By Ernest A. Rakaczky
Collaboration within the process control cyber security community is imperative, and for the most part our biggest challenge today is how quickly we can get there.
Over the past years, we have read and listened to quite a few people talking about the value of, and need for, collaboration as we move forward in defining cyber security measures in process control. These measures include standards, guidelines, best practices and specific technologies, among others. What we need now is to rally behind the idea of collaboration and understand why we get so close but fall short.
There are three major ingredients needed for true collaboration to take place:
• Parties working toward a common goal;
• Parties that have established a trusted relationship; and
• Parties that understand their own boundaries and are willing to respect the boundaries of others in a collaborative environment.
Before we review each of the above in more detail, note that the intent here is to address the thought process and sensitivity each contributor in a collaborative effort needs to establish. In general, this community can bring members together from very different areas of interest, such as users from:
1. The end user community
2. Government agencies
3. Control system vendors
6. Standards groups
7. Security technology suppliers
8. System integrators
10. Sector specific industry groups
Working Toward a Common Goal
This objective is pretty clear, and it is by far the one area everyone is continuously working toward: a safer and more robust critical infrastructure. But it is also the one objective that seems to cause many collaborative efforts to quickly break down. Many times, it seems everyone is working on different timelines, from a 10-15 year strategic industry roadmap to a newly discovered vulnerability for which we need to alert the world yesterday. I know this may be looking at it from two separate ends of the spectrum, but for all those activities, and everything in between, we need to make sure we establish that timeline from the onset and that it is well understood and agreed upon by all parties involved.
Likewise, it is imperative that the collaborative groups establish and take ownership of the areas for which they are going to take responsibility for resolution. This is a clear way to ensure understanding of timelines and also to set the foundation for establishing a trusted environment.
Establishing a Trusted Relationship
Within the control system cyber security community, there are many pockets where this trusted relationship is well established and where the biggest contributing factor is time. A majority of this community has been working together for the better part of the past 10 years. We are now at a point where time is no longer on our side, so we need to quickly build from this base a much broader trusted community, a task much easier said than done.
Unlike 10 years ago, we do have a great program in place that facilitates and nurtures our ability to grow this trusted base: the current Industrial Control System Joint Working Group (ICSJWG) program. It clearly has the foundation in place to bring all interested parties together and have them actively participate. There is no better way to gain trust and at the same time ensure your concerns, ideas, solutions, guidance, etc. are being heard and are contributing to a possible resolution effort.
From bi-annual face-to-face meetings to monthly sub-working group calls, you can clearly see the growth of this trust and a much broader/mixed participation from the various community groups.
But as this group grows, it becomes even more evident and critical that we all establish respect for, and an understanding of, each member’s boundaries, for without this respect, trust will never be possible.
Respecting the Boundaries
One element we do not talk about much is the overall life-cycle of a control product. I bring this up because it is also in this life-cycle that many of the boundaries exist. It is within the various life-cycle phases that we see clear crossover among community members, areas of responsibility, areas of ownership, and areas of resolution control.
Granted, members cross over many different boundaries, but they have a more direct focus on a given life-cycle timeline.
Fundamentally there are three major life-cycle phases:
• Control product developed
• Control product implemented
• Control product supporting an operational requirement
From this understanding we clearly see that within these life-cycle phases the majority of time for the control product is supporting an operational requirement. This was the primary focus and effort spent in establishing standards, compliance, best practices, etc., a very tactical but very necessary effort. However, efforts also focused on control products already obsolete and/or at the end of their supported life-cycles.
Now let’s look at a company, WIDGET Controls, that has just released its new control product. If WIDGET Controls has not addressed cyber security in the first two life-cycle phases, we are faced with the same issues for the next 10-15 years. That is the scenario so many researchers are focusing on, and at times are frustrated with, in control system applications today. It is also one area where the control system vendor has full control and the ability to make a long-term difference.
Although there are definite life-cycle boundaries within the control product, the community of interest has pretty much a vested interest and requirements in all life-cycle phases.
So how can we establish some sort of balance and help to facilitate when these boundaries get crossed?
Once they are crossed, the levels of urgency, communication, mediation and more get escalated, and many times we lose focus. It is at this juncture that we need to learn to respect the areas over which we have no physical control and trust those that do, and trust they will take ownership through resolution. At the same time we must build on the established US-CERT/CSSP programs in place and leverage tools, information, training and, most important, their ability to be that foundational point of true collaboration.
Ernest A. Rakaczky is the program director, control system cyber security, Invensys Operations Management.