Emerson Exchange 365

Cybersecurity Technologies in the DeltaV System

Alexandre Peixoto and Rick Gorskie at Emerson Exchange

Cybersecurity remains a pressing concern for automation specialists across all industries and world areas. In a session on technologies for the DeltaV system that address cybersecurity, Emerson's Rick Gorskie and Alexandre Peixoto provided an update.

Alexandre opened with a look at what has been added since 2016. While the DeltaV controller firewall has been around for many years, the DeltaV Firewall IPD (Intrusion Protection Device) was introduced to replace it. It provides firewall functions on the DeltaV control network and protection against communications flooding from, for example, a virus-infected workstation on the network. When in a LOCKED state, DeltaV nodes on the network will not accept certain commands, including downloads, decommissioning, and upgrades.

All executable files now carry digital signatures so that tampering can be detected: any change to a file breaks its signature. Signing also simplifies whitelisting of the applications within a DeltaV system.

From a remote access perspective, two-factor authentication is required. Credentials are validated against Active Directory, and users establish a remote session via SSL authentication through firewalls.

For removable media such as USB sticks, the DeltaV system can disable USB ports, and any autorun features for files located on a USB stick, on all DeltaV workstations. One alternative is the Symantec BlueCoat ICSP, which scans the contents of a USB stick and signs the files.

DeltaV Smart Switches lock any unused network ports so that other network devices cannot be added without administrator approval. Secure Shell (SSH) has been added for accessing the switches for configuration, and ARP spoofing detection was also implemented to protect against man-in-the-middle attacks.
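To show what ARP spoofing detection of the kind just described checks for, here is an added example (not Emerson or DeltaV code) that replays constructed ARP replies against a binding table and flags a reply whose IP is already bound to a different MAC or switch port; the addresses, port names and static table are all assumptions.

```python
# Added example, not DeltaV or Emerson code: a minimal ARP-spoofing detector of the kind
# a managed switch or network monitor applies. Addresses, ports and frames are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    port: str          # switch port the reply arrived on


def detect_arp_spoofing(replies: List[ArpReply],
                        static_bindings: Optional[Dict[str, Tuple[str, str]]] = None) -> List[str]:
    """Return one alert per ARP reply that contradicts a known IP -> (MAC, port) binding.

    Bindings come from an operator-supplied static table (preferred for fixed control
    nodes such as controllers) and, failing that, from the first reply seen for an IP
    (a learned binding). A later reply whose MAC or ingress port differs from the
    binding is the pattern a man-in-the-middle via ARP spoofing produces."""
    bindings: Dict[str, Tuple[str, str]] = dict(static_bindings or {})
    alerts: List[str] = []
    for r in replies:
        bound = bindings.get(r.sender_ip)
        if bound is None:
            bindings[r.sender_ip] = (r.sender_mac, r.port)   # learn on first sight
            continue
        mac, port = bound
        if r.sender_mac != mac:
            alerts.append(f"{r.sender_ip}: MAC {r.sender_mac} on {r.port} "
                          f"contradicts binding {mac} on {port}")
        elif r.port != port:
            alerts.append(f"{r.sender_ip}: MAC {mac} moved from port {port} to port {r.port}")
    return alerts


# Constructed sample traffic: a workstation and a controller answer normally, then a
# third node on another port claims the controller's IP with its own MAC.
SAMPLE_REPLIES = [
    ArpReply("10.4.0.10", "00:11:22:33:44:01", "gi1/1"),
    ArpReply("10.4.0.20", "00:11:22:33:44:02", "gi1/2"),
    ArpReply("10.4.0.10", "00:11:22:33:44:01", "gi1/1"),
    ArpReply("10.4.0.20", "00:11:22:33:44:99", "gi1/7"),
]

# Static binding for the controller (assumed values), so it never relies on learning.
STATIC_BINDINGS = {"10.4.0.20": ("00:11:22:33:44:02", "gi1/2")}

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, STATIC_BINDINGS):
        print("ALERT", alert)
```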

Industrial network firewalls, such as the Tofino Xenon, can be used at the lower-level connections to devices running Modbus, Ethernet/IP, and other digital protocols.

Alexandre next switched to what is coming in v14.3. He described the Independent DeltaV Domain Controller, which is separate from the DeltaV Professional Plus and other DeltaV workstations. This independent domain controller provides a more secure installation option for DeltaV systems. It allows standard Microsoft Windows security solutions to be applied to DeltaV systems and provides a tested and supported DeltaV security solution. Another big advantage is that this domain controller can be virtualized. To get the settings right, a setup application is being developed that walks through the steps to configure it successfully.

Cybersecurity certifications include Achilles Level 2 certification for embedded DeltaV nodes. From the ISASecure System Security Assurance (SSA) standpoint, the plan for v14.3 is to have DeltaV and DeltaV SIS products certified to ISASecure SSA Level 1, which includes System Robustness Testing (SRT), Security Development Lifecycle Assurance (SDLA), and Functional Safety Assurance (FSA).

The embedded firmware in DeltaV hardware is also being digitally signed. Before firmware can be flashed, its digital signature is checked and verified to detect any tampering.

Microsoft Device Guard and Credential Guard help protect against pass-the-hash attacks, in which credential hashes are captured from the system.