Construction Week speaks with Safdar Akhtar, business development director of industrial cyber security for Europe, Middle East, and Africa (EME) at Honeywell Process Solutions (HPS), about cyber threats in construction and industrial sites

CW: How big a threat are malware and viruses to construction and industrial sites? How prevalent are their spread?

Safdar Akhtar: The Middle East cyber security market size is expected to grow from $11.38bn in 2017 to $22.14bn by 2022, affecting industrial as well as construction environments.

As a result, we are seeing an increased focus on detecting these threats and on implementing advanced technology to combat them.

When it comes to industrial sites, operators have a large number of employees and contractors on site every day, many of whom rely on USB-removable media to patch, update, and exchange data to complete tasks. USB devices in an industrial site are crucial for control systems as they are primarily used to update and maintain PCN configuration for the site to remain operational.

However, malware and viruses transferred through USBs remain a real risk for industrial control systems. According to a report by BSI publications, malware spread through USB devices was recorded as the second largest threat to these systems in 2016.

USBs are extremely difficult to control with corporate directives, and, as such, they must be managed with technology. For this reason, the industry needed a solution that enables secure transfer of files using removable media without disrupting operational workflows. Honeywell has introduced Secure Media Exchange (SMX), which specifically protects facilities against current and emerging USB-borne threats.

CW: Could you give examples of possible problems that USB-borne malware can cause in construction and industrial sites?

SA: Plant managers must balance their need for swift operational updates with their responsibility to secure and protect their operations against disruption or malicious attacks. USBs are one of the main threat vectors used in industrial attacks and the proliferation of malware. According to Honeywell Industrial Cyber Security research, more than 39% of malware found on industrial control systems was propagated using a USB port.

Open USB ports are spread throughout the plant, leaving industrial processes also vulnerable to insider threats and unauthorized third-party commands introduced through infected removable media. 

USB-borne malware affects the critical infrastructure of an industrial site and can only be removed by deploying advanced industrial cyber security solutions. USBs have taken power plants offline, downed turbine control workstations, and caused raw sewage floods, among other industrial accidents.

CW: In terms of practices, what can companies do to protect their facilities from computer- and electronic-related threats?

SA: The first step to protecting facilities is for decision makers to recognise and understand the current environment and related threats. With this knowledge, they can then identify and prioritise finding the systems and devices that are the most exposed and vulnerable to cyber-attacks. Most threats come from the network and securing that becomes imperative in an industrial site.

Identifying the early warning signs are key. These include knowing which systems and servers are vulnerable to threats and determining whether the proper access controls are in place. Honeywell offers a range of solutions that install and configure firewall, Intrusion Prevention System IPS, anti-virus, application whitelisting, and endpoint hardening.

Industrial executives must focus on building a robust industrial cyber security program that is resilient and defensible.

Here are the key areas for program development: Establishing baselines is important. Organisations need to identify and address vulnerabilities, threats, and residual security risks. They then need to define risk tolerance by working with leadership teams to define the level of cyber risk that is acceptable to the business. They must categorize and quantify how these risks could impact strategic business objectives and, in turn, define what needs to be protected and to what level.

The next phase is about measuring risk and instituting a plan to continuously measure and report on cyber security risk. This will help in making sure businesses understand trends and unexpected anomalies.

Mitigating risks is crucial. Organisations need to implement remediation steps and extend enterprise risk management policies and processes to cover cyber security risk as well.

They should also have an incident response plan. That includes organising and formalising the steps to address a cyber security incident and conduct regular tests of cross-functional response teams.

CW: How about in terms of technology? What types of products should they be using?

SA: Honeywell has a unique multi-vendor approach to provide integrated cyber security management. We integrate state-of-the-art technology with proven expertise so that customers can confidently rely on us.

It’s crucial that we address cyber security holistically throughout the control system lifecycle with a complete suite of solutions and services.

One of the products is Honeywell’s Cyber Security Risk Manager, the first solution to proactively monitor, measure and manage cyber security risks for industrial environments. It consolidates complex site-wide cyber threat and vulnerability data into a single view for better visibility and improved decision-making and extends users' ability to stay ahead of cyber threats in ways not previously possible.

Honeywell’s Managed Industrial Cyber Security Services combine leading engineering analysis with the industrial expertise essential for process control environments. Leveraging an encrypted Secure Connection, the services provide protection management, continuous monitoring and alerting, intelligence reporting, and perimeter and intrusion Management.

Interview continues on next page...