: means, resources, skills, and motivation. (See photo.)

  • 2-1 covers asset-owner audience based on risk assessment.
  • 2-4 covers requirements for solution suppliers with concept of maturity levels and is of the greatest interest to system integrators.
  • 3-2 and 3-3 are system-level documents. 3-2 covers security zones and security levels based on the risk assessment process, and 3-3 covers technical requirements, helping the product suppliers, based on foundational requirements and security levels.
  • 4-1 and 4-2 cover components, including host computers, network, and embedded devices and applications. 4-1 covers development lifecycle for product suppliers, with patching requirements. 4-2 explains technical requirements for suppliers. 

Cyber security certification

The ISA Security Compliance Institute (ISCI) offers product certification. The certifications may not cover things that haven't been discovered yet, which are considered zero-day threats. The process tests points at the boundaries of and inside the security zones.

The three types of certifications are:

  • EDSA: embedded device security assurance.
  • SDLA: security development lifecycle assessment (coming later this year).
  • SSA: system security assurance.

[Photo caption: Security zones and conduits, for example, can divide the system into a safety zone, control zone, and operations zones.]

System integrator advice

System integrators should:

  • Establish company policies and procedures.
  • Take a lifecycle attitude.
  • Use ISA/IEC 62443 standards.
  • Not leave surprises behind for your customers. You must train employees, letting them know you have zero tolerance for unsafe cyber security behaviors.
  • Encourage suppliers to get the ISASecure certifications. Select secured products when you have a choice.
  • Use role-based access control with the least privileges.
  • Meet the NIST Cybersecurity Framework.
  • Don't connect the industrial automation control system (IACS) to the Internet. Hacker tools can map the control system if it is connected. If you connect, it will get found and exploited. 

Questions and answers

Q. Certification training for products and system: Is it about process or the technology?

A. Both, but really the certification attempts to establish trust among vendors, service providers (SIs), and asset owners, since they may not have the in-depth knowledge required.

Q. If the system is certified, how long does it last? What about next month when an unforeseen threat emerges?

A. We spent a lot of time talking about that. To get a certification, the production supplier must have a work process in place and must get a security patch to address that vulnerability. They also must do this for third-party components in their systems. Test the security patch. The certification isn't forever. A trigger includes a product revision. Time limit on certification; I think it's two years. Timeframe differs by program.

Q. What about budgets? This isn't free. It requires training and compensation; asset owners need to pay more. Are they willing?

A. Is system reliability an add-on option? Safety? Security is an inherent part of the industrial control system. For legacy systems, there also are mechanisms to add security around them.

Q. How do you handle external connections?

A. ExxonMobil sees connections as the highest threat. If you give view only, risk is less. If you give administration trust to a third party, then all bets are off.

- Mark T. Hoske is content manager, CFE Media, Control Engineering, mhoske@cfemedia.com.

