Security for industrial control systems, including supervisory control and data acquisition (SCADA) systems and distributed control systems, has always been a topic of interest, especially when addressing critical infrastructure such as electric, water and wastewater, oil and gas, chemical and others. Historically, most industrial control systems were uniquely different from traditional information technology (IT) systems because they were physically isolated; not connected to the larger enterprise system or other components; and using proprietary hardware and software , according to NIST Special Publication 800-82, "Guide to Industrial Control Systems (ICS) Security." When lower-cost, mainstream solutions became available, with common technology and Internet of Things, that started to change.
Industrial control systems rely on widely available computers, operating systems and network protocols, offering greater flexibility in system design and integration while also creating greater risks and challenges for those tasked with designing, building, maintaining and defending these systems. By transitioning to the use of widely available technology, system integrators and controls engineers are faced with securing platforms that are also readily available to bad actors looking to gain illicit access. Concurrently, global compliance mandates, such as the European Union’s General Data Protection Regulation (GDPR), are forcing companies to take more proactive steps to protect against cyber attacks. When facing these challenges and potential vulnerabilities, there are several ongoing precautions that can be taken to minimize risk while still benefiting from the convenience of modern connected systems.
Take action now
Fighting off a cyber attack as it is taking place is sometimes the only option, but preparedness can limit the likelihood of an attack by identifying and addressing vulnerabilities before they are exploited. Engaging with a third party to help to assess software vulnerabilities can prove beneficial for this process. There is no time like the present to take action as the world is only becoming more and more connected and vulnerable to attack.
1. Develop consistent internal guidelines. Clear internal procedures and specifications catered specifically to cybersecurity concerns are often the best starting point. To begin, formal documentation should address all requirements for third-party software, devices and components. Guidelines should be provided to potential vendors to help streamline the process of establishing a reliable supply chain. When the system is in place, procedures for both updates and testing should also be implemented. Where feasible, all products must be tested regularly and in isolation to help ensure continued expected security and an update schedule, covering both updates and patch releases, should be established. Change management should handle systems and their deployed patches. Proper control of the contents of a system should be managed regularly.
2. Beyond claims and guarantees. Vendor claims are a great place to start and product and system evaluations are a must, but the vendors themselves should also be fully evaluated to ensure adequate safeguards are in place. Finally, a vendor compliance policy should be implemented to outline clear requirements for system needs and security expectations. The end goal is to secure the supply chain with vendors who respect and understand the importance of cybersecurity, and those who do will often respect these policies.
3. Monitor and document. Implement a system to monitor the source and status (regarding updates) of every piece of software on every device. For ease, this system should pair seamlessly with your internal testing and scheduled updates.
4. Train. Employee training is absolutely critical. Even with the most stringent vendor selection guidelines and regimented update schedules, the single greatest vulnerability is often human error. Everyone with access to the system—even limited access—should be trained on proper precautions and recommended action.
5. Maintain a need-to-know philosophy. Only required parties should have back-end access to systems. If employees and software vendors are only given access to the systems they need and use, the potential for widespread malicious activity in the event of a breach is greatly diminished. Limiting what employees can access and the actions they can perform on systems to only what specifically falls under their roles helps to mitigate human error.
6. Plan. Develop a cybersecurity maturity plan. No organization has all the resources to accomplish its cybersecurity wish list annually. However, using some of the best practices that industry has defined and planning out how to get there over a multi-year effort helps organizations to develop a foundation of good cyber hygiene that the organization can grow and build upon. Try to avoid reactive policies or activity that doesn’t align with the plan unless it is to mitigate major issues. Obviously, the plan should be revised and modified regularly based on resources, events and technology.
With the current pace of growth in consumer and industrial technology—domains which continue to further blend together—is almost impossible to predict the cybersecurity landscape in the years to come. Despite this unpredictability, one fact remains as true as ever: A proactive approach to cybersecurity is the best way to be prepared for whatever takes shapes. By remaining diligent and aware of potential vulnerabilities and engaging with a third party for thorough evaluations and peace of mind, you can keep pace with changes in the larger cybersecurity landscape to help ensure that you are as prepared as possible to maintain security in the connected world.
ALSO READ: DHS cybersecurity director on avoiding security vulnerabilities when connecting to the IIoT