By Matthew Pacobit, Senior Director of Regulatory Affairs
We have been getting many questions from clients about cybersecurity and the cyberattacks that have been widely reported in recent news. Most clients want to know why these attacks are happening all of a sudden and whether or not their plant is vulnerable.
To begin, the media may have just started reporting some of these high-profile attacks, but if you read public companies' past disclosures, you will find that this has been going on for years. Additionally, cyberattacks have been growing exponentially, and with the rise of cryptocurrency, criminals are now able to demand payments that are almost completely untraceable.
With regard to the vulnerability of clients' plants, the answer is a bit more complicated, and there are a few key points that need to be made clear.
First, all power plant control systems are vulnerable and there is no such thing as a perfectly secure system. Even systems that are air-gapped are still at risk from transient cyber assets and removable media (laptops, tablets, phones, USBs, etc.).
Second, power plant control systems are not the same as IT business networks. Plant control systems are made up of many customized components from a wide variety of vendors. Some of these components might be off-the-shelf computers, but they cannot be secured using the same solutions as business network computers. I have seen firsthand cybersecurity software try to request information from a plant controller on an operational network. The controller interpreted it as an unknown error, failed, and triggered a backup. The software then did the same thing to the backup and took down the entire system.
Because of the risk to the control system, the CAMS cybersecurity team separates the business network from the operational network when looking at cybersecurity solutions. Most of our clients currently use CAMS Bluewire Technologies for their business network cybersecurity; however, each operational network is unique. There needs to be a discussion on risk mitigation vs. cost for each control system and each cybersecurity solution. Some control systems can be secured with a firewall or data diode, while others are better off with firewall monitoring and/or whitelisting. Additionally, most power plant control systems have at least some components and software that are older than 5-10 years, so determining the right fit is a personalized process.
In the end, securing the power plant control system not only reduces the risk of downtime but also reduces the risk of equipment damage, making cybersecurity and risk mitigation worth the cost.