Building an ICS cybersecurity ecosystem

Companies, governments, and vendors need to develop a cyber ecosystem that encompasses more than just the four walls of their organization to help mitigate a threat that becomes more sophisticated every single day.
By Anil Gosine February 14, 2017

Government organizations, private companies, and public-private partnerships that operate critical infrastructure face significant security risks as attacks against industrial control systems (ICSs) grow in volume. Control systems are becoming more interconnected, and Ethernet-based architectures are increasingly common despite the additional security exposure they bring. ICSs are an integral part of the critical infrastructure that keeps vital industries running every day. Developing a cyber ecosystem that extends beyond the four walls of a single company is critical to mitigating a threat that grows every single day.

Threats and cyber incidents—malicious or accidental—occur every day on industrial control networks. It is easier than ever to exploit vulnerabilities in industrial protocols, networks, and equipment. The past six years should have been a wake-up call to the industrial automation industry: ICSs became the primary target of attacks such as Stuxnet, Night Dragon, and Shamoon. The increased volume of attacks demands more effective operational cyber solutions that aggregate, analyze, and correlate data across multiple platforms into a near-real-time visualization of emerging threats. Organizations have to look beyond their own perimeter and collaborate with their corporate partners, suppliers, and vendors on the potential impact of a cyber attack. However, this complex system of interacting devices, networks, organizations, and people is a potential threat as well as a benefit.

Corporations and government organizations must collaborate to develop critical infrastructure protection solutions that do more than meet the minimum requirements. Solutions must be targeted at the professionals tasked with keeping critical infrastructure operating, and must also make the business case that risk is being mitigated. In the past, proprietary communication protocols and an isolated environment made ICSs largely immune to the malicious attacks that targeted corporate information technology (IT) networks.

As systems become more interconnected, though, achieving end-to-end security has to be a multi-vendor, multi-organization effort that creates a cyber ecosystem. Custom-built, specialized threats developed by skilled cybercriminals, hacktivists, and governments are focusing on critical infrastructure and its ancillary systems more than ever before. The effects of these attacks reach far beyond the perimeter of the intended targets, which makes security more important than ever.

The U.S. Department of Homeland Security (DHS) has identified three core principles for developing cyber ecosystems: automation, interoperability, and authentication.

  • Automation — enabling rapid incident detection and response. Automation is a strategy that makes decisions and takes specified actions in response to cyber situations at machine speed instead of human speed.
  • Interoperability — enabling distributed threat detection across devices. Interoperability must remove the technical constraints between organizations so that they can collaborate seamlessly in automated cyber defense.
  • Authentication — enabling trusted communication for secure, automated collaboration. As automated decisions are made, authentication provides the assurance that the partners involved are who they claim to be.

Maintaining ICS integrity requires a thorough understanding of the communication standards used among all the various ICS components in order to maintain safe and efficient operations. In this cyber-physical layer, it can be difficult to distinguish communication errors, cybersecurity threats, and poor network health from one another. The symptoms, however, are obvious: sluggish human-machine interface (HMI) updates, unexplained shutdowns, and unpredictable failures of ICS components. A robust and healthy operational technology (OT) network is key to preventing these failures.

Potential ICS risks

There is a growing demand for ICSs and sensor data to communicate with other commercial and enterprise-level systems across the corporate network. This brings new risks and challenges that owners must face and mitigate. There is far more data than they can sift through and a shortage of skilled labor to help process it, which means that workers who are not qualified become an inadvertent cybersecurity risk.

Initial reports of cyber attacks on ICSs go back over 15 years. Since then the total volume has grown exponentially and is far higher than news reports indicate. Concern about widespread public doubt and loss of confidence in these private and public entities results in deliberate suppression of information about attacks; but poorly disseminated information would also cause knee-jerk responses and solutions that may not be the best. Reporting cyber attacks to regulators, industry peers, and support organizations is a more sensible option. It helps create solutions, mitigate the risk of future attacks, and develop stronger defense strategies.

Security designed from inception

Historically, security was an inconsequential concern, and cybersecurity was not designed into or implemented in the ICS. Now it has to be integral to any project. The critical infrastructure sector must work closely with owners, industry, integrators, regulators, and vendors so that effective cybersecurity measures can be integrated into the ICS from the beginning.

In general, the industrial sector needs to stop thinking of security as something to implement after the systems are installed. Security needs to be designed in at the outset and managed at all layers across the enterprise. The most critical cyber components in an ICS are the devices, and ICS cybersecurity should focus on ensuring that those devices are safe and operate reliably.

Cyber threats targeting the ICS are changing and growing as attackers continuously look for new targets and criminal extortion increases. ICS security is no longer only about keeping hackers out or having a strong physical perimeter. An underground digital economy provides a multi-billion-dollar incentive for corporate rivals or adversaries to exploit ICS vulnerabilities. More companies will be required to detail their approach to cybersecurity and the analysis and assessment they performed on their technology vendors and service providers. Governments are realizing that cybersecurity is one of the most serious economic and national security challenges they face and are escalating their efforts to protect critical infrastructure and address its vulnerabilities.

Initiatives by ICS vendors to reduce security risks to control systems are making automation professionals more effective at securing their industrial processes through a combination of control system design and best practices, technologies, and professional services. Because the ICS represents the core of production, the cybersecurity process must address both internal and external threats through multiple layers of defense that mitigate different types of risk.

ICS vendors and automation professionals must be committed to providing an evolving set of products and services that help mitigate risks and improve the security of production assets. The solution also must include risk analytics that assemble and correlate data in a platform that provides actionable visibility into cybersecurity blind spots. This drives effective cyber risk management and creates a stronger cybersecurity posture. Solutions must enable organizations to understand their current business environment and provide contextual awareness of how their employees, supply chain, customers, and attackers interact with their control systems, data, facilities, and applications. In a globally intertwined world, the threat can and does come from everywhere.

Make cybersecurity a part of the organization’s culture

Traditional cybersecurity approaches are necessary but not sufficient to properly protect organizations. Organizations must be pushed to invest in best-in-class technologies, understand their ecosystem, and work with trusted partners to protect that ecosystem together. Organizations must understand the value of performing vulnerability assessments on a periodic basis. Such assessments allow a company's staff to see the business process—and the applications and data that support it—as well as map the infrastructure that connects the hardware.

Anil Gosine is global program manager at MG Strategy+. Edited by Chris Vavra, production editor, Control Engineering, CFE Media.

About the author

Anil Gosine has over 18 years of construction management, operations, and engineering experience within the industrial sector, with a primary focus on electrical, instrumentation, and automation processes and systems in the U.S., Canada, and Central America. He has been heavily involved in the utility industry for over 11 years, engineering, implementing, and project-managing a wide range of projects using a wide array of products and control system technologies within this industry segment. Anil is an active member of several professional organizations and independently participates in industry forums and technical committees for infrastructure development, industrial automation design and implementation, data analytics, and cybersecurity processes. Anil is the global program manager for global industrial projects with MG Strategy+ and leads the Strategic Efficiency Consortium Security Workgroup, with a specific focus on cybersecurity metrics, threats, vulnerabilities, and mitigation strategies for ICS, and on security intelligence and analysis.