Securing your mill’s control system: Q&A with cybersecurity experts
A roundup of the best industry advice and some of the latest technologies to optimize cybersecurity at pulp and paper mills, in the context of Industry 4.0
By Treena Hein
As is true for any type of plant, a cybersecurity breach in a pulp or paper mill can bring production to a halt, leading to serious financial losses.
It can also cause harm to workers, equipment and the environment, destruction of data and much more, say experts like Michael Lester, director of cybersecurity strategy, governance and architecture at Emerson’s Automation Solutions.
Even a minor security breach, notes Apala Ray, ABB’s global cybersecurity manager for industrial automation process industries, has the potential to affect production for days.
Downtime losses could reach over $150,000 CAD per hour, depending on the specific pulp or paper mill, explains Donovan Tindill, senior industrial cybersecurity expert at Honeywell Connected Cybersecurity. And in addition to these direct losses from a cyberbreach, there are many potential sources of indirect loss.
Some are immediate and others longer-term, ranging from payment of data ransom fees and the effects of uncontained ransomware spreading into more systems to risks to customer relationships.
There are also costs associated with validating that systems are back to normal, and there may be consequences related to incorrect regulatory reporting (for example, of emissions data).
To explore today’s cybersecurity threats in the pulp and paper sector, we put important questions to our experts.
Here, we’ve collected their responses, which have been edited for length and clarity. Cybersecurity is an enormous topic and the devil is in the details; each company must of course do its own specific due diligence.
Is paper mill cybersecurity different from other sectors?
Ray: There might be subtle differences. For example, quality control systems (QCS) are one of the major systems in a mill and operate like a SCADA system in supervising, monitoring and controlling the physical processes. The process can usually continue to run for short periods if the QCS is offline, but with high risk to product quality and high potential for production loss. Therefore, it is critical to maintain cybersecurity in such systems.
Tindill: The paper mill industry…doesn’t usually have the higher budgets that other industries may spend on their automation systems and staffing. Staff are expected to do more, including cybersecurity tasks, effectively. Alternatively, if the skills do not exist at the mill then there is a higher need for secure remote access technologies. Remote access has its own challenges, and […] could increase the risk.
Lester: Outdated systems that are not patched or well protected with a defence-in-depth approach are most vulnerable. Not all mills make cybersecurity a priority for a project, or often it is an afterthought and hence not funded.
What are the common threats and vulnerabilities in pulp and paper mills?
Tindill: Malware, including ransomware. USB portable memory is one of the leading sources for introducing malware into the control system.
Lester: Mills face various vulnerabilities to attack, including the unintentional behaviours from employees unaware of threats at the plant floor or at their desktop.
When cybersecurity is not part of the culture of an organization, its personnel create a significant cyber risk. Upskilling personnel on new technology and related cybersecurity helps to create a “cybersecurity culture.”
Ray: Generic attacks are high in frequency and may have destructive-to-catastrophic impact, but target generic information technology environments that are not specifically tuned to industrial control systems.
They usually affect the client/server layer and/or network infrastructure of a control system and are equally relevant for the paper industry as any other industry.
How do Industry 4.0 technologies help or hinder cybersecurity in mills?
Lester: For mill manufacturers looking to unlock the potential of Industry 4.0, cybersecurity is a chief concern, [but] while the need for effective cybersecurity is well understood, the topic itself is not.
Designing and implementing new technical solutions requires new or updated skills, and cybersecurity expertise. While new solutions can be implemented securely, they can also introduce new threat vectors if not implemented and maintained appropriately.
Ray: Industry 4.0 technologies push for enhanced connectivity. When considering a new digital solution, make sure discussions include how to address cybersecurity concerns, and how to ensure multiple layers of defence will be in place.
Tindill: Industry 4.0 or any technology advancement in general makes cybersecurity more difficult. As each new technology is invented, the cybersecurity controls required often lag. The number of applications and devices is increasing [and] this also broadens the “attack surface.”
What are some new cybersecurity technologies?
Lester: Integrated security technologies that provide secure connectivity, system and user interaction, remote access and visibility to the environment relative to security are key to providing higher levels of security.
Modern security technology like web application firewalls, identity services, edge gateways and protocols like AMQPs, MQTTs, OPC-UA and security monitoring systems are crucial to successfully implementing secure solutions, but the most crucial aspect is skilled resources to design, implement and operate the technology effectively.
Ray: New and emerging technologies will have an important role to improve the overall cybersecurity position for mills, and we will need to understand their challenges. The introduction of technology must be matched with operational measures that bring in people and processes. This typically includes defining policies and procedures for utilizing the new technology as well as educating employees accordingly.
Best practices to protect your mill’s control system
We summarize the top advice from our three experts:
Donovan Tindill, Honeywell
- Identify the components and systems that comprise the industrial control system, and develop an even clearer understanding of the most critical and impactful parts of it.
- Consider the potential impacts of malicious configuration or operation. Group brainstorming helps to identify new and unique attack scenarios, and promotes discussion on the feasibility of detection and protection. What could happen if the wrong person had access, for example? Could we train individuals or implement technology to detect an issue and respond quickly?
- Apply detective and protective controls.
- Plan the next control system design or upgrade well in advance. Making cybersecurity part of the front-end engineering will be significantly more effective and lower cost than working it in later.
- Over-engineer your cybersecurity to ensure the system is able to withstand both current and future attacks.
Apala Ray, ABB
- Use people, policies and procedures.
- Understand and respect the different cultures and mindsets of people in your organization. The engineering mindset, which keeps safety as a major concern, will look for a deterministic process and system. However, cybersecurity requires processes that are much more dynamic, less deterministic and continuously evolving.
- ABB’s three-stage model is 1) establish a foundational level of technical and organizational security controls to defend against the majority of the generic threats, 2) continuous management and maintenance of these controls and the addition of more sophisticated controls, and 3) a strong collaborative operation of cybersecurity controls with managed security services.
Michael Lester, Emerson
- Get a thorough assessment of your cybersecurity posture to help determine your baseline and identify the biggest potential gaps, then create an actionable plan for a cybersecurity program and a technical-operational cybersecurity roadmap.
- Stay updated on the latest threats. Optimize your threat-detection capabilities and ensure equipment has the latest defence measures.
- Improve your incident response capabilities, upskill your workforce and do periodic training.
- Cybersecurity, like safety, also requires more than just technology. Both require behaviour and culture change. A deeply rooted understanding of the “why” and “how” that spans everyone in the company is critical to driving meaningful behavioural change in cybersecurity.
Treena Hein is an award-winning science and tech writer based in Ontario.