Build Better Cyber Security

The prospect of doing anything — let alone running a cyber-security program — perpetually may seem overwhelming. However, this daunting task is achievable by breaking it into three key steps: inventory, integrate and implement (Figure 1).

INVENTORY ASSETS
The first step in developing any security program — physical, cyber, or both — is assessing a plant's current measures. In terms of cyber security, this means taking inventory of assets.

In industries where cyber-security regulations already are in place, operators must provide a list of their critical cyber assets. Getting started on an inventory immediately can help chemical makers ensure they're not left scrambling. CFATS doesn't explicitly call for such a list today — but may as its cyber component evolves.

A cyber inventory provides plants with the information needed to make informed decisions about cyber-security priorities. In addition, regulatory bodies require such an inventory for judging whether a facility is in compliance or not. Finally, a comprehensive asset inventory eases end-of-life planning, upgrades and long-term management of key safety or legacy process control and other systems. So, developing such an inventory is a great place to start.

Most facilities don't know precisely what's plugged in on the plant floor; it isn't always easy to determine. Managing compliance requires a robust inventory, including:

• IT inventory (operating systems, IP addresses, user permission levels, etc.);
• operational inventory (control systems and software, etc.);
• logical inventory (the network locations of assets);
• physical inventory (the real locations of assets); and
• security system inventory (what security solutions are in place, and where they sit).

Performing a physical inventory provides crucial insight into who has access to the asset; it also allows for a visual inspection of the asset, which can lead to important information that isn't available through other means. For example, have some assets on the plant floor been powered down or decommissioned? What about assets that aren't plugged in, or that have open ports, switches and modems that are supposed to be turned off when not in use? Does an asset have multiple network cards for accessing different network segments? Laboratory information management systems and centralized data historians are good examples of assets that often connect to multiple networks. Without a visual inspection it would be easy to miss this information, which is an important consideration for incident response plans and backup and restoration programs.

It also is essential to inventory existing security applications, including where they sit and how they function. Most facilities have at least a dozen isolated lists of information provided by various security applications or point solutions — for example, user security settings in Windows Active Directory, an inventory of critical systems in the backup system, anti-virus, intrusion-detection and patch-management applications, network access rules and controls (acceptable paths, what machine can connect to which network), and various sets of documentation ranging from policies to procedures to checklists and technical standards.

A detailed cyber inventory underpins many of the subsequent steps in creating a best-practices compliance program, such as identifying and addressing vulnerabilities and establishing mitigation and remediation plans. The more accurate and complete an inventory, the easier it will be to make thoughtful decisions about a security program, including understanding the impact on operations of rollout of, say, an anti-virus application.

INTEGRATE DATA SOURCES
Once the inventory has been completed, the challenge is tying this information together for a holistic view of the plant's cyber assets. There's no sense in pulling all these data from the various areas and duplicating them in a separate database (doing so would create an information management nightmare). The alternative is to compile a "master list" of all information sources in a facility with links to the supporting data and underlying information. This higher-order database is similar in function to a site map for a complex website, and is really a logical model of a facility. Most plants likely can generate it from the inventories they've already completed. This master list enables sites to keep tabs on their critical information, provided processes are in place to ensure it's kept up to date.

A key aspect of managing a security program is integrating all security data sources and making that information accessible and actionable.

Take the example of an access request. Whether the request is for electronic or physical access, most facilities today would need to go to a host of spreadsheets to cross-reference the user name against training records, electronic access clearance level, and even background or clearance checks. The bits and pieces of the information plants need to determine whether to grant the request reside in various data sources, formatted differently in each. Now imagine a single interface able to display a user and list his or her specific clearances, training and certifications taken (with time stamps).

Tools to automatically monitor and manage the security program as well as document changes are essential to a robust security management program. A tool that interfaces with best-in-class security software, e.g., for protection against viruses, patch management or backup/virtualization, can provide immense value in managing a plant's data and security program — if it's set up right, that is. A recommended approach is to implement a database with front-end portal capabilities for viewing relationships and interdependencies and reporting on them.

IMPLEMENT WORKFLOWS
The third fundamental aspect of a successful security program is the ability to keep it up to date (and fully documented). The longer plants manage the program, the more difficult and more important this becomes. As many managers can testify, the average employee can become complacent over time. Usually the first areas to suffer are administrative or seemingly unimportant recording and tracking tasks. To combat such lapses, it's imperative to establish and regularly review workflows. Done properly, they guide personnel through each stage and proof point, embedding procedural and policy objectives into day-to-day tasks and providing some form of verification or documentation. Such workflows can play a crucial role in ensuring proper management, maximum security and getting the most value from security spending, while minimizing the "people" risk factor.

In essence, specific workflows reflect the application of corporate or regulatory policies and procedures. One simple example involves ensuring new employees are granted access to critical systems based on relevant clearances and certifications spelled out in various programs such as CFATS, the Transportation Worker Identification Credential, etc.

Let's take a closer look at the request-for-access example. By extending the framework to include training and personnel data, plants can add a workflow to manage and automate such requests.

The application could submit the user name to a process that grants user access to specific workgroups or roles within the facility. If the role and clearance required already are defined, the application now can manage — automatically and without error — whether or not to grant access.

Further, workflows can monitor the time stamps associated with various clearances, training and certifications, automatically notifying users when these are about to expire. Similarly, removing users who no longer require access (due to employment termination or retirement, for example) from all information systems becomes simple, either by providing a comprehensive report or by automatically disabling accounts. A plant also can apply automated workflows and management of information to log review, patch evaluation and deployment, general change management, etc.

To the extent possible, all policies and behaviors should have a corresponding workflow with some form of verification or documentation. This can range from a simple key sign-in/sign-out sheet to a full-fledged change-management regimen for patch evaluation or upgrades.

To properly reflect an organization's policies and procedures, workflows must be dynamic. If, for example, an application upgrade is high risk due to the systems involved, the workflow must manage additional levels of approval and consultation. A dynamic workflow should accommodate reassessment, extra information, and reassignment of tasks or reporting. Of course, it also must capture any and all additional actions taken. This is especially true for key process control and safety instrumented systems, etc., that are critical to safe and reliable plant operation.

An additional necessary aspect of workflow is the ability to tie the changes and reports back to the systems to verify the data. If a user can mark a task or change complete without having done it and this isn't caught, the omission may go unnoticed. So, a loop-back mechanism, whether electronic or manual, is an important element of any workflow tool.

Implementation using electronic tools essentially involves embedding specific reporting and tasks into a step-by-step workflow that then verifies the particulars against the end-system data, effectively enforcing the policy. In turn, this ensures consistency of reporting, content and workflow across different people, shifts and locations within the organization. As an added bonus, the plant gains an effective change-management tool. If the system is hooked into existing corporate communication tools like instant messaging or Active Directory (for access review, revocation, control, etc.), the processor has the building blocks of a dynamic security-management program.

CHANGING THE CULTURE
The three-step process of creating/managing cyber inventories, integrating data sources and implementing workflows essentially forms a blueprint for establishing a strong cyber-security program.

But one crucial element — corporate culture — ultimately will determine whether this program is maintained effectively. A successful security program depends upon ongoing buy-in by people at all levels in an organization.

In light of the unrelenting move toward increased regulation, putting off implementing cyber security really is just postponing the inevitable. And delay can have serious repercussions for the success and cost of a security program.

In the chemical industry, it's fair to say that physical security now matches worker safety in priority. In the U.S., CFATS certainly has spurred increased emphasis on effective physical security measures. Cyber security, though, is a different story. Often, it falls below other priorities such as alarm management, process improvement and environmental controls.

Processors must think beyond the mechanics of compliance and realize that cyber security really is about ensuring safe, reliable and expected system behavior.

And chemical makers, like manufacturers in all industries, must view cyber security exactly the way they do safety — as a permanent program, not just as technologies that are part of a finite project.

RICK KAUN is Edmonton, Alta.-based manager of Honeywell's Industrial Cyber Security Division. Email him at [email protected].