By Peggie Ward Koon, Ph.D.
One of my favorite shows is NCIS Los Angeles. Every Monday night I sit in front of the tube to see what type of threat agents Callen, Deeks, Kensi, Sam, Nell, and Eric will encounter. Usually these episodes are all about crimes being investigated, either in the U.S. or at some remote place around the globe, by a fictional team of the Naval Criminal Investigative Service (NCIS). And these agents intervene to either mitigate or eliminate the threats. One of the most interesting episodes aired during the holidays and was entitled “Humbug.” The story began with the team investigating a case that at first glance appeared to be about a fire that was deliberately started in the server room of a cybersecurity company, See Bug Systems. See Bug Systems developed software to protect companies from cyberattacks. The company also produced malware that it used to test its software. And the owner of the company was being asked by the U.S. government to help prevent cyberattacks against U.S. mission-critical systems.
As the plot unfolds, the NCIS agents realize that the arsonists used the fire in the computer room as a diversion; the real threat is a file that was copied from the servers to a thumb drive. Eric explains that the thumb drive contains malware that can be used to shut down programmable logic controllers used in automation. This particular malware could be used to shut down electric power plants. And Sam explains that if the file got into the wrong hands, it would be disastrous. The file would allow its owners to shut down communications and electric power, resulting in no heat, no lights, and no electrical power—across the entire country.
When asked how this happened at a company that sells cybersecurity software, the owner said that a new security system was scheduled to be installed after Christmas. Of course there were many other twists and turns in the story, including the use of other malware to divert funds to a secret corporate account. There was deception, fraud, murder, and all the typical components of a classic episode of NCIS LA.
I really related to this episode for several reasons. First, it was all about cybersecurity—one of the hottest topics today. You can hardly watch, listen to, or read the news without encountering a story about cyberthreats. From the famous Sony Pictures hackers threat to identity theft at department stores and banks—cybersecurity is being discussed everywhere.
Second, it was about automation. More often than not, the cybersecurity discussion is focused on preventing threats related to identity theft, confidentiality, finances, intellectual property, or other types of enterprise data, information, or assets. But if you attend an automation seminar, participate in an automation webinar, or attend any conference on manufacturing, automation, or operational information technology (IT), a cybersecurity discussion or presentation is sure to be included as one of the tracks on the schedule. Cybersecurity is needed in automation, too!
Now I know that there is a plethora of television shows and movies focused on cybersecurity and cyberthreats. But this NCIS story is not just a story about cybersecurity, deception, fraud, and personal security breaches. In the NCIS Los Angeles episode, a fictitious company—like so many real companies—is not secure, because it failed to identify or address both infrastructure and technology vulnerabilities. The episode raises awareness of a different type of cybersecurity—the type that addresses a threat to our nation’s mission-critical infrastructure—a threat that is real.
Finally, the episode highlights the need for automation companies that provide critical services—IT, power, food and pharmaceuticals, water and utilities, manufacturing, chemical, oil and gas, and others—to not only have secure systems and components, but also to have a workforce that has been trained to detect and deter cyberattacks affecting mission-critical operations.
Cybersecure operations: Understanding the threat and developing the workforce is key
According to the ISA website, “Cybersecurity for the industrial enterprise is quite different from cybersecurity for other areas.” Enterprise security (whether for an office or even for a bank or credit card processor) is usually focused on confidentiality, integrity, and availability. The acronym CIA is often used to emphasize that securing these functions of the enterprise is paramount and that protecting the data on the servers is the first priority.
Operations security, or industrial control security, is different. In a manufacturing environment, the first priority is availability—to keep the plant running. Integrity and confidentiality are achieved if possible. Hence the acronym AIC is commonly used when referring to industrial control security. “ISA has developed the most comprehensive standard, ISA99, which has now become the global industrial cybersecurity standard IEC 62443. Also, the ISA Web site has textbooks, training, and a new certification program. The ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate is the first of several certification programs designed to provide clear evidence that you have understood and been trained to work in the very different world of industrial control security and systems.” Read more on the ISA website at Technical Topics > Cybersecurity.
ISA is also working to secure control systems using ISASecure™ components and systems from the ISA Security Compliance Institute. “The ISA Security Compliance Institute manages the ISASecure™ program, which recognizes and promotes cybersecure products and practices for industrial automation suppliers and operational sites. The ISASecure™ designation is earned by industrial control suppliers for products that demonstrate adherence to an industry consensus cybersecurity specification for security characteristics and supplier development practices.” Learn more about ISASecure™ and how to become part of the movement to secure critical infrastructure around the globe at www.isasecure.org.
Our government is also doing its part to raise cybersecurity awareness and to enhance our nation’s preparedness both with regard to critical infrastructure and workforce development. For example, the Cybersecurity Enhancement Act of 2014 was passed by Congress and signed by President Obama in December. The bill provides for “an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness, and for other purposes.” The Cybersecurity Enhancement Act of 2014 also formalizes the role of the National Institute for Standards and Technology in continuing to develop the voluntary Cybersecurity Framework. It includes provisions to promote cybersecurity research; private-public sector collaboration on cybersecurity, education, and awareness; and technical standards, which include a federal cloud computing strategy. It also directs the National Science Foundation to continue the Federal Cyber Scholarship-for-Service, a program designed to “increase and strengthen the cadre of federal information assurance professionals that protect the government’s critical information infrastructure.” Scholarship recipients “agree to work in the cybersecurity mission of a federal, state, local, or tribal agency for a period equal to the length of their scholarship.” Read about the Cybersecurity Enhancement Act of 2014 at UMBC CSEE.
Why is this important?
As the 2015 chair of the Automation Federation, I have become acutely aware of the importance of workforce development for mission-critical operations and the importance of providing cybersecurity training as a part of that effort. On a personal note, two new nuclear reactors are being built near my hometown. These reactors will be a critical economical source of energy for people like me in the surrounding areas. And because these reactors will be computer controlled, they also must be secure from cyberthreats. Recently I had an opportunity to tour the facility, and one of the first questions I asked was related to cybersecurity, including workforce development, at the plant. It is important to me, my family, and my community that the reactors are secure from cyberattacks and that the workforce is trained to identify, assess, and take actions to prevent cyberattacks.
Likewise, I try to remain aware of what our government is doing to help ensure that our nation’s mission-critical infrastructure is secure from cyberattacks and that the workforce that supports those systems is properly trained, so that they understand and have the tools to detect and deter cyberattacks against those mission-critical operations.
What should you do?
Don’t say “Bah humbug!” If you are an automation professional or an employee, manager, or owner at an automation company, you will want to make sure that you and your workforce understand cybersecurity for mission-critical operations and that you and your teams know how to ensure that your operations are secure. If you are affiliated with an educational institution that trains personnel in mission-critical operations, you will want to understand what courses and resources are required to provide cybersecurity training for mission-critical operations. Find out more about cybersecurity and developing secure operations and a cybersecurity-trained workforce on the ISA website at Technical Topics > Cybersecurity.