Welcome to the Tipisodes edition of Process Safety with Trish and Traci -- the podcast that aims to share insights from past incidents to help avoid future events. I’m Traci Purdum, editor-in-chief of Chemical Processing.
Tipisodes is the newest installment of our Process Safety podcast series. As you might guess, it’s main purpose is to provide tips.
In this episode, we offer 7 steps for better cybersecurity.
The steps are based on a 2012 whitepaper that noted If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organization can get moving on more robust cybersecurity practices.
I reached out to the authors of that whitepaper to see if there were any updates. Eric Byers, CEO, aDolus Technology and a past podcast guest for Process Safety with Trish & Traci, said that the seven steps that John Cusimano and he highlighted are still very valid today. However, the details of each step should consider the changes to the threat (much more sophisticated attackers) and the interconnection of the plant floor and cloud. For example, it used to be enough to create a list of OT assets, such as PLCs and HMIs. With the supply chain incidents like PipeDream, SolarWinds and Log4j, that's no longer enough. Asset inventories must go beyond the physical and include the software (and version) running on a device, especially any 3rd-party components that get bundled into the typical OT device.
Here to give us the 7 Steps to ICS Security is John Cusimano, vice president of operational technology security at Armexa. John has more than 30 years of experience in process control, functional safety, operational technology and industrial control systems cybersecurity.
John has performed and led hundreds of OT cybersecurity vulnerability and risk assessments and helped dozens of companies establish OT cybersecurity programs. He is a voting member of the ISA 99 cybersecurity standards committee and is a Certified Functional Safety Expert, a Certified Information Systems Security Professional, Global Industrial Cyber Security Professional, and ISA 62443 Expert.
Take is away, John
The 7 Steps
Step 1 – Assess Existing Systems
Your first step is to do a risk assessment to quantify and rank the risks that pose a danger to your business. This is necessary so you know how to prioritize your security dollars and efforts. Far too often we see the assessment step skipped and companies throw money into a solution for a minor risk, leaving far more serious risks unaddressed.
While risk assessment might seem daunting, it can be manageable if you adopt a simple, lightweight methodology. The white paper provides an example, as well as tips on how to do this.
Step 2 – Document Policies and Procedures
We highly recommend that organizations develop ICS-specific documents describing company policy, standards and procedures around control system security. These documents should refer back to corporate IT security documents. In our experience, separate ICS security documents greatly benefit those responsible for ICS security, helping them clearly understand their security-related expectations and responsibilities.
You should also become familiar with applicable security regulations and standards for your industry.
Step 3 – Train Personnel & Contractors
Once you have documented your policies and procedures, you need to make sure that your staff is aware of them and is following them. An awareness program should be carried out, with the support of senior management, to all applicable employees. Then, a training program should be conducted. We highly recommend a role-based training program for control systems security, and we provide an example of one in the white paper.
Step 4 – Segment the Control System Network
Network segmentation is the most important tactical step you can take to improve the security of your industrial automation system. Eric has written about this in the article “No More Flat Networks Please” The white paper explains the concepts of “zones” and “conduits” and provides a high level network diagram showing them.
Step 5 - Control Access to the System
Once you've partitioned your system into security zones, the next step is to control access to the assets within those zones. It is important to provide both physical and logical access controls.
Typical physical access controls are fences, locked doors, and locked equipment cabinets. The goal is to limit physical access to critical ICS assets to only those who require it to perform their job.
The same concepts apply to logical access control, including the concept of multiple levels of control and authentication. Once authenticated, users can be authorized to perform certain functions.
Step 6 – Harden the Components
Hardening the components of your system means locking down the functionality of the various components in your system to prevent unauthorized access or changes, remove unnecessary functions or features, and patch any known vulnerabilities.
This is especially important in modern control systems which utilize extensive commercial off-the-shelf technology. In such systems, it is critical to disable unused functions and to ensure that configurable options are set to their most secure settings.
Step 7 – Monitor & Maintain System Security
As an owner or operator of an industrial control system, you must remain vigilant by monitoring and maintaining security throughout the lifecycle of your system. This involves activities such as updating antivirus signatures and installing security patches on Windows servers. It also involves monitoring your system for suspicious activity.
Finally, it is important to periodically test and assess your system. Assessments involve periodic audits to verify the system is still configured for optimal security as well as updating security controls to the latest standards and best practices.
Not a One-Time Project
Now the bad news - effective ICS and SCADA security is not a one-time project. Rather it is an ongoing, iterative process. You will need to repeat the seven steps and update materials and measures as systems, people, business objectives, and threats change.
Your hard work will be rewarded with the knowledge that your operation has maximum protection against disruption, safety incidents and business losses from modern cybersecurity threats.
