Identifying and overcoming cybersecurity challenges
By Paul J. Galeski, PE, CAP
Today’s cyberthreat landscape is constantly changing with a growing list of highly publicized attacks against the government, retail stores, and business information networks. The number of incidents against industrial networks is also growing—and they often go unreported.
Most of today’s industrial networks are not isolated from corporate business networks or the Internet. In fact, many of the recent gains in productivity are a result of integration between business and industrial control networks. Productivity techniques that have become commonplace, such as just-in-time manufacturing and lean inventories, are only made possible through the use of a highly integrated network. The conduits that permit data exchange between these networks make the industrial control network as vulnerable to attack as the business network. In addition to this obvious path, employees using universal-serial-bus drives or contractor laptops are potential points of infection by computer viruses. Remember cybersecurity is not only protection from unauthorized access, but also from inadvertent damage.
Most companies know they must address cybersecurity, but there is little understanding of the risks, problems, and answers. Here is a frank assessment of the issues, along with suggestions for action.
There have been countless articles, webcasts, conferences, videos, and other discussions of cybersecurity defensive strategies, but few provide sufficient detail to help structure an effective program. I recommend using the ISA/IEC 62443, Industrial Automation and Control Systems Security standard, or if applicable, the API 1164 Pipeline SCADA Security standard, as starting points. Most standards call for a complete inventory of all industrial network cyberassets, network layouts, communication paths, and identifiable vulnerabilities. Performing inventory to the level of detail required is very time consuming, which is why most plants have not completed this first crucial step. However, without this step, other attempts at formulating a defensive strategy can fall flat.
How much is enough? It depends on what is at stake. If a business has not quantified the risk, it might be all but impossible to get funding to implement mitigation policies and equipment. Would an extended disruption of your process effect profitability, or even worse, safety or the environment? How much is this worth to you and the shareholders? Knowing this number will help overcome the largest challenges to cybersecurity: funding and implementation.
You can view cybersecurity in a similar light as a process safety system. A well-designed safety system balances the potential of loss to the business with the cost to implement appropriate safety measures. This is no different for a cybersecurity program. In a simple sense, if you determine a likely cybersecurity incident may cost the company millions of dollars or lost production, spending a fraction of this potential loss on mitigation is just good business.
Given the age of many of the components in most industrial environments, most assets on industrial networks have no provision for their own security. They have no capability to encrypt communication between devices, and they use unsecured communication protocols. Many new devices are no better. This is changing, but not fast enough.
Implementing a comprehensive cybersecurity program, users often find they do not have enough qualified people with the skills to understand and implement defensive strategies for industrial networks. Companies should expect to contract with knowledgeable firms, while at the same time committing to formal employee training. Cybersecurity threats are constantly changing, requiring an effective cybersecurity program to be evergreen.
So now what? There are many items we could add to the list, but these are actions you can take now:
- Know your industrial network. It seems obvious, but it is the most overlooked item.
- Perform a vulnerability assessment to define, identify, and classify the security vulnerabilities in your industrial control system.
- Follow up your vulnerability assessment with a security risk assessment to determine the likelihood and consequences of a successful cyberexploit.
- Define and implement cybersecurity policies and procedures and add tools and technologies as needed.
- Educate your employees about cybersecurity and prevention.
- Leverage your employees with knowledgeable outside resources.
- Actively participate in the development of industry-based cybersecurity standards and working groups.
No system will ever be 100 percent secure. Business analysis should balance quantifiable business risk with prudent investments to achieve results “good enough” relative to the consequences and downside risk of a cyberattack.