Hall of Fame – Industrial Cybersecurity Stalwart Sinclair Koelemij

For the next installment of our Industrial Cyber Hall of Fame series, we are thrilled to announce the induction of Sinclair Koelemij, a distinguished expert in the industrial cybersecurity field. With close to 45 years of international experience, Koelemij has made significant contributions to the field. He holds certifications in risk, security, and service management and has worked in various roles within SCADA/DCS (supervisory control and data acquisition/distributed control system) environments in industries such as refining, oil and gas, chemical, mining, and energy.

Since 2000, Koelemij has focused on cybersecurity, specializing in protecting the chemical, offshore, and refinery industries. He is also a respected speaker at cybersecurity events. 

Koelemij’s expertise lies in safeguarding cyber-physical environments, implementing robust security measures, and staying ahead of evolving cyber threats. He excels in various areas such as risk assessment, vulnerability management, and incident response and is adept at designing and fortifying organizational infrastructures to withstand sophisticated attacks, ensuring data integrity and confidentiality. With a keen eye for emerging trends, he stays at the forefront of cybersecurity, contributing to a safer digital environment. 

Furthermore, his commitment to excellence and continual learning underscores his role as a stalwart guardian in the realm of industrial cybersecurity. He is also a regular contributor to Industrial Cyber.

Could you discuss any notable projects or situations in your 46-year career that presented significant challenges in industrial cybersecurity, particularly in process automation, and how you managed those complexities?

Working at Honeywell involves actively contributing to the development of extensive process automation systems worldwide and ensuring their security. This role entails collaboration with experienced asset owners overseeing established production processes and forming partnerships with newer organizations with limited operational experience. These diverse scenarios consistently present significant security challenges. Additionally, complexity may arise when different teams or integrators are responsible for various installation aspects, and regulatory authorities directly oversee project outcomes and processes.

To manage these complexities effectively, it is essential to adhere strictly to engineering best practices within a well-defined framework. This approach guides your efforts towards successful outcomes while collaborating within a multidisciplinary team that includes individuals with specialized, in-depth skills and engineers with broader expertise. My most significant lesson learned is the importance of consistently considering the bigger picture and comprehending the entire production process that requires safeguarding. Conducting a detailed risk assessment should always be the first step in a complex project.

How have your varied experiences at organizations like IBM, Renault, Fiat, NATO, and Honeywell influenced your viewpoint in the field of industrial cybersecurity?

My early career at my first employer was pivotal in my professional growth. I automated packing processes, including a segment of typewriter production and spare parts packaging for car factories in France and Italy. I also worked on specialized military packaging solutions, gaining valuable experience collaborating with diverse individuals from various cultural and organizational backgrounds and job functions.

These experiences proved invaluable in my international role at Honeywell. I gained a deep understanding of how Honeywell’s process control solutions impact production processes. My involvement in automated packaging, integrating chemical product creation with robotics, exposed me to control programming and operational technology (OT) functions using sensors for temperature, pressure, and position. 

This laid the foundation for my work in maintaining and implementing large, distributed control systems and process control computers at Honeywell in the 1980s and 1990s. It also instilled in me the importance of understanding the broader control application, not just the technical components, which later drove me to develop application and system programs in the mainframe process control computer environment in my career.

Throughout your career, were there key moments or obstacles that were pivotal in your decision to focus on cyber-physical risks in the industrial sector? How did these experiences enhance your knowledge in this domain?

In the early days of cybersecurity services at the turn of the century, I faced limitations due to a narrow focus on isolated security measures, which left gaps due to the limited solutions available. While grappling with the technical challenges of implementing individual security measures, I sometimes lost sight of the bigger picture, becoming overly fixated on technology.

The concept of cyber-physical risk offered an escape from this narrow perspective. It urged me to consider potential attack scenarios against the entire installation, understanding their impact on production processes and independent dynamics, such as chemical processes. I recognized that a cyber-attack scenario could disrupt the intended automation process, leading to changes in the physical installation processes, and resulting in actual business losses. Thus, integrating these process deviations into risk assessments became imperative. Terms like ‘loss of control’ and ‘loss of view’ held little meaning unless translated into tangible consequences for the physical process installation.

This realization allowed me to draw on my background in process control and process safety engineering, enabling me to approach cybersecurity comprehensively by merging OT security, process safety, and process control. Working for a company offering complete control solutions, covering physical installations, automation components, systems, and applications, provided access to a wealth of knowledge and experience. Collaborating with asset owners and subject matter experts in various projects allowed my colleagues and me to develop a more holistic risk assessment framework.

Based on your experience, what are the crucial factors for companies to consider when developing effective cyber-physical risk management strategies in industrial environments? How do you balance technological advancement with cybersecurity resilience in the constantly changing industrial sector?

Asset owners must establish a risk register for quantifying and monitoring risk changes over time. This register should yield measurable outcomes, even if they are not initially 100% accurate. Semi-quantitative risk assessments, as precise as qualitative ones, offer objectivity. Quantifying risk aids in better comparisons and justifiable decisions. To maintain this register, continuous improvement of the risk evaluation engine is necessary, but it should focus on the production process perspective rather than silos like the network, process automation equipment, or physical installation.

Companies must adopt a risk-centric decision-making approach, acknowledging the operational responsibilities linked to technical choices. Ineffective operational management can render overall security measures useless.

In my experience, personal enthusiasm can overly influence security solution selection, leading to investments in ineffective measures that don’t match the actual threat landscape. Evaluating security measures from both technical and operational perspectives is crucial. Focusing solely on technical aspects can overlook operational gaps, making the security measures ineffective. Ensure that the security measure’s complexity aligns with the organization’s maturity level.

From your time addressing cyber threats in industrial contexts, can you describe a particularly complex or critical situation and the specific strategies or methods you used to resolve it?

Complex projects often arose when asset owners or regulators insisted on aligning cybersecurity risk criteria with process safety risk criteria. This development, a relatively recent one, emerged as both asset owners and service providers matured. It led to the creation of a new risk evaluation tool that focused on processing attack scenarios through a counterfactual risk engine. This engine assessed numerous vulnerabilities and security controls to estimate the probability of cyber defense failure.

To address this challenge, I conducted an in-depth examination of ten major process automation projects, studying their implementation and performing threat modeling for network, automation equipment, and automation packages. The results were compiled into a comprehensive library for the counterfactual risk engine.

I assigned initial event frequencies (IEFs) to cyber-attack techniques by analyzing five years’ worth of registered vulnerabilities and determining which techniques would have been effective. This data provided the necessary statistics for the IEF assignment.

I developed a semi-quantitative method to assess risk reduction from each security control, both built-in and add-on. I also established a methodology for expressing residual risk as an event frequency per annum, aligning cybersecurity risk with quantitative process safety criteria. 

Subsequent multi-year projects expanded the library and improved risk factors, enhancing accuracy and consistency. The risk engine could estimate a conditional probability of defense failure (PFA) for specific targets, which, when combined with the Rings Of Protection Analysis (ROPA) technique, consolidated into system PFA values. This method allowed us to estimate residual risk based on different defense strategies using various security controls and compare it to process safety criteria.

Could you talk about your experience as a patent holder and the impact your inventions have had on the industrial cybersecurity landscape?

Patents are primarily used by vendor organizations to protect their intellectual property. The patents I was involved in had to do with risk estimation but had no direct impact on the cybersecurity landscape.

Looking back at your career, were there any particular moments or turning points that steered your focus toward the convergence of cybersecurity and physical systems in industrial settings? How have you observed this intersection evolving?

The convergence was prompted by asset owner demands and my conviction that solely concentrating on risk assessment for the process automation system or IACS, as denoted by IEC 62443, wouldn’t deliver adequate value. These pivotal moments stemmed from discussions with asset owners and project demands. Although we maintain a policy of not disclosing specific asset owners or projects, we were challenged by critical infrastructure projects in various Middle Eastern nations to set higher standards.

Considering the future of industrial cybersecurity, what emerging trends do you find most important, and how do you think they will influence the industry? Could you give us a brief preview of the theme of your upcoming book?

Emerging trends in cybersecurity involve new autonomous systems and the centralization of automation components in ‘cloud-based’ systems. In the late seventies, intelligent functions and interfaces were in central mainframe computers. However, distributed control systems and open technology in the late nineties led to complex distributed networks.

Today’s trend is moving towards centralization using virtual computing, cloud computing, and IIoT (Industrial Internet of Things) technologies. This may result in field equipment remaining in the traditional plant environment, while computing functions shift to private or public clouds, particularly in less complex process installations.

Security improvements include enhanced messaging techniques that verify message sources, protecting against modification, injection, and replay attacks. The focus shifts from monitoring network traffic to data validation. Data accuracy and integrity are crucial, especially with guaranteed message integrity.

Autonomous systems introduce artificial intelligence to process automation, posing integrity challenges for cybersecurity, primarily from state actors.

My upcoming book, ‘Deep Defense,’ discusses a holistic cybersecurity approach, recognizing that network security and technical vulnerabilities are just one aspect. Multiple layers of protection are essential, and defense requires adapting processes to cyber threats throughout the lifecycle of a process installation. The book assesses risks and addresses technical and non-technical threats.

In your work to promote a deeper understanding of cyber-physical risks in the industrial sector, could you share stories about the difficulties you faced in explaining complex ideas to diverse audiences and how you overcame these challenges?

Overcoming technical challenges is typically straightforward, but the real hurdle is dealing with people. Some resist reevaluating past concepts, while others may not fully grasp changes in the threat landscape and technology. To surmount these obstacles, we must repeatedly convey a consistent and simplified message. When tackling new challenges, it’s easy to become too absorbed in detail, potentially losing the audience. The key is to streamline the narrative, use suitable analogies, and expand the group of individuals who understand and convey the same story. Overcoming these challenges is an ongoing, time-consuming effort, and I hope my book contributes to this journey.

Could you tell our readers about the book you are working on, which addresses the concept of Deep Defense, and explores the importance of implementing multiple layers of protection in manufacturing processes?

Progress is gradual, and writing often feels like taking steps forward and sometimes backward. Balancing detail and clarity for both specialists and novices is crucial. I’ve defined nine protection layers, four related to digital technology, and five tied to plant processes. I clarify what constitutes a process automation system and a cyber-physical system. I explore engineering and management practices in cybersecurity, including risk management and assessment. 

Methods for estimating risk, such as asset-based, control-based, performance-based, and (semi-)quantitative/qualitative approaches, are discussed, highlighting their alignment with process safety and reliability risk processes. The book focuses on safeguarding process installations against cyberattacks across these layers, with the actual installation as the innermost layer.

As a leader in the field, what practical advice would you give to those aspiring to make a significant impact in industrial cybersecurity?

My primary message underscores the importance of understanding and protecting the target continually. This target includes its mission, technical aspects of automation functions, and the web of management, maintenance, and operational processes. Specialized expertise is valuable, but holistic understanding and recognition of its significance to stakeholders are equally crucial.

Challenge and rethink solutions; even proven methods may become outdated.

Securing process automation goes beyond data protection. It involves understanding data generation, users, and potential physical repercussions. A process automation system represents a physical system, requiring alignment to prevent accidents and maintain operational integrity. 

He also highlighted that cybersecurity engineering for OT is a relatively new field, without the advantage of decades of experience and lessons learned, as seen in process automation engineering. It is important to be open to reevaluating established concepts and continuously improving our skill set. With the constantly evolving threat landscape, this field has become one of the most dynamic and intriguing engineering domains.
