Safety Instrumented Systems

PHA, LOPA, and QRA

Fire and Gas Systems

Industrial Cyber Security

Industrial Cyber Security

//Industrial Cyber Security

Industrial Control System protocols are modified Ethernet protocols and were created originally as serial communications before the wide spread use of Ethernet networking. They support proprietary inter-process communications and were built to provide reliable, and deterministic communications long before Ethernet security was a consideration. The Ethernet capable devices like industrial programmable controllers (PLCs) and other industrial controllers including devices like variable speed drives and instrumentation, do not have the capability to protect themselves. In fact, many even lack means of authentication or integrity checking and are vulnerable to potential attack or just mistakes. Consequently, it is up to all of us to protect industrial purpose made controllers from attack using solid, proven engineering and security techniques.

Kenexis specializes in making the complex manageable and understandable. Consider the drawing which shows zones and conduits a little differently. By changing the typical layout and putting the network switches in the zone and placing the barrier device that supports the conduit outside to the left, the design makes logical sense. Now it is easy to see that the control systems green wires are protected from the plant wide red wires by a firewall. Likewise the plant is connected to the enterprise through a router (probably using a VPN over the Internet or a leased line). The plant control systems are shown protected from the Internet using the plant firewall and the enterprise firewall. The router could also have firewall capabilities enabled in addition to the VPN and routing function.

DESIGN & MIGRATION PLANNING

Our Security Services are staffed by seasoned industrial control system and IT technology experts. Our services start either by designing a robust, secure, and performance based network or by analyzing the design and planning your migration path to your ideal industrial network.  Design services are based on solid industrial control system network design with secure communication and reliability as defined in ISA/IEC 62443 and other standards as required by your industry or region of the world. Our design services focus on providing secure and reliable industrial networks that will serve your business well with better visibility, secure remote connectivity, and less unexplained downtime. Kenexis offers industrial cyber security services designed around your process lifecycle to assist your organization with establishing a secure and reliable industrial network throughout the system’s lifecycle.

POLICY & PROCEDURE ASSESSMENT

We work closely with your organization to evaluate or develop an industrial control system network policy and procedures based on your concerns and the appropriate standards and regulations applicable to your industry and region. We will work with your team to insure agreement, rollout, and adoption. The established policy & procedures will drive security focused behaviors without compromising performance and connectivity. It will also establish a method for budgeting decisions, and accountability.

ACCEPTANCE TESTING

Our team will work with yours to verify that the detailed design as built, meets the security functions defined in the design. These test can be performed onsite for systems/equipment constructed and installed locally or performed offsite where the skid is built. In some cases, it is possible to conduct analysis remotely; contact Kenexis for more information on remote acceptance testing. Acceptance testing is designed to prevent the introduction of vulnerabilities into your system.

CONFORMANCE ASSESSMENT

Our conformance assessment service verifies your system, policy, and/or procedures, comply with the appropriate standard or regulation. A conformance assessment can also measure awareness and other attributes on a global scale for large corporations seeking to understand where they should focus effort and budget. It many cases, it is possible to assess certain conformance criteria remotely using online questionaries or remote conferencing technology. Periodically it is good practice to test both policy awareness and policy compliance.  We will work with your team to develop questionnaires and interview strategies as you desire using a variety of methods or you can utilize our custom questionnaires based on ISA/IEC 62443, NIST SP800, NIST Cybersecurity Framework, ISO/IEC 27001, ISACA Cobit 5, or SANS 20 Critical Controls.

VULNERABILITY ASSESSMENT

A Vulnerability assessment evaluates the ICS network for security, performance, and Kenexis will also perform reliability analysis. Prior to assessment, we typically review network architecture, assets, technologies, data flows, process flow diagrams, and previous assessments including risks assessments like HAZOP. Vulnerability testing includes passive scanning for device discovery and service enumeration as well as vulnerabilities. A penetration test can be performed with written permission to pursue vulnerabilities further into the system. Data aggregation and collation is followed by in depth analysis using a variety of tools and Kenexis Dulcet Analytics™. We identify vulnerabilities and rank them, remove false positives, and develop prioritized recommendations for remediation. Our final report includes asset inventory, vulnerabilities discovered, severity ratings, recommendations, comparisons, overview of tools and methods utilized and findings. Once the project is complete, we either destroy or return of all raw data.

STRATEGIC PLANNING & INCIDENT RESPONSE

If we plan correctly from the beginning, incident response should rarely if ever be required. If required, then our organization can dispatch rapidly to assist your team’s response and recovery. Strategic planning can encompass all the above services to insure your industrial network and team are ready to act based on procedure in the event you are attack or a network mishap occurs. Our incident Response service will help you develop a plan including the services listed above as required and assist during an incident. Our incident response focuses on remediating the problem as quickly as possible and not specifically on forensics unless specified in writing. Regardless, we use the same forensics techniques in either case, but emphasis shifts depending on the response requested.

 Industry Experience:

  • Oil & Gas, Petrochemical, Chemical, Pharmaceutical
  • Power Generation including Nuclear, Gas, Coal, and Hydro
  • Manufacturing including Automotive, Metal, Food & Beverage
  • Transit including Rail, Shipping, and Terminals
  • Government & Municipalities including Military, Research, Water & Wastewater

Additional Information

Security PHA Review (SPR) and Security Levels

After reading an ISA article related to the application of Security PHA Review (SPR) for the determination of required security [...]

Achilles JQS Registered

Achilles JQS Registered Supplier Kenexis Consulting Corporation is pleased to announce that it is a registered, verified, and compliant supplier [...]

BSides DC 2016 Cybersecurity ICS Work

Recently, Jim Gilsinn presented at BSides DC 2016 about cybersecurity work on Industrial Control Systems (ICS) and SCADA (Supervisory Control [...]

ICS Cybersecurity Professionals Needed

Kenexis is looking for industrial control system cybersecurity professionals to join a highly trained and dedicated team. Take a look [...]

Email Phishing Always a Threat

This week, someone attempted to penetrate our systems again. Many of these type of attempts are blast to thousands and some [...]

Beware of USB Charging Stations

As a consultant, I travel on a regular basis. When I travel, I usually have multiple devices with me: a [...]

Cybersecurity PHA Review

Make sure to check out the cover article in ISA’s InTech publication. In the article, Ed Marszal explains: “Even though [...]

Patching & Hardening – Cybersecurity

It is important to note the difference between ‘patching’ and ‘hardening.’ It is also important to note the importance both [...]

Did Iran Actually Attack (Cyber) a NY Dam?

It appears the US is going to blame Iran (ink to the New York Times article) for the cyber attack on [...]