© Copyright 2018 OSIsoft, LLC 1
How Facility Controls Systems Present Cybersecurity Challenges
Learn how you can resolve them
Scott Smith
Principal – Facilities and Data Centers
OSIsoft
2018
Speaker
Scott D. Smith
– OSIsoft
– Industry Principal, Facilities & Data Centers
Perspective
– IT background
• Enterprise system architecture
• System operations
• Disaster recovery and IT security
– 15 Years in IT/OT environments
• Power generation
• Energy trading
• Electric distribution and transmission
– 10 Years in software solutions
Objective
As our need for such data continues to grow, serious cybersecurity risks are brought to light by inadequate security architecture or a lack of process and controls. We need to be able to identify our risks and develop a mitigation strategy.
Lessons
• Discuss how to raise awareness of cybersecurity threats
• Identify the value of IT/OT integration in solving
cybersecurity threats
• List challenges of IT/OT integration
• Describe the value we can receive from IT/OT
integration and the expansion of data sharing
The Challenge
Mission Critical Nature of Facility Operations
fa·cil·i·ty
/fəˈsilədē/
Noun - noun: facility; plural noun: facilities
1. A place that provides a particular purpose, such as an office, store or school
2. Mission Critical Infrastructure: the mission may vary from a hospital that has a life-saving mission, to a corporate campus that has a mission to support the core business operations, to a government building that provides financial, security or social services.
✓ Life Saving
✓ Food Supply
✓ Housing
✓ Security
✓ R&D
✓ Regulatory
✓ Manufacturing
The Risk is Real
An attack on US retailer Target, in which
millions of customers' credit card
information was stolen, was traced back
to the heating and ventilation system.
Tomorrow's Buildings:
Help! My building has been hacked
In 2013, Google - one of the world's pre-eminent tech companies - was hacked.
“How a fish tank helped hack a casino”
A 2018 U.S. Department of
Defense (DoD) report to
Congress estimates it could cost
more than $250 million over the
next four years to identify,
register and implement fixes to
vulnerabilities in DoD facility
control systems.
The risk does not have to be malicious; it could come from execution by poorly trained or inappropriate resources.
Driven to Share Information
1. Situational Awareness
2. New Technology (IOT)
3. Operational Efficiencies
4. Energy Savings
5. Planning with M&V
Center of all process design, system integration, and automation is SECURITY.
Ongoing success of SECURITY is measured by your Situational Awareness of change.
5 Challenges to the Cybersecurity Challenge
All environments have unique challenges; we will discuss 5 core areas of risk.
Cybersecurity Today
1. Facility systems installed without security expertise
2. Remote access for 3rd parties
3. Merged control networks and IT networks
4. Lack of multi-layer security
Challenge 1 – Separate Data from Control
1. Understand future needs and value of data
2. Increase access to data while separating control
3. Use the situational awareness of data to evolve security posture
Challenge 2 – Internet Accessible
Shodan.io - Shodan is the world's first search engine for Internet-connected devices.
In less than 5 minutes, a search identified multiple systems and surfaced broadcast addresses and login screens for Johnson Controls, Niagara and Alerton systems.
Search
Result Access
Challenge 3 – Remote Access
• Commission Process Remote Access
• Outsource Maintenance and Management
• Accidental - Installer’s lack of security knowledge
Trends
1. Have you completed a review to understand your risk and vulnerability from cybersecurity threats?
Answer: 46%
2. Are any of your building management systems under a service contract that allows remote access?
Answer: 70%
Building Operating Management Survey (2018)
Challenge 4 – Lack of Visibility to Best Practices
The only time most people even think about the building systems is when they are not comfortable.
More often than not, your own IT security team may have no knowledge or awareness of these control systems.
Leverage the decades of lessons learned on security, risk assessments, disaster planning and change control offered by your own IT and OT operations.
Challenge 5 – Lack of Situational Awareness
Baseline + M&V
• Monitor set points and configuration settings
• Baseline performance for deviations
• Create alerts to changes
Contingency Plans
• Develop risk matrix
• Identify operations that require facility services
• Create plans for loss of control
Documentation “AS-IS”
• Export configuration
• Monitor change logs to configuration
• Create a log of changes
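The baseline, alert and change-log items above can be sketched as a comparison between a documented AS-IS configuration and a later export. This is an added example, not OSIsoft or PI System code; the point names, tolerances and export layout are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed "AS-IS" baseline: point -> (documented value, tolerance).
# tolerance None = setting must match exactly; a number = allowed set point drift.
BASELINE = {
    "AHU1.SupplyAirTempSP": (55.0, 2.0),
    "CHW.SupplyTempSP": (44.0, 1.0),
    "AHU1.Schedule": ("occupied 06:00-18:00", None),
    "BAS.RemoteAccess": ("disabled", None),
}

# Constructed later export of the same configuration.
CURRENT_EXPORT = {
    "AHU1.SupplyAirTempSP": 56.5,            # inside tolerance
    "CHW.SupplyTempSP": 48.0,                # drifted past tolerance
    "AHU1.Schedule": "occupied 06:00-18:00",
    "BAS.RemoteAccess": "enabled",           # configuration change
    "AHU2.SupplyAirTempSP": 55.0,            # point missing from the baseline
}

def compare_to_baseline(baseline, export):
    """Return one change record per deviation from the documented baseline."""
    changes = []
    def record(kind, point, expected, actual):
        changes.append({"kind": kind, "point": point,
                        "expected": expected, "actual": actual})
    for point, (expected, tolerance) in baseline.items():
        if point not in export:
            record("missing", point, expected, None)
            continue
        actual = export[point]
        numeric = isinstance(actual, (int, float)) and tolerance is not None
        if numeric and abs(actual - expected) > tolerance:
            record("setpoint_deviation", point, expected, actual)
        elif not numeric and actual != expected:
            record("config_changed", point, expected, actual)
    for point in sorted(export.keys() - baseline.keys()):
        record("undocumented", point, None, export[point])
    return changes

def to_change_log(changes, when=None):
    """Render change records as timestamped lines for an append-only change log."""
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    return [f"{stamp} {c['kind']} {c['point']} "
            f"expected={c['expected']!r} actual={c['actual']!r}" for c in changes]

if __name__ == "__main__":
    for line in to_change_log(compare_to_baseline(BASELINE, CURRENT_EXPORT)):
        print(line)
```

Points present in the export but absent from the baseline are reported as undocumented, which is the gap the Documentation “AS-IS” column is meant to close.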
IT/OT Value
IT & OT Convergence Is a Key Answer
Technology Barriers Have Fallen
▪ Common Protocols
▪ Open Standards
▪ Common Operating Systems
▪ Common Hardware
▪ Shared Services
Cultural and Functional Barriers Remain
• Different Languages
– Operational Decision Making
– Outage (Control Systems vs IT Systems)
– Maintenance
– System Upgrades
– Security
• Organizational Silos
• Increased Risk – Cyber Security
• Profit–Loss Implications
• Mission Success
Security Models
Traditional Control Security Model
• No inbound/outbound access
• Barrier of entry
• Insure networks leveraging application password
IT Security Model
• Secure Barriers (Inside and Out)
• Centralized security directory
• Security monitoring tools and services
[Diagram labels: Open protocols within control; Application Security; Firewalls; Master Controls; Data & User Segregation]
A Strategy to Embrace OT IT Integration
Define Target/Objective
Define Governance
Separate Data from Control
Data Infrastructure
Secure Unidirectional
Asset or Process Centric
Knowledge Sharing
Heavy Hand of IT Full Scale Integration
Define Mutually Beneficial Value
• Identify operational challenges
• Identify business challenges
• Identify Security Best Practices
• Pick the low hanging fruit
Objective: New Enterprise IT Technologies To Meet Business & Operational Goals
[Chart: Complexity of Intelligence versus Distance from Operations, spanning Operational Intelligence to Business Intelligence]
• Standard Reporting – What Happened?
• Ad hoc Reports – How Many, How Often, Where?
• Query Drill Down – Where exactly is the problem?
• Alerts – What actions are needed?
• Statistical Analysis – Why is this happening?
• Forecasting – What if these trends continue?
• Predictive Modeling – What will happen next?
• Optimization – What’s the best that can happen?
Thought Process – Identify value of data to process objectives
Benefits: Why do we care
• Financial Performance
– Track financial performance of operational decisions
– Optimize asset performance
– Optimize business operations based on market conditions
– Supply chain improvements
• Improved Governance
– Expand the view beyond the context of a single system
– Align to “Chart of Operations/Financial Operations”
• Risk Reduction and Resilience
– Situational Awareness
– Condition Based Maintenance
– Cybersecurity Architecture
For more information…
…visit our Facilities web page…
…or you can visit the Facilities Cybersecurity page.
You can also go to our PI System Overview webpage to learn more about OSIsoft and the PI System.