Improving cybersecurity in industrial control systems for glass production

Where to start?

In preparation for a CRA, the type of information required includes current cybersecurity policies, cyber program objectives, applicable standards, and existing cybersecurity tools and technologies. OT network diagrams showing ICS layers and zones, and labels displaying locations of critical assets on the network are also needed; as well as identification of the personnel and stakeholders most familiar with the OT network layout, equipment and assets, from an OT, cyber and technical knowledge point of view. The cybersecurity assessment has two parts; the assessment with report, and the consultation services to discuss the results in depth and create a tangible roadmap for the next steps.

Risk assessment

There are varying levels of risk assessments available, including: Core, (Cybersecurity Risk Assessment – a high-level gap assessment); Enhanced (a detailed assessment aligned to the 15 control areas in IEC 62443); and Optimized (a customer assessment that typically focuses on a deep dive of a high-risk environment, system or process).

The risk assessment includes a documentation review, of items such as network diagrams, current cybersecurity policies and program elements. Remote interviews are carried out with key OT and cybersecurity stakeholders. Then the cybersecurity expert’s analysis identifies key risk areas, gaps and recommended steps for remediation in a report, which provides a starting point to prioritize future cybersecurity initiatives.

Expert consultation

The CRA includes a deep dive on the results of the cybersecurity assessment, during which the independent Schneider Electric cybersecurity experts will provide detailed recommendations and step-by-step guidance, as well as a Q&A session, time frame for implementations, and budget estimates. Workshop sessions can help define a blueprint for cybersecurity and prioritize which areas to address first, based on resources, covering cyber training levels of ICS personnel, documented incident response procedures, lifecycle management policies and procedures, and access controls.

After implementing cybersecurity improvements, control systems can be further protected by ensuring the operation and applications are always current and up to date by using managed cybersecurity maintenance services, such as the Eurotherm software patching service, which can be offered as part of a Sales Level Agreement (SLA). Personnel cybersecurity training can also be provided to reduce the chance of cybersecurity incidents resulting from human error.

Defense in depth

An effective industrial cybersecurity strategy is typically based on a defense in depth approach to achieve multiple layers of physical and digital protection. Ideally, cybersecurity should be designed-in, but Eurotherm recognizes that existing control systems require consideration too. Control and data acquisition products normally reside in the process control level behind a firewall but to support a defense in depth strategy, the Eurotherm product range includes features that help protect processes from being compromised by cyberattacks. The resilience of existing products and systems can also be improved through services.
The Eurotherm product ranges include communication robustness and user access features, helping to protect production processes from being compromised by cyberattacks as part of a defense in depth strategy. For example, Secure File Transfer Protocol (SFTP) provides secure file transfer over a Secure Shell (SSH) connection. Data is encrypted before transmission to prevent sensitive data, such as username, password and production process data from being disclosed over the network. In Eurotherm products that support this feature, SFTP can be used to archive recorded data, for instance, process values, alarms, messages, and batch information over a network, helping to protect data transfer in accordance with the IEC 62443 guidelines.

Achilles is an independent certification that demonstrates the robustness of products when subjected to a wide range of demanding communication conditions. The Eurotherm control and data acquisition products with Achilles Certification have communication robustness features, for example, algorithms that can detect excessive network activity and help to ensure that a device’s resources are prioritized on the essential functions of the control and/or recording strategy. The IEC 62443 standard states that industrial control systems should be able to authenticate and authorize human users. Some regional cybersecurity requirements and guidance also no longer allow the use of hard-coded user passwords, therefore IoT capable devices must have the functionality to create unique passwords or prompt a new user to set a password before they have access. Eurotherm products are available with password-controlled user access features to aid defense in depth strategies in industrial control systems. Typical features include Ethernet communications, and FTP server functionality disabled at instrument start-up until an Engineer account password has been created. Operator and Supervisor accounts are disabled until unique passwords have been created, and well-known recovery/backdoor passwords are not supported – all helping to limit access only to authorized job roles for improved cybersecurity.

For companies not sure where to start or that need help implementing a cybersecurity strategy, Eurotherm’s experienced and qualified experts can assess glass producers’ unique situations and requirements, helping them meet cybersecurity challenges with targeted solutions that fit their needs.

About the author:
Param Chana is Global Service Business Development Manager at Eurotherm.

The full version of this article appeared in the September/October 2022 glasstec issue of Glass Worldwide alongside a broad cross-selection of editorial covering all areas of production and processing.