These changes expose new vulnerabilities in Industrial Control Systems and, as a result, open the door to cyber threats that are more sophisticated and targeted than ever before.
In order to gain insight on how to best monitor and secure industrial infrastructure operations, we turned to 10 influencers who shared their thoughts on what IT and OT personnel can expect in 2018, and how to prevent cyber threats from disrupting critical operations in the coming year.
1. General (Ret.) David Petraeus
Partner, KKR & Chairman, KKR Global Institute
Retired Four Star General and Former Director of the CIA
The big idea in cyber security is that no single product or application will provide the level of security needed. Rather, what is required is a comprehensive approach that integrates a number of different products and includes enterprise management and network operations monitoring, all specific to each firm's situation.
The overall process should include identification of all devices that touch the network; minimization of the available attack surfaces (in part by moving to the cloud); identification and removal of all known malware and viruses; and then establishment of comprehensive, integrated cyber security that includes a specific network architecture for the firm that seeks to protect.
In particular, it should also address the firm's most important data, perimeter security, AI-enabled endpoint security, identity verification, anomaly detection, system administrator background checks and monitoring, work force training and monitoring, network hygiene monitoring via a 24X7 operations center, physical/site security (especially of switches and servers), security of power for the site, redundant data backup, incident response protocols and remediation procedures, and even cyber risk insurance. And, of course, if industrial operating systems are involved, the comprehensive security should include Indegy.
2. Mark Weatherford
Chief Cybersecurity Strategist, VArmour
Former Deputy Under Secretary for Cybersecurity at Department of Homeland Security
Regulations and compliance requirements are going to continue to grow as a significant part of our security lives. The electricity and financial sectors are already living with burdensome cybersecurity compliance standards and it’s inevitable that other sectors are going to feel this kind of pain – sooner rather than later.
There is a growing and distinct lack of sympathy within the legal community for companies who have suffered a security incident and then learned that they were either derelict or slipshod in the implementation of security controls.
While some people say they are blaming the victims rather than the criminals, it’s hard to argue for the victim when an organization has been obviously negligent. The government loves nothing more than to find a gap that needs to be filled and in the case of cybersecurity, they’ve found their opportunity.
There are currently 184 bills, resolutions and amendments in the US Congress that directly and indirectly highlight cybersecurity. In 2018 we’ll see a growing number of industries targeted with greater cybersecurity regulations.
3. Sid Snitkin
Vice President & GM Enterprise Services, ARC Advisory Services
ARC’s research shows that most industrial companies have already invested in the cybersecurity technologies and practices recommended by automation suppliers and security consultants.
But these passive defenses, like firewalls and anti-malware software, are not enough to protect operations from the growing threats of advanced, targeted attacks by sophisticated cyber criminals and nation states.
To deal with these risks, industrial organizations need a defense program that enables them to actively respond to incidents. This includes continuous system monitoring that detects and alerts on incidents in real time, and a staff of people who can quickly analyze and react to suspicious behavior.
As this is a shared IT-OT concern, companies need to recognize the urgency of this situation and finally develop a strategy for overcoming the cultural barriers that have plagued more effective integration of IT and OT cybersecurity programs.
4. Brian Harrell
President and Chief Security Officer, Cutlass Security
Senior Fellow, Center for Cyber and Homeland Security (CCHS), GW University
Whether you call it convergence, a holistic security approach, or the integration of the IT/OT/Physical security disciplines, the benefits far outweigh the negatives. Arguably, convergence can be defined as the integration of logical security, information security, operational security, physical security, and business continuity.
Today, we see many companies within the critical infrastructure sectors gravitate towards a combined security organizational chart as this is an effective and legitimate way to ensure cooperation and accountability. The ability to systematically collect and analyze threat data and to accurately report the current security condition is critical in the face of emergent hostile attacks and enables security professionals to detect threats and maintain situational awareness.
A security operations center (SOC) that relies on cameras, perimeter intrusion detection, and motion-activated alarms depends on IT infrastructure for success. Likewise, a company’s cyber infrastructure, NERC CIP program, and industrial control systems rely on physical security mitigation measures to keep systems inaccessible to physical threats.
As malicious actors increasingly focus on manufacturers and other industrial targets, IT and OT must work together to protect the business. Without convergence, the “silos” of security can leave gaps in the overall risk posture and promote duplication of effort. This is a tremendous waste of resources that could better be allocated for infrastructure “hardening”. It only makes sense that we start to see merged security programs.
5. Joe Weiss
PE, CISM, CRISC, ISA Fellow
Managing Partner, Applied Control Solutions
Network segmentation is not only important for control system networks, it is also important for safety systems. Segmentation should include control systems from business networks as well as high criticality ICS networks from lower criticality ICS networks. Segmentation should also include safety system networks from non-safety system networks.
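The zoning Joe Weiss describes (business separated from control networks, high-criticality ICS from low-criticality ICS, safety from non-safety) can be expressed as a default-deny conduit table and checked against observed flows. The following is an added example, not code from the article or from Applied Control Solutions; the zone names, address ranges, permitted ports and flow records are all constructed assumptions for illustration.

```python
"""Zone/conduit policy check over constructed flow records (added example)."""
import ipaddress

# Assumed zones and address ranges: hypothetical, not from the article.
ZONES = {
    "business": ipaddress.ip_network("10.0.0.0/16"),
    "ics_low":  ipaddress.ip_network("10.10.0.0/16"),   # HMIs, historians
    "ics_high": ipaddress.ip_network("10.20.0.0/16"),   # controllers
    "safety":   ipaddress.ip_network("10.30.0.0/16"),   # safety instrumented system
}

# Permitted conduits: (src zone, dst zone) -> allowed destination ports, or
# None for "any port". Pairs absent from the table are denied (default deny),
# which is what keeps business traffic out of control networks, low-criticality
# ICS out of high-criticality ICS, and everything non-safety out of safety.
CONDUITS = {
    ("business", "business"): None,
    ("ics_low", "ics_low"): None,
    ("ics_high", "ics_high"): None,
    ("safety", "safety"): None,
    ("business", "ics_low"): {443},    # read-only historian web access
    ("ics_low", "ics_high"): {502},    # Modbus/TCP from HMI to controllers
}

def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(src, dst, dport):
    """Return (src_zone, dst_zone, verdict, reason) for one initiating flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if (sz, dz) not in CONDUITS:
        return sz, dz, "deny", "no conduit defined between zones"
    allowed = CONDUITS[(sz, dz)]
    if allowed is None or dport in allowed:
        return sz, dz, "allow", "permitted conduit"
    return sz, dz, "deny", "port %d not permitted on conduit" % dport

def parse_flows(text):
    """Parse 'src,dst,dport' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split(",")
        flows.append((src, dst, int(dport)))
    return flows

def find_violations(text):
    """Return the flows the zone policy would deny, each with its reason."""
    violations = []
    for src, dst, dport in parse_flows(text):
        sz, dz, verdict, reason = evaluate(src, dst, dport)
        if verdict == "deny":
            violations.append((src, dst, dport, sz, dz, reason))
    return violations

# Constructed flow records, in the shape a firewall or NetFlow export might give.
SAMPLE_FLOWS = """
# src,dst,dport
10.10.5.20,10.20.1.10,502
10.0.3.7,10.10.5.40,443
10.0.3.7,10.20.1.10,502
10.0.3.7,10.10.5.20,3389
10.10.5.20,10.30.0.5,502
10.20.1.10,10.30.0.5,502
192.168.77.2,10.20.1.10,502
"""

if __name__ == "__main__":
    for violation in find_violations(SAMPLE_FLOWS):
        print(violation)
```

Five of the seven constructed flows are denied: business to controllers, RDP over the historian conduit, two attempts to reach the safety network from non-safety zones, and a flow from an address that belongs to no defined zone. The table models connection initiation only; return traffic is expected to be handled by stateful firewalls at the zone boundaries, and unknown addresses are deliberately treated as a violation rather than ignored.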
6. Lucian Fogoros
Co-founder, IIoT World
Building an Industrial Controls Systems Security routine is no longer an option, but a necessity. It needs to be a top priority for any industrial company decision maker as failing to take action can not only cost your job but may lead to legal troubles and massive losses.
According to a recent report from Cybersecurity Ventures, ransomware damages in 2017 would reach $5 billion, a 15-fold increase over the last two years.
According to the same source, global damage costs in connection with ransomware attacks are predicted to reach $11.5 billion annually by 2019. Ransomware is just one threat. Protect your organization or expect disruption!
7. Bengt Gregory-Brown
VP of R&D and Co-founder, Control System Cyber Security Association
There are clear and immediate steps to increase security and resiliency of every industrial network, such as segmentation and auditing, but the crux of our insecurity problem lies in lack of visibility.
Estimates vary, but we continue to see dwell times of months between bad actors breaching systems and our discovering them.
We have got to be capturing anomalous behavior and taking action to shut down infiltrations much, much faster, and that requires knowing what our normal ICS network traffic looks like and having intrusion detection systems in place to notice abnormalities.
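Knowing what normal ICS traffic looks like and alerting on departures from it, as described above, is a baseline-then-detect problem. The block below is an added example and not code from the article or from the Control System Cyber Security Association: it learns which Modbus/TCP conversations exist and how busy they are during a known-good window, then flags new conversations and rate spikes in a later window. The addresses, function codes, window size, rate factor and records are constructed assumptions.

```python
"""Baseline-then-detect for ICS traffic (added example, not from the article).

Records are constructed tuples (timestamp_s, src, dst, dport, modbus_fc).
A real deployment would derive them from a SPAN/tap via a protocol-aware
parser; here they are synthetic so the block runs offline.
"""
from collections import defaultdict

MODBUS_FC = {1: "read coils", 3: "read holding registers",
             6: "write single register", 16: "write multiple registers"}

WINDOW_S = 600      # rate buckets of 10 minutes (assumed)
RATE_FACTOR = 3     # alert when a window exceeds 3x the learned maximum (assumed)

def conversation_key(rec):
    """A conversation is who talks to whom, on which port, doing what."""
    _ts, src, dst, dport, fc = rec
    return (src, dst, dport, fc)

def count_per_window(records):
    """conversation key -> {window index -> event count}."""
    per_window = defaultdict(lambda: defaultdict(int))
    for rec in records:
        per_window[conversation_key(rec)][rec[0] // WINDOW_S] += 1
    return per_window

def build_baseline(records):
    """Learn which conversations exist and their peak per-window event count."""
    return {key: max(buckets.values())
            for key, buckets in count_per_window(records).items()}

def detect(records, baseline):
    """Flag conversations absent from the baseline and rate spikes in known ones."""
    alerts = []
    for key, buckets in count_per_window(records).items():
        src, dst, dport, fc = key
        label = MODBUS_FC.get(fc, "fc %d" % fc)
        if key not in baseline:
            alerts.append(("new-conversation", key,
                           "%s -> %s:%d %s" % (src, dst, dport, label)))
            continue
        for window, count in sorted(buckets.items()):
            if count > RATE_FACTOR * baseline[key]:
                alerts.append(("rate-spike", key,
                               "window %d: %d events vs baseline max %d"
                               % (window, count, baseline[key])))
    return alerts

# Constructed hosts: HMI, engineering workstation, controller, office PC.
HMI, EWS, PLC, OFFICE = "10.10.5.20", "10.10.5.30", "10.20.1.10", "10.0.3.7"

# Constructed known-good window: HMI polls the PLC every 60 s, EWS reads twice.
BASELINE_RECORDS = ([(t, HMI, PLC, 502, 3) for t in range(0, 600, 60)]
                    + [(100, EWS, PLC, 502, 3), (400, EWS, PLC, 502, 3)])

# Constructed later window: HMI polls 4x faster, the EWS issues a register
# write it never issued before, and an office host reads the PLC directly.
DETECT_RECORDS = ([(t, HMI, PLC, 502, 3) for t in range(600, 1200, 15)]
                  + [(700, EWS, PLC, 502, 16), (800, OFFICE, PLC, 502, 3)])

def run_example():
    return detect(DETECT_RECORDS, build_baseline(BASELINE_RECORDS))

if __name__ == "__main__":
    for kind, _key, detail in run_example():
        print(kind, detail)
```

On the constructed data this yields three alerts: a rate spike on the HMI polling (40 events against a learned maximum of 10), a new conversation for the engineering workstation's write, and a new conversation for the office host. The baseline window must itself be clean, so it should be taken during a period that has been reviewed, and keys that are legitimately rare (a quarterly firmware update from the engineering workstation, for instance) need to be added to the baseline deliberately rather than learned by accident.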
8. Ken Modeste
Leader, Cyber Security Services, Underwriters Laboratory
Begin plans to secure your supply chain. Start identifying all elements of your supply chain and begin requesting data on the security practices of the affiliated vendors. To understand strengths and weaknesses of your facilities, you need to identify the components of the facility, and begin looking at the supply chain for these components. What components are they made out of? Where is the software coming from? (e.g. open-source, commercial, internally developed).
What are the practices deployed into the supply chain to ensure that optimum cybersecurity hygiene is considered as well as price and feature set?
Understanding all the components of your facilities, how they are made, as well as their contents, will help you develop a plan to address weaknesses and enhance strengths. You can use this process over time to start vetting supply chain vendors and removing those that do not adhere to your organization's security practices.
If more companies do this regularly in 2018, the industry as a whole will see a gradual increase in the security effectiveness of systems, as the market will begin demanding this type of action more and more frequently.
9. Tom Alrich
Independent Consultant, Tom Alrich LLC
An important part of cyber security is supply chain security. Except for the military and a few other organizations, this hasn’t been a big priority - especially in ICS.
However, with CIP-013, the new NERC CIP standard for supply chain security likely to come into effect in 2019, that situation will change this year. All ICS security professionals, not just those in the electric power industry, need to read up on supply chain security and start to make it an explicit goal of their organization.
10. Ernie Hayden
MIPM, CISSP, CEH, GICSP (Gold), PSP
Owner/Principal, 443 Consulting LLC
For 2018 my first recommendation to any and all organizations relying on industrial control systems (ICS) is to hire a qualified, experienced company or individuals to conduct a thorough ICS security assessment of the organization and facilities.
The security assessment should include both cyber and physical security inspections of systems, buildings, and property looking for vulnerabilities as well as strengths/good practices. The vulnerabilities need to be identified and a recommended corrective action should be documented.
The vulnerabilities should then be assessed relative to their resulting risk to the plant/enterprise and classified as Critical, High, Medium, Low or Informational. Management can then take this list of issues and focus their resources -- i.e., manpower and money -- on the higher risk issues first. Such an assessment is a great way to start the year and can help with budgeting, resource assignment and identification of key concerns.
Of course, anything potentially affecting safety or production should be attended to first.