What used to be a problem for someone else to worry about is proving to be a concern that can no longer be ignored by anyone.
Cybersecurity is now one of the major risks facing the valve industry, and it is not a problem that can merely be solved by other parties besides the intended victim. Like industrial safety, addressing cybersecurity must be enterprise-wide to be effective—involving business leaders, engineers and information technology (IT) professionals across the workforce.
The accelerated convergence of IT with operational technology (OT) has introduced new cyber risks into process control environments, opening up the possibility of remote actors stealing data, disrupting processes and causing physical harm to machines and the people around them. Alongside the many operational, economic and safety benefits of interconnectivity, new vulnerabilities mean an enterprise cannot simply rely on an “air gap” to keep a plant isolated from external threats.
Meanwhile, growing threats from increasingly capable nation state-backed hackers, organized crime syndicates, terrorist networks, political agitators and common criminals seek to steal intellectual property, compromise business data, capture sensitive employee data and in some cases, undermine safety-instrumented systems to make a variety of physically dangerous attacks possible. This upward trend is undeniable: the Industrial Control Systems (ICS)—Cyber Emergency Response Team at the U.S. Department of Homeland Security reports a 210% increase in security events targeting ICS systems in three years. Meanwhile, the 2018 Verizon Data Breach Investigations Report showed that in the manufacturing sector, 86% of breaches are targeted attacks, suggesting they are the work of sophisticated attackers, who are less likely to be dissuaded by the costs involved. This is a much higher percentage than is found in other industries.
A significant roadblock in cybersecurity has been the common misperception it is a technology problem looking for a technology solution. With this view, cybersecurity matters would be handled by technologists in the IT department, who are expected to find technical solutions to a technical problem. In other words, the thinking is that if the technology was fixed, the problem would go away.
The disconnect here is analogous to believing that an epidemic is contained by deploying more doctors (after all, this is a medical problem, right?), when in fact the most significant countermeasures are hygienic behaviors exercised by the population at large, such as washing hands and getting immunizations. While doctors play a critically important role, they cannot contain an epidemic by themselves.
Similarly, cybersecurity is an ecosystem challenge looking for an ecosystem response. As such, many of the security measures necessary to protect the enterprise (including ICS) are adjacent to, integrated with, and reinforcing technical measures. While some technical measures may be sophisticated, many of the most effective measures are fundamental to security in the same way that good hygiene is fundamental to biomedical security.
EXCELLENCE IN ESSENTIALS
The confusion around cybersecurity is understandable, particularly given the relative newness of the topic for most working professionals. There is also a lot of noise to process in the form of news reports, regulatory requirements, products and services, internal policies and the countless options available for the budget-constrained businesses.
As it turns out, however, the data consistently yields common themes for how organizations are compromised and what needs to be done to prevent breaches. For example, the vast majority (nearly 85%) of cyber incidents reviewed by another recent Verizon report (2016 Data Breach Investigations Report) exploited known vulnerabilities for which there are known solutions. This means attackers compromised the business by exploiting a publicly known software vulnerability for which a patch was available (in 71% of cases, the patch was available for over a year). Another regular problem is the weakness of configurations, which are software settings left in an exposed state, rather than modified to reduce the likelihood of compromise. According to a Dimensional Research study commissioned by Tripwire, 60% of respondents are not using common hardening standards from authoritative sources such as the Center for Internet Security (CIS) or Defense Information Systems Agency. Finally, humans remain the most common avenue of attack through social engineering tactics such as phishing emails designed to trick a user into performing tasks the attackers desire (e.g., clicking a link or opening an attachment.)
For these reasons, cybersecurity frameworks such as the CIS Controls and National Institute of Standards and Technology (NIST) Cyber Security Framework exist. These outline the foundational security controls every enterprise needs to implement. For security of industrial automation and control systems, a well-developed set of guidelines is available in the form of ISA/IEC-62443 [International Society of Automation/International Electrotechnical Commission] publications.
The fact is that these frameworks have been available for many years, but organizations still struggle to implement basic security measures, which underscores the importance of excellence in the essentials: focusing on mastering the foundational basics of security as the main effort, then building upon those basics with supplemental or more advanced capabilities as time and resources allow. This back-to-basics approach requires discipline and focus. Leaders must understand the importance of, and hold their teams accountable for, implementing, security frameworks. It also requires making the important trade-off decisions in favor of better- performing essentials, rather than chasing the mirage of a technological panacea (often in the seductive form of new tools). First and foremost, technological innovations should reinforce foundational security controls.
To assist with this approach, the security team at Belden, an industrial and enterprise connectivity firm, advises a 1-2-3 approach to industrial cybersecurity. First, organizations must secure industrial networks. This includes proper segmentation and zoning. A reference architecture for this is the Purdue Model, which delineates levels based on function and security risk. Second, organizations should secure industrial endpoints, which include workstations, human-machine interfaces and data historians (a common operating system in these environments is Windows XP, which has been out of support for years and is highly vulnerable). Third, industrial controllers must be secured.
By emphasizing excellence in these essentials, the owner-operator of a process control environment can remain focused on implementation of foundational cybersecurity frameworks and avoid the many pitfalls of chasing quick fixes that do not align with the disciplined work necessary for effective cybersecurity.
Needless to say, excellence in the essentials includes the most important component of any organization—its people. Humans remain the greatest vulnerability of any business, but also its greatest asset. They are necessary to design, build and manage process control systems, and human behavior has a greater impact on the state of security than any other factor.
This is why cybersecurity is an enterprise-wide challenge requiring a cross-functional, interdisciplinary response. Everyone in an organization should be performing basic security-oriented tasks. For example, all employees should protect their authentication into enterprise systems. This means using unique, work-specific passphrases for important accounts; and, when possible, using multi-factor authentication (such as biometrics or one-time use codes). It also includes measures to protect sensitive information by sharing only what is necessary with authorized individuals, using encryption for transmitting information and being watchful for common phishing techniques via email. A working group under the National Initiative for Cybersecurity Education at NIST recently published a guidebook, Cybersecurity is Everyone’s Job, that outlines essential tasks for individuals based on their job function within an enterprise. These guidelines serve as a good starting point for non-technical, non-security professionals.
Much of security is guided by mindset. Awareness, caution and reporting of suspicious behavior can have a tremendous impact on the state of security across an enterprise. Ultimately, human behavior is a cultural phenomenon, as culture (including organizational culture within a business) establishes values that drive behavior and define acceptable norms. To build a cybersecurity-oriented culture, then, the organization must engage in proactive culture-building. This requires strong leadership, reinforced by effective governance, performance management, training, education and collective learning from mistakes. Occupational safety is a fundamental component of organizational culture in sectors with process control systems. In much the same way that human behavior has become more safety-oriented in recent decades, so can human behavior become more cyber-secure.
Cybersecurity is a clear and present challenge for organizations in the valve industry; but it is not an insurmountable one. By implementing excellence in the foundational security controls of human behavior essentials, an organization can substantially improve its security posture and build greater resilience.
Leaders can take steps to understand cybersecurity well enough to make informed executive decisions, integrate cyber risks into the broader enterprise risk management process, build a cyber-secure culture, hire the right people and drive cross-functional collaboration. Even in automated environments, nothing happens on its own. Process control environments require careful planning and execution, and so do the cybersecurity measures needed to operate successfully in the modern world of converged IT and OT.