Protect sensitive systems by taking them offline
“Today, digital means connected,” said Marty Edwards, director of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security (DHS) during his keynote address last week at the ARC Advisory Group’s Industry Forum in Orlando, FL. “Everything is connected to everything. If it isn’t connected, it will be.”
So, what Edwards, a longtime security expert with DHS and before, said next seems a bit surprising, but also realistic. No, it is not about throwing as much technology as possible at the issue, it is the exact opposite to a degree. “Now that we are connected, we have to think of security. The two don’t really work together,” he said.
That is where what Edwards calls cyber informed engineering comes into play. “Find the most critical functions; find that basic function and take it off line,” he said. Think about safety systems. With some safety systems becoming more digitalized there are shut down functions that once you push it, it stays shut down. That could be good or bad, depending on the process and the situation. Because once the process shuts down, a reboot is in order.
That is why, he said, the user needs to “look at functions and find the one or two areas that could be a problem. We do need to take care of those life safety functions.”
By taking those vital “crown jewel” functions off line, that does not absolve anyone of also have a security program. “You still need to do basic cyber security functions,” he said. Find out the vital parts of the process and protect it. While he is advocating taking certain systems offline, he is not pushing for an air gapped environment.
“Air gap does not necessarily work,” he said. “Air gapped often means neglected.” Edwards is also not giving up on today’s technology. “Ten years ago you could not use IT technology (in an OT environment) because it would break,” he said. “I think there is quite a bit of IT or IIoT (Industrial Internet of Things) security products right now. I think that is a good thing for industrial security. Overall this is a good message.”
But vulnerabilities exist and there is a danger point for some areas. He listed the medical device sector as a hot button. There are devices implanted in patients and then connect to a device sitting on a bedside table that also sends information back to a doctor’s office. What is the potential for something happening if the device is not secure?
That means users need to understand security and have a basic plan of attack. “At least do some separation, segment, do due diligence, patching, perimeter control, train your people, do logging,” he said. When it comes to security, the reality of it all is if a bad guy wants to get in, it doesn’t really matter what you have done; if you face a nation state, they will figure out how to get in.
That means in the end, security is all about understanding risk management and getting a firm grip on what you have and what you need to protect, while also understanding the massive amount of surface area a manufacturer needs to protect. On top of that, no one can afford to protect everything, plus not everything needs heavy duty protection.
“You can’t protect everything,” Edwards said, “it won’t work."
Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Joy Chang, CFE Media, firstname.lastname@example.org.
See related stories from ISSSourced linked below