By Gregory Hale
Safety and security are just good business.
“Cyber security is a necessary layer in the overall safety and security package,” said Mark Heard, representing the American Chemistry Council Cyber Security Program and an electrical engineer in control systems engineering at Eastman Chemical, during the “Path to Vulnerability Resolution: Cyber Security Panel Analysis” meeting today at Invensys OpsManage ’11 in Nashville, TN.
“There was a lot of attention placed on safety in the 80’s,” Heard said. “It was safety by design. That is what we want to do with security. You will start with the premise that you may not be anywhere right now, but you can be in a significantly different place in 10 years.”
Having a secure system in place keeps systems up and running and adding more to the bottom line.
“Safety and security are simply good business. Downtime is bad all the time. We work hard to make sure plants are running all the time,” Heard said.
Until someone can come up with a better business case for security, Heard said the best model right now is the cost avoidance scenario. “Security, like safety, costs money. But the money you make on the back end makes it worth it.”
To avoid any kind of high costs suffered because of an incident, users need to be ready for anything an attacker throws at them.
“There are no shortcuts,” Heard said. “You have to do your homework before it is due. You don’t want to not be prepared when an incident is happening. There will be incidents affecting your system, but you need to be prepared.”
Being prepared is also all about working with the IT department, something that has been an issue in the past, but is working a bit smoother these days.
“You have to work with the IT department, they have a head start (on cyber issues); they know what they are talking about,” Heard said.
Pamela Warren, director of global public sector and critical infrastructure initiatives at McAfee, said she sees the relationship between IT and operations thawing.
“There is a cultural divide between IT and operations, but it is time for the whining to stop. You have to see each other as partners,” she said.
There is also the aspect of taking care of what you bring to the table.
“As a control system supplier, we need to take care of what we can control,” said Ernie Rakaczky, program manager for control systems cyber security at Invensys Operations Management. “There is a lot of tactical information out there and we have to be thinking long term.”
From Warren’s perspective, there are more issues out there than just threats. One is the cultural divide; another is ICS vendor security, where vendors have to take ownership of their product line; the third is the change in the threat landscape. “We see between 70,000 to 100,000 different threats a day,” she said. “That is mostly malware, which at first looked for financial information, but now we see it looking for data.”
At the end of the day, though, there needs to be a collaboration between users, researchers and suppliers.
“From our perspective, it is all about working together,” she said.
Working together is key to disclosing vulnerabilities, and Zachary Tudor, program director in the computer science laboratory at SRI International, said there are “some people in the industry that are doing some things that are borderline unethical or potentially illegal” to release vulnerability details.
He said some researchers could find a vulnerability and then force the company to pay them or they will release the information. That is something he said “could be considered extortion.”
In a perfect world, which actually does come about quite a bit, a researcher finds a vulnerability, informs the offending company or the ICS-CERT and then they all work out the problem.
Kevin Hemsley, who leads the ICS-CERT Vulnerability Handling team, said more people are reporting issues to ICS-CERT.
“In the last year we had an increase of 753 percent in vulnerability reports over last year,” he said. “I don’t see that getting any lower anytime soon.”
With such a massive increase in reported vulnerabilities, it is easy to understand why Eric Cornelius, Chief Technical Analyst for the Department of Homeland Security’s Control Systems Security Program, said it was only a matter of time before manufacturers suffer some type of attack, so they should have a plan and be ready.
“You need to be proactive in cyber security or else you will pay,” he said.