
Cybersecurity Guidebook for Process Control

A practical guide to what you should start, stop, and continue doing to protect your assets from cybersecurity threats.
Take the Next Steps with Cybersecurity Together

Over the past decades, process industry manufacturers and suppliers have accomplished incredible scientific and technological advancements in the products and services our industries provide. Process industry operations comprise critical pieces of the global economy and infrastructure, like the energy needed to power our world, vital therapies and medications for patients in need, and agricultural products for food-insecure nations. As the demands of our industries have become more sophisticated, so has the complexity of operations – necessitating that legacy self-contained control systems are now connected to business networks and therefore, however indirectly, to the internet.

By leveraging the connectivity of the broader business network, manufacturers have revolutionized interconnected processes, but also encountered new risks to the safety, profitability and reliability of plant operations. Cybersecurity needs to be in every operational conversation not just today, but every day going forward.

An important factor in implementing a cybersecurity program is change management. Emerson’s cybersecurity leaders have compiled this brief guide based on the Start-Stop-Continue Change Management model to help you lead organizational change and take immediate steps to make your operations more secure. Every organization is at a different point in the cybersecurity journey. While not all points will reflect where you are in your journey, take this guide as a reminder to continue that evolution to a cybersecurity-aware organization.

Hackers aren’t standing still—attacks are becoming more sophisticated. Our systems and operational practices must evolve to stay ahead of the potential threats and malware. Let’s start taking the right steps today to ensure the security and thereby the reliability of our industry’s control systems and plant operations.

James (Jamie) Froedge
President, Process Systems and Solutions, Emerson

Emerson supports the adoption of the IEC 62443 family of cybersecurity standards

The IEC 62443 is a family of standards that defines requirements for how a distributed control system (DCS) should be developed, deployed, and maintained to dramatically enhance the cybersecurity of the installed system. Cybersecurity is as important in today’s climate as safety. And, in many ways, this standard is similar to what is currently required for Safety Instrumented Systems for safety certification.

Following the requirements defined in the IEC 62443 standards, Emerson has trained its DeltaV™ developers to create new secure products. We continue to harden the individual components of the automation system and have created system-wide capabilities, both internally and with partners, to better secure the automation system as a whole. In addition to protection that is integral with the system, it is imperative the end user has an active role to ensure security best practices are enforced in the DCS deployment at their site. This can be accomplished through, among other things, work processes, behaviors, lifecycle management, and training. The combination of all the above will result in a state-of-the-art cybersecure installation.

Adopt a Risk-based Approach to Cybersecurity

Organizations regularly evaluate the risks to their business and operations. Cybersecurity is an organizational risk that affects strategic, compliance, operational, financial and reputational risks. A risk-based approach to cybersecurity is not to protect against all threats to your control system, but to identify potential vulnerabilities and make a strategic decision based on the likelihood and impact of each vulnerability.

START Quantifying the extent of cyber risk. It pays to know where things could go wrong. While you can’t identify every eventuality, you can easily identify where the particularly vulnerable points exist. By becoming knowledgeable about the types of events, understanding the likelihood those events will happen, and the impact of those events, you can make more economical decisions on how to protect your control system, your business, and your people.

STOP Attacks before they start. Cybersecurity is not just about making sure that bad things don’t happen; it’s about ensuring your control system works as it should, 24 hours a day, 365 days a year. By employing physical, software-based, and administrative controls you can better ensure your system’s availability, integrity, and confidentiality. View cybersecurity as an opportunity to ensure that you keep your operations running smoothly, without costly, unintended shutdowns.

CONTINUE Using your current risk management process as you do for other aspects of your operations, like safety. Work within your organization and with experts to examine your networks and control system setup to identify risk areas. Generally, some of the easiest changes can go a long way toward making your system more secure and reducing your organizational risk.

Having a backup and recovery solution with onsite and offsite storage of the backup will reduce risk to your control system. Remember to regularly update your OT team’s cyber incident response plan. While not preventative, these plans help get operations back up and running faster.
Tighten System Access

Security measures can be cumbersome and may make limited security tempting, but attackers are counting on it. In many cases, massive shutdowns are caused by small malware infections on unsupported operating systems. Companies must be conscientious about their security policies to ensure they are raising strong cyber barriers.

START Simplifying and strengthening user access to critical systems. Consider deploying multi-factor authentication for user logons. Two-factor authentication systems can often be simpler for users than a complex single password, and are far more secure. Also, longer, easier to remember passwords (e.g. a group of short words or a passphrase) can be superior to shorter, more complex passwords since users will find them easier to type, remember, and not write down.

STOP Opportunities for intrusion. Limit single sign-on and group logons wherever possible. If single sign-on is a requirement in your industry, look for methods to implement it so that the bare minimum is exposed. Finding ways to eliminate shared accounts and elevated user access can mean sacrificing some flexibility, but these changes are worthwhile; shared accounts are prone to password theft - a more serious risk than many organizations anticipate.

CONTINUE Evaluating and monitoring privileged permissions. Remain vigilant and periodically evaluate the level of user-access granted to highly privileged users. Ensure they only have access to the minimum permissions they need to complete their job. It might be effective to enforce two-person rules for highly sensitive operations or decisions as well.

Today’s convenience shouldn’t become tomorrow’s crisis. Building a culture of security by creating and enforcing security best practices will help your employees realize they are a crucial part of keeping your operations safe and secure.

Establish Strong Policies

Even the most sophisticated, secure measures can be rendered useless in the face of simple, human error or lack of knowledge. Many devastating attacks are achieved through social engineering and phishing that enable corporate and control system networks to be infected. This is preventable with knowledgeable employees and strong administrative policies.

START Making it a point to arm your employees with knowledge. Education and training will help your employees understand the basics of cybersecurity, identify potential threats, and realize when they are being targeted. Emphasizing and enforcing strong password creation and management are critical to keeping your networks safe, as is following authentication policies for customers and employees.

STOP Peripheral-based exploits. USB ports left enabled create the possibility for human error when an unsuspecting employee plugs in a phone to charge or attaches a compromised thumb drive picked up from a vendor event. By disabling these ports and establishing and enforcing organizational policies, you can help limit your exposure.

CONTINUE Maintaining vigilance on physical security by locking down control system workstations and servers within dedicated rooms and cabinets. Companies must stay on top of their physical security systems; maintaining those systems and access management controls helps protect assets from unauthorized direct access.

Defense wins championships. By establishing and enforcing these administrative policies, you can prevent your control system from falling victim to unauthorized physical access or exposure to compromised media devices.
Protect yourself: Building the Right Cybersecurity Coverage

Start with an Assessment

Making your plant and control system cybersecure is an evolution and one that can be overwhelming. By conducting a plant risk assessment and leveraging that assessment, you can prioritize your cybersecurity implementation to strategically mitigate many risks upfront.

An assessment determines the readiness in each of seven key elements of cybersecurity, as shown by a radar plot. The closer the blue plot areas are to the outside edges the better the results of the assessment and the strength of a system’s overall security posture.

[Figure: radar plot, "Basic Cybersecurity Assessment Results". Axes: Network Security, Workstation Hardening, User Account Management, Patching, Perimeter Protection, Security Monitoring, Data Management.]

Improve Your Cybersecurity Posture

Adopt a Risk-based Approach to Cybersecurity: Risk assessments; Policies and procedures; Backup and recovery; Incident response plan

Tighten System Access: Two-factor authentication; User accounts management

Establish Strong Policies: Training; Physical security

Upgrade to a More Secure Control System: Request cybersecurity solutions; Cybersecurity posture; Patch management; Workstation hardening; Endpoint protection

Go Beyond Perimeter Protection: Network segmentation; Perimeter protection monitoring

Keep Remote Access in the Right Hands: Remote access management

Know Your Control System: SIEM; Network security monitoring
Upgrade to a More Secure Control System

We all know that downtime is costly, and we must make hard decisions to avoid it as much as possible. Timely patches and upgrades are a critical element of cyber defense. Recent malware and ransomware attacks around the globe have proven just how costly unprotected and outdated systems can be. Protecting your control system can help avoid putting your operations at risk.

START Requesting that vendors provide cybersecurity solutions as part of the bid specification for the control system. All modern control systems require cybersecurity measures beyond the basic process control system “Request to Quote” language. Have an assessment of your current cybersecurity practices and control system and learn how you can greatly improve your cybersecurity posture.

STOP Latent software vulnerabilities. Upgrading old control systems builds strong cyber barriers. Unsupported operating systems and older control systems may have inherent security vulnerabilities that have been designed out of modern automation systems. Demand that new system releases have cyber hardening features to provide additional defense-in-depth.

CONTINUE Applying patches, system updates, and new anti-virus signature files. While patching can be disruptive, it is a critical aspect of your operation and ensures that your control system is operating with the latest software updates. Those updates and patches include fixes and shore up vulnerable areas of the applications and operating system. Anti-virus is another critical aspect of protection that must be maintained so it can identify the latest system threats.

Most cybersecurity threats are avoidable. Look to the many options for automated patching and lifecycle cybersecurity services to eliminate the risk of having unprotected servers and workstations.

Go Beyond Perimeter Protection

Workstations and servers are potential entry points to the control system, especially if they are connected to the corporate business network. Targeted attacks assume that perimeter protection is in place and therefore use common protocols and known service ports to compromise control system components. How you connect your control systems to the corporate network matters.

START Using firewalls and network segmentation. A controller firewall further segments and protects your most critical control assets from Denial of Service attacks (among other things). Define clear security zones and DMZs. Start holding contractors and suppliers to the same security standards you expect from your own employees. Enforce your methodology for any connections to your internal systems.

STOP Hackers scanning for security gaps. Ensure firewall bypasses are opened only long enough for active testing and then immediately closed. Avoid providing direct Internet and email access on control system workstations and servers; all data coming from or going to the Internet should be made available through segmented networks with intermediate servers in demilitarized networks, and should be monitored at all times.

CONTINUE Deploying customizable, adaptable firewalls at the control system perimeter. Check firewall event logs and adjust rules accordingly. Continue defining and hardening network segmentation to protect and limit access to the very highest layers—particularly the control system. Constantly define and enforce security procedures for data flow at every network layer.

Hackers count on organizations forgetting the backdoors they’ve left open. Using the tools at your disposal, you can shut those doors and lock them tight, leaving hackers out in the cold.
Keep Remote Access in the Right Hands

Almost all control systems are deployed with some type of remote connectivity. But just because something is the norm, doesn’t mean it is a safe practice. Poorly controlled remote access is like leaving the keys in the lock of your front door. On systems where remote access is a must, make sure it is monitored and secure.

START Considering a dedicated remote access strategy incorporating mobile devices. Remote access should start with view-only permissions, and any commands that are required should be provided temporarily and only by exception in strategic instances. Write access (if needed) should only be allowed temporarily, and only under supervision of a local user. A remote engineer might be allowed to change the configuration, but it should require a local engineer to download and apply the change to the system.

STOP Easy remote access by intruders. When users require remote access to control systems, you can improve security by detailing policies and procedures for each deployment. Control system administrative permission or safety-related user access should never be allowed through a remote connection. Strong remote access policies provide significantly more protection than air-gapping.

CONTINUE Evaluating which users have the rights to remotely access your control system. Very few, if any, users should have permissions to log on remotely, and different accounts should be created for the same user—one for local highly privileged access and another for restricted remote access.

Knowing exactly when and how any mobile devices connect to your control system will put you in control. Remote access needs to be implemented securely, always requiring it to pass across the control system perimeter protection and jump servers traversing multiple layers of authentication for added security.

Know Your Control System

You have adopted a risk-based approach to cybersecurity, so you have a plan to prevent and deal with cyber incidents when they happen. But how will you know when to put those plans into action? By implementing comprehensive system monitoring, you will be able to identify threats or issues in their earliest stages as well as leverage that information for forensic purposes after an event.

START Implementing security monitoring. Active, continuous monitoring is crucial for understanding your control system’s baseline activity so you can identify anomalous events when they occur. Start with a Security Information and Event Monitoring (SIEM) solution that monitors syslog events from your firewalls, Windows events from your workstations, and SNMP monitoring of your switches. A SIEM is critical for intrusion detection, post-event forensics, and future threat prevention. Use the tools at your disposal to detect cyber-attacks as they start – before they can damage your control systems.

STOP Previously undetected intrusions. You need to be able to detect and respond to threats as quickly as possible, and that means having the right tools, staff, and procedures at your disposal. Tactical defense information is available in security events and log data. Analyze it to identify unwanted activity. Despite some claims, security devices are not “set-and-forget”. Intrusions go undiscovered if you are not monitoring – vigilance is essential to maintaining security.

CONTINUE Gradually improving monitoring, response, and forensic strategies. Move toward more advanced Network Security Monitoring of your control system’s network communications. If you already know what normal, expected activity looks like, then it is easier to know when something unexpected or malicious is happening.

After a breach, you need to react quickly and efficiently. To do that, it is critical to identify events as soon as possible. While events are not always malicious attacks, you want to prevent any abnormal activity that could result in downtime, accidents, or worse.
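
The baseline idea from "Know Your Control System", as an added example that is not part of the guidebook: flows the firewall accepted during a known-good window form the baseline, and later firewall syslog events are checked against it. The log format, host name, addresses, ports and the drop threshold are constructed assumptions, not output from any particular product.

```python
import re
from collections import Counter

# Constructed firewall syslog lines from a known-good learning window (not real traffic).
BASELINE_LOG = """\
Mar  3 08:00:01 fw-dcs kernel: ACCEPT SRC=10.4.0.21 DST=10.4.1.10 PROTO=TCP DPT=502
Mar  3 08:00:05 fw-dcs kernel: ACCEPT SRC=10.4.0.21 DST=10.4.1.11 PROTO=TCP DPT=502
Mar  3 08:01:00 fw-dcs kernel: ACCEPT SRC=10.4.0.30 DST=10.4.0.5 PROTO=UDP DPT=123
"""
# Constructed monitoring window: one known flow, one new source, two drops, one damaged line.
LIVE_LOG = """\
Mar  4 02:13:40 fw-dcs kernel: ACCEPT SRC=10.4.0.21 DST=10.4.1.10 PROTO=TCP DPT=502
Mar  4 02:13:44 fw-dcs kernel: ACCEPT SRC=10.4.0.77 DST=10.4.1.10 PROTO=TCP DPT=502
Mar  4 02:13:45 fw-dcs kernel: DROP SRC=10.4.0.77 DST=10.4.1.11 PROTO=TCP DPT=3389
Mar  4 02:13:46 fw-dcs kernel: DROP SRC=10.4.0.77 DST=10.4.1.12 PROTO=TCP DPT=3389
Mar  4 02:14:00 fw-dcs kernel: this line is truncated SRC=10.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s\S+:\s"
    r"(?P<action>ACCEPT|DROP)\s"
    r"SRC=(?P<src>[\d.]+)\sDST=(?P<dst>[\d.]+)\s"
    r"PROTO=(?P<proto>\w+)\sDPT=(?P<dpt>\d+)$"
)

def parse(log_text):
    """Return (events, unparsed). Lines that do not parse are kept for review, not dropped."""
    events, unparsed = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dpt"] = int(e["dpt"])
            events.append(e)
        elif line.strip():
            unparsed.append(line)
    return events, unparsed

def flow_key(e):
    return (e["src"], e["dst"], e["proto"], e["dpt"])

def build_baseline(events):
    """Baseline = set of flows the firewall accepted during the learning window."""
    return {flow_key(e) for e in events if e["action"] == "ACCEPT"}

def detect(events, baseline, drop_threshold=2):
    """Flag accepted flows absent from the baseline and sources with repeated drops."""
    alerts, drops = [], Counter()
    for e in events:
        if e["action"] == "ACCEPT" and flow_key(e) not in baseline:
            alerts.append(("new_flow", e["ts"], flow_key(e)))
        elif e["action"] == "DROP":
            drops[e["src"]] += 1
    for src, n in sorted(drops.items()):
        if n >= drop_threshold:
            alerts.append(("repeated_drops", src, n))
    return alerts

def run():
    """Learn from BASELINE_LOG, then check LIVE_LOG; returns (alerts, unparsed lines)."""
    base_events, _ = parse(BASELINE_LOG)
    live_events, unparsed = parse(LIVE_LOG)
    return detect(live_events, build_baseline(base_events)), unparsed

if __name__ == "__main__":
    print(run())
```

Unparsed lines are returned rather than discarded because a gap in log coverage is itself something the monitoring team needs to see.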

[Figure: diagram grouping cybersecurity offerings under four headings. Plant Security: Policies, Procedures, Training, Physical Security. Services and Support: Cybersecurity Assessments, Automated Patch Management, Upgrades, Guardian Support. Features and Setup: System Hardening, DeltaV Security Administration, Network Device Command Center, DeltaV Flex Lock, DeltaV User Manager, DeltaV and DeltaV SIS Lock Commands, Authenticode File Signing. Security Products: Emerson Smart Firewall, DeltaV Firewall-IPD, DeltaV Smart Switches, Layered Architecture, Endpoint Security, Application Whitelisting, SIEM, Network Monitoring, Backup and Recovery. Additional label: Attack Vectors.]

The Time for Cybersecurity is Now.


Cybersecurity threats are more prevalent than ever. Has your organization
taken the necessary steps to ensure it is protected from the next malware or
ransomware attack? Emerson has a comprehensive portfolio of cybersecurity
solutions and strategies aimed at helping you assess and reduce your risk level.
Begin building the foundation for a cybersecure future today.

Take the next step. Learn more at www.emerson.com/cybersecurity

Emerson
North America, Latin America: +1 800 833 8314 or +1 512 832 3774
Asia Pacific: +65 6777 8211
Europe, Middle East: +41 41 768 6111
www.emerson.com/cybersecurity

©2018, Emerson. All rights reserved.
The Emerson logo is a trademark and service mark of Emerson Electric Co. The DeltaV logo is a mark of one of the Emerson family of companies. All other marks are the property of their respective owners.
The contents of this publication are presented for informational purposes only, and while every effort has been made to ensure their accuracy, they are not to be construed as warranties or guarantees, express or implied, regarding the products or services described herein or their use or applicability. All sales are governed by our terms and conditions, which are available on request. We reserve the right to modify or improve the designs or specifications of our products at any time without notice.
