Author Archives: Joshua Clemens

3 Ways to Mitigate Risk through Training

Are your operators prepared in the event of an abnormal process situation?  

Do they know how to actively (and appropriately) respond to alarms?

Mitigate your facility’s risks by providing your operators with training opportunities that improve user confidence and decrease response time to abnormal situations, making more effective use of your workforce’s time.

How, you ask?  By empowering your operators with hands-on experience on your specific control system in an isolated/controlled environment, simulating an array of abnormal scenarios that you can’t effectively achieve on-process – and doing so conveniently at your facility or one of Champion’s nearby locations.

STEP 1:  IDENTIFY RISK AREAS & PRACTICE RESPONDING

Take a minute to imagine any or all “worst case” scenarios your facility could one day face – that if not handled properly could result in a Health & Safety event, equipment failure, or simply a loss of production.  It sounds pretty ominous!  But it doesn’t have to.  Knowing what these situations are is the first step to mitigating risk and effectively responding – without hesitation and without panic.

Your scenarios typically don’t need to go so far as a “doomsday apocalypse” – often something as simple as a failed sensor or an unrecognized alarm could present risks with untrained personnel.

This is where Champion comes in – to create a “twin” of your control system and operating environment.  In this simulated environment, we can introduce any number of scenarios, teaching first how to identify the risk and then how best to respond.

STEP 2:  STOP “SNOOZING” THAT ALARM

We’ve all done it from the comfort of our bed – “snoozing” that daily alarm for “just a few more minutes.”  Regularly doing the same with control system alarms may be an indication you are due for an assessment by one of Champion’s Alarm Management specialists – but that is a topic for another day!

Training your personnel to properly identify, evaluate, and respond to alarms and abnormal situations in your facility is a big part of mitigating risks.  Using the same example of your control system “twin,” Champion can effectively train users based on your process environment.  Each possible abnormal scenario can be triggered in a no-risk environment – with users learning in each case how to respond to an abnormal situation in a timely or correct manner.

STEP 3:  WORK SMARTER, NOT HARDER

Training your workforce shouldn’t be a major undertaking – it should be a well-coordinated, preplanned, and efficient use of your personnel’s time.  Champion values these goals for all clients, whether providing on-site training at your facility or at one of our strategically located facilities.

  • Do you have new personnel or a new facility?
  • Is your existing facility undergoing a control system upgrade?
  • Do your technical personnel want more flexibility to perform system updates and modifications?

There are plenty of scenarios in which your workforce may benefit from Champion-tailored training solutions for operators, maintenance, and technical personnel. Whether getting everyone up to speed on a new system, comparing changes between a legacy and new system, or learning how to stay agile in the onsite maintenance & updates your site might require – reach out to our sales team for more information on all of the training solutions we can offer. 

Champion’s goals are to maximize your facility’s safety, efficiency, and overall performance.

Choosing the Right Control System for Your Facility

Is your control system approaching its end-of-life product lifecycle?

Does your system rely on replacement parts that are increasingly harder to find?

Is it more difficult to find or hire personnel who have experience with your control system?

It may be time to upgrade.
But – How to choose the right system?

When you have identified that it’s time to upgrade your control system, you want to explore all the options that are available to you. It is especially important to find a control system that best fits your application. For example: if you only need to upgrade a controller, you would avoid upgrading the entire control system.

Some manufacturers’ control system platforms offer a variety of upgrade and migration solutions and strategies. For some end users, there are migration strategies that may be a better solution than a complete upgrade.  In other cases, a complete system upgrade may be the answer.  Most of the time the best solution is somewhere in between.

How would you go about choosing which solution or strategy is right for your application? Maybe your company is standardizing on a single platform, which simplifies your options. But sometimes the field of options is wide open.

Understanding your unique needs and expectations is vital to choosing the proper system. This can be a challenging task if you don’t have the required information.

When choosing your control system, you should think about:

  • Lifecycle of Existing Assets
  • Pros/Cons of Technology Solution Options
    • Evaluated by an unbiased party with hands-on experience
    • How will the technology solution better enable you to meet industry requirements and best practices such as safety and cybersecurity (ISA, NFPA, CISA)?
  • Feasibility and Impact of the Solution
    • Technology solution and strategy
    • Potential downtime and risk mitigation
  • Maintenance and Support
    • Effort required to maintain the system
    • Training of staff to maintain the system
    • Identify established partners in order to provide timely support
  • Total Cost of Ownership
    • Evaluated by an unbiased party with hands-on experience

Champion understands the challenge of making sure a new system meets your requirements, and of knowing how it will function or grow for your future needs. Our team specializes in leading clients through the process of choosing a control system that is right for their specific needs – and their budgets. As part of our process, we will work with your team to define your goals and expectations, conduct an assessment, and recommend the best, unbiased solution that aligns with your goals. Bring your control system from the past into the present, while you plan for the future. Contact us today for an assessment to plan your systems roadmap.


Want to learn more about Champion? Contact us!

Champion Technology Services, Inc. is an industrial control systems integrator that provides OT services across the United States and abroad. Our team includes ISA/IEC 62443 Cybersecurity Experts and GICSP (Global Industrial Cyber Security Professional)-certified professionals in the latest NIST standards. We help small, medium, and large companies assess their existing control systems and implement protocols that meet their facility’s requirements while maintaining our status as an unbiased third-party solution provider.

Champion Celebrates 20 Years

FOR IMMEDIATE RELEASE

Champion Technology Services, Inc. is celebrating an incredible milestone:  20 years in business.

What started out as a two-person endeavor in late 2000 steadily matured into a team of 125 people across the country in 2020. Champion has achieved amazing milestones – growing one office into nine, being part of the LSU Top 100, being named Control Engineering’s Systems Integrator Giant, and achieving steady growth year-over-year.

None of this would have been possible without our dedicated team, continual process improvement, and of course – our clients.  We are thankful and humbled by our clients’ unwavering dedication!

Through the years, Champion has made strategic adjustments to generate a culture that inspires and empowers talented individuals to make the world a better place through technology.  By always staying at the forefront of technology and investing in our team’s professional growth, our clients realize the benefits in their day to day operations.

Whether implementing a control system upgrade, designing a new installation, assessing cybersecurity gaps, improving a facility’s safety systems, or enabling secure remote access for a full suite of OT Managed Services – our commitment to excellence remains steadfast.

At Champion, we believe the success of our clients is a direct reflection of our own efforts and successes.  That’s why we will continue to provide the best solutions available at any given time.  Independent of any equipment manufacturer or technology platform, our experts partner with you to evaluate needs, make recommendations, and execute the rollout that brings the most value to your facility.

From all of us at Champion, we thank you for trusting in our team to provide the solutions and systems that best achieve your goals.  We look forward to the next 20 years, as we continue to grow together.

Is Remote Access to Your Control System Safe?

Anytime a new conduit to an ICS network is created – especially one which transits the internet – there is inevitable trepidation about the potential security risks it might create. So, when we talk about creating a tunnel from your network into the cloud, you’re going to have mental alarms going off. This article will describe how Champion keeps your network secure while providing unprecedented levels of service and support.

The Cloud Zone

A security zone is created in the cloud specifically for you. Here, it serves as an extension of the Demilitarized Zone (DMZ) of your control system. The same security concepts that apply to your DMZ apply here as well.

There are only two paths in and out of your cloud zone:

  1. The Tunnel, as defined below, to your on-premises DMZ.
  2. Dedicated secure route to our portal servers to enable the features provided by our managed service offering.

These paths are restricted by routing and firewall rules to pass only the authorized data.

No Windows administrative connections (RDP, WMI, RPC, and other evil acronyms) can be made from outside the DMZ and cloud zones. All administrative activity happens within the cloud zone via hosted desktop sessions. These sessions are delivered using virtual desktop presentation technologies so that only the video stream leaves, and only keyboard and mouse commands enter. No proprietary data or external threats can be transferred via either cloud path.

The Tunnel

In order to connect your site to the cloud, a tunnel must be created. This tunnel is built using the best available VPN protocols. Like most tunnels, its job is to keep the good things in and the bad things out.

This includes:

  • Ensuring that only your DMZ can connect to the cloud zone and only the cloud zone can connect to your DMZ.
  • Encrypting the data so that it cannot be monitored by outside forces.
  • Ensuring the data stays intact from one end to the other.
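
The two-path rule for the cloud zone and the restriction on Windows administrative connections can be checked mechanically against a firewall rule export. The script below is an added example, not Champion's tooling: the zone names, rule names and sample rule set are constructed, and the port list (TCP 3389, 135 and the default dynamic RPC range 49152-65535) is this example's assumption for what "RDP, WMI, RPC" covers.

```python
"""Audit a firewall rule set against the cloud-zone policy described above."""
from dataclasses import dataclass

# Hypothetical zone labels for this example.
CLOUD, DMZ, PORTAL = "cloud", "dmz", "portal"
ALL_ZONES = {CLOUD, DMZ, PORTAL, "enterprise", "internet", "control"}
ALLOWED_CLOUD_PEERS = {DMZ, PORTAL}  # the only two paths in or out of the cloud zone
ADMIN_ZONES = {CLOUD, DMZ}           # admin connections must start inside these zones

# Assumed TCP ports for Windows administration: RDP, the RPC endpoint mapper,
# and the default dynamic RPC range that DCOM/WMI negotiates.
ADMIN_PORTS = {"RDP": (3389, 3389), "RPC": (135, 135), "WMI/DCOM": (49152, 65535)}
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high) destination port range
    action: str   # "allow" or "deny"


def expand(zone):
    """Turn a zone field into the concrete set of zones it matches."""
    return ALL_ZONES if zone == "any" else {zone}


def overlaps(a, b):
    """True when two inclusive port ranges share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def audit(rules):
    """Return a sorted list of (rule_name, finding) tuples."""
    findings = set()
    for r in rules:
        if r.action != "allow":
            continue
        for s in expand(r.src):
            for d in expand(r.dst):
                if s == d:
                    continue
                # Check 1: the cloud zone may only talk to the DMZ and the portal.
                if CLOUD in (s, d):
                    peer = d if s == CLOUD else s
                    if peer not in ALLOWED_CLOUD_PEERS:
                        findings.add((r.name, f"cloud zone path to unauthorized zone '{peer}'"))
                # Check 2: no admin ports into DMZ/cloud from any other zone.
                if d in ADMIN_ZONES and s not in ADMIN_ZONES and r.proto in ("tcp", "any"):
                    hit = sorted(n for n, rng in ADMIN_PORTS.items() if overlaps(r.ports, rng))
                    if hit:
                        findings.add((r.name, f"admin ports {'/'.join(hit)} open from '{s}' to '{d}'"))
    # Check 3: the policy must end in an explicit deny-everything rule.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any" and last.dst == "any"
            and last.proto == "any" and last.ports == ANY_PORT):
        findings.add(("<end-of-policy>", "no explicit default-deny rule"))
    return sorted(findings)


# Constructed sample rule set: three compliant rules, three violations, default deny.
SAMPLE_RULES = [
    Rule("tunnel-out", DMZ, CLOUD, "tcp", (8883, 8883), "allow"),
    Rule("tunnel-in", CLOUD, DMZ, "tcp", (3389, 3389), "allow"),
    Rule("portal-desktop", PORTAL, CLOUD, "tcp", (443, 443), "allow"),
    Rule("vendor-rdp", "internet", DMZ, "tcp", (3389, 3389), "allow"),
    Rule("ent-to-cloud", "enterprise", CLOUD, "tcp", (443, 443), "allow"),
    Rule("portal-mgmt", PORTAL, CLOUD, "tcp", (49000, 50000), "allow"),
    Rule("default-deny", "any", "any", "any", ANY_PORT, "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Port ranges are compared by overlap rather than equality, so a wide rule such as `portal-mgmt` is flagged even though it never names an administrative port explicitly.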

The Eyes

It’s often stated that if you can’t see it, you can’t secure it. To ensure your network stays safe, it’s vital to have eyes on the traffic that’s going through it. Like a building with door sensors, motion detectors, smoke detectors, security cameras, and a remote monitoring service… Champion can be your partner in notifying you in real-time of any abnormal activity.

  • Intrusion Detection Systems (IDS) designed with OT networks in mind are deployed for your network. These are strictly passive systems that merely sound the alarm if a potential compromise is detected.
  • IDS sensors are installed in strategic locations to passively monitor as much of the traffic on your network as possible.
  • Firewalls guard all the border crossings of your network. Anyone without the right credentials cannot get through.
  • End devices are protected with antivirus software. This blocks malware which makes it to a computer and sends out alerts.
  • A Security Information and Event Management (SIEM) server collects real-time data from all these safeguards and more and presents them to Champion’s monitoring team.
  • Should an event occur, we’ll notify you immediately. If you authorize it, we can also take action to mitigate any threat per your Incident Response Plan.

The Result

While opening a tunnel between your network and the cloud might sound scary, using the proper technology and partner allows your network and OT assets to be safer than ever. Not only will you be better protected from security threats, but now we can even alert you to process issues before they become big problems.

Remote support engineers can respond even quicker and without introducing you to unnecessary risks like VPN connections from untrusted computers, unmonitored persistent virtual desktop access, or cellular modems.


Want to learn more? 
Contact us with questions, or to receive a free consultation!

The Top 5 Differences Between IT and OT

While everyone is familiar with the term “IT” (Information Technology), the term “OT” (Operational Technology) is far less familiar to the general public.  That is not to say OT is newly emerging; quite the opposite.  Over the last two decades, IT and OT have begun to converge.  You’ve likely heard terms like “IIoT” (Industrial Internet of Things) or “Industry 4.0.”  But there are unique differences that set OT apart from IT:

  • Production: 
    While IT is extremely important at the corporate (or “Enterprise”) level, OT is the livelihood of any facility.  The mission of any OT system is to achieve the greatest production output with the least amount of downtime possible.
  • Safety: 
    IT and OT must both be vigilant in mitigating security risks.  However, IT’s risks generally lend themselves to trade secrets and corporate accountability.  OT’s risks can be much more tangible:  Unsafe operating conditions or monitoring can result in health and safety issues such as fatalities or environmental catastrophes.
  • Skillset: 
    IT and OT have overlapping skillsets with technological approaches, but OT requires much more specialized experience with respect to the OT systems:  from understanding an industry’s production process, to the integration of many diverse L0/L1 devices and systems into one cohesive and intuitive platform, to the safety and alarm management of the process.
  • Cost of Ownership: 
    The lifecycles of IT and OT systems are vastly different.  Whereas IT’s typical lifetime on equipment is about 12-18 months, OT equipment is generally more robust and operates longer – often lasting 10-15 years.  Therefore, planning for Total Cost of Ownership (TCO) takes not just different expertise but also a different approach and methodology to achieve a comprehensive cost.
  • Compliance: 
    Whether for the safety of workers, surrounding communities, or the environment, compliance standards are often far more stringent on OT systems.  Federal and state agencies regularly monitor and regulate industrial processes due to their inherent ability to impact the community at large.

Production

Since production is the livelihood of any industrial facility, so too are the operational systems that keep them moving.  Loss of production for any reason has a direct impact on a company’s bottom-line.  Whether due to an outdated, unreliable platform, poor configuration, unprepared support staff, or insecure technology allowing for system breaches – many factors can affect production.  Be sure to utilize an OT specialist with the experience to reach your maximum production output.

Safety

Securing proprietary information is a major concern with any corporate IT network.  But cybersecurity is equally (if not more) important for a facility’s Industrial Control Systems.  In past years, many have taken the “air gap” approach to securing their OT control systems – keeping any production equipment separated from Internet-connected Enterprise equipment.  In theory – and in a time before flash drives and smartphones – this was enough to mitigate operational risks.  But, as consumer technologies emerged, so too did many large-scale security breaches affecting Industrial Control Systems. 

Air gapped systems that were not physically connected to the Internet would run on outdated security patches because they were seemingly “secure.”  With the advent of devices like flash drives and smartphones, however, control systems around the globe became vulnerable.  Cyber-attacks could now halt production, disable critical safety systems, or result in catastrophic loss simply by altering production readings.

Having a team of Globally Certified Cybersecurity Experts at your fingertips is now vital for any industrial environment.

Skillset

While the fundamental principles of IT networks are shared with OT networks, Industrial Control Systems require a much more specialized set of skills to implement and maintain.  For starters, the environments of the two are vastly different.  IT networks are often climate-controlled in office environments, whereas OT networks can be exposed to extreme elements and process environments.

More importantly, what sets OT professionals apart is their knowledge of how to implement specific industry processes, using a range of industrial controls across multiple platforms.  Lastly, they must use this knowledge to make everything communicate in an efficient, reliable, and intuitive manner.

With vast experience across numerous industries, platforms and technologies, Champion’s OT professionals deliver on this expertise.

Cost of Ownership

The natural lifecycle of IT versus OT lends itself to completely different budget approaches.  While IT environments typically change every 12-18 months, OT environments can last 10-15 years or more – if they are properly designed and maintained.

The key to enabling Industrial Control Systems for the extended durations is proper maintenance and support.  In addition to cybersecurity risk mitigation, including budgetary funds for preventive maintenance and support is essential in any OT environment.  As a system ages, it is key to provide regular security patches, scheduled backups, and a supply of spare parts to achieve the greatest production output.

Champion’s knowledge of these items, paired with our 24UP Support Solutions, allows customers to tailor specific needs into one easily-predictable budgetary plan.

Compliance

Another unique difference between IT and OT is the types of compliance each must meet.  Industrial Control processes are typically subject to far more scrutiny due to their ability to impact more than a corporate entity; if improperly maintained, a process can harm employees, communities, or the environment.  For this reason, it is imperative that OT systems function correctly and reliably.

OT networks continuously monitor process stages, operating temperatures and pressures, environmental emissions, leaks, or any other number of factors associated with the facility.  Having reliable systems in place not only raises overall safety; it also allows companies to provide real-time or historic reporting to compliance agencies, such as the EPA, DEQ, FDA, or OSHA.

Champion engineers and professionals hold the experience necessary to implement the reliable OT systems our customers demand.

3 Reasons an “Air Gap” is Not Good Enough

Is an Air-Gap “Good Enough” to keep your Industrial Control System secure?  Short answer:  No.

And here’s why…

“Security by isolation” or air-gapping previously worked in Operational Technology (OT) environments when OT and IT were completely isolated from one another. Many older systems based on PLCs and SCADA were built without cybersecurity in mind. OT and IT are now converging as organizations embrace the digital transformation, and security experts are now declaring the air gap dead as security by isolation is not a long-term solution for protecting OT assets.

Air Gapping an OT system has very limited value in today’s constant technological advances. It can no longer be used as a sole security solution in the long term for three reasons:

  • It causes organizations to miss out on valuable data.
  • It is more costly and difficult for maintenance and repairs.
  • It is more prone to security breaches than a “connected” OT system.

Missing out on Data

While air-gapped OT systems can minimize risks, organizations are not able to benefit from the highly valuable data these systems generate. Data analyzed in real time can provide business intelligence to cut costs, reduce downtime, and improve efficiency. These opportunity costs outweigh air-gapping as a viable cyber security measure.

Higher Maintenance Costs

Maintaining air-gapped OT systems is more expensive and difficult because the engineering tools of a connected system cannot be used to perform routine maintenance or troubleshoot problems.  It also prevents the system from receiving secure remote support by technical experts. Without remote access, facilities experience higher support costs and increased downtime. The reality is that even a properly air-gapped system is not completely protected; every system is a potential breach target, and even air-gapped systems can be infiltrated. Organizations must engage in active monitoring and security measures to mitigate the risks.

Reduced Security

Air Gaps can be physically breached by a third-party networked laptop, USB drive, removable media, smartphone, or other devices. Allowing OT systems to connect with these devices creates vulnerabilities that air gapping cannot protect against. Air gapping makes it difficult for users to move back and forth between the air-gapped device and network-connected devices. For ease of use, an individual may use an unsecure USB drive to transfer data which could compromise an air-gapped system.

OT infrastructure is only as secure as the user operating the devices. An openly accessible USB port can serve as an entry route for malware. Smartphones provide another convenient route to cross air gaps when switched to Wi-Fi hotspot mode. The Wi-Fi hotspots can also be used as an entry point by hackers or those with ill intentions.  

FUN FACT: 
90+% of randomly found USB drives are picked up by the casual person and more than half are plugged into a PC.

Source: Kaspersky

Why your OT control systems can’t afford cybersecurity shortcuts:

OT cyber-attacks are more dangerous in nature. An OT attack can pose risks to operational and safety systems, employees, plant, and environment. Because the outcome of an OT cyber-attack is more catastrophic, it is essential that organizations prioritize cybersecurity. While air gapping provides some security, it is not the best option to select in the competitive marketplace.

Air gapped control systems are also more vulnerable because they don’t easily receive the latest Windows security patches and are therefore usually neglected. As new virus threats emerge, the OT system will likely be unprotected, unlike its Enterprise counterpart.

We must accept the fact that air gapping as a security control is no longer a valid option.  IT and OT will continue to converge, rendering air gapping useless. Facilities should take advantage of the opportunities from integrated technologies to reduce costs and downtime while improving efficiency. While doing so, they must prioritize OT security to lessen the risk and still capitalize on the advantages of a connected IT and OT world.

Has your facility taken steps to prevent unnecessary downtime?

You may have experienced it before:

  • Your operator experiences an abnormal situation that costs you production time, and your in-house staff is too busy to identify the REAL root cause.
  • Extended downtime because a critical part of your control system fails but you don’t have a replacement.
  • You are striving for maximum uptime and production, but your control system is not allowing you to reach your goals.
  • Your control system reaches end-of-life and you can’t get support.

The list goes on…

How can you proactively address these issues while ensuring that your control system is not an impediment in reaching your goals?

Consider partnering with a solution provider who specializes in keeping your control system functioning as intended so your team can overcome today’s toughest challenges.

24UP® is Champion’s premier Industrial Control System, Operational Technology and Industrial Cybersecurity support solution led by the experts who have seen it all, supported by the company you’ve come to trust.  Clients rely on 24UP® support to ensure a proactive response to issues that often arise but are not often considered – or that they simply haven’t had the time to address.

Whether simply providing you with the tools to be prepared for unexpected challenges, or being your primary provider of maintenance and 24/7 emergency support – we work with you to tailor a plan that fits your needs and budget. Your company’s 24UP® support solution could include as few or as many of the services that help you achieve your goals, including:

  • PREVENTIVE MAINTENANCE  such as routine Control System hardware and system diagnostics, backups and imaging, and other preventative maintenance services
  • ASSET MANAGEMENT  such as critical spare parts assessments, inventory and the services to replace the parts that keep you up at night
  • 24/7 SUPPORT  for general maintenance or simply staff augmentation to provide reliability and flexibility
  • CYBERSECURITY MAINTENANCE  services such as scheduled audits to help identify your OT system vulnerabilities and implement solutions to protect you from the ever evolving cyber threats
  • PROCEDURE & DOCUMENTATION  to enable your team to perform simple control system maintenance while of formal training

Do you have cost effective support for your multivendor install base?

Is your industrial control system comprised of multiple manufacturers or platforms?  Do you know which service team to call when an issue arises?  Original Equipment Manufacturers (OEMs) can offer support on their products but often come up short in environments where their equipment is integrated with other “unsupported” equipment.

This is where a System Integrator comes in.  Champion, with expertise in every major industrial control system, supports all parts of your facility’s systems under one agreement tailored to your specific needs.  Typically, response times are quicker than a manufacturer’s would be thanks to the extent and experience of our team.  Combined with our Secure Remote Support technology offerings, we are able to provide you services anywhere at any time.

Whether your facility already has in-house support staff, or requires a primary support contact, Champion can offer guaranteed response times based on your needs.  Industrial clients can also benefit from our multi-vendor support by receiving unbiased recommendations about system upgrades, network configuration, cybersecurity, and more.

Lastly, Champion’s 24UP® Support Solutions often save clients money over multiple OEM service contracts or in-house support staff with a ‘one stop shop’ support solution for your industrial control systems and Operational Technology (OT) assets. So whether you prefer a secondary support option or a full umbrella of support, we can tailor and provide the right solution for your needs and budget.

Ask for a free quote, or schedule a consultation today!

The Top 3 Benefits of a Third-Party Cybersecurity Assessment

Most companies are not compliant with mandatory industry or governmental guidance and regulations relating to their cybersecurity practices. In fact, only 23% of companies who participated in a 2018 Kaspersky study report that they meet the standards. [1]

Even further, 56% of companies say they will increase their cybersecurity budgets in the next year due to potential incidents and risks associated with their current infrastructure and policies. [1]

One of the first investments your organization can make is to perform a Cyber Criticality Assessment. A Cyber Criticality Assessment is a process that allows organizations to identify general threats and determine the worst-case impact (whether Financial, Safety, Health, Environmental, or otherwise) of devices/software becoming unavailable, unreliable, or compromised. The assessment process includes a survey, a vulnerability assessment, and a risk assessment to allow your organization to determine the severity of the consequences should a device or network not perform as intended.

While teams in your organization could perform a cybersecurity assessment internally, there are key benefits from inviting a professionally certified, expert third party to perform this task for you.

1. Unbiased approach to your system.

Third-Party Assessment teams, who do not represent any hardware or software manufacturers, take an unbiased approach to your system. While internal teams may have critical knowledge of your control system and may have even designed it, third-party assessors can see the high-level view of your control system as well as the minute parts of it. They will see gaps in a system that internal teams can miss.

This is doubly important when it comes to Operational Technology (OT) and Industrial Control Systems (ICS) because all control system manufacturers have their own products and solutions for implementation. An unbiased third-party assessment team, especially one with a deep understanding of OT systems can connect manufacturer solutions with industry best-practices for solutions that fit your requirements.

2. Cybersecurity experts with the necessary background are difficult, if not impossible, to find.

The cybersecurity industry is expanding and growing at an astounding rate, and the demand for qualified and experienced professionals is fierce. Even when they can’t find qualified professionals to hire, many companies are still hesitant to hire outside help. According to a Kaspersky study released in 2018, 92% of companies who participated prefer to maintain in-house OT and ICS cybersecurity personnel [1]. At the same time, 58% of companies find it difficult to find and hire employees with the necessary skills to address their organization’s OT/ICS cybersecurity challenges [1].

  • Is your company in a position to contribute resources to compete in the cybersecurity hiring market?
  • Is your company willing to be responsible for the cost of ongoing training, specialization, and other costs that come with hiring full-time personnel?
  • Does your company have the time and capacity to invest in a ground-up OT/ICS cybersecurity program from within?

If not, you might consider working with a third-party OT/ICS cybersecurity team who has the expertise to do the bulk of the work for you.

3. IT vs. OT – It’s not a competition, it’s a complementary approach.

Cooperation and collaboration between OT and Information Technology (IT) is critical for your company’s complete, comprehensive cybersecurity investment. But does your IT team have OT knowledge and expertise?

A third-party assessment team with an OT/ICS background can connect manufacturer products and solutions with industry best practices and methodologies that meet your requirements. They fill in the OT knowledge gaps that your IT team may have. For example, assessors with OT backgrounds can provide insight on which of the control hardware your system uses meets ISASecure® standards [2]. This is especially critical if your control system uses hardware and software from many different manufacturers.

A top-rated cybersecurity team with both IT and OT backgrounds can help to ensure that your cybersecurity assessment includes all aspects of your control system and business networks while working with your already-established IT team.

If you’re interested in learning more about Cybersecurity System Assessments for your system and establishing a strong foundation for your company’s cybersecurity policies and procedures, click here to reach out to Champion’s team of cybersecurity experts.

Contact an expert today!

Champion Technology Services, Inc. is an industrial control systems integrator that provides cybersecurity services across the United States and abroad. Our team includes ISA/IEC 62443 Cybersecurity Experts and GICSP (Global Industrial Cyber Security Professional)-certified professionals. We help small, medium, and large companies assess their existing control systems and implement cybersecurity protocols that meet their facility’s requirements while maintaining our status as an unbiased third-party cybersecurity solution provider.


References:

[1] Kaspersky, “2018-Kaspersky-ICS-Whitepaper.pdf,” 2019. [Online]. Available: https://ics.kaspersky.com/media/2018-Kaspersky-ICS-Whitepaper.pdf 

[2] ISA, [Online]. Available: https://www.isasecure.org/en-US/Certification 

[3] Savoy Stewart, “firms-investment-on-cyber-security-by-industry,” [Online]. Available: https://www.savoystewart.co.uk/blog/firms-investment-on-cyber-security-by-industry 

Safe and Sound Delivery

Your control system is only as secure as your files.

Moving data is imperative to a successful business. Whether it’s from one area of your organization to another or to an outside party, transferring information and files is part of everyday work. But if that information is particularly sensitive or proprietary, certain precautions must be taken to ensure it is protected from being compromised.

Types of data that should be securely transferred:

  • Proprietary Data – any data that must be kept private for confidential, competitive or other business reasons. This sensitive data can be your company’s internal knowledge base, plans, communications, recipes, processes, financials, or other intellectual property.
  • Customer Data – any information owned by your customers that you use to do work for them. This may include batch recipes, processes, report results, etc.

Understanding the threats

The same threats that face the general business IT system can also infiltrate the Operational Technology (OT) system, which is the backbone of the facility. Threats to information come in many forms and usually arise from a lack of diligence or knowledge about how to properly move information from place to place.

The impact? Risk of exposure. All threats to your network have the potential of stealing information that is vital to your business. This includes theft of intellectual property, identity, and information; sabotage; and even extortion of information. These threats include viruses, worms, trojans, bots, spyware, malware, ransomware, scareware, social engineering, and media attacks.

  • Unintentional Disclosure of Information – malicious programs can cause your data to be shared or seen by parties for which it was not intended. Data can be skimmed, intercepted, and used as ransom.
  • Compromised File Integrity – the loss or inability to maintain file integrity. Any file that can be modified poses a security risk. Files can be intercepted and modified with malicious macros. What may look like a normal file, transferred by email or an FTP site, may now be a threat.
  • At-risk Channels of Operation – the security of an entire operational technology (OT) network and control system, including all devices, is at risk. Compromised files and PCs (configuration files, OT network devices files, firewalls) can wreak havoc on the overall health and function of the control system and the operation of the facility.

Distributing proprietary information safely

With these risks in mind, what is the best way to share files? The following scenario provides a glimpse of best practices in the real world.

An operator at a chemical plant has pulled a report of emissions data. The report must be delivered to the operator’s supervisor and the state regulatory agency. This data is proprietary to the company, but it must be reported by law.

How does the file get transferred to its proper recipients, internally and outside the company?

Internal Delivery

The data from the PLC is collected by the historian into a spreadsheet file which is used to generate the emissions report. All this occurs in the Operational Technology (OT) environment, not the business IT network. The operator can safely move the report from the OT network file server to the IT network server using Windows File Sharing with security and authentication enabled.

Any time data transits security zones (e.g., OT and IT), it must be subjected to security controls, including but not limited to, authentication, threat inspection, integrity validation, information sanitation, etc.
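One way to implement the integrity-validation and sanitization step for a report crossing from the OT file server to the IT server, as an added example (not Champion's own code): the OT side writes an HMAC-authenticated manifest, and the IT side refuses the file unless the tag, file type, size and hash all check out. The function names, the extension allowlist and the shared key are assumptions for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption: types the receiving zone accepts; macro-capable formats (.xlsm, .docm) are excluded.
ALLOWED_SUFFIXES = {".csv", ".pdf", ".xlsx"}

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # fine for report-sized files

def make_manifest(path: Path, key: bytes) -> dict:
    """OT side: record name, size and hash, then authenticate the record with HMAC-SHA256."""
    body = {"name": path.name, "size": path.stat().st_size, "sha256": sha256_file(path)}
    canonical = json.dumps(body, sort_keys=True).encode()
    return {**body, "tag": hmac.new(key, canonical, hashlib.sha256).hexdigest()}

def verify_transfer(path: Path, manifest: dict, key: bytes) -> tuple[bool, str]:
    """IT side: accept the file only if the manifest is authentic and the file matches it."""
    body = {k: manifest.get(k) for k in ("name", "size", "sha256")}
    canonical = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("tag", ""))):
        return False, "manifest tag invalid"
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        return False, "file type not allowed across zones"
    if path.name != body["name"] or path.stat().st_size != body["size"]:
        return False, "name or size mismatch"
    if not hmac.compare_digest(sha256_file(path), body["sha256"]):
        return False, "content hash mismatch"
    return True, "accepted"

def demo() -> list[tuple[bool, str]]:
    key = b"constructed-demo-key"  # constructed; a real key comes from a secrets store
    with tempfile.TemporaryDirectory() as tmp:
        report = Path(tmp) / "emissions_report.csv"  # constructed sample report
        report.write_text("timestamp,stack,nox_ppm\n2024-01-01T00:00,A,12.4\n")
        manifest = make_manifest(report, key)
        results = [verify_transfer(report, manifest, key)]  # untouched file
        report.write_text("timestamp,stack,nox_ppm\n2024-01-01T00:00,A,02.4\n")  # altered, same size
        results.append(verify_transfer(report, manifest, key))
        forged = {**manifest, "sha256": sha256_file(report)}  # hash swapped without the key
        results.append(verify_transfer(report, forged, key))
    return results

if __name__ == "__main__":
    print(demo())
```

A plain hash published next to the file would not catch the third case, because whoever alters the file can also replace the hash; the keyed tag is what ties the manifest to the OT sender.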

Once the file is on the IT network server, the report can be delivered internally per the company’s established protocol. This can be by email (if permitted) or by internal file server or an approved cloud service.

Why not just put the report on a jump drive from the OT device then load it onto the operator’s computer? Because this method yields a greater opportunity for risk. Jump drive use provides the opportunity to connect to less secure zones and unauthorized machines. This means that malware has more opportunities to be installed on this drive.

Additionally, by using Intrusion Detection Systems and Security Information and Event Management systems, it’s possible to record, correlate and alert based on activity on the network.

External Delivery

Once data leaves company-controlled servers, it enters malicious territory and becomes more vulnerable. Delivering files externally must be done in a way that ensures the information gets to its final point intact and without being exposed to the wrong parties.

Using a Managed File Transfer System will ensure end-to-end security and encryption for the data.

Managed File Transfer Advantages:

  • Secure from end-to-end (from sender to receiver).
  • Limits admission to only those meant to have access.
  • Interaction with a hosted file is logged and auditable – data is captured showing who viewed, downloaded, changed, or uploaded the file, and when.
  • Helps facilitate large file transfers (little to no restriction on file sizes).
  • Users can request files to be sent to them from outside sources securely.

 

File sharing bad habits are dangerous if not used correctly

These data transfer shortcuts are dangerous to your organization if not used properly.

TRANSFER METHOD – BEST PRACTICES

  • Email with attached file – Limit to non-sensitive information only. Emails can be forwarded without any control as to who sees it.
  • Jump drives – Drives should be scanned for threats before each usage by a dedicated machine.
  • Commercial cloud sharing sites – Never use a personal cloud site. Use ONLY those managed by your company and deemed safe.

Mitigating cyber threats

Champion has the expertise and knowledge base to help you build a secure file transfer system that aligns with industry best practices and guidelines. Here are a few ways Champion can help make your OT systems more secure.

  • Perform Cybersecurity Risk Assessment.
  • Install anti-virus software and keep it up to date.
  • Install firewalls to create security zones and establish a DMZ between OT and IT networks.
  • Deploy a SIEM (Security Information and Event Management) system to capture instances of bad habits, jump drive use, and user activity in order to identify threats.
  • Establish an Industrial Intrusion Detection System to monitor access and traffic to and from ICS and alert to abnormal activity.
  • Train employees on security best practices.
