
How to end the cyber security crisis

The recent JBS meat-packing and Colonial Pipeline ransomware attacks and shutdowns are appearing in all of the recent headlines. However, they're just the latest in a long and possibly endless barrage of cybersecurity crises. Of course, the low points for the process industries include Stuxnet in 2010, Triton in 2017 and several others over the years, along with a litany of named malware threats and related incidents. They haven't been as numerous (or well-publicized) as breaches in the mainstream IT and consumer realms. However, they're all symptoms of computing, software and networking inexorably driving formerly separate technical disciplines, users, organizations and businesses into closer proximity than at any time in their respective histories.


Unfortunately, most breaches and attacks occur when basic cybersecurity isn't implemented or is neglected—in short, humans not doing what they should be doing. But how do we diminish the space for this kind of error? Let's begin with long-distance defenses. Just as more network connections create more vulnerabilities, adding increasingly remote processes to networks can also create more avenues for intrusions and possible cyber-attacks.


Spanning 1,850 kilometers across Turkey, the recently completed Trans-Anatolian Natural Gas Pipeline (TANAP) supplies more than 5% of Europe's natural gas, and relies on ABB's Process Automation Division for its control infrastructure, security and telecommunications. ABB, in turn, uses Skkynet's DataHub software to support its secure, redundant communications of real-time and alarm data. To move 16-30 billion cubic feet of NG per year, TANAP uses four metering stations and two compressor stations connected to a main control center. It monitors and controls operations and equipment including leak detection, and stores and transmits data between the remote stations and the control center.


Managing cybersecurity is a broad topic covering everything from network security to personnel training, so Skkynet concentrates on giving users access to data without exposing their control networks. "VPNs are directly or indirectly exposed to outside networks, which is not ideal. Users know that zero-day exploits and phishing attempts can compromise their networks, so our approach is to avoid exposing networks and plants at all, and to reveal only the data needed by remote users," says Andrew Thomas, CEO of Skkynet.


"However, any time there's an authorized way into a network, for example via OPC UA or RDP, there is also a potential for unauthorized access through exploits in those same systems. The answer is, if access to a process or plant network is not absolutely necessary, then the plant should be completely isolated. It's not good enough for somebody to claim they have a good cybersecurity product and then require an open inbound port in the plant firewall—the whole notion is disingenuous; one open firewall port is one too many. Our message is simple: don't open any ports if you don't want to be attacked. That's possible with the right software and protocols."


Instead of exposing a process-control network, Thomas explains that remote users should only have access to the data. Skkynet's DataHub software, its open DHTP protocol and its Skkyhub cloud-computing service let process data reach a DMZ, and stream data to whoever needs it without exposing the inner network itself.


Most data used in this article was recovered from controlglobal




