By Gregory Hale
There are huge differences in security implementations between the industrial domain and the IT side.
“For us to be able to achieve industrial security on the manufacturing floor, we need to have resources that understand both control and security at the same time,” said Tamer Soliman, head of service operations, Industrial Services for Siemens Industry, during his “Risk Driven Industrial Control System Cyber Security Investment” webcast Tuesday. “We can’t use straight out of the box enterprise security concepts and apply them on the plant floor.”
The differences, Soliman said, between industrial security and IT security is on the OT side users are looking at the AIC model, while IT works with the CIA model.
While all the letters represent the same thing, the difference in order is very important.
AIC stands for availability, integrity and confidentiality, while CIA stands for confidentiality, integrity and availability.
Levels of Importance
Availability on the industrial side is most important. The plant needs uptime, where the system and the process remain operational. “They can’t have a downtime of anything less than .3 seconds,” Soliman said.
On the IT side, downtime of minutes is acceptable. “They can walk out to the coffee machine to get a coffee, the network could be back and available again,” he said.
In terms of who is deploying the system, on the industrial side it is control engineers, while on the IT side there are networking experts, he said. The assets protected on the industrial side are control systems, while on the IT side it is PCs, servers and printers.
When security comes into play in an industrial setting, there are quite a few stakeholders that have their own specific focus on security, he said.
Plant managers know they have a limited budget, but they want to keep the lines running, while a production manager wants the lines to remain up and running and a maintenance manager sees cyber security increasing visibility into the network, Soliman said.
From the IT perspective, the enterprise IT manager sees there is a change of perspective on the shop floor and can see the opportunity to secure it along with the enterprise network, all within budget. The cyber security officer sees ICS cyber security is becoming a reality, sees the need for specialized industrial cyber security expertise.
Triangle of Security
To help create a secure industrial environment, there is a triangle of players that help set a security scenario: Policy makers, automation vendors and manufacturers.
In short, they all need to hand off ideas, concepts and solutions to ensure a secure environment. “All three are working toward a common goal and the common goal is to securing our industrial facility,” Soliman said.
Policy makers put in place things like standards, certifications, audits, he said. They share common interests. For automation vendors, security is integral to product development and manufacturers need to understand risks and make the proper security decisions for the right equipment they need.
Each party has a role to play. Policy makers put rules in place. Vendors understand the rules and put them in place. Manufacturers make sure the rules apply to them and then give feedback to the vendors.
Giving feedback is important as by 2020 there will be 50 billion connected devices, or almost 7 devices per person globally, Soliman said. That compares to 2003 when there were 500 million connected devices. “That is how fast the world is moving,” he said.
The very nature of security means the environment is very dynamic. The threat landscape continues to change where there are diminishing attack costs, but an increase in complexity. “The cost of launching an attack is becoming lower day after day,” Soliman said.
One of the ways to tackle the attack onslaught is to adopt standards to protect processes. “The threat is real as attacks grow and it won’t get better when it comes to exposure,” he said. “Security is a continuous exercise. For you to be secure in your facility, you need to have security everyday and every time.”
Here is what could occur when a company suffers an attack:
• Production uptime slows, could result in loss of revenue, increase in downtime
• Health and safety
• Public impact
• Intellectual property theft
• Damage brand image
Use of Standards
In talking about standards, Soliman discussed what he called the most commonly known standard and that is the NIST security framework.
The voluntary framework from the National Institute of Standards and Technology (NIST) released this past February as directed by President Obama in Executive Order 13636, Improving Critical Infrastructure Cybersecurity. The framework consists of existing standards, guidelines and practices and provides guidance for reducing cyber security risk for organizations within the critical infrastructure. The framework was the result of a year-long process in which NIST served as a convener for industry, academia and government stakeholders.
Part of working with that framework, users need to be able to identify the threat and then apply the change and put the facility in the proper protection level. Then there is the detect phase, which ensures the ability to detect an incident. Then there is the respond to the incident phase and then, after that, the recovery stage.
The work with the phases of the framework, there is a three-step approach:
• Assess the risk and know your security posture and develop a security roadmap
• Take the roadmap and start implementing it bit by bit
• Continuous security services through monitoring and maintaining security levels achieved
“We need to be prepared to react quickly to mitigate the risk and recover from it,” Soliman said.