October 2019

Cybersecurity

Securing industrial systems in a digital world

The development of industrial control systems (ICS) over the past two decades has changed the face of many industries.

The development of industrial control systems (ICS) over the past two decades has changed the face of many industries. Operational technology (OT)—largely industrial equipment—has become increasingly connected, and the integration of information technology (IT) components allows such devices to leverage software that drives data collection and analysis, resulting in enhanced performance and ultimately “smarter” machines.

With these benefits come vulnerabilities, including the possibility of malicious actors gaining access to critical assets through networks. The growing recognition of cybersecurity threats to critical infrastructure (e.g., energy, water and transportation) has brought the topic into the spotlight. Further, regulatory requirements on these industries have increased. Standards and policies have been created to address the rapid technological changes; however, it is still challenging for companies to implement needed processes and keep personnel up to date and aligned, given the pace of change.

Meanwhile, the cyber threat landscape continues to increase. According to IBM, the number of attacks aimed at ICS increased by 110% in 2016 compared to 2015.1 In addition, leveraging third-party vendors and new cloud-based services results in additional areas of risk previously non-existent in ICS.

Designing products to be secure from cyberattacks only became a topic of concern about a decade ago, and the prevailing sense at that time was that isolation (“air gap”) and limited availability of technical knowledge (“security by obscurity”) protected ICS products. This false belief was quickly dismissed as wishful thinking after the Stuxnet cyberattack, and vendors began to respond to customer demands for more secure products. However, with often heterogeneous equipment and lifecycles counted in decades, it will take time for secure components to become the norm.

In this article, the authors will share insights to enhance your understanding of the ways in which governance, technology and business requirements intersect. It will also illustrate ways in which organizations can leverage digitalization opportunities to better manage increasing risks. It will break down these risks to help your organization address these sometimes-overwhelming challenges. Further, it will offer recommendations for organizations to improve their cybersecurity postures in a holistic and sustainable model.

The impact of real cyberattacks

The following events offer an overview of the history of cyberattacks on ICS and help give a clearer picture of the potential negative impacts of weak cybersecurity. These events include:

  • Stuxnet (2010)—Designed to disrupt the Iranian nuclear development program, it was the first publicly known example of a cyber weapon. Stuxnet was a self-propagating application (i.e., a worm) that was spread via USB drives and network connections. Able to operate undetected for an extended period of time, it took over the programmable logic controller (PLC) that was controlling the uranium enrichment centrifuges and ultimately caused these to break down at an accelerated rate.
  • German steel mill cyberattack (2014)—This event was the second confirmed case of a cyberattack causing physical damage. Attackers used a spear-phishing campaign to capture user credentials. They connected through the business systems to the OT network and caused massive damage when a blast furnace had to be shut down abnormally.
  • Havex/Dragonfly (2014)—This event included victims from multiple industries, including energy, manufacturing and pharmaceuticals. The malware campaign used multiple attack vectors. These were spear phishing, waterhole poisoning and replacing suppliers’ support websites. It installed remote-access trojans (RATs) on systems inside the targets’ networks. These RATs were coordinated and updated via the internet.
  • Ukraine power grid (2015/2016)—This event caused blackouts to parts of the Ukrainian power grid in December 2015 and 2016. In 2015, approximately 30 substations were shut down. The attackers infiltrated production supervisory control and data acquisition (SCADA) networks of three power companies. Workstations and servers were infected with malware. Reconnaissance efforts were carried out over an extended period and other actions further disrupted restoration efforts. The 2016 incident utilized an automatable tool, and reconnaissance activities were carried out independently. An analysis showed that its full capabilities were not used.
  • WannaCry (2017)—This ransomware attack impacted Windows servers, specifically around vulnerabilities in system updates. The malware requested Bitcoin payment from victims. It was a known vulnerability that could have been solved with patch management.

Prevention would have been possible in all of these cases if proper security controls had been in place.

Meeting cybersecurity challenges

Companies operating ICS face several challenges due to the developments and risks outlined previously.

Regulatory requirements. To address cybersecurity risks, the number of regulations and standards that have been created by governments, industry groups and private organizations has grown considerably over the past 10 yr. Organizations must go through the effort of understanding the regulatory environment, determine which regulatory requirements are applicable to them, and then continuously monitor for updates and changes to regulations to confirm compliance with the latest versions. In addition, there is a very real threat that, even when organizations attempt to faithfully comply, a lapse in proper execution can expose them to potential fines.

Although necessary, meeting regulatory requirements and the endless focus on compliance, plus the reporting and documentation that this entails, can consequently be both daunting and taxing. Nevertheless, this is necessary because, in many cases, compliance is a precursor to doing business with customers. It is considered a way to show that the minimum cybersecurity requirements are being met.

Compliance is a byproduct of security. Organizations need to look at security from a holistic standpoint, and not from a “check-the-box” or bare-minimum-compliance standpoint.

Recommendations for how to approach security more comprehensively are detailed in the following sections.

Workforce shortages. The three foundations of cybersecurity are people, processes and technology. While many organizations’ policies focus on the latter two factors, it should be noted that people are just as critical for maintaining a robust security posture.

The tremendous changes in technology are now resulting in increased demand for new skills and skill combinations; the current demand for cyber professionals is not being met. Cost pressures and workforce reductions only compound this situation and can result in documentation slipping through the cracks and, ultimately, in a lack of compliance with regulatory requirements.

Many companies address this shortfall by building collaborative teams drawn from both IT and OT staff within the organization. Other organizations turn to third-party providers to deliver IT/OT expertise that is shared among multiple customers through managed services. Automation of routine security maintenance tasks and reporting can significantly reduce this burden, as well.

A positive effect is that retraining programs and a greater interest in the cybersecurity space from a professional education perspective are becoming increasingly common. Some of the major cybersecurity training programs and certifications are:

  • SANS Institute—The largest provider of cybersecurity training, with a side focus of preparing people for cybersecurity certifications and other widely recognized programs in the industry
  • Certified Information Systems Security Professional (CISSP)—An independent information security certification, it is considered a rite of passage for Chief Information Security Office professionals
  • Global Industrial Cyber Security Professional (GICSP)—An ICS security certification recognized within industry.

Cyber asset inventory. It is not always a given that organizations have a full inventory or visibility of all the components across their operational enterprise, or in their ICS or those of third-party service providers. This can have a negative effect in the case of a vulnerability, as an organization tries to understand the impact and react accordingly. Where a cyber asset management system is not already in place, manual effort is required, resulting in increased costs and lengthy reaction times.

When installing new equipment or systems, organizations should also install programs that present a report of their asset inventory in real time (e.g., number of servers). Such a system also allows users to access multiple versions of products to determine their susceptibility to vulnerabilities.

The greatest challenge during incident response is the triage process. Asset inventory solutions take the triage process from being a manual effort to being automated, thereby shortening reaction times and reducing costs.

Lifecycle of products. Historically, ICS security was not designed with cybersecurity as a priority. While organizations may have more opportunity to implement cybersecurity standards in new products and systems, for older ICS, it can be more difficult. This difficulty notwithstanding, organizations are still expected to address the cybersecurity needs of these previously installed systems, which are likely to have many fewer support options.

This means that remediation needs for older ICS are at times unknown to the organization, and, when known, can be challenging and costly. In addition, many product lifecycles are counted in decades rather than years, and it is not always straightforward to find capital to replace or upgrade products quickly.

Together with ICS security providers, organizations should evaluate their existing operations base and prioritize remediation. A risk assessment will highlight what is worth fixing immediately. Organizations can prioritize and still greatly impact their risk posture.

Moving forward, organizations need to ensure that their programs and systems are secure by design and also secure by default so that they do not have the same challenges in the next generation of products.

How to implement baseline security measures for every ICS organization

In addition to addressing these challenges, the following are some recommendations for ways to address cybersecurity at each pillar of the cybersecurity lifecycle. The authors’ company uses six pillars to address cybersecurity, which include:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
  • Comply.

Ability to identify. An organization should establish a comprehensive security program with the support of the executive team. Executive leadership determines the budget for the overall company based on its level of risk tolerance; a strong cybersecurity program will require a significant investment, and large budgets are awarded aligned to organizational priorities. Executive leadership also has the authority to encourage and enforce that employees follow new cybersecurity procedures, as opposed to ad-hoc uncoordinated security. Before beginning to put measures in place, it is essential to align the program to corporate risk appetites and to obtain executive support of the roadmap.

Very few companies have complete, up-to-date and documented records of their entire networked systems and assets. The concept of a cybersecurity audit is not new, but has been uncommon for ICS. However, due to the challenges that companies have had in keeping documentation up to date, these records are an appropriate place to start. External or third-party audits can be a useful tool to drive companies to do a better job at maintaining an up-to-date inventory of all hardware and software. This includes documenting configurations, mapping networks, and identifying vulnerabilities and exposures. This information is essential to risk management.

Ability to protect. Systems and devices usually do not ship configured for maximum security but for ease of use and access. Ports and services—which may not be called for in the actual workplace environment—may be left open by default. Hardening these assets (e.g., turning off software features and functions or enabling key access requirements on devices) reduces risk by decreasing the number of ways a malicious actor can attack them.

As ICS environments become more reliant on connected computers for operational purposes, it is important to manage and apply user permissions and security policies across the entire ICS environment. Using a domain server with an active directory or a lightweight directory access protocol (LDAP) can help push consistent security policies to all user machines. User permissions can be assigned to specific roles to ensure that every user has the least number of privileges allowable for executing their job. Security policies and user permissions are powerful tools to enforce best practices for things such as password policy, file access and removable media.

Applying software updates and patches often receives low priority until an incident occurs. Challenges exist to patching, including compatibility questions, uptime requirements and manufacturer warranty constraints—and, in some cases, these may prohibit updates entirely. A program for updates and patch management allows an organization to evaluate the risks in installing or delaying patches, and to determine its best plan of action, which may involve adding layers of other security controls around unpatched systems. Tools to automate the backup and patching of systems can significantly reduce the labor burden and cost of applying patches.

Due to the growth of digitalization, many companies have embraced new connectivity at a rapid pace, unintentionally leaving networks with unprotected or inadequately protected points of access. Segmentation is key to reducing the impact of security breaches by adding control points and inhibiting the spread of malware. While companies have made efforts to segment their network, this has not always been achieved with optimally secure results. The outcome is that companies may think they have segmented networks, but they may actually have a flat architecture, which opens up more risk. Organizations are encouraged to review network diagrams on a periodic basis to ensure that the network matches what has been documented.

Ability to detect. Vulnerabilities in networked systems are discovered frequently, and it is the responsibility of the organization to become aware of these as soon as possible. Actively monitoring sources such as the ICS Cyber Emergency Response Team (ICS-CERT), vendor websites and industry journals is a best practice for an organization to increase awareness. A more proactive approach is to subscribe to receive push notifications, which are specifically related to a system’s installed components. Product and system suppliers must provide options for customers or any affiliate to confidentially report a security concern to promote timely remediation.

It is becoming increasingly important to monitor ICS-specific protocols and to define the anomalies to normal operations. With this monitoring comes the need for log collection, aggregation and analysis. Because the ICS industry is production focused, there are challenges with trusting intrusion prevention system (IPS) active blocking policies that may interrupt operations. However, several passive monitoring technologies can help identify a potential threat without adding to the risk of disruption. As the industry becomes comfortable with the analysis of these cybersecurity anomalies and more readily allows implementation of active prevention policies, additional protection from cyber threats to the ICS environment will be possible.

Ability to respond. It is highly likely that all organizations will eventually experience a security incident. The impact of that event is largely determined by the strength of a company’s incident response program. Thoroughly planning and communicating what actions are to be taken by each party ensures a coordinated response and greatly reduces the potential negative impact. Having a strong communication plan—with already drafted holding statements—helps customers, and all those impacted, feel more comfortable in the case of an incident. Holding incident response exercises allows companies to practice and gain familiarity with roles and responsibilities.

Ability to recover. Organizations must be able to back up and restore their systems to a near-real-time position regardless of whether the event was caused by a cyberattack, human error or physical failures. Unfortunately, some organizations only find out that proper backup and recovery plans do not exist until after the event has occurred. This will greatly reduce the speed of recovery, which will increase the overall negative impact of the event. Ensuring that networking devices, human-machine interfaces, controller configurations and PLC configurations are backed up on a regular basis is imperative to a quick recovery. A planned and tested recovery strategy is key to reducing the impact that a cyberattack may have on your environment. Tools that can automate backup can also reduce the burden of performing routine backups to employees.

Ability to comply. Security is a product of people, processes and technology, and organizations often forget that these people include every individual with access to their networks and assets. Security awareness training for all personnel is a necessity to not only educate everyone on their role, but to also change corporate culture to one that prioritizes a robust security posture.

Effective risk management

Risk can be broken down into two categories: operational risk and cyber risk. In terms of operational risk, the effects tend to be more tangible, including equipment failure, personnel safety or environmental impact. In contrast, the goal for cyber risk is to manage an organization’s exposure to vulnerabilities that may cause data loss, privacy concerns or reduced network security. Ultimately, uptime, efficiency, revenue loss and reputational damage are key focus areas, regardless of the type of risk.

These challenges (e.g., cyber asset management, increasing industry standards, cost pressures and staff reductions) make measuring cyber risk difficult. The following are best practices to measure cyber risk:

  1. Choose a consistent method to quantify cybersecurity risk. In theory, this is simple; however, in reality, it is more challenging, as the method must be adjusted to align to a company’s unique use case.
  2. The holistic organization (not only IT/OT/technology) should set the risk thresholds and obtain acknowledgment from the organization at large. The risk threshold must be easy to understand. For example, a threshold must explicitly define what is acceptable vs. unacceptable, as opposed to measuring risk on a scale of 1 to 5. It is critical to make measurements easy to comprehend for all.
  3. Align the cyber risk to enterprise risk. Traditionally, risk has been presented to company executives and the board collectively. Boards are evaluated on measuring risk in an organization and are personally liable for decisions made. A main reason that cyber risk management seems more complicated than it might actually be is because of the distinction in how risk rolls up to management.
  4. Security is a continuous effort. Organizations should strive for increased cyber risk management maturity levels each quarter, year and period.

Cybersecurity information sharing

Information sharing is one of the key activities that organizations can engage in to optimize their efforts in meeting cybersecurity challenges. The aim of the organizations listed in TABLE 1 is to coordinate efforts between government and industry (in some cases, across multiple sectors), allowing information, knowledge and expertise to be shared. An organization should select information sharing groups to stay up to date on what may be relevant to their given industry or company.

 

Cybersecurity governance

Many standards, regulations and guidance documents are available. Developed by one or more corporations, associations, regulatory bodies or standards organizations, some may be voluntary or mandatory. For example, such works support compliance, improve risk management and outline recommended procedures as related to cybersecurity. It is important to know which ones are mandatory and/or advisable for your organization. The authors’ recommendation is for organizations to leverage this information to best fit their business model. Some of the most widely recognized standards, regulations and/or guidance documents are detailed in TABLE 2.

 

Takeaway

Security is a journey, not a destination. Organizations that embrace this are better equipped to achieve lasting improvements in their levels of cybersecurity risk. Business and technology are dynamic, and risk factors change frequently in response to both internal and external events. Cybersecurity programs must continually look for new potential risks and periodically review past decisions to determine whether new information affects their assessments and actions taken. Collaboration in some capacity must occur to truly cover all bases when it comes to cybersecurity; engaging original equipment manufacturers and service providers is key. Therefore, organizations should seek guidance among their peers, third parties, experts and authorities in their cyber journey. With the growing awareness of cybersecurity challenges, and how to surmount them, come opportunities for organizations to be successful in this dynamic digital age.

LITERATURE CITED

  1. Kovacs, E., “IBM reports significant increase in ICS attacks,” Security Week, December 2016, online: https://www.securityweek.com/ibm-reports-significant-increase-ics-attacks

The Authors

Related Articles

From the Archive

Comments

Comments

{{ error }}
{{ comment.comment.Name }} • {{ comment.timeAgo }}
{{ comment.comment.Text }}