Seth Carpenter is a cybersecurity technologist at Honeywell Process Solutions and an expert in the area of secure networks and systems. In January, Plant Services chief editor Thomas Wilk had the chance to talk with Carpenter about the state of plant cybersecurity in 2018. The conversation took place days after the Meltdown and Spectre chip vulnerabilities became widely known and publicized, so the conversation began by addressing the two elephants in the digital waiting room.
PS: Given the Meltdown and Spectre news, the conversation about industrial cybersecurity has taken on a new urgency. What are some of the things that our readers in maintenance, reliability, and operations ought to know about how these threats might affect what they are doing?
SC: The big story here, just like any major breaking malware, is that as much as possible, make sure that you’re up to date, that you’re running supported operating systems, and look to announcements from different vendors talking about compatibility or patches or anything like that coming out. The people who are already on top of things and have their patching process in place, they are going to be in fairly good shape here. Vendors are working everywhere to make sure they’ve got patches available.
Likewise, having good security defenses in place is always going to help. “Defense in Depth” is something that’s really ingrained in industry, as we’re used to the days when these systems were completely disconnected from the rest of the world. Most of the time the threat is from another connected system, or maybe a malicious ad, or something like that, that may not be very applicable in an industrial control system. But still, making sure those firewalls are in place, preventing direct internet connectivity from your processing control environment – good security hygiene, if you will – all those good practices are going to help out for this, just like they will with any major malware outbreak. And if there is a group that hasn’t been as diligent in their security practices, this is another good wake-up call, and we just keep getting one after the other.
PS: What are some of the questions or conversations you’d encourage maintenance, reliability, and operations teams to have with IT? Are there any specific questions they might want to ask about the Spectre and Meltdown vulnerabilities?
SC: Some of those questions to ask include, “What’s applicable to our systems?” and “Can we apply the patches?” It’s a little more complicated in this case than just a simple Windows patch. Right now there are patches coming out specifically targeted at Meltdown, so obviously that’s going to be very timely targeted. In some cases, depending on what antivirus they are running, that may need to be patched first to then allow the Windows update to go through. So there’s a very strategic conversation about what needs to happen for our systems, what systems are vulnerable, and understanding what needs to happen there.
There’s a broader conversation as well. How are we reacting to things, and what are we doing systemically? We tend of think of people, processes, and technology when we are talking about cybersecurity. The people aspect is critical. It’s encouraging that you’re talking about the maintenance-reliability group working closely with IT. Traditionally, there’s been a bit of a divide between the IT teams and the OT teams.
A really positive trend that we’ve been seeing is those teams working more closely together and understanding how they can each bring their expertise to these kinds of problems and help solve them, and having the people working together and then having the processes in place to know: “Here’s where we get our qualified patches. Here’s how we distribute them. Here’s how we verify that they’ve actually been put out to the machines.” You know, just closing the loop on all those things.
There are obviously technology solutions that can help out, and it’s going to be dependent on each team. Maybe they are working with their IT teams to use a centralized patching solution, or rely on managed services teams to get patches installed on the system.
Honeywell does have some additional tools, such as the Industrial Cybersecurity Risk Manager, that will assess the systems, the machines within the system, make sure they are up-to-date. So there are a number of solutions there we can look at.
PS: Do you see the Spectre and Meltdown vulnerabilities as more of an anomaly when it comes to the flaws in the processors themselves? Or do you see this as probably the way the future is going to go, where this is a lot more common than say a Stuxnet type of attack? Or is it going to be a balance?