Easing cyber security concerns

Users worried about cyber security need to think beyond the technology issue and realize that people, process, and technology all need to work together in harmony to achieve true security.

By Gregory Hale, ISSSource February 13, 2016

The fear of security can be a painful experience. Now it is time to finally ease that pain.

Last year clearly was the year of stronger awareness in terms of cyber security. While the security world became aware of the threat a long time ago, a general understanding of the potential for attack, among the rank and file and in the executive suite, became abundantly clear over the past 365 days.

Awareness, however, does not always mean action. This coming year has the potential to see more knee-jerk reactions to security incidents that battle-weary security veterans will continue to ward off. But it doesn’t have to be that way. Industrial control system (ICS) security professionals will continue to stress the importance of building a solid security program.

Much to the chagrin of experts analyzing the industry, users think of security purely as a technology issue, and it is to a certain degree. But it is so much more. The idea of people, process, and technology truly comes into play.

People continue to be the weakest link in security, but they have the potential to be the strongest asset. For that to happen, manufacturers have to train and force workers to think of security much like safety.

That scenario leads to creating a security process that leans on the various security standards out in the industry such as IEC 62443. Manufacturers need to focus on making sure everyone remains vigilant and on top of their games at all times.

There is solid technology out there that can reduce any kind of attack, but providers need to understand what they need to protect and then apply the proper technology. Users cannot just throw technology at the problem and expect results. There needs to be a well-thought-out plan that does not take on the enormity of the issue all at once, but rather tackles the problem on a project-by-project basis that keeps growing.

Safety and security

During this past year more manufacturing automation professionals understood the idea that safety and security do go hand-in-hand. While some principles do differ, the ideas of understanding risk and mitigating that risk are the same.

Differences come into play when you look at the constant change evolving in security where countermeasures need to change almost on a daily basis, which flies in the face of the set-and-forget mentality that prevails in the industry. Added on top of that, the maturity level on the security front is not as evident as it is for safety.

On the other hand, safety has well-defined standards and practices where safety professionals have a greater degree of confidence that the system as it stands should provide a degree of safety for the process and the facility. Safety and security need to provide a united front where one area can learn and share expertise from the other.

Changing mindset

As mentioned, security does fly in the face of conventional thinking. That only makes sense. Bad guys don’t live by the rules, whereas manufacturing automation professionals live by rules or standards. What worked yesterday will surely work today and tomorrow. That thinking has to change.

That all means understanding the system and knowing when things are out of whack or not looking right remains a key factor moving forward. With the potential for advanced persistent threats (APT) infiltrating systems and taking up residence for a period of time to learn the ins and outs of a system, knowing the system and understanding what should and should not be going on is vital. That is where one technology, application whitelisting, can really pay dividends. Application whitelisting permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else. This eliminates the execution of unknown programs, including malware.

One challenge when using application whitelisting in business networks is managing the constantly changing list of allowed applications. That burden reduces in control systems environments, because the set of applications that run in those systems is essentially static.

Whitelisting is not the only answer, but it is one solution to add to the arsenal needed to boost protection.
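The default-deny decision described above, as an added Python example that is not part of the original article. It identifies programs by SHA-256 content hash rather than file name and reports drift from the approved baseline, which in a control system should be essentially static. All file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash file contents; identity is the content, not the file name."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_allowlist(approved: list[Path]) -> dict[str, str]:
    """Map digest -> name for every explicitly approved executable."""
    return {sha256_of(p): p.name for p in approved}


def decide(path: Path, allowlist: dict[str, str]) -> str:
    """Default deny: anything whose digest is not listed is blocked."""
    return "allow" if sha256_of(path) in allowlist else "block"


def baseline_drift(allowlist: dict[str, str], current: list[Path]) -> list[str]:
    """Names of files present now whose digests are not in the baseline."""
    return sorted(p.name for p in current if sha256_of(p) not in allowlist)


def demo() -> dict[str, object]:
    # Constructed sample files standing in for control system executables.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hmi = root / "hmi_runtime.exe"
        hist = root / "historian.exe"
        hmi.write_bytes(b"constructed HMI runtime image")
        hist.write_bytes(b"constructed historian image")
        allowlist = build_allowlist([hmi, hist])

        unknown = root / "updater.exe"  # never approved
        unknown.write_bytes(b"constructed unknown program")
        verdict_known = decide(hmi, allowlist)
        verdict_unknown = decide(unknown, allowlist)

        # Same file name, different contents: still blocked.
        hist.write_bytes(b"constructed historian image, modified")
        verdict_modified = decide(hist, allowlist)
        drift = baseline_drift(allowlist, [hmi, hist, unknown])
    return {"known": verdict_known, "unknown": verdict_unknown,
            "modified": verdict_modified, "drift": drift}


if __name__ == "__main__":
    print(demo())
```

Because the approved set rarely changes on a control system, any non-empty drift list is worth investigating rather than routinely approving.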

Building security from within

In keeping with the changing mindset refrain, security needs to focus on protecting from within rather than ensuring a hardened perimeter. The concept of the hard exterior worked years ago, but as the industry learned from Stuxnet, if someone wants to get into a system, it doesn’t matter whether that system has a hardened perimeter or an air gap; they will get in.

That means conducting a true system assessment becomes paramount to understanding what and where you have to protect. After all, you cannot design in security until you know what it is you are protecting. Documenting what users have installed is vital because they often don’t even know what they have on their systems. That can lead to building in zones and conduits, which can break the system down and partition it. It is then possible to do a risk assessment on each individual zone.

Threats: Inside, outside

Using the zones and conduits model also shows it doesn’t really matter if the attack is coming from the outside or the inside. The idea is locating the attack and mitigating it within the partitioned zone.
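An added Python example, not part of the original article, of evaluating observed network flows against a zone and conduit model. The check is made at the zone boundary, so it gives the same answer whether a flow originates inside or outside the plant. The asset names, zones, ports, and flow records are all constructed for illustration.

```python
# Hypothetical asset inventory: asset name -> zone (all names constructed).
ZONES = {
    "eng-laptop": "enterprise",
    "erp-server": "enterprise",
    "historian": "dmz",
    "hmi-01": "control",
    "plc-01": "control",
}

# Conduits: the only permitted zone-to-zone paths, as (src, dst, port).
CONDUITS = {
    ("enterprise", "dmz", 443),   # business users read historian data
    ("control", "dmz", 5432),     # HMI pushes process data to historian
}


def evaluate(flow: dict) -> str:
    """Classify one observed flow against the zone and conduit model."""
    src_zone = ZONES.get(flow["src"])
    dst_zone = ZONES.get(flow["dst"])
    if src_zone is None or dst_zone is None:
        return "unknown-asset"        # not in the inventory: assess first
    if src_zone == dst_zone:
        return "intra-zone"
    if (src_zone, dst_zone, flow["port"]) in CONDUITS:
        return "conduit"
    return "violation"


def violations(flows: list[dict]) -> list[tuple[str, str, int]]:
    """Return flows that cross a zone boundary with no defined conduit."""
    return [(f["src"], f["dst"], f["port"])
            for f in flows if evaluate(f) == "violation"]


# Constructed flow records, e.g. as exported from a network monitor.
SAMPLE_FLOWS = [
    {"src": "erp-server", "dst": "historian", "port": 443},
    {"src": "hmi-01", "dst": "plc-01", "port": 502},
    {"src": "hmi-01", "dst": "historian", "port": 5432},
    {"src": "eng-laptop", "dst": "plc-01", "port": 502},   # enterprise straight to PLC
    {"src": "historian", "dst": "plc-01", "port": 502},    # DMZ into control zone
    {"src": "vendor-pc", "dst": "hmi-01", "port": 3389},   # not inventoried
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["src"], "->", f["dst"], f["port"], evaluate(f))
```

The `unknown-asset` result corresponds to the documentation gap described earlier: a device that is not in the inventory cannot be placed in a zone, so its traffic cannot be judged until the assessment catches up.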

One misconception that ended up debunked over 2015 is that more threats come from the outside. It became clear the inside threat was much more prevalent and caused much more discord for manufacturers.

The insider threat has become so much of a problem that the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center created a guide to help organizations guard against malicious insider activity.

An insider threat is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems.

Signs to watch for in personnel include: introversion, greed or financial need, compulsive behavior, reduced loyalty, a penchant for minimizing one’s mistakes or faults, intolerance to criticism, moral flexibility, a lack of empathy, and a pattern of frustration or disappointment.

IT/OT convergence

Like it or not, information technology (IT) and operational technology (OT) need to work more closely to ensure a secure enterprise and plant floor. IT has been in the security game quite a bit longer than the plant floor, so understanding them and correctly applying their knowledge is important. On the flip side of the coin, IT has to understand what the plant floor is all about and that keeping the system up and running is job one.

There are two sides to the firewall, which means IT operates on one side and OT the other. That does not mean the two sides are individual islands; it just means their expertise is predominant in their individual areas. Stronger emphasis on communications and understanding the true end result of keeping the system up and running and producing product remain vital moving forward.

IIoT increases attack vector

The IT/OT convergence also plays into the increase in connectivity moving forward. So when you talk about increased connectivity, the phrase Industrial Internet of Things (IIoT) comes leaping forward.

While IIoT is the marketing phrase right now, whatever its moniker, the idea of increased connectivity is here to stay and has the potential to wreak havoc on the entire enterprise from the business side to the manufacturing front. The increase in potential attack vectors ratchets up many times over.

Greater connectivity means more knowledge, which means increased opportunities, and it all revolves around security. It also means security needs to have a stronger presence than it currently has.

While the industry talks about IIoT, few have moved forward on how they could reap the benefits. The good part is the movement is going to happen and if the manufacturer is smart, it can incorporate security from the beginning.

Experts have said the impact from the Internet of Things (IoT), which is IIoT’s big brother, could reach over $11 trillion by 2025. The following are five steps that could lead to a secure IIoT implementation:

  1. Assess: Users must know what they have, where it is, what it does, and who owns and manages it.
  2. Migrate/update: Users should make Ethernet their foundation.
  3. Proper design: End users need to focus on the network and create a zone and conduit segmentation model.
  4. Protection: There are internal and external risks, which means there should be overlapping security.
  5. Monitor: Users need to monitor the network and make a plan that calls for regular maintenance, constantly monitoring the network, system failure alerts, and established response protocols.

Cloud coverage

Cloud usage is continuing its growth curve, but that doesn’t mean there are not growing pains in the process.

Critical applications like collaboration, storage, customer relationship management (CRM), and enterprise resource management (ERM) are moving to the cloud. This means the critical mass of corporate data will eventually migrate to the cloud.

The cloud offers numerous benefits, but fears of a not-so-secure cloud are keeping company leaders up at night because they have major IP they could lose if there is a breach.

The growth of the cloud and the corresponding expansion of the perimeter create a huge challenge for IT professionals looking to protect their enterprises from emerging attacks. An analysis of what data is truly important, added to an increase in user education and empowerment, will ensure security can keep up with the tremendous growth of the cloud.

Cyber insurance

Cyber risk is a major and fast-increasing threat to businesses with cyber crime alone costing the global economy $445 billion a year, with the world’s largest 10 economies accounting for half this total, one report said.

Almost 15 years ago, cyber attacks were fairly rudimentary and typically the work of hacktivists, but with increasing interconnectivity, globalization, and the commercialization of cyber crime, there has been an increase in frequency and severity of cyber attacks.

Cyber insurance is no replacement for robust security, but it creates a second line of defense to mitigate cyber incidents.

Increasing awareness of cyber exposures as well as regulatory change will propel the growth of cyber insurance. With fewer than 10 percent of companies currently purchasing cyber policies, one forecast is calling for cyber insurance premiums to grow globally from $2 billion per year today to over $20 billion over the next decade.

To show the growth of costs, with an increase of attacks on U.S. companies over the past two years, insurers are now hiking cyber premiums.

While the issue crosses industry borders, the manufacturing automation sector has been keeping an eye on the topic for years. On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million. While that number may seem large, that actually could leave companies exposed to the huge costs an attack could incur.

One of the challenges for insurers has always been to identify the scope of potential financial liabilities when it comes to a data breach. Much of that has been due to a lack of information to understand the potential financial impact of a breach. However, with the rise in breaches, insurers have data they need to assess risk, and the results are staggering.

That means insurers see the financial risks of a breach go beyond initial clean up. The price of cyber coverage, which helps cover costs like forensic investigations, credit monitoring, legal fees and settlements, varies widely, depending on the strength of a company’s security.

Boomers departing the workforce

The issue of baby boomers getting ready to leave the industry has been a topic of concern for years, but the exodus is continuing and the remedy put forth by most manufacturers has been ad hoc at best.

One thing that will help is to have more automation to replace empty seats, but it also helps to standardize and make sure everyone has training and understands standard operating procedures.

With boomers retiring and taking their knowledge with them, that could hurt, but with younger, more computer-savvy engineers coming in, there could be a boost in the initial understanding of the importance of thinking about security.

To say security in the manufacturing automation sector is top of mind for company leaders is an understatement; the catch is for the companies, big, medium, or small, to start moving forward with a plan, which can cut down on any pain from an attack.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.

Key concepts

  • People need to be the strongest link in cyber security rather than the weakest link.
  • Understanding and mitigating risk are the same for safety and security, which need to provide a united front.
  • The Industrial Internet of Things (IIoT) has a great deal of potential for manufacturers, but it comes with cyber security risks that need to be addressed.

Consider this

What measures have you or your company taken to be better equipped for potential cyber security breaches?
