Door-to-the-floor cybersecurity requirements

How big or small should the air gap be?

By Jeremy Pollard, CET

Remote access and cybersecurity go hand in hand. I have been doing some market research to gather information for an upcoming presentation at the ISA Power Industry Division Symposium this June in Cleveland. I am flabbergasted at what I am finding.

First, remote access as a technology has more solutions than you can shake a stick at. Vendors are supporting open-source protocols for remote access of devices over the Internet—VPN appliances, network appliances and proprietary protocols, along with physical access restraints and cable plugger-inners (the ones that use a network cable as an air gap).

It’s like a free-for-all, but the one thread that keeps coming up is that users and integrators alike want and need this function.

The concept of cybersecurity is very hazy, as well. The end of IT and OT being like church and state is clouded by the requirements of IT departments that do not understand the reality of OT requirements. Simply put, one can’t be without email for an hour. Access to the process has to be available at all times.

Download our special report on trends in industrial networks

Scott Phillips, founder of IIoT Global and president and founder of the SearchLite produced a report on IIoT cybersecurity for manufacturing. While reading the report, my mind wandered to a risk alert from the Department of Homeland Security on Rockwell Automation and Modicon PLCs. These devices have the ability to be hacked from the inside or the outside. Phillips describes various obstacles to a successful implementation of securing industrial control systems with mitigation trees to roadmap how you would deal with a certain threat vector. He refers to the basic issues of device protection, but I wondered where the monitoring of and promoting of system firmware would fit into his plan.

While SCADA and the SCADA network are the most vulnerable, states Phillips, he brings up many good points on how to implement a policy to do basic industrial control system (ICS) protection from inside the firewall.

These steps can be taken directly by the floor maintenance and engineering peeps. However, IT departments have to be involved for the remaining issues, so you can’t leave them out in the cold. You can find the report online at

James Scott, senior fellow at the Institute for Critical Infrastructure Technology has authored a number of publications dealing with cybersecurity that have resulted from the collection of data from user surveys.

Scott’s approach for the survey was targeted at the retail space, and not the industrial space. But the results and implications are similar, regardless.

Data protection policies are becoming tedious, lengthy and problematic. The intent of the ISO 27001 standard is to create a path for certification to put policies and systems in place to address the issues that Scott suggests are ever present in our current IoT world.

Remember when I wrote about the Internet-enabled Barbie? It seems she now has a partner in crime—a teddy bear. When will we ever learn? This is why Phillips and Scott are doing what they are doing.

Ransomware is on the rise, and 50% of the respondents reported they had a ransomware attack in the past. This frightened me: 86% said they do not have a plan in place to address security issues.

Where this took me is just how my mind works. The report was based on non-profit organizations who more than likely use a third party for IT support. Let’s say the United Way is one of them. A lot of companies support the United Way. If its security isn’t up to par and an employee of your company goes to the site to donate, your network may now be infected with something and quickly.

If that computer is also on the OT network, then who knows what could happen.


Scott mentions that some are using internally developed frameworks, NIST guidelines, and SANS Institute’s list of the top 20 critical security controls. Know that there is ISA99/IEC 62443 and the ISO 27000 series, as well as homegrown IT rollouts and vendor-supplied frameworks. We don’t have any consensus on what’s good, right and workable for your level of expertise and funding.

Scott asserts that backups are important, but it is the downtime that hurts. Remember about OT being always available. Houston, we may have a problem here.

Coming back to remote-access policies and procedures, I wonder how many people are using devices that have been used for functions other than remote access, such as your grandson using your iPad to access the Internet and then how secure that device is to the network it happens to be on.

Would you allow that iPad to access your network using a VPN, which then could allow malware or ransomware into your network?

One door-to-the-floor requirement includes multi-factor authentication of the device, the person and the target. Check out the new government personal-identity verification (PIV) security. Are we important enough to require this level of security? I think so.