Cyber security is now more cost efficient for industrial control systems
Interest in industrial cyber security has grown in recent years. Once assumed to be the next tech fad, the topic has proven to be one the process automation community should take seriously. Increased attention to high-profile incidents and quickly developing technology, on both sides of the struggle, have placed a spotlight on the conversation.
With this heightened priority, users are gradually moving toward more secure digital operations. But there is still much work to do. With a litany of complex solutions to choose from, cost efficiency is a common hurdle that operators have struggled to overcome when implementing cyber security. With operating budgets tightening all around the world, it is now time to ensure that expenditures made in this area not only meet their purpose, to protect systems and information, but are also viable spends that show a return on investment.
In the following paragraphs, three keys to economically sound investing in cyber security for automation are introduced. The first is a brief look at the past: use existing best practices and research to avoid unnecessary costs. The second is a look at the present: prioritize the parts of the plant so that a cyber security budget is distributed where it matters most. The third is a glimpse into the future: a counterpoint strategy and ways to set up a system with preventative measures.
Today, there is an understanding that the exploitation of standard IT technology, the implementation of larger systems, the availability of remote access, and the preponderance of wireless technology all mirror features seen in most enterprise systems. This opens the automation market to vulnerabilities that the IT world has been struggling to remedy for years.
Despite the risk, which must be managed, what is even more important is that there is an understanding that this trend toward commonality exists for a good reason: It decreases the cost of control system development, engineering, operation and maintenance over the entire life cycle. In addition, it eases integration with third-party systems so that data can be shared efficiently and functionality can be extended easily.
In addition, more and more control system engineers realize that, as a result of the increased commonalities between control system environments and IT environments, it now makes sense to involve IT departments and take advantage of their security experience, while at the same time remembering the differences between IT and OT environments. The different priorities of IT and OT are exemplified by the IT best practice: Typing in the wrong password three times in a row results in a system lockout. This is, of course, not desirable in a control system environment. Conversely, there are examples where IT security mechanisms have been implemented in the control system domain. For example, 10 years ago, the use of malware protection technologies such as antivirus scanners and the deployment of security updates in control systems, were much-disputed topics. Today, these mechanisms have been accepted by the industrial control system community and there is specific guidance on how to use them, taking the specific needs of control systems into account.
Looking for guidance and best practices
In search of guidance at the onset of planning, the first recommendation is: Do not reinvent the wheel. Considerable effort has been put into developing standards, regulations, and frameworks. SANS 20 Critical Security Controls, the National Institute of Standards and Technology (NIST) Cyber Security Framework, NERC CIP, and IEC 62443/ISA 99 are but a few of these. Some of the most prominent experts in the field were involved in the development of these best practices, which cover more or less the same requirements, even though the requirements are segmented in different ways and described in different degrees of detail. Taking on the challenge to develop a best practice from scratch is overambitious. Therefore, stakeholders should take advantage of what is available as a cost-efficient action.
The challenge of having too many best practices is that users need to determine which is right for them. In addition, consultants, technology providers, and system integrators must position themselves accordingly. For example, imagine the scenario wherein five different control system engineers ask for compliance statements from six technology providers. They ask their suppliers to what extent the technologies they provide fulfill the requirements of a particular standard. First, imagine that each control system engineer prefers different best practices and, therefore, each supplier must complete five different compliance statements. This drives up cost, which likely will be shared by all stakeholders involved. If there is one standard that all control system engineers, system integrators, consultants, and technology providers can commonly develop and use, this can reduce cost of product development, documentation, specification work, and engineering throughout the lifecycle of an installed system.
IEC 62443/ISA99 is considered to be the most prominent standard, as it is international in nature and applies to control system users as well as suppliers. Being international enables parties in all countries to take advantage of it. The fact that it was developed by a wide range of stakeholders, and peer-reviewed by an even wider audience, ensures it is nonbiased. Its wide scope provides relevant details to those who need them.
Risk, security zoning and security levels
The second recommendation is: Segment the efforts based on risk.
Most cyber security efforts are initiated by a risk assessment. This assessment does not have to be an advanced exercise. It starts by listing the assets that are to be included in the security work and designing a network diagram to determine dependencies. The reason for this is simple: One must know that an asset exists to protect it. Secondly, by ranking the likelihood and the impact of a potential incident, an appropriate ambition level of security countermeasures for a particular site can be set. The possibility of an incident can be affected by variables, such as the use of unsupported operating systems. It could be argued that the use of Windows XP, for example, increases the chance of an incident because Windows XP has a wide range of known vulnerabilities exploitable by malware. The magnitude of a given incident is partly determined by the scope of the directly affected subsystem and others that depend on it functioning correctly. For example, a safety controller can shut down an entire site, whereas an individual flowmeter likely cannot. The risk is determined by combining the magnitude of a potential incident with its probability. Therefore, combining high magnitude and high probability equals high risk, and combining low magnitude and low probability equals low risk.
Using the concept of security zoning, a system can be segmented into subsets of assets that have a similar risk level. One security zone can be separated from another by a firewall or by other means to limit the impact of an incident. Each security zone can then be assigned a target security level, which reflects the assessed risk level. To achieve a certain security level according to the IEC62443/ISA99 standard, a specific set of requirements has to be fulfilled. A system design with security equal to or greater than the target security level is assumed to provide sufficient protection.
The purpose of the risk assessment, system segmentation into security zones and assignment of security levels is to provide cost-effective security for a particular site. Most resources are rightly spent on the parts of a site with the highest risk.
The concept of security zoning and security levels is covered in detail in the IEC 62443/ISA99 standard.
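As an added example, not taken from the article or the standard, here is a small Python risk assessment that follows the steps above: list the assets, rate likelihood and impact, let an asset's magnitude include everything that depends on it, combine the two into a risk score, and group assets into security zones with a target security level. The 1 to 3 rating scale, the sample inventory, and the banding of risk scores onto security levels are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    likelihood: int            # chance of an incident, 1 (low) .. 3 (high)
    impact: int                # magnitude if only this asset fails, 1 .. 3
    depends_on: list = field(default_factory=list)  # assets this one needs


# Constructed inventory for a small site (not from the article); the
# dependency graph is assumed to be acyclic.
ASSETS = {
    a.name: a for a in [
        Asset("safety_controller", 2, 3),
        Asset("plant_switch", 2, 1),
        Asset("process_controller", 2, 2, ["safety_controller", "plant_switch"]),
        Asset("hmi_winxp", 3, 1, ["process_controller"]),   # unsupported OS
        Asset("flowmeter_01", 1, 1, ["process_controller"]),
    ]
}


def effective_impact(name: str, assets: dict = ASSETS) -> int:
    """Magnitude of an incident at `name`, including every asset that depends on it."""
    dependents = [a for a in assets.values() if name in a.depends_on]
    return max([assets[name].impact] + [effective_impact(d.name, assets) for d in dependents])


def risk_score(name: str, assets: dict = ASSETS) -> int:
    """Risk combines likelihood with magnitude; here as a product, giving 1..9."""
    return assets[name].likelihood * effective_impact(name, assets)


def target_security_level(risk: int) -> int:
    """Assumed banding of the risk score onto a target security level 1..3."""
    if risk >= 6:
        return 3
    if risk >= 3:
        return 2
    return 1


def assign_zones(assets: dict = ASSETS) -> dict:
    """Group assets into security zones keyed by their target security level."""
    zones: dict = {}
    for name in assets:
        zones.setdefault(target_security_level(risk_score(name, assets)), []).append(name)
    return {sl: sorted(names) for sl, names in sorted(zones.items())}
```

Note that the switch's own impact is low, but because the process controller depends on it, its magnitude and therefore its zone are raised.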
The third and final recommendation is: Ensure the basics are in place before using more advanced countermeasures.
A basic rule-of-thumb to consider when selecting countermeasures is that it’s usually better to combine multiple countermeasures rather than heavily investing in just one or two. For example, do not expend all resources to buy the most expensive firewall. Instead, buy a reasonable firewall and invest in training, patch management, etc. Multiple overlapping defenses are harder to penetrate, whereas a single defense rarely protects against a wide enough variety of attacks. This concept is referred to as "defense in depth."
In addition, start with basic countermeasures before implementing advanced ones. For example, it is not uncommon for companies to receive a request to support advanced security information and event management solutions or intrusion protection/detection systems from system owners who do not have an operating patch management process, permission management or system segmentation in place. This is not cost efficient.
What are the basic countermeasures?
- Institute a cyber security policy that includes training routines, change-management procedures, data exchange principles, and responsibilities.
- Implement system segmentation, including firewall configurations.
- Enable endpoint protection, including host-based firewalls, disabling/removing USB ports, antivirus software, and Windows patching.
- Use permission management, including logical and physical access management that controls who has access to what.
- Use event logging, including logging of user actions in the systems.
- Implement incident response and recovery procedures, including a process description of how to recover from an incident. This procedure should include keeping an up-to-date backup, and a means to ensure that the backup can be used to restore a working system.
Cyber security for industrial control systems has evolved from being a buzzword into an increasingly mature market where copious guidance is available. There might even be too many best practices and too much guidance available for the market to function in a cost-efficient way. When control system owners are about to intensify their cyber security efforts, the recommendation is to make use of IEC 62443/ISA99, which offers guidance on how to rate a particular site's needs. Rather than overspend, system engineers should use security zoning to spend resources in the right places. Finally, when selecting countermeasures, the basics should be in place before implementing advanced solutions.
– Peter Ahlström has an M.Sc. in Industrial Engineering & Management from Lund University, Faculty of Engineering, located in Sweden. He is currently working as global product manager for 800xA cyber security. Before taking on this role, he held various business development roles in Northern Europe and the Middle East. Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering, email@example.com.