By Gregory Hale
Security is a multi-faceted endeavor, as any security professional will tell you, and a key part of it is not focusing on a single area but keeping up with all of them, which can feel like a juggling act.
But it doesn’t have to be that way if you follow the four pillars of security.
“There are challenges for asset owners,” said Chris Da Costa, global operations cyber security manager at Air Products and Chemicals, during his talk entitled “Cybersecurity Requirements for Industrial Control Systems – A balancing Act,” at the Siemens Automation Summit 2018 in Marco Island, FL. “A key aspect is quantifying cyber risk and conveying it to senior management. If you are breathing you know there are cyber risks out there. We all have to deal with limited budgets dealing with cyber risk.”
Da Costa talked about IT/OT cooperation, continuous vulnerabilities and patches, product obsolescence and pressure from regulators. In addition, there are plenty of new tools and products to address security.
“The new tools are a good thing, but it is also a bad thing in knowing what is a good product and what is not,” he said. “The ‘if it ain’t broke, don’t fix it’ way of thinking; those days are gone. New technologies are great, but there are security problems – that is why I don’t have any hair left.”
That is where a good security plan needs to come into play.
“We want to help put a cybersecurity program framework in place,” said John Cusimano, director of industrial cybersecurity at aeSolutions, who co-presented with Da Costa. “Having some structure to your program helps.”
Cusimano talked about four pillars that can form the core of a cybersecurity program:
• Cybersecurity governance
• Risk management: “Cybersecurity is really a risk management event,” Cusimano said. “Just like safety programs which are risk-based, risk management is a fundamental part of any security program.”
• Implementation
• Operations maintenance
“We find companies sometimes spend too much time in one quadrant, but you have to keep a balance between all quadrants,” Cusimano said.
Da Costa and Cusimano then discussed the four pillars.
In cybersecurity governance, “it is a sure sign to fail if you don’t have proper governance,” Da Costa said. “You need a cross-functional team and it needs to be chaired by the organization that owns the OT risk. It also needs to be responsible for managing the overall program.”
In cyber risk management, as Cusimano said, it is all about risk management.
“A lot of times we get caught up in the shiny new tools out there, but it is all about risk management,” Da Costa said. “If the tool doesn’t help clean up risk, then why use it? You need to do a deep dive into what your vulnerabilities are. If not, you might be caught up in risk theater.
“As a part of risk management, you need to perform a vulnerability assessment. The key is to consistently understand what the risk appetite is for your company. It is important to adapt a risk matrix for security. Understand what it is you are trying to protect.”
Part of creating a risk management profile is to conduct a vulnerability assessment.
“What I have noticed is people have confused risk with vulnerabilities and consequences,” Cusimano said. “Cyber risk = threat x vulnerability x consequence. What we have found is people will do a gap assessment and confuse that for a risk assessment; same with vulnerability. Also, a pen test is not a risk assessment.”
“A risk assessment is a cyber PHA (process hazard analysis), which is a very structured systematic approach to learning cyber risk,” Cusimano said. “What is the real consequence if the system is compromised. It is a way of putting cyber vulnerabilities in the context if the system shuts down.”
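As an added illustration, not code from the presentation or from aeSolutions, the Python below scores a handful of constructed ICS scenarios with the “threat x vulnerability x consequence” formula on a hypothetical 1-3 ordinal scale, applies an assumed risk appetite threshold, and compares the result with a vulnerability-only ordering. The point it demonstrates is the one Cusimano makes: the most exploitable finding from a gap or vulnerability assessment is not necessarily the highest risk once process consequence is taken into account. The scale, the scenarios, their ratings and the appetite value are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical ordinal scale; a real program would take this from its own risk matrix.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: str         # likelihood an adversary attempts this scenario
    vulnerability: str  # how easily the attempt succeeds
    consequence: str    # process/safety impact if it succeeds (the PHA-style question)


def risk_score(s: Scenario) -> int:
    """Cyber risk = threat x vulnerability x consequence, on 1-3 scales (range 1..27)."""
    return LEVELS[s.threat] * LEVELS[s.vulnerability] * LEVELS[s.consequence]


def rank_by_risk(scenarios: List[Scenario], appetite: int) -> List[Tuple[str, int, bool]]:
    """Highest risk first; the flag says whether the score is within the stated risk appetite."""
    scored = [(s.name, risk_score(s), risk_score(s) <= appetite) for s in scenarios]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def rank_by_vulnerability(scenarios: List[Scenario]) -> List[str]:
    """What a vulnerability or gap assessment alone yields: ordering by exploitability only."""
    ordered = sorted(scenarios, key=lambda s: LEVELS[s.vulnerability], reverse=True)
    return [s.name for s in ordered]


# Constructed sample scenarios (not real findings from any site).
SCENARIOS = [
    Scenario("hmi-web-dmz", "high", "high", "low"),              # easy to hit, view-only data
    Scenario("vendor-remote-access", "high", "medium", "high"),  # shared password into control net
    Scenario("sis-engineering-port", "medium", "medium", "high"),  # safety system reachable from plant LAN
    Scenario("hardened-historian", "medium", "low", "low"),
]

# Assumed company risk appetite: anything scoring above 8 must be treated.
RISK_APPETITE = 8


if __name__ == "__main__":
    print("by vulnerability only:", rank_by_vulnerability(SCENARIOS))
    for name, score, tolerable in rank_by_risk(SCENARIOS, RISK_APPETITE):
        print(f"{name:<24} risk={score:<3} {'within appetite' if tolerable else 'TREAT'}")
```

Run stand-alone, the vulnerability-only list puts the unpatched HMI web service first, while the risk ranking puts vendor remote access and the safety-system engineering port ahead of it; the HMI still exceeds the assumed appetite, but it is no longer the first thing to fix.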
In the implementation phase, Da Costa said, the design architecture has already been determined. Moving toward it in a brownfield environment may not be an immediate jump; “you may have to get there in steps.”
On the operations side, the mission is to monitor and maintain but remain flexible enough to face any issues.
“Your adversaries are out there and they are fine-tuning their attack, so you have to be able to adapt,” Da Costa said. “As threats are coming in, you need to make sure you can adjust to potential attacks. There will be people knocking on firewalls who don’t get in; you should be aware, because eventually they will if you don’t address it.”