Collaboration? Yes, that’s how we’ll build a robust cybersecurity landscape
Assessing the key players and strategies
By Andrew Kling
Ten years ago, cybersecurity was a trend, a small but important issue industrial manufacturers were just aware of. But today, with the threatscape increasing exponentially in scope and scale, cybersecurity is completely revolutionizing industrial manufacturing around the globe. It is time for the industry as a whole to reassess how it will secure and protect its people, assets, and operations from attack.
Cheaper computing power and connectivity are why cybersecurity has become the problem it is today. The Industrial Internet of Things (IIoT) and other emerging trends (e.g., digitization) bring true business benefits, but reaping the most value from these initiatives requires manufacturers to unify their operations and business processes in some way. One common way is by bringing the information technology (IT) functions that have historically controlled the business closer together with the operational technology (OT) functions that have historically controlled the manufacturing process. More intelligent, connected devices empower better visibility and control of more than just real-time operations. Plant managers can begin to control other critical business variables in real time, too, including safety, reliability, and, especially, operational profitability. This is the culmination of closing the OT-IT divide.
The promise of that approach is that manufacturers gain better, real-time visibility and control of their business performance, but connecting the business layer with the operations layer increases the entry points for potential hackers. And because many, if not most, of the systems that control our most critical and volatile manufacturing operations were installed decades ago, long before cybersecurity was a consideration, we are never safe from an intrusion. What is more, many of today's progressively bold, innovative attacks are perpetrated by malicious actors, such as nation-states, who effectively have unlimited time, resources, and funding. Such attacks aim to disrupt industrial activity for financial, competitive, political, or social gain. When you put it all together, it means every connected system must be viewed and assessed within the context of a comprehensive cybersecurity program.
Last year, the world's first known cyberattack on a safety instrumented system occurred. Commonly referred to as Triton, this incident remains a call to action for the global industrial process and manufacturing industry. In the year since, the industry has taken a step forward in cyberattack preparedness. Plant asset owners are addressing cyberrisks with more vigilance, and vendors continue to harden their solutions with cybersecurity built directly into the products.
These are important, positive steps. But industry has a long way to go, and the focus must be on facilitating and increasing collaboration among everyone associated with it.
When any attack or attempted attack happens, it is easy to point the finger at whoever is deemed responsible or question what could have been done differently. This sort of examination, both internally and externally, is necessary so that we can learn lessons and mitigate the risks of other attacks.
But finger pointing does not get us very far. Cybersecurity in industry affects a wide variety of players, including plant asset owners, suppliers, designers, process engineers, plant operators, third-party providers, integrators, standards bodies, academia, and government agencies around the world. Suppliers regularly collaborate with their plant asset-owner clients and with standards bodies, and so forth. Too rarely, however, do competitors within the space (whether foreign governments, suppliers, end users, or integrators) pool best practices and provide guidance to (or seek it from) those vying for market share.
When it comes to cybersecurity in mission-critical facilities, lives are at stake, as are massive operations. Fifteen years ago, the cyberthreats of today were unimaginable. The spirit of open and honest collaboration must thrive for us to best address cybersecurity in the decades ahead.
Start with standards bodies
One does not become an industrial cybersecurity expert overnight. Fortunately, experts do exist, starting with standards bodies that set detailed guardrails and best practices.
Although regulation and legislation vary by country, cyberattacks are border agnostic. Attacks, both attempted and successful, targeting a facility in any one country can have detrimental consequences worldwide. Therefore, it makes sense to have in place international standards and agreements on cybersecurity best practices.
This includes initiatives from ISA, including IEC 62443, a set of standards developed by the ISA99 and International Electrotechnical Commission (IEC) committees to improve the safety, availability, integrity, and confidentiality of components or systems used in industrial automation and control. Adopted by many countries, these standards can be used across industrial control segments. There are also others, including ISO/IEC 27001, which provides requirements for an information security management system (ISMS).
These standards are not set in stone, either, but instead evolve to reflect a changing threatscape. They become stronger when the wide range of companies and organizations working within the industrial space share their experiences and insights, as well as actively participate in refining these standards. For end users, a strong security culture has its foundations in a close tracking of and adherence to evolving standards, protocols, and best practices.
However, standards bodies are just one piece of a broader matrix of organizations that set guidelines and therefore must collaborate to address the monumental and ever-evolving task of cybersecurity. They must work hand-in-hand with government agencies.
With many of today's attacks being perpetrated by nation-state actors, strategies and protocols set by government agencies can make an impact. In 2013, the U.S. government directed the National Institute of Standards and Technology (NIST) to develop a framework that would become an authoritative source for cybersecurity best practices. Other countries have similar standards or are actively working on local versions. In some countries, like France, these standards even carry the weight of law. These cybersecurity standards create an ordered, structured approach to addressing cybersecurity challenges. They can help translate vague, fear-based concerns into common-sense risk analysis, risk tolerance assessment, and risk avoidance.
In 2018, hundreds of cybersecurity bills were introduced or considered in the U.S. The bills range from addressing reform in consumer credit card reporting to how data is collected on connected devices.
Jurisdictional legislation and regulation such as this can be effective, but across all governmental organizations, the key lesson is that effective and lasting cybersecurity programs are codified via defined roles, responsibilities, authorities, and executive order. Such action is a clear indication of institutional support for cybersecurity efforts and helps to reduce friction and confusion.
But governments can do much more than rely on political leaders to introduce legislation. The many three-letter governmental agencies in the U.S. (e.g., NSA, FBI, CIA, and DHS) have a responsibility to actively share knowledge. This can happen via the normalization of a trust-based relationship with the private sector, such as in Information Sharing and Analysis Centers (ISACs). Involvement between government and private-sector partners enables timely information sharing and mitigates risk across the industrial world.
Governments can set the parameters, but it is a monumental job to force manufacturers and end users into compliance. That is why incentives can help, especially by giving guidance to regional policymakers and granting funding that is connected to national cybersecurity priorities. Such funding would encourage asset owners to take initiatives that protect their industrial assets from attack and otherwise improve their cybersecurity posture.
There is more than one way to keep equipment, software, and operating protocols regularly updated. While there are different schools of thought on what works best in the carrot-versus-stick debate, incentives can promote broader adoption of cybersecurity standards through the development of upgraded vendor solutions (instead of relying solely on regulations and harsh financial penalties).
Under incentive-based programs that financially reward companies for regularly updating their equipment and software, staff should also be trained to remain compliant with the latest standards and regulations. The government helps prevent potentially catastrophic events from occurring; the plant receives funding to encourage reinvestment in the latest secure technology, staff training, and liability management initiatives. As with most aspects of cybersecurity prevention, a balance of regulation, standards, and incentives is often the best practice.
Sharing from public to private
Although communication between governmental bodies can be lacking, the framework for north-south communication between the public and private sectors is strong. This is where ISACs have an important role. ISACs are nonprofit organizations that serve as a central resource for gathering information on cyberthreats to critical infrastructure and providing two-way information sharing between the private and public sectors. They assist federal and local governments with information pertaining to cyberthreats. More than 20 exist within the U.S., Europe, and Canada. ISACs have verticalized, industry-specific expertise in a wide range of disparate segments: automotive, financial services, oil and gas, real estate, and even retail.
Each of these groups consists of industry experts who anonymously share cybersecurity intelligence vertically with government agencies. From there, the government disseminates this information to all relevant players in that specific industry. This model encourages vendors and other industry actors to share their experiences so that others can both benefit and advise.
While ISACs encompass the vertical, communities of interest (COIs) provide more horizontal guidance. COIs address communication among peers at the vendor and asset-owner level, not just with the government. An example of a COI is the SANS industrial control system (ICS) community, an initiative that equips security professionals and control system engineers with security awareness, work-specific knowledge, and hands-on technical skills for securing automation and control system technology.
In COI settings like this, companies within the industry can have open discussions with competitors around cybersecurity, without tipping their hands as to specific scenarios. By removing any sense of competitiveness, they instead instill a sense of community. For communities such as these to be most effective, they must include not only vendors, but asset owners, cybersecurity researchers, standards bodies, and even universities. There must be rules of engagement for discussion, but those with a vested interest and a part to play should be encouraged to participate. Otherwise it is not a true community. From public to private and across both levels, open and honest collaboration is essential to hardening our defenses against cyberattacks.
Where do we go from here?
Ongoing malicious attacks are our new reality. The good news is we have the means to confront them, and to build and advance a resilient "detect and respond" cybersecurity strategy across all levels of an industrial enterprise, but only if we take immediate, collective action.
We should be encouraged by the progress made over the past year, but there is always more work ahead. In fact, building cybersecurity resilience is an ongoing pursuit. We all recognize that cyberattacks can be made against any industrial control and safety system anywhere in the world, no matter who designed, engineered, built, or operates it. That means no single entity can solve this global issue. Instead, end users, third-party suppliers, integrators, standards bodies, industry groups, and government agencies must work together to help the global manufacturing industry withstand assaults on the world's most critical operations, thereby protecting the people, communities, and environments we all serve.
In a pervasively connected world that is aggressively closing the IT-OT divide, it is up to us, the manufacturing and ICS experts, to ensure legacy, pre-IIoT critical infrastructure systems and assets are able to shut the door on future Triton-like attacks. To do that, we must encourage transparency, open communication, and ongoing collaboration, not just vendor to vendor but across every layer of the industrial cybersecurity ecosystem. Now is the time. Our future depends on it.