Prepare now (yes, now) for the inevitable cybersecurity incident
By Marty Edwards
Almost every day we hear news of a company dealing with a cybersecurity problem. Ransomware. Data breach. Nation state. The loss of production systems from a single cybersecurity event can have a financial impact of hundreds of millions of dollars. Organizations that use any kind of automation system need to take proactive, defensive steps immediately to avoid significant business disruption and lost revenue.
Normally, I would be preaching the gospel of the NIST Cybersecurity Framework, the foundational elements set forth in the ISA/IEC 62443 standard, and the virtues of a sound risk assessment methodology. These methods have significant merit and are part of a comprehensive cybersecurity strategy. They simply take time to implement, and, in fact, many companies are just beginning their cybersecurity journey and do not know where to start.
Search no more. Start here.
Almost every risk assessment has a common theme: organizations do not understand which systems are important and do not properly segment the networks of these mission-critical operational technology (OT) systems from other enterprise systems, such as corporate information technology (IT) systems. I urge companies to find out: What are your most important business functions, and therefore your most important system functions? Where are these so-called "crown jewels"? Once you have identified that system or systems (it should be a small number), you need to protect them, and fast.
Step one: Disaster recovery
Make sure you have implemented a disaster recovery plan, and be sure there are recent and functional backups of the entire system, including operating systems, application software, engineering files, and configuration files. All backups should be kept "off the network," on media or systems that cannot be reached from the production network, because a backup that can be reached can also be encrypted. Recent ransomware attacks have spread automatically across networks, and organizations have discovered interconnections the hard way once their only backups were encrypted. A backup is only "functional" if you have actually restored from it. Until you have a systematic process in place to perform and test these backups, do not pass go, do not collect $200.
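What "recent and functional" means in practice is three separate checks: the backup is fresh, it has not been altered since it was written, and a test restore reproduces the original files. The script below is an added example, not code from the article or from any backup product. The files it backs up are a constructed stand-in for an engineering workstation's configuration, and the manifest layout and the 24-hour freshness limit are assumptions; point it at your own source directory and your offline media instead.

```python
"""Prove a backup is recent, intact and restorable, not merely present.

Added example, not from the original article.  The files backed up are a
constructed stand-in for an engineering workstation's configuration, and
the manifest layout and 24-hour freshness limit are assumptions.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, dest_dir):
    """Archive source_dir into dest_dir and write manifest.json beside it,
    recording the archive hash and a hash of every file inside it."""
    archive = os.path.join(dest_dir, "backup.tar.gz")
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _, names in os.walk(source_dir):
            for name in names:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                files[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    manifest = {"created": time.time(),
                "archive_sha256": sha256_file(archive),
                "files": files}
    manifest_path = os.path.join(dest_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return archive, manifest_path


def verify_backup(archive, manifest_path, max_age_hours=24):
    """Return a list of problems; empty means the backup passed all three
    checks: it is fresh, its hash matches, and a test restore into a
    scratch directory reproduces every file byte for byte."""
    problems = []
    with open(manifest_path) as f:
        manifest = json.load(f)
    age_h = (time.time() - manifest["created"]) / 3600
    if age_h > max_age_hours:
        problems.append(f"backup is {age_h:.1f} h old, limit is {max_age_hours} h")
    if sha256_file(archive) != manifest["archive_sha256"]:
        problems.append("archive hash does not match manifest")
        return problems  # do not extract an archive that has been altered
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' extraction filter (Python 3.12+, backported to
            # maintenance releases) rejects absolute paths and '..' entries.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **opts)
        for rel, expected in manifest["files"].items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"content differs after restore: {rel}")
    return problems


def demo(tamper=False, max_age_hours=24):
    """Build a constructed 'system', back it up and verify it.  With
    tamper=True the archive is altered first to show the check failing.
    Returns the list of problems verify_backup found."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "eng_workstation")
        os.makedirs(os.path.join(src, "config"))
        with open(os.path.join(src, "config", "plc_program.cfg"), "w") as f:
            f.write("LOOP_TUNING=P1.2 I0.4 D0.1\n")   # constructed content
        with open(os.path.join(src, "hmi_tags.csv"), "w") as f:
            f.write("tag,address\nFT101,40001\n")     # constructed content
        dest = os.path.join(work, "offline_media")
        os.makedirs(dest)
        archive, manifest = create_backup(src, dest)
        if tamper:
            with open(archive, "ab") as f:
                f.write(b"tampered")  # any change to the bytes must be caught
        return verify_backup(archive, manifest, max_age_hours)


if __name__ == "__main__":
    print("clean backup:", demo() or "OK")
    print("tampered backup:", demo(tamper=True))
```

The order of the checks matters: the archive hash is compared before anything is extracted, so a damaged or substituted archive is never unpacked, and the restore is done into a throwaway directory so the test never touches the live system.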
Step two: Network segmentation
Network segmentation might not be as easy as it sounds and will require some network reengineering, but I did it over 15 years ago by grouping equipment logically by plant area, function, and vendor. Distributed control system vendor A equipment all goes on this network. Vendor B systems go on this other network . . . you get the picture.
With the help of your vendors, map the data flows between these networks, and keep those flows to an absolute minimum. Your network design should reflect what data needs to go where, so adjust the design if necessary. Bring your new networks together at a common demarcation point, the so-called "demilitarized zone" (DMZ), rather than connecting them to each other directly. For the most critical systems, consider fiber-optic unidirectional gateway devices (data diodes), so information can flow only one way and intruders have no return path through the network connection. Most importantly, log the traffic that crosses these network boundaries, including refused connections, and review the logs routinely for anomalies, such as flows you never mapped and repeated refused attempts from a single source.
With your networks separated into manageable and appropriately connected parts (what ISA/IEC 62443 calls "zones and conduits"), you can begin to implement other improvements, such as patch management. Grouping devices and systems logically in this way allows you to make improvements quickly, without the added complexity and risk of affecting the operation of formerly interconnected systems that are now on their own network.
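The data-flow map from the previous step is worth more if it is written down in a form the log review can check against. The script below is an added example, not code from the article or from any firewall vendor. It treats the approved conduits as an allowlist of (source zone, destination zone, protocol, port) and reads boundary-firewall log lines looking for two things the text asks you to review for: allowed traffic that is not on the map, and a source that keeps getting refused. The zone address ranges, the conduit table, the log line format and the sample log lines are all constructed for illustration.

```python
"""Review boundary-firewall logs against the documented zone-to-zone conduits.

Added example, not code from the original article or any vendor product.
The zone address ranges, the conduit table, the log line format and the
sample log lines are all constructed for illustration; substitute your own
firewall's export format and your own data-flow map.
"""
import ipaddress
import re
from collections import Counter

# Constructed zone map (the "zones" of ISA/IEC 62443): zone name -> range.
ZONES = {
    "IT": ipaddress.ip_network("10.0.0.0/16"),
    "DMZ": ipaddress.ip_network("10.1.0.0/24"),
    "OT-VendorA": ipaddress.ip_network("192.168.10.0/24"),
    "OT-VendorB": ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed conduit allowlist, the output of the data-flow mapping step:
# (source zone, destination zone, protocol, destination port).
APPROVED_CONDUITS = {
    ("OT-VendorA", "DMZ", "tcp", 5432),  # historian replication into the DMZ
    ("OT-VendorB", "DMZ", "tcp", 5432),
    ("IT", "DMZ", "tcp", 443),           # corporate users read DMZ reports
    ("DMZ", "IT", "udp", 514),           # DMZ forwards syslog to the IT SIEM
}

# Constructed log format resembling a generic firewall syslog line.
LOG_RE = re.compile(
    r"action=(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

PROBE_THRESHOLD = 3  # denied attempts from one source before it is flagged


def zone_of(addr):
    """Map an address to its zone; an unmapped address is itself a finding."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def parse_line(line):
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "action": m["action"],
        "proto": m["proto"].lower(),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "src_zone": zone_of(m["src"]),
        "dst_zone": zone_of(m["dst"]),
    }


def review(lines):
    """Return (unapproved_flows, probing_sources).

    unapproved_flows: allowed cross-zone events whose conduit is not in the
    approved table, i.e. the rule base is looser than the map.
    probing_sources: {src: denied_count} for sources refused at least
    PROBE_THRESHOLD times, i.e. something is knocking on the boundary.
    """
    unapproved = []
    denied = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src_zone"] == ev["dst_zone"]:
            continue  # unparseable, or never crossed a zone boundary
        if ev["action"] == "DENY":
            denied[ev["src"]] += 1
            continue
        conduit = (ev["src_zone"], ev["dst_zone"], ev["proto"], ev["dport"])
        if conduit not in APPROVED_CONDUITS:
            unapproved.append(ev)
    probing = {src: n for src, n in denied.items() if n >= PROBE_THRESHOLD}
    return unapproved, probing


# Constructed sample log: one undocumented IT-to-OT RDP session and one IT
# host sweeping Modbus/TCP (port 502) across the vendor A zone.
SAMPLE_LOG = [
    "fw1 action=ALLOW proto=TCP src=192.168.10.5:50211 dst=10.1.0.20:5432",
    "fw1 action=ALLOW proto=TCP src=10.0.3.17:41022 dst=10.1.0.10:443",
    "fw1 action=ALLOW proto=TCP src=10.0.3.17:41030 dst=192.168.20.7:3389",
    "fw1 action=DENY proto=TCP src=10.0.9.44:55001 dst=192.168.10.5:502",
    "fw1 action=DENY proto=TCP src=10.0.9.44:55002 dst=192.168.10.6:502",
    "fw1 action=DENY proto=TCP src=10.0.9.44:55003 dst=192.168.10.7:502",
    "fw1 action=ALLOW proto=UDP src=10.1.0.20:40000 dst=10.0.5.2:514",
    "fw1 action=ALLOW proto=TCP src=192.168.10.5:50300 dst=192.168.10.9:44818",
]

if __name__ == "__main__":
    flows, probes = review(SAMPLE_LOG)
    for ev in flows:
        print("UNAPPROVED", ev["src_zone"], "->", ev["dst_zone"], ev["proto"],
              ev["dport"], ev["src"], "->", ev["dst"])
    for src, n in probes.items():
        print("PROBING", src, n, "denied attempts")
```

On the constructed sample the review reports one unapproved flow (an IT host reaching an OT-VendorB host on 3389, which the firewall allowed but nobody mapped) and one probing source (10.0.9.44, refused three times while sweeping port 502). Traffic between two hosts in the same zone is skipped because it never passed the boundary device; an address that falls in no zone comes back as UNKNOWN and therefore can never match an approved conduit, which is the right default for a segment you forgot to document.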
At this point, I recommend against allowing remote access into these systems. If it is important enough to fall into the "crown jewels" category, it is important enough to call someone to walk over to a dedicated terminal to make required changes at 2 a.m. Why are you making changes at 2 a.m., anyway? Over time, as your cybersecurity plan matures, you can implement remote access systems with two-factor authentication. These systems are activated by authorized and trained personnel, only when needed, and all connections are monitored, recorded, and logged for forensics purposes.
These initial two steps, if taken now, will significantly lower your risk from an external network cyberattack. There certainly are many more steps to take in an overall cybersecurity strategy, and other threats to address, such as insiders. By taking these steps first, you will have accomplished what many have not and begun your journey down the pathway of sound cybersecurity management.
For additional resources, see www.automationfederation.org/Resources/IndustrialCybersecurityResources and www.isa.org/cybersecurityresources.