By Gregory Hale
A plant floor may appear to look the same today as it did 40 years ago, but the reality is, things are night and day different.
“Equipment hasn’t changed, but if you lift the hood, everything has changed,” said John Cusimano, vice president industrial cyber security at aeSolutions during a Tuesday session entitled, “IACS & SCADA Systems – Past, Present, and Future,” at the ICSJWG 2018 Fall Meeting in Cincinnati, OH. “It looks the same, but it is very different. Everything has changed and will continue to change.”
ICSJWG: Govt has to ‘Work with Private Sector’
Black Hat: Not So Secure Smart Cities
Black Hat: Breaking Down Safety System Attack
Black Hat: Get to Root Cause
Lessons Learned One Year After Triton
In the 1960s pneumatics and relays were the top technologies, then in the 1970s there was analog control along with pneumatics and relays, said Marco Ayala, senior lifecycle services manager at aeSolutions. In the 1990s, technologies all started to scale and in the 2010s, the industry was still using the same old analog technology on top of the new digital technology coming on line.
Ayala said with all the new technology options out there it reminded him of something his old boss said, “just because things change, it doesn’t mean you have to change it. We have to be smart with what we are doing,” Ayala said. “You have to differentiate between monitoring and control.”
Being smart with what a manufacturer is doing is more vital today than ever because the number of incidents are continuing to grow and users need to understand what is at risk.
“These systems are complex,” Cusimano said. “How we manage the risk brings engineering discipline into play.”
Cusimano pointed out the massive amount of costs associated with the well-known Wannacry and Not Petya ransomware attacks that ranged up toward $10 billion.
One way to defend against attacks is to understand and embrace standards.
“Standards are a good way to start,” Cusimano said. “They provide lots and lots of guidance. They have good information, but with all the information, it can make your head spin. If it isn’t secure, it isn’t safe.”
He then added, along with standards, users can follow some best practices, where they:
• Establish a management program
• Establish and follow good engineering practices
• Institutionalize and operationalize cybersecurity and make it part of the company culture
“It is very important to put together a guidance road map,” Cusimano said. “There is so much noise out there it is easy to get pulled off into a tangent.”
Part of the noise also comes from needing to patch all the vulnerabilities out there. In the manufacturing environment, patches are often not implemented or are installed after a long period of time. But in this world of Wannacry, where a patched Microsoft vulnerability didn’t get installed on a majority of manufacturing networks, users’ way of thinking needs to change.
“Patching is something we can’t ignore anymore,” Cusimano said.
“The point is to schedule patch management and how can you do it effectively,” Ayala said.
Part of creating a cybersecurity framework includes:
• Cyber risk assessment
• Security integration
• Security implementation
• Security operations
“It is important to create detailed assessments by visually and electronically inspecting data,” Ayala said.
While users must perform detailed vulnerability assessments, “it is important to do a deep dive on these systems,” Cusimano said. “It is amazing what you will find out there. It is invaluable.”
Document and Maintain
Part of what users need to do is document and maintain ICS information. They need a good asset inventory and good diagrams.
“That is easier said than done,” Cusimano said. “There are tools to help make the job easier.”
One tool to understand and manage risk is to conduct at cyber process hazard analysis or a cyber PHA. Taken from the safety side, a cyber PHA is a very structured systematic approach to learning cyber risk. In conducting a cyber PHA, a user can understand the real consequence if the system is compromised. It is a way of putting cyber vulnerabilities in the context if the system shuts down.
A security environment is very circular in that to create risk reduction, there must be a culture change focused on people understanding what to do and who to talk to on a continuous basis.
Part of the discussion also includes fostering a relationship between IT and OT security folks, “which helps create controlled conversations over risk,” Cusimano said.