Honeywell Industrial Cybersecurity

A major European oil and gas company that acquires, explores, produces and supplies chemical and petroleum products had a cybersecurity challenge. Company leadership wanted a better way to quantify and respond to the industry’s increasing levels of cybersecurity risk. Pioneers were looking for a new way to better understand and improve their company’s OT cybersecurity. As part of this effort, pioneers wanted to compare the company’s current levels of protection against a series of hypothetical attacks to identify gaps. With operations in several locations and a supply chain network of over 1,000 gas stations, auditing and improving the company’s cybersecurity would be no small task. Set of analysis and recommendations The Honeywell csHAZOP solution is designed to deliver a comprehensive set of analysis To help overcome these challenges, the company called in Honeywell and, specifically, its csHAZOP services team to perform a detailed design evaluation based on OT cybersecurity risk. The Honeywell csHAZOP solution is designed to deliver a comprehensive set of analysis and recommendations–it goes beyond the standard cybersecurity vulnerability assessment or IEC 62443 compliance audit by adding deeper analysis that is designed to: Investigate a significant amount of what can go wrong, including approximately 500+ attack scenarios – evaluating these for multiple threat actors and different consequences, Address – via risk assessments – both the likely risk reduction through the regular IT type of countermeasures (AV, firewall, hardening, etc.) and the consequence severity reduction through the implementation of safeguards (e.g., hardwiring critical control signals), Estimate residual risk for each hazard, allowing identification and quantification, making mitigation actionable, Focus on process automation cybersecurity risk (csHAZOP stage 1) or production process cybersecurity risk (by adding csHAZOP stage 2 vs. cybersecurity production risk) to add a higher level of cybersecurity analysis from an OT perspective unique in the industry. Send in the csHAZOP experts Honeywell cyber experts also uncovered some high-risk design deficiencies The Honeywell OT cybersecurity experts worked with the Honeywell proprietary csHAZOP method to uncover several concrete recommendations for immediate remediation and technical design recommendations in the company’s ICS, to be considered in upcoming ICS migrations. Honeywell cyber experts also uncovered some high-risk design deficiencies. The Honeywell csHAZOP framework was used to identify levels of residual risk to determine which security hazard was more critical to address versus others. Honeywell provided targeted guidance on several aspects of the study, using experience from real-world cyber attacks in the industry. Honeywell’s csHAZOP service is one of the few cybersecurity assessments available on the market that is designed to apply counterfactual risk analysis. Honeywell’s csHAZOP report This evaluation now links OT cybersecurity to loss prevention and process safety Given a system’s protective measures, this method helps a company evaluate which cyber attacks (based on countermeasures, security protections and type of threat actor) may succeed. This evaluation directly links OT cybersecurity to loss prevention and process safety. Honeywell’s csHAZOP report for this oil and gas refinery was considered successful by the customer because of its well-defined procedure, the tools Honeywell has specifically designed for OT systems and the team’s experience and efforts in OT cybersecurity. Results of the csHAZOP assessment “The results of the csHAZOP assessment from Honeywell went beyond our expectations. We have received a detailed and analytical cybersecurity hazard and operability report concerning both identified risks and realistic recommendations for remediation." "Additionally, the report is a valuable tool for future upgrades of our systems as well as new projects and the development of an incident response plan. We intend to repeat this assessment periodically, as it is a valuable tool in our continuous efforts to improve security for our systems from the ever-evolving cybersecurity threats,” Major refinery in Europe.

Cybersecurity threats targeting organisations' industrial control systems (ICS) are not always direct. Instead, the most vulnerable entries to an ICS can start with external partners, like suppliers and vendors.  Honeywell's customer, a global pharmaceutical company, realised that potential vulnerabilities like these might be in its partner ecosystem. Therefore, the pharmaceutical company wanted to get ahead of a potential breach so they trusted Honeywell to do a thorough assessment of its suppliers’ operational technology (OT) cybersecurity gaps. Why did the customer choose Honeywell?  First, Honeywell's OT cybersecurity experts took the time to understand the customer’s processes at more than 100 sites around the globe. Second, Honeywell experts used their knowledge and experience along with the customer process insight to conduct assessments that met their unique needs. Many of the competitors are simply IT vendors dabbling in the world of OT. Honeywell, however, has the knowledge and the experience to better meet the demands of OT. The pharmaceutical company chose Honeywell over the competitors based on the quality and wealth of OT knowledge the experts provided. Spreading security The Cybersecurity Vulnerability Assessment is part of a global two to three-phase project that covers over 100 sites This was not to be a small or limited undertaking. This Cybersecurity Vulnerability Assessment is part of a global two to three-phase project that covers more than 100 sites. The first assessment was completed for the company’s site in India with other sites being covered in later phases. Vulnerability assessment Honeywell’s OT cybersecurity experts conducted the vulnerability assessment to help capture the customer’s control system vulnerabilities and potential weak spots. The assessment performed was a holistic technical review of the ICS infrastructure. It focused on analysing their cybersecurity processes, procedures, and safeguards to better protect their industrial control systems(ICS) from internal and external threats. Because Honeywell focuses on OT as opposed to IT only, Honeywell experts are skilled in considering the entirety of an ecosystem. This means including people, processes, and any technical issues that can impact the ICS cybersecurity posture. Digging in to reduce risks  The Honeywell team was able to holistically assess the customer’s ICS environment, documenting observations  The Honeywell team has deep expertise across IEC 62443 standards and other industry-specific guidelines, as well as invaluable experience with control systems. Because of this expertise, the Honeywell team was able to holistically assess the customer’s ICS environment, documenting observations and recommendations to help reduce cybersecurity risks. Physical site review Honeywell team first conducted a physical site review to assess to uncover issues such as control room doors left unlocked, passwords in the line of sight, and other security compliance violations. The team also reviewed the customer’s network equipment from third parties such as switches, routers, and firewalls; reviewed the infrastructure configurations; and checked installation processes. Site-specific recommendations The report detailed best practices and site-specific recommendations to help the customer help mitigate and prioritise All the vulnerabilities, severity levels, and remediation details were included in the Cybersecurity Vulnerability Assessment report. The report also detailed best practices and site-specific recommendations to help the customer help mitigate and prioritise any identified threats or vulnerabilities and notes regarding how and where each step can serve as a foundation for the best practice architecture. Challenges and successes Honeywell experts remained diligent in exceeding the customer’s expectations despite the shutdown in India due to the pandemic and the unexpected need to assess and remediate assets. Honeywell also had one secret weapon: one of the OT cybersecurity experts had real-life experience in the pharmaceutical industry. This made it possible for the team to better tailor the assessment (and recommendations) to this particular customer.

Hackers gain control of a chemical plant’s furnace control system. They tamper with the temperature settings and cause an explosion. The consequences of an incident like that can be catastrophic, especially since 9.3 million people reside within a 10-kilometre radius of the average chemical plant in the US. Targeting operational technology (OT) systems has become a typical tactic for bad actors. Cybercriminals and nation-state actors see these critical assets as an open invitation to disrupt operations, cause physical damage and even put public safety at risk. Average cost of Cyber breach OT environments require greater connectivity to realise the advantages of an intelligent production environment. “With increased connectivity comes the increased risk of bad actors gaining access to a network. They want to use it as a launching point to deploy malware and cripple the ability to produce products or provide services,” says Chase Carpenter, Chief Security Officer at Honeywell. Attacks are also costly. According to the Ponemon Institute, the average cost of a cyber breach in critical infrastructure is now $4.5 million. Moreover, 75% of OT organisations experienced at least one intrusion in the past year. OT cybersecurity starts with visibility Unfortunately, the solution didn’t provide the visibility required to efficiently identify cyber threats Honeywell needed to improve security for its own manufacturing environment. Every one of its over 400 facilities depend on OT to function, and in turn, those OT environments depend on cybersecurity programs and solutions to help improve their defences against malware and other cyber attacks that could disrupt or, worse, shut down its manufacturing sites. Before they can implement a good security program for the OT assets, they need to know what they are and where they are. Honeywell started by using an off-the-shelf cybersecurity solution to monitor OT networks at its various manufacturing locations. Unfortunately, the solution didn’t provide the visibility required to efficiently identify cyber threats. Specifically, the tool could not correctly detect numerous network assets, which might vary between workstations, test devices, control systems, CNC devices and more, depending on the manufacturing site. Advantage of the situation Honeywell would have to shut down a factory every time the site was threatened “Over 49% of our assets were left unclassified,” says Mukesh Saseendran, Director of Cybersecurity at Honeywell. “To get an accurate inventory, we needed an individual to walk down to every single workstation and document everything manually, which in itself is labour intensive and prone to human error.” If an asset is undocumented, it’s a blind spot. It could present a gaping hole for attackers to infiltrate, and no one would know about it until it’s too late. Without the right cyber tools in place, Honeywell would have to shut down a factory every time the site was threatened, resulting in serious revenue leakage. “If I don’t know about a particular asset, I can’t protect it and that’s a terrifying scenario,” Carpenter says. “There could be bad actors taking advantage of the situation to stage an attack.” Honeywell taps in-house experience to fight threats Around the same time that Honeywell realised its commercial off-the-shelf solution was inadequate, the company launched its own OT cyber solution. This software solution – Honeywell Forge Cybersecurity+ | Cyber Insights – came from years of internal development in Honeywell’s OT cybersecurity business, which serves multiple industries with products and services designed to help organisations reduce their industrial cybersecurity risk. Honeywell tested and evaluated dozens of OT cybersecurity software products in its labs The reality is that, over the years, Honeywell tested and evaluated dozens of OT cybersecurity software products in its labs – for itself and its customers. The company gained profound insight into what is considered a best-in-class solution and applied that insight as it developed Cyber Insights. Inventory of assets on the network Carpenter says he had three must-haves before removing the previous cyber tool and replacing it with Cyber Insights. First, the solution needed to be capable of accurately determining the inventory of assets on the network. Second, he and his team needed the capability to be able to passively detect any malicious activity happening on the network. Third, the solution should be designed to accurately identify the version of the operating system or firmware on each asset and when it needs to be patched or updated. “Cyber Insights delivered on every one of those must-haves,” says Carpenter. “Honeywell now has far greater visibility into all the assets on the network that manage, monitor and control its industrial infrastructure.” OT-centric environments In addition, Cyber Insights is designed to provide a layer of vulnerability defence “Having this visibility also means that, in case there is an adverse situation, we should have the ability to respond more quickly to the threat,” says Saseendran. In addition, Cyber Insights is designed to provide a layer of vulnerability defence. If an unauthorised system is trying to communicate with another asset, Cyber Insights is designed to raise flags and send alerts about the potential threat. Cyber Insights is also capable of significantly reducing unnecessary noise, particularly in OT-centric environments. “The previous product discovered 200,000 to 300,000 assets and networks across all our sites, and we didn’t understand why it was discovering so many,” explains Saseendran. “We later realised it was looking at the data and traffic incorrectly and, as a result, generating a lot of noise. When we switched to Cyber Insights and did the audit correctly, we were down to 67,000 assets across those sites. Honeywell now has far greater visibility into all the assets and networks that manage, monitor and control its industrial infrastructure.” Deployment of Cyber Insights Cyber insights are designed to make the implementation process easy Carpenter is the process of deploying Cyber Insights to 120 of Honeywell’s vital manufacturing sites Another major downside to that original off-the-shelf tool was that it was very difficult and time-consuming to implement. At each site, it took Honeywell four to six months to get up and running with the solution. “There are over 400 factory sites at Honeywell,” says Saseendran. “We simply cannot invest six months per site to implement the solution. That’s why efficient implementation is so critical.” In contrast, Honeywell implemented its first Cyber Insights site in less than a month, with seven sites implemented in two months. Carpenter is now in the process of deploying Cyber Insights to 120 of Honeywell’s most critical manufacturing sites. Honeywell’s experience indicates that a typical single-site deployment of Cyber Insights takes about 33% less time than the previous solution utilised by Honeywell. In addition to ease of implementation, Cyber Insights’ clear and straightforward representation of the network landscape simplified asset configuration and viewing, which is crucial for asset discovery without resorting to manual audits. Since going live with Cyber Insights, Honeywell observed an 18% to 20% increase in asset discovery within the Honeywell-deployed sites. This is a significant benefit that eliminates the need for manual workstation audits, which are often error-prone and unreliable. The Honeywell difference Reality is that OT cybersecurity is lazing because it needs specialised tools and knowledge Cyber teams have become skilled at implementing solutions, practices and procedures designed to improve security for IT systems; however, the reality is that OT cybersecurity is lagging because it requires specialised tools and knowledge. Organisations simply can’t use the tools they have in the IT space when managing their OT environment Honeywell has approached this challenge by leveraging its vast experience in the OT world to develop Cyber Insights. “We have a very complex environment, including small sites, large sites and sites around the world,” says Saseendran. “If Cyber Insights works for us in our manufacturing sites, it will very likely work for our customers as well. There is no silver bullet to fully secure your OT environment,” says Carpenter. “However, Honeywell currently offers one of the most complete sets of products and services that can help organisations improve their protection of their critical OT assets.” Robust cybersecurity solution for the OT environment Implementing Cyber Insights is like getting a good pair of glasses for the first time – everything becomes clear, and with that clarity comes new speed and efficiency. If there is an attack, Cyber Insights is designed to help cyber teams identify the source and know where to focus, which can help their organisations save valuable time and resources. It is not an install-once and-walk-away solution, but rather a constant companion in the battle against cybercrime. If they are looking for a comprehensive and robust cybersecurity solution for the OT environment, look no further than Honeywell Forge Cybersecurity+ | Cyber Insights. This solution can help them improve the visibility, control and resilience of the OT network, and help to improve their ability to protect it from cyber threats that could harm the business and reputation.