Governmental organizations, private companies and public-private partnerships that operate critical infrastructure have never faced such significant security risks as attacks against Industrial Control Systems (ICS) grows in volume. From greater inter-connectivity of control systems, more use of Ethernet based architectures and complex threats being copied by other attackers; these and other factors are introducing additional risks for critical infrastructure and industry in general that must be planned for, evaluated and mitigated against. Industrial control systems are an integral part of the critical infrastructure that facilitate operations in vital sectors such as electricity, oil and gas, water, transportation, food, pharmaceutical and chemical. Threats and cyber incidents, malicious and accidental, occur every day on industrial control networks. It is now easier than ever to learn about industrial protocols, networks and equipment for the purpose of figuring out to exploit their vulnerabilities. The past five years should have been a real wakeup call for the industrial automation industry. For the first time ever, ICS has been the primary target of sophisticated cyber-attacks like Stuxnet, Night Dragon, and Duqu; with the most destructive post-Stuxnet threat being the malicious malware known as Shamoon.
Corporations and governmental organizations must collaborate to further develop critical infrastructure protection solutions that do more than meet the basic requirement of the ICS and satisfy the regulators. Solutions must be targeted to the professionals tasked to keep these critical infrastructure industries operating and be effective in making the business case that risk is mitigated. In the past, due to the technology, isolated environment and communication protocols used in industrial control systems, they were mostly immune to the malicious software attacks that have now infected corporate IT networks. With the distributed, interconnected and greater use of non-proprietary technology in today’s control systems, achieving end to end security has to be a multi-vendor and organizational effort. Fashioned and specialized threats developed by highly skilled cybercriminals, nation funded IT professionals, political protest groups and hacktivists are now focusing on critical infrastructure and their ancillary systems more than ever before. Sadly, the effects of these attacks are felt far beyond the perimeter of the intended targets.
As the business and financial needs of an organization have to deal with the pressures of increasing productivity, the unavailability of highly-skilled labor and making use of ever increasing data; there is a rapidly growing demand for many industrial control systems and sensory data to communicate with other commercial and enterprise level systems across the corporate network. This brings new risks and challenges that owners must face and mitigate against. The initial reports of cyber-attacks to the ICS goes back over fifteen years, since then the total volume has been exponential in growth and is much higher than the news reports ascertain. Wide spread doubts and loss of confidence from the public towards these private and public entities results in deliberate suppression of information about attacks; but poorly disseminated information to the public would also cause knee-jerk responses and solutions that may not be best. Reporting of cyber-attacks to regulators, industry peers and support organizations can allow the rapid development of solutions, mitigation of risk from attacks, stronger defense strategies against attacks and overall protection of the critical infrastructure of a nation.
Security Designed from Inception
Historically, with security as an inconsequential concern, cyber security wasn’t something that was designed and implemented into the industrial control system. Now it has to be integral to any project. The critical infrastructure sector must work closely with owners, industry, integrators, regulators and vendors, so that effective cyber security measures can be designed into the industrial control systems from the initiation of a project. The industrial sector also needs to stop thinking of security as something to implement after the systems are installed, but rather design security in from the beginning and manage it at all layers—device, controller, process and across the enterprise. The most critical cyber component in industrial control systems between data, devices, networks, and people are the devices. ICS cyber security should for this reason be focused on maintaining the reliability and safe operation of our ICS devices.
Cyber threats targeting the ICS are changing and growing as cyber-attackers are continuously looking for new targets and criminal extortion is increasing. ICS security is no longer merely about preventing hackers or having a strong physical secure perimeter. A new underground digital economy now provides a multi-billion dollar incentive for potential corporate rivals or adversaries to exploit YOUR ICS vulnerabilities. More and more companies will be required to detail the approach they take to cyber security and detail what analysis and assessment they undertook on their technology vendors and service providers. Governments are increasingly identifying cyber security as one of the most serious economic and national security challenges and are escalating their efforts to protect critical infrastructure vulnerabilities.
Initiatives by ICS vendors to reduce security risks to control systems in response to growing cyber security threats is occurring and resulting in automation professionals being more effective in securing their industrial processes through a combination of control system design and best practices, technologies and professional services. As the ICS represents the core of production, the cyber security processes must address both internal and external threats via multiple layers of defense which mitigates against various types of risk; A Risk Informed Electronic and Physical Defense-in-Depth Methodology. ICS vendors and automation professionals must be committed to providing an evolving set of products and services that help mitigate risks and improve security of the production assets. The solution must also include risk analytics that assemble and correlate data in an innovative platform that provides actionable visibility into cyber security blind spots, before it’s too late; as this drives effective cyber risk management and creates a stronger cyber security posture. Solutions must enable organizations to understand their current business environment and provide contextual awareness of how their employees, supply chain, customers and attackers interact with their control systems, data, facilities and applications. In a globally intertwined world the threat can and does come from everywhere.
Make cyber security a part of the organizations culture
In February 2014 the National Institute of Standards and Technology (NIST) issued the Framework for Improving Critical Infrastructure Cyber security. The purpose of the Framework is to help organizations manage cyber security risks in a cost-effective way based on the business needs of the critical infrastructure sectors. One of the key standards referenced in the NIST Framework is ISA-62443-2-1: Establishing an Industrial Automation and Control Systems Security Program. The target audience for this standard is the asset owners and operators responsible for establishing and managing a utility’s cyber security program. Unlike other security standards that cover only technical considerations for cyber security, ISA-62443-2-1 focuses on the critical elements of a security plan relating to policies, procedures, practices and personnel. As such, it is a valuable resource to management for establishing, implementing and maintaining a utility wide security plan.
The National Infrastructure Protection Plan, developed by the US Department of Homeland Security published in 2007, a Water Sector-Specific Plan that addressed risk-based critical infrastructure protection strategies for drinking water and wastewater utilities, regulatory primacy agencies, and an array of technical assistance partners. The Plan described processes and activities to enable the protection, and increased resilience, of the sector’s infrastructure.
ISA Secure program is based upon the IAC security lifecycle as defined in ISA/IEC 62443. This Conformance Certification independently certifies industrial automation and control (IAC) products and systems to ensure that they are robust against network attacks and known vulnerabilities.