Cyber security | 14 November 2023
Obsolescence and cyber security management system solution for global chemical manufacturer
Published by Patrick McConville
A global chemical manufacturer approached us with a requirement for an obsolescence and cyber security management system. Many of their manufacturing plants were designed several decades ago and, although there have been upgrades to their industrial control systems, they were experiencing increasingly frequent unscheduled outages. This was due to obsolescence issues associated with control system components.
The Background and the Challenge
These challenges arose whenever spare parts could not be sourced routinely because the parts were no longer manufactured, or no longer supported by OEMs with reliable repair services. Alternative interchangeable parts were also becoming unobtainable for some systems, for the same reasons.
The result was an increase in the frequency and duration of unpredictable disruptions to production. This was not simply a ‘cost of production’ problem. There were potentially serious implications for the functional safety of ageing assets and the company’s compliance with environmental regulations at several sites.
To tackle the issue, a working group and a steering group were formed at the largest manufacturing site, with the goal of either finding a suitable obsolescence management system that met the requirements of the international standard or developing their own in-house tools.
The problem was compounded by the fact that some of the oldest production plants did not have accurate inventory data, so a straightforward method of building Bills of Material (BoMs) would be required if these issues were to be addressed thoroughly.
The Solution: Obsolescence and Cyber Security are Very Interdependent
Early in the project discussions, it was acknowledged that software obsolescence issues can impact the cyber security of Industrial Automation and Control Systems (IACS), and it was demonstrated that the standard Asset Guardian system could also manage software obsolescence issues.
Also, with the adoption over the past few years of connected devices and systems that were designed to increase productivity, all production plants have greater exposure to cyber threats. The older plants in the portfolio were designed before these threats were even conceived and were therefore particularly vulnerable.
It made sense to look at obsolescence issues and cyber security simultaneously as these are interdependent.
The Asset Guardian software also includes a fully featured cyber security management system for IACS that conforms to the international standards. This is achieved by adding cyber vulnerability data published by the US Cybersecurity and Infrastructure Security Agency (CISA) to an Asset Guardian system. No hardware or equipment is needed to implement these enhanced functions, so adding the cyber security management capability was an easy decision to make.
The client therefore decided to broaden the scope of the project to include both obsolescence management and cyber security management.
The Extended Project Scope
With a large portfolio of ageing manufacturing assets, the customer opted for a global system that would deliver the following:
- An obsolescence management system that can accurately assess and prioritise obsolescence risks across their assets and derive workable strategies to minimise production outages. The system would comply with the IEC 62402 Standard, ‘Obsolescence Management’ and benefit from a large database of obsolescence dates, maintained and regularly updated by AGSL.
- A cyber security management system complying with the ISA/IEC 62443 series of Standards. The system would automatically identify the location of system components affected by the cyber vulnerabilities highlighted in CISA’s database and advisory notices. Also, the system would provide clear, targeted instructions on how to mitigate each vulnerability and manage progress across all of the assets globally. The project would provide global visibility and bring resilience to their disaster recovery plan, with the ability to return to full operations quickly in the event of a ransomware attack.
Uncovering ‘Missing’ Inventory Data with Parsing Tools
Some significant inventory data were missing from older legacy industrial control systems. Since older systems are more prone to obsolescence issues and cyber vulnerabilities, this needed to be addressed if the benefits of the new combined system were to be fully realised.
The Asset Guardian system links inventory records of hardware and software components with lifecycle data for obsolescence management and with vulnerability data for cyber security management.
To obtain these missing inventory data, AGSL developed tools for parsing data from software backup files, which were available from the plant’s operating and maintenance teams. This allowed our client to compile complete Bills of Material (BoMs) and fully populate their Asset Guardian system with software and hardware inventory data.
The availability of these previously ‘missing’ data would significantly improve the utility of the new system for the older plants and reduce outages.
The Benefits of Accurate Software and Hardware Inventories
This extra effort in developing the parsing tools has meant that inventory data were obtained for systems where records were not up to date.
Having accurate inventories has enabled our client to fully extend the obsolescence management and cyber security management capabilities of Asset Guardian to older production plants where records had not kept pace with each subsequent system modification. The older plants experience the most problems, so it was important to include these in the new global system.
The ability to manage obsolescence and cyber issues comprehensively enabled our client to achieve the following:
For Obsolescence Management:
- Reduce outages and increase profitability.
- Develop obsolescence management strategies that they can have a high degree of confidence in.
- Accurately compare the pros and cons of various proactive obsolescence strategies and base important investment decisions on these.
- Manage spare inventory between plants, allowing the life of some systems to be extended while others are upgraded.
- Achieve compliance with the IEC 62402 Standard.
For Cyber Security:
- Introduce greater resilience to their Disaster Recovery Plan with the knowledge that the software inventory is secure, up-to-date and accessible so that systems can be rebuilt quickly, even in the event of a ransomware attack.
- Enable all of the software components to be checked for new cyber vulnerabilities with each advisory that is issued by CISA.
- The system will automatically advise nominated members of staff of the location of new vulnerabilities, which reduces workload.
- Progress with mitigation work is recorded, monitored and reported within the Asset Guardian system to provide greater visibility across the organisation.
- Achieve compliance with the relevant sections of the ISA/IEC 62443 series of Standards.
The benefits of this approach to obsolescence management can be seen at the level of individual components and systems, but for the wider, global organisation there will be significant improvements in profitability, realised through the improvements to plant availability and production time.
Greater resilience in their operations will be achieved through the newly implemented Asset Guardian cyber security system. In addition to being able to demonstrate compliance with international standards, local regulations, and industry guidelines, they will be safe in the knowledge that they have the best, industry-leading tool in the event of a ransomware attack.