By Gregory Hale
With security awareness sky high, you would think a basic course on security would not be needed, but with more IT security professionals coming into the ICS realm, the reality is it is probably needed more today than ever.
IT folks understand security, there is absolutely no doubting that, but do they understand the nuances of the OT environment? The quick answer is no.
While it may also be fun to talk about all the attacks that grab the headlines, make no mistake, most attacks, whether malicious or accidental, occur from the inside.
“It is alarming what is happening, but there is a relatively small amount of attacks,” said Jeff Lund, senior director of product line management at Belden, during his Tuesday session on an introduction to cyber security at Belden’s IEI Design Seminar in Orlando, FL. He said you don’t have to look very hard to find headline grabbing events like the Ukraine power grid attack this past December or an attack of a water treatment plant reported in the Verizon Data Breach report. “Those attacks are about 10 percent of all attacks, but they are getting all the press. Most attacks are accidents or human errors,” he said.
Erik Schweigert, manager of software engineering at Belden who joined Lund in the presentation and then led a group through a Tofino security appliance demonstration, agreed.
“There are plenty of threats out there and 80 percent of them are unintended,” he said.
Lund talked about some noted attacks that occurred over the years like the Browns Ferry nuclear plant issue where two circulation pumps failed, or the Hatch nuclear plant where a software update went bad and caused the system to crash forcing the plant to scram. The recovery time for that incident took 48 hours.
Those two case were a prime example of a cyber incident that was not attack driven.
“Cybersecurity is much more than hackers,” Lund said. “You want to protect against hackers, but that is not the only reason for security.”
Security helps keeps systems up and running, but there are challenges involved because: Patching is difficult, IT techniques can be difficult to conduct in an OT environment like at active scan which can shut down a system.
Security can be complicated, but professionals need to make it simple, practical and easy to use.
Here are three keys to a successful security solution:
Lund then talked about Belden’s 1-2-3 approach to security.
1. Secure industrial networks: This talks about defense in depth
2. Secure industrial end points
3. Secure industrial controllers
“Security is an ongoing process, you can’t just put it in and say you are done,” Lund said.
ICS cybersecurity is all about improving system reliability, reducing unplanned downtime, increasing productivity, decreasing operating costs and ensuring safety.
Whenever you talk about security and basics the same thing has to be said over and over again, but security is not a set and forget solution. Rather it is an ongoing process. Users always have to monitor and manage vendors for security updates. In addition, users have to consistently monitor systems for unusual activity and they have to manage configuration changes. They also have to investigate changes and anomalies.