Industrial control system (ICS) cybersecurity has come a long way over the last decade.
Today, we have well-established guidance for securing industrial plants and SCADA systems, including IEC-62443, NERC CIP, and the NIST Cybersecurity Framework. Industry and governmental efforts to build awareness of cyber risks have also been successful. Most industrial companies today appreciate the need for cybersecurity investments and have implemented a variety of technologies to protect plant assets and SCADA systems.
A lot of managers believe that this has solved their problems. But ARC Advisory Group research shows that many facilities are still at risk. Staffs are overwhelmed with security hygiene tasks and lack the expertise to understand and deal with security alerts. This misalignment between technology investments and cybersecurity maturity has resulted in a lot of money being wasted and plants that are operating with a false sense of security.
Companies need to recognize and address their cybersecurity resource challenges if they ever hope to achieve the levels of security they desire. They need to focus internal resources on the most critical actions and leverage external resources to fill remaining gaps. Implementing a cybersecurity management solution that can help people manage these tasks is essential for efficiency and effectiveness. A proper secure remote access platform is also needed to enable external support from vendors and cybersecurity experts.
These actions will help companies overcome past oversights, but a proper cybersecurity program isn’t driven through a rear-view mirror. Smart companies will also strive to ensure that their cybersecurity programs don’t fall prey to new developments that might undermine their defenses. ARC Advisory Group has identified a series of developments that companies need to learn about and evaluate with respect to their cybersecurity impact. This spans developments like the deployment of industrial IoT (IIoT) within plants; automation technology advancements, like open process automation, SDN and edge gateways; cloud-based supervisory applications; tighter integrations between IT and ICS systems; and the ultimate shift to IIoT as a platform for distributed control.
Current industrial cybersecurity standards were developed based on various assumptions. These assumptions also justified the use of siloed cybersecurity efforts. However, recent incidents like WannaCry demonstrate that the loss of a production planning or customer management system can be just as disruptive to operations as the loss of a plant or SCADA system.
Protecting the integrity of industrial control systems is necessary but is simply not sufficient to protect organizations from major business disruptions. Deployment of IIoT is also undermining basic assumptions regarding perimeters and functional segregation.
Future industrial cybersecurity strategies will need to anticipate the shift from siloed programs to a single corporate ICS-IT-IIoT strategy; expansion of cybersecurity resources to include vendors, cybersecurity service providers, and cloud service providers; a shift in focus from system security to device-level security and people to device access control; and policy management that can create defensible use cases within unstructured IIoT environments.
To learn more about these critical issues, watch the author’s presentation in the upcoming Tripwire University: Industrial Cybersecurity event on November 7, 2017.
You can also learn more about the ARC Advisory Groups 2018 forum in Orlando, here.
About the Author: Sid Snitkin is a senior member of ARC Advisory Group where he has primary responsibility for developing the strategic direction for ARC’s cyber security products and services.
Sid has over 30 years of experience in automation, information systems, and manufacturing, with particular emphasis in the Metals Industry. Sid has been with ARC for over 16 years and has published numerous studies and strategic reports on Asset Lifecycle Management, Supply Chain Management, Analytics, and Industrial Cyber Security. Prior to ARC his professional career covered a broad range of engineering, managerial, and senior executive positions with global electrical and mechanical equipment suppliers to the Metals Industry.
Sid holds a B.S. and M.S. in Physics from Carnegie Mellon University, and an M.B.A. and Ph.D. in Operations Research and Artificial Intelligence from the University of Pittsburgh. In his spare time, Sid also teaches MBA courses in Statistics, Operations Management, and Risk Management. His teaching career spans 20 years and includes positions at the University of Pittsburgh Katz Graduate School of Business and the University of Mary Washington in Fredericksburg, Virginia.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.