Five minutes with Safdar Akhtar, Honeywell
The Middle East cyber security market size is expected to grow to $22.14bn by 2022, affecting industrial as well as construction environments, says Safdar Akhtar, Honeywell
Construction Week speaks with Safdar Akhtar, business development director of industrial cyber security for Europe, Middle East, and Africa (EMEA) at Honeywell Process Solutions (HPS), about cyber threats in construction and industrial sites
CW: How big a threat are malware and viruses to construction and industrial sites? How prevalent are their spread through USB devices?
Safdar Akhtar: The Middle East cyber security market size is expected to grow from $11.38bn in 2017 to $22.14bn by 2022, affecting industrial as well as construction environments.
As a result, we are seeing an increased focus on detecting these threats and on implementing advanced technology to combat them.
When it comes to industrial sites, operators have a large number of employees and contractors on site every day, many of whom rely on USB-removable media to patch, update, and exchange data to complete tasks. USB devices in an industrial site are crucial for control systems as they are primarily used to update and maintain PCN configuration for the site to remain operational.
However, malware and viruses transferred through USBs remain a real risk for industrial control systems. According to a report by BSI publications, malware spread through USB devices was recorded as the second largest threat to these systems in 2016.
USBs are extremely difficult to control with corporate directives, and, as such, they must be managed with technology. For this reason, the industry needed a solution that enables secure transfer of files using removable media without disrupting operational workflows. Honeywell has introduced Secure Media Exchange (SMX), which specifically protects facilities against current and emerging USB-borne threats.
CW: Could you give examples of possible problems that USB-borne malware can cause in construction and industrial sites?
SA: Plant managers must balance their need for swift operational updates with their responsibility to secure and protect their operations against disruption or malicious attacks. USBs are one of the main threat vectors used in industrial attacks and the proliferation of malware. According to Honeywell Industrial Cyber Security research, more than 39% of malware found on industrial control systems was propagated using a USB port.
Open USB ports are spread throughout the plant, leaving industrial processes also vulnerable to insider threats and unauthorized third-party commands introduced through infected removable media.
USB-borne malware affects the critical infrastructure of an industrial site and can only be removed by deploying advanced industrial cyber security solutions. USBs have taken power plants offline, downed turbine control workstations, and caused raw sewage floods, among other industrial accidents.
CW: In terms of practices, what can companies do to protect their facilities from computer- and electronic-related threats?
SA: The first step to protecting facilities is for decision makers to recognise and understand the current environment and related threats. With this knowledge, they can then identify and prioritise finding the systems and devices that are the most exposed and vulnerable to cyber-attacks. Most threats come from the network and securing that becomes imperative in an industrial site.
Identifying the early warning signs are key. These include knowing which systems and servers are vulnerable to threats and determining whether the proper access controls are in place. Honeywell offers a range of solutions that install and configure firewall, Intrusion Prevention System IPS, anti-virus, application whitelisting, and endpoint hardening.
Industrial executives must focus on building a robust industrial cyber security program that is resilient and defensible.
Here are the key areas for program development: Establishing baselines is important. Organisations need to identify and address vulnerabilities, threats, and residual security risks. They then need to define risk tolerance by working with leadership teams to define the level of cyber risk that is acceptable to the business. They must categorize and quantify how these risks could impact strategic business objectives and, in turn, define what needs to be protected and to what level.
The next phase is about measuring risk and instituting a plan to continuously measure and report on cyber security risk. This will help in making sure businesses understand trends and unexpected anomalies.
Mitigating risks is crucial. Organisations need to implement remediation steps and extend enterprise risk management policies and processes to cover cyber security risk as well.
They should also have an incident response plan. That includes organising and formalising the steps to address a cyber security incident and conduct regular tests of cross-functional response teams.
CW: How about in terms of technology? What types of products should they be using?
SA: Honeywell has a unique multi-vendor approach to provide integrated cyber security management. We integrate state-of-the-art technology with proven expertise so that customers can confidently rely on us.
It’s crucial that we address cyber security holistically throughout the control system lifecycle with a complete suite of solutions and services.
One of the products is Honeywell’s Cyber Security Risk Manager, the first solution to proactively monitor, measure and manage cyber security risks for industrial environments. It consolidates complex site-wide cyber threat and vulnerability data into a single view for better visibility and improved decision-making and extends users' ability to stay ahead of cyber threats in ways not previously possible.
Honeywell’s Managed Industrial Cyber Security Services combine leading engineering analysis with the industrial expertise essential for process control environments. Leveraging an encrypted Secure Connection, the services provide protection management, continuous monitoring and alerting, intelligence reporting, and perimeter and intrusion Management.
Interview continues on next page...
CW: Could you tell us about Honeywell’s Secure Media Exchange (SMX) software and Advanced Threat Intelligence Exchange (ATIX)? How are they different from the other products on the market?
SA: SMX and ATIX enable secure use of USB devices, offering solutions to CIOs across the region. These innovations provide hassle-free, multi-layered protection for USB use, letting users simply plug in and check devices for approved use in the facility. Contractors “check-in” their USB drive by plugging it into an intelligence gateway. The ruggedized industrial device analyses files using a variety of techniques included with ATIX, a secure, hybrid-cloud threat analysis service.
On one hand, SMX protects plant safety and operations (e.g. production rates) by reducing site disruptions caused by malware and other security threats transmitted via removable media such as USBs. On the other hand, it protects plant safety and operations (e.g. worker productivity rates) by allowing service providers and employees to safely use convenient and effective removable media for equipment updates.
SMX modernizes plant security by combining a consumer-friendly USB scanning device (in your entry area) with cloud-based industrial cyber security threat updates (from professional researchers). It simplifies compliance and site reviews by providing logs of removable media activity and users throughout the plant and improves equipment servicing productivity by eliminating complicated security mechanisms, while ensuring documented industrial security. SMX reduces the risk of malicious exploitation of USB ports by monitoring and controlling removable media use throughout a plant.
With an evergreen repository of vendor-agnostic malware and threat updates, the time horizon for new attacks to be launched against operations is reduced. SMX reduces the administrative cost and burden associated with less effective methods of verifying and controlling the use of removable media in the industrial control network.
It is these types of solutions that will allow regional industrial players to ensure that they have the proper protection needed to ensure maximum cyber security. Studies show that the adoption of digital safeguards is increasing as IT spending within the Middle East oil and gas sector grew to around $1.66bn in 2016.
CW: Other than USB-borne malware, what security challenges should companies look out for, especially now that smart systems and the Internet of Things (IoT) are seeing more integration into construction and industrial operations?
SA: The digitisation and increasingly interconnected nature of industrial automation is doing more than changing our industrial processes. The transition underway presents the industry with tremendous opportunities for increased safety, efficiency, and profitability, while at the same time presenting new business requirements and risks to be managed.
Recently, we've seen hackers exploit connected "smart" devices using the Mirai botnet, malware that takes control of computers, to conduct a massive cyber-attack against commercial Internet sites. It has impacted more than 500,000 IoT devices in 164 countries simply because they lacked strong security credentials.
In today’s cyber threat environment, developing secure products all starts with designing security into our software and hardware from the beginning and managing risk across their entire life cycle. We understand that developing connected products that are resilient to malicious tampering involves having proficient cyber security professionals, mature security processes, and best practices, and advanced capabilities to continuously monitor for threats, reduce vulnerabilities, and actively manage cyber incidents when they occur.
As a software-industrial company, Honeywell’s technologies and solutions improve quality of life for people around the world, which is why cyber security and data protection are at the forefront of how we do business.