ARC recently spent the week at Honeywell User Group Americas conference 2019 at the Hilton Anatole in Dallas. This year's HUG set another attendance record, and Honeywell had more cybersecurity content at this year’s HUG than ever. Honeywell Process Solutions has five primary offerings in ICS cybersecurity that were all on display at HUG, including:
- ICS Shield is based on technology from Honeywell’s acquisition of NextNine in 2017. ICS Shield provides remote access capability to secure field assets through a single Security Operations Center (SOC), performs asset discovery, monitoring, and patching, and automates deployment and enforcement of plant-wide security policies.
- Industrial Cybersecurity Risk Manager software collects information across installed assets including network infrastructure equipment to calculate risk scores which are presented through easy to read dashboards and visualization tools. Highest risk areas are then easier to spot for prioritization and resolution.
- Secure Media Exchange (SMX) is Honeywell’s solution for scanning USB media for threats and enforcing the use of properly validated USB drives on protected systems. In a session on the SMX roadmap, Honeywell announced that it plans to take the threat intelligence capabilities of SMX and expand it to one that is more system-wide in nature.
- Managed Security Services (MSS) provides turn-key security operations management for customers who prefer to augment or outsource their in-house capability with improved visibility into potential threats, extended multi-vendor support, and 24x7 coverage through global security operations centers (SOCs) located in Singapore, Bucharest, and Houston.
- Security Consulting Services consists of many highly specialized offerings that customers can leverage to better secure their environments. In addition to several types of assessments provided, companies can engage the Honeywell team in architecture design reviews and test various scenarios in one of 3 labs available globally in Atlanta, Dubai, and Singapore.
With the introduction of Honeywell Forge, which is probably the most ambitious software strategy launch in the company’s history, a unified suite of enterprise performance management tools is now available on top of the Experion offering. Honeywell did inform ARC that a Forge-based offering for cybersecurity would be on the near horizon, but an official announcement on the details around Forge and cybersecurity will come later this year. In the meantime, the Honeywell Forge web page has a section on cybersecurity that you can already check out here that includes a case study from end-user client Total.
Honeywell’s Most Important Cybersecurity Resource: People
However, it was not the products that stood out at HUG, but the people. The company has added a lot of experienced cybersecurity professionals over the past few years, and at this year’s HUG they had many of these people leading sessions and panel discussions to share their knowledge and spread the word about Honeywell’s offerings. Topics ranged from USB security to threat intelligence and penetration testing, and it really was a much more comprehensive cybersecurity track than we have seen at any HUG in the past.
The first of these was an open discussion with Eric Knapp, Chief Engineer, Cyber Security Solutions and Technology, on the operationalization of cybersecurity in industrial plants, balancing response, and protection. Eric was then joined by well-known ICS cybersecurity pioneer Eric Byres and Honeywell senior strategy manager Rusty Gavin for a discussion on threat intelligence. Mr. Byres now runs a company called aDolus, which is providing a framework of trust to prevent the installation of counterfeit software and firmware. There was no official mention made of any kind of alliance between aDolus and Honeywell Process Solutions but given the content of the discussion, we can probably look forward to a joint solution from aDolus and Honeywell soon.
Honeywell Consolidates Cybersecurity Expertise
In addition to the SOCs that Honeywell operates for Managed Security Services customers, the company has cybersecurity centers of excellence in Duluth, Georgia, and Dubai, UAE. The company also has significant expertise in Edmonton, AB, where Honeywell and several of these people were delivering sessions at HUG. Connor Leach and Jackson Evans-Davies, both penetration testers at Honeywell, gave a great workshop on ICS penetration testing and went through some informative scenarios on how cyber-attacks unfold.
Donovan Tindill, global marketing manager and cybersecurity SME for Honeywell Connected Enterprise (HCE) Industrial Cybersecurity, gave a particularly good introduction to the overall landscape of industrial cybersecurity from the perspective of a large automation supplier. Mr. Tindill’s presentation was followed by an open panel discussion moderated by Jarmo Salminen of Georgia Pacific and included Honeywell’s Mark Littlejohn, Mike Spear, and Owen Sillett of Honeywell Process Solutions.
End Users Need to Drive Cybersecurity into the Selection Process
What was particularly interesting about Mr. Tindill’s presentation was the statistic that really illustrates the disconnect between automation project groups, the project engineering process within plants, and industrial cybersecurity. According to the statistic, out of the almost 1,700 upgrade (or migration) projects that Honeywell conducted in 2017 and 2018, only 12 percent of those projects included any additional HPS cybersecurity products or consulting services in the scope. Out of the 1,400 upgrades planned in 2019, only 8% of customers have specified additional HPS cybersecurity products or consulting services in the scope.
There are missed opportunities to enhance cybersecurity with the daily management of change (MoC) processes, product selection, RFP specification, design & engineering, configuration, and both planned and unplanned outages. A control systems upgrade provides the most cost-effective and easiest opportunity to make significant cybersecurity improvements.
ARC has also found this to be true with our own experience in assisting end users with supplier selection projects.
Cybersecurity is often missing, or an afterthought, in the process automation system selection process for a modernization project. End users instead tend to focus on replacing like for like functionality within the system, and we believe this is a mistake. Relevant cybersecurity criteria should absolutely be part of any supplier selection process, whether it is a new project or a migration/modernization/upgrade.