For end users in the process industries, cybersecurity concerns permeate all the way down to the sensor level and throughout many plant work processes and procedures. Emerson recently had a chance to showcase the company’s cybersecurity knowledge and offerings at the Emerson Exchange end user conference in San Antonio. While the overall message focused on digital transformation, cybersecurity was a common element, since this needs to be considered at many levels within the control hierarchy and across the organization.
Cybersecurity: An Essential Element of Digital Transformation
Emerson Exchange, which seems to get bigger every year, attracted over 3,000 attendees this year. The return to growth of the oil & gas and other process industries provided an upbeat environment. Mike Train, current Executive President of Emerson Automation Solutions, keynoted the event by expounding on the growth in the process industries. He referred to the many shelved projects coming back online, rising oil prices, and accelerated adoption of new technologies that support digital transformation. Mr. Train then passed the torch on to his successor, Lal Karsanbhai, who will become Executive President of Emerson Automation Solutions, while Mike will assume the role of President at Emerson.
Digital transformation was the big theme at this event. With Emerson’s new Version 14 of its DeltaV distributed control system, the company has added capabilities for doing complete digital transformation readiness assessments and consulting services. These include providing the end user with a complete road map that includes smart digital instrumentation, DeltaV process automation systems, DeltaV electronic marshalling with CHARMs solutions, cybersecurity solutions, and other Emerson offerings.
ARC Advisory Group heard a strong cybersecurity message throughout the many presentations and press conferences that we attended. Day Two of the Exchange featured a well-attended press conference with top management from Emerson Automation Solutions. Emerson Automation Solutions CTO, Peter Zornio, stressed the importance of cybersecurity as he outlined the company’s overall strategy for digital transformation. This includes building cyber and physical security into products from the beginning, as well as providing a “secure first mile” from the sensor level to control applications.
Safety and security are major components of Emerson’s digital transformation readiness assessment model. The company also recognizes the overlap between cybersecurity, process safety, personnel safety, physical security, and alarm management. The fact that Emerson recently acquired alarm management supplier, ProSys, certainly helps demonstrate this.
Secure Development Process/Certification Panel Discussion with Emerson and exida
The Emerson development sites in Austin, Texas in the US and Manila in the Philippines were recently certified ISASecure SDLA (Security Development Lifecycle Assurance) Level 1 through joint efforts with exida, which validated and performed the certification process. Both the DeltaV and DeltaV SIS products will be ISASecure SSA Level 1-certified once the v14.3 Feature Pack 1 is released. This includes ISASecure Secure Development Lifecycle Assurance (SDLA) Level 1 for the processes used to develop all new code introduced in DeltaV version 14. As part of the certification process, exida had to validate the revised development procedures, validate application of security development processes, and verify system security features and functions, among other things.
President of exida, Bill Goble, participated in this panel discussion along with Mike Lester, the new Director of Cybersecurity Strategy at Emerson Automation Solutions; and Alexandre Peixoto, Emerson Automation Solutions’ DeltaV Product Marketing Manager for Cybersecurity. Rick Gorskie, Emerson Global Sales Manager for Cybersecurity Solutions, moderated the discussion, which also touched on cybersecurity governance and procedures.
When certifying suppliers from a cybersecurity perspective, exida uses techniques and procedures for secure development learned from the safety development lifecycle. The company now applies this knowledge to cybersecurity and is an accredited certification body (per ANSI) for ISASecure certifications.
DeltaV Cybersecurity and Physical Security Features
As we learned, both the DeltaV process control system and DeltaV SIS have many embedded cyber and physical security features. Over the past two years, Emerson has built in several new cybersecurity features for DeltaV. These include the ability to lock down DeltaV embedded nodes, Authenticode secure digital file signature capabilities, and secure remote access policies and procedures. Some of the more recent enhancements include enhancements to DeltaV Smart Switches, which now feature automated security event reporting capabilities for things like abnormally high network traffic or unauthorized access to locked ports. DeltaV Smart Switches also have auto lockdown capabilities to prevent unauthorized access to the network.
The relationship between cybersecurity and process safety systems has attracted a lot of attention due to recent malware attacks specifically designed to affect these systems. Emerson actively addressed the topic of separate versus integrated control and safety systems and the key steps that should be taken to ensure that process safety systems are cyber secure. DeltaV product marketing managers, Sergio Diaz and Alexandre Peixoto, delivered an excellent presentation on some of the benefits and challenges of an integrated approach to process control and safety. They also discussed the leading cyber threats to process safety systems and what end users can do to mitigate those threats.
In the wake of the TRITON attack on a competitor’s control system, Emerson has placed even more emphasis on both physical and cybersecurity for its process safety systems, including secure write mechanisms, lockdown capabilities, physical key switches, and other features.
New Plant Turnaround Services Focus on Cybersecurity
Emerson announced new capabilities for plant turnaround services at Exchange. This has been a focus area for the company for many years, particularly its significant control valve business, since much of the work during a maintenance turnaround involves valves. Building on its already considerable capabilities here, Emerson plans to take a more consultative approach by working closely with the end user to ensure that turnarounds are planned and executed properly, and objectives met on schedule.
Many refineries and continuous process plants only do turnarounds every five to seven years, with some facilities going even longer. Most turnaround projects fail to meet their deadlines. According to a recent ARC survey, lateness in completing turnaround projects is one of the largest sources of unplanned downtime for the process industries.
Cybersecurity, however, is one key aspect of turnaround projects that most suppliers and service providers don’t talk about much. During turnarounds, many third-party contractors are on site; many are connecting to plant networks, field networks, and control systems. End users need to ensure that only trusted partners with secure connections have access to these networks. Many end users are also putting “geofencing” policies in place, where third-party contractors are restricted from entering certain parts of the plant. Emerson’s new generation of Location Awareness geolocation tags, introduced at the Exchange, can be used to keep track of contractors on plant sites, making it easier to implement geofencing policies.
Based on what we learned at the recent Emerson Exchange, it’s clear that Emerson Automation Solutions understands the value of cybersecurity to its customers. It was good to see so many cybersecurity-focused sessions at a major user group meeting. The accelerated adoption of digital transformation strategies and IoT technologies only underscores the need for increased cybersecurity, which should be a major part of any digital transformation program. Cybersecurity-related criteria should also be part of any selection process, whether it’s a process automation system, safety system, intelligent sensors, or valves.
ARC Advisory Group clients can view the complete report at ARC Client Portal
If you would like to buy this report or obtain information about how to become a client, please Contact Us
Keywords: Emerson Exchange, ICS Cybersecurity, ISASecure, Secure Development Lifecycle, Turnarounds, Safety Location, Plantweb, Digital Transformation, ARC Advisory Group.