Automation technologies are widely used in critical infrastructures to ensure continuous operation. Beyond productivity, cost, and accuracy, risk reduction is also a significant benefit. In the past, cybersecurity was not a major topic of discussion in these environments. This was largely because automated processes typically operated in isolated environments, separated from the Internet where attacks originate, or because these systems were not equipped with adequate cybersecurity measures due to technical constraints.
Factors such as geopolitics and the evolving nature of hacker activities are gradually reshaping the landscape. Increasingly, critical infrastructures are falling victim to cyberattacks, prompting forward-thinking vendors of process automation services to take proactive measures. Among these, Valmet stands out as a role model, placing cybersecurity at the forefront of its priorities.
We at TXOne are honored to interview Teemu Kiviniemi, Solution Manager, OT Cybersecurity Services at Valmet, who plays a pivotal role in cybersecurity decision-making for Valmet products. We’re excited to share this interview with you and hope it provides inspiration for others who recognize the importance of cybersecurity.
Q: What is the major focus of your business?
Valmet is a leading global developer and supplier of process technologies, automation, and services for the pulp, paper, process and energy industries. Our newly released flagship product, the Valmet DNAe Distributed Control System (DCS), enhances process automation across multiple sectors. We strive to deliver superior user experiences, fostering autonomous operations with optimized field applications and reliable execution results.
Although biggest concern is not the new deliveries, but our older systems in the installed base. Valmet also has two other DCS brands, maxDNA and Valmet D3. They can also fully utilize Valmet Cybersecurity Services offering including TXOne technologies.
Q: What makes you so dedicated to cybersecurity?
Cybersecurity is crucial for DCS for multiple reasons. Our DCS encompasses essential services considered critical in many countries. Successful cyberattacks can disrupt these services, leading to significant economic and safety impacts. Compromised DCSs can result in dangerous manipulation of machinery, causing physical damage or catastrophic failures. Cyber breaches can also disable safety systems, endangering workers. Maintaining operational continuity is vital for a reliable DCS, and cyberattacks can cause costly downtime, disrupting production. Moreover, cybersecurity safeguards intellectual property and trade secrets from competitors and nation-state actors. While standards like NERC CIP and IEC 62443 are often mandated with legal penalties for DCS, our primary goal is to implement truly robust cybersecurity measures to combat evolving cyber threats and ensure system resilience. In summary, we believe cybersecurity is essential to protect infrastructure, ensure safety, maintain operations, and exceed regulatory compliance in industrial environments.
Q. What is the reason to make TXOne Stellar as a default component of Valmet DNA?
Our goal is to offer products with practical and effective cybersecurity measures. At the company level, Valmet is ISO 27001 certified. For our product design lifecycle, we adopt the Security Development Lifecycle Assurance methodology and are certified according to the requirements of IEC 62443-4-1. To enhance security further, we aim to extend our coverage by following the IEC 62443-4-2 reference model, ensuring our products are built with robust security measures.
To achieve this, we offer the Cybersecurity Essentials package, which includes antivirus protection, patch management, asset inventory, and system recovery. TXOne Stellar plays a crucial role in providing a robust layer of protection at the endpoints, working in tandem with other components to deliver comprehensive security services for our customers.
Q. Specifically, what features in Stellar are most appealing for DCS users?
In areas covered by Valmet DNAe, not all environments are constantly connected to the Internet. The ability to operate on-premises is a key differentiator. Ensuring operational continuity is paramount for control automation. Service availability is always the top priority and cannot be compromised, even for cybersecurity reasons. The small system footprint further enhances Stellar’s appeal.
Moreover, our on-demand cybersecurity consultancy, which includes SIEM and SOC connections, is a significant part of the Valmet Cybersecurity Service portfolio. We firmly believe that Stellar’s CPSDR capabilities will provide unique cybersecurity insights supported by operational contexts. This will enhance our platform’s visibility into potential system risks, allowing us to respond proactively.
Q. Apparently, you cannot install an endpoint anti-malware agent on your controllers or I/O hardware. Does cybersecurity concern exist on the hardware without a Windows operating system?
This is a frequently asked question regarding OT security. In short, being immune to ransomware does not make systems 100% secure. In control automation, controllers are designed to respond to instructions, even if they come from a malicious source or are triggered by human error. Although DCSs are highly vertical-specific and may have a narrower attack surface than general PLCs, we must remain vigilant. The actions controlled by DCS are always critical to the adopting organizations.
Q. Then, how do you protect the non-PC-based hardware in the Valmet DNA family?
As outlined in the Valmet Cybersecurity Services portfolio, we employ layered security measures. We also adopt a layered approach to safeguard our hardware. Beyond endpoint software, we utilize network appliances as a second layer of protection, and the EdgeIPS product series from TXOne is our tool of choice.
Not all network security products meet our stringent requirements. We need solutions robust enough for extreme environmental conditions and capable of analyzing the ICS protocols we support in Valmet DNA, such as OPC DA, OPC UA, PROFIBUS, PROFINET, Ethernet/IP, and Foundation Fieldbus. The EdgeIPS series is technically suitable for our needs and financially viable due to its diverse selection, ranging from a 2-port palm-sized model to a 96-port rack that can protect 48 connected assets simultaneously.
Q. How do you define a system that is sufficiently secured? What constitutes the ideal level of cybersecurity?
Cybersecurity literature often emphasizes the necessity of implementing risk assessment, deploying layered defense strategies, safeguarding and backing up data, as well as monitoring and responding to incidents, among other measures. However, it’s crucial to recognize that a system completely devoid of cybersecurity concerns is likely not operational. Rather than striving for absolute perfection in cybersecurity, our focus lies in establishing adequate security measures that can be effectively managed by personnel in operational technology (OT) environments, all while maintaining a keen focus on achieving operational objectives. This is precisely why we’ve integrated cybersecurity into our offerings and chosen to collaborate with TXOne, leveraging its OT-centric approach to product design.