‘Security is one of the leading inhibitors to widespread adoption of IIoT applications’
Larry O’Brien, Vice President, ARC Advisory Group, USA.
The flipside of connectivity is the vulnerabilities that come along. How serious is the threat?
Most process industries have been engaging in remote connectivity of some form or another for quite some time, and there are several solutions available on the market today that provide secure remote connectivity to systems and devices. Most of the large end users are aware of the threat that remote connectivity provides, but if you get into some of the other industry segments outside of the traditional heavy process industries, this isn't always the case. Some examples include critical infrastructure applications like container ports and smart buildings, where they are more behind in their adoption of secure connectivity solutions. The push toward IoT and edge computing is complicating this scenario because these solutions are different from traditional industrial control system architectures.
It is no longer possible to compartmentalise systems and treat their security as a bounded problem. The convergence of products and technologies means that “everything is connected,” which requires a much broader perspective. In addition to looking at a broader range of solutions and technology, we also must take a longer perspective in terms of the timeline or lifecycle.
How can organisations address the issues of cyber attacks and IT security in the age of connected plants?
Companies can draw from a wealth of materials offered by standards bodies, such as the IEC and the 62443 industrial cybersecurity standards, which is the primary standard of reference for industrial applications. Companies must also invest in training and new employees. Most industrial companies will train people from within in cybersecurity. Make sure you get your training from a reputable source, such as SANS Institute.
Designing an effective cybersecurity management program for automation systems is a complex endeavour. It begins with identifying assets and defining the scope of the system to be protected. This is followed by an assessment of risk to determine the most appropriate security controls and countermeasures. Asset owners must then implement and operate these controls in a consistent manner to ensure continued protection.
One major threat comes from growing proliferation of IIoT devices and storage (cloud). How can users deal with such threats?
Security remains one of the leading inhibitors to widespread adoption of Industrial IoT applications. Zero-trust security, where the hardware doesn’t trust the software and vice versa, is emerging as the baseline for edge implementations. End-to-end secure encrypted network designs are necessary. The migration toward using Linux and other standard operating systems coincides with a migration away from secure-by-configuration, which relies on implementation; to a secure-by-design emphasis that enables more standardised approaches. Scalable device access and authorisation strategies are paramount, as are data encryption and intrusion protection. Make sure device authentication occurs before connection is enabled, an improvement over legacy procedure.
A leading cybersecurity player recently demonstrated internal vulnerabilities like USB devices. Are employees adequately trained?
Holistic and comprehensive cybersecurity governance builds awareness and effectiveness across the entire enterprise. This requires C-level involvement and engagement to be successful. Success also requires collaboration horizontally, between engineering, IT, and operations. This collaboration should be embedded into the organisational structure.
Managing risk and adopting a risk-based approach to cybersecurity will be increasingly necessary in the age of convergence. Adopting methodologies from the process safety sector like process hazard analysis risk matrices is a good foundation for implementing the principles of the IEC 62443 cybersecurity standard.
Do companies compromise security by their unwillingness to spend, attributing it to risk appetite?
For many end users in manufacturing and critical infrastructure, cybersecurity policy focuses on countering potential threats by reducing exposure to phishing, beefing up password security, etc. ARC Advisory Group’s maturity model for cybersecurity enables end users to measure their own overall level of security and sophistication. Many end users are realising, however, that they cannot possibly address every threat all the time and are thus looking at the science of risk management to help prioritise their efforts.
Significantly, cybersecurity risk is no longer limited to the cyber world but can have very real consequences in the physical world. These risks exist along a spectrum of severity that ranges from simple unplanned downtime in operations to a plant explosion or release of hazardous materials. Stuxnet, which proved that physical assets like nuclear centrifuges can be destroyed through cyber attacks, gave birth to this realisation. And even though the initial attack resulted in a safe plant shutdown, TRITON/TRISIS malware showed that process safety systems could be compromised and reprogrammed maliciously so as not to shut down a plant or process in case of an abnormal situation.
Since the malware and attackers will only get more sophisticated over time, we can no longer view safety and cybersecurity as separate domains.
Is there an ideal solution that reaches a fine balance?
ARC developed the Industrial Cybersecurity Maturity Model to help industrial managers understand their cybersecurity challenges without having to become cybersecurity experts. It enables managers to balance cybersecurity investments with their willingness to accept cyber risks and the cost benefits of additional security layers.
ARC’s model breaks cybersecurity into a set of steps that incrementally reduce cyber risks. Each step addresses a specific, easily understandable, security issue like securing individual devices, defending plants from external attacks, containing malware that may still get into a control system, monitoring systems for suspicious activity, and actively managing sophisticated threats and cyber incidents. Each step has an associated set of actions and technologies that can be used to accomplish its goals. The model also shows the human resources and tools required to sustain and utilise the technology investments effectively.
Larry O’Brien is part of the cybersecurity and smart cities and infrastructure teams at ARC, with a 20-year background in process control, process safety, and field devices/field networks. Larry has also supported many of ARC’s end user clients in the oil and gas and refining industries and has conducted several supplier selection workshops.