Cybersecurity: A Constantly Moving Target
The world as a whole is becoming increasingly connected. In the world of industrial control systems, this is an exciting trend and it is helping ease communication between devices and facilities around the world, but it is also exposing companies to increased risk.
The world as a whole is becoming increasingly connected. From consumer products to industrial control systems (ICS), nearly everything is connecting to the internet, communicating with the cloud, and taking advantage of the latest technology. In the world of ICS, this is an exciting trend and it is helping ease communication between devices and facilities around the world, but it is also exposing companies to increased risk.
By connecting an ICS to the internet, companies are essentially creating an access path for possible malicious activity. If unauthorized access is gained, both proprietary and confidential information are at risk and there is the chance that bad actors can steal data, take control of the system, and/or establish a cyber-ransom situation.
Data communications and control technologies such as ICS are critical in today’s increasingly global economy and this high value makes these systems attractive targets to cyberattacks. When third-party software is used in an ICS, the risk is heightened; however, despite software being one of the most damaging points of vulnerability, it is often overlooked as a point of weakness. An important first step toward securing systems is acknowledging that security risks are in a constant state of evolution and the only way to truly manage risk is by remaining diligent.
Change is the Only Constant
In 2016, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) finalized work on 290 incidents. Of those incidents, the critical manufacturing, communications and energy sectors accounted for 63, 62 and 59 incidents, respectively. That’s more than 63 percent of total incidents, according to ICS-CERT Year in Review FY2016. In addition, the first known cyberattack to result in a physical impact to a power grid was also reported in 2016.
To help reduce the number of incidents, all entities working within critical infrastructure must comply with mandated or recommended cybersecurity requirements and practices. For example, the European Programme for Critical Infrastructure Protection (EPCIP) adopted requirements for the transportation and energy industries in the European Union (EU), and the North American Electric Reliability Corporation (NERC) has taken similar steps in the energy industry in North America. However, to make a real impact in this area, companies and industry alike must remain agile to the changing landscape of cyberattacks.
Though ICS cyberattacks have been an issue for years, their prevalence and prominence is helping to bring the conversation into the mainstream. In part, this is because of evolving tactics, shifting motives and the nature of the parties involved. As more ICS come online in the coming years, associated CPUs and network power will be cataloged, essentially creating a target list for cybercriminals, according to Security Week. With that, due to shifting political climates around the world, it’s likely that hacktivism—the act of illegally accessing a computer system for politically or socially motivated reasons—will begin to enter the ICS space as will the demand for ransoms in exchange for system control. This means that potentially devastating ICS malware will likely start to work its way into the world.
All of this is to say that the sophistication of cyberattacks is constantly evolving. Risk management requires a consistent effort to stay one step ahead of bad actors. This effort can be as simple as remaining diligent with the purchase, creation and use of ICS software. Fortunately, there are a few steps you can take to help secure your ICS and your business to prevent or minimize the damage from a cyberattack.
A Stronger Supply Chain for Stronger Software
When developing and/or sourcing software for a connected ICS, ensuring that reliable, internal processes are in place for the vetting of vendors and the assessment of software security is often the easiest way to stay secure.
1. Develop Security Specifications: Before selecting software or shopping for vendors, establish a set of formal requirements to cover all third-party products and software-containing components. Once established, these requirements should be included with every request for proposal (RFP) and vendor agreement.
2. Implement Independent Due Diligence: All new suppliers of software or software-containing components should be evaluated to determine if software safeguards meet security specifications (from #1). This due diligence has two components: 1) Third party evaluation can provide an independent assessment of offered protection while also freeing internal recourses to focus on higher-value cyber-related assessments. 2) Regular follow-up audits must be implemented to ensure risk management efforts remain current.
3. Commit to Scheduled Testing: Validation testing using a non-production environment should be completed when the product is acquired and throughout its use where possible. Small test beds of representations of the production environment allows for an opportunity to validate new software updates and configurations, and detect vulnerabilities.
4. Employ Track and Trace: Constantly monitor the source of all software, firmware and components to ease access to updates, patches and technical support. A concept of a bill of materials should be expanded to support not only hardware products in the system and their components, but also firmware, software and third party and open source components.
5. Update Regularly: With easy access to updates, patches and technical support, regular updates become easy. Often times, up-to-date software can provide the best defense against a cyberattack. Remaining current with software updates and patch releases helps keep software running safely while also keeping security measures up to speed with the evolution of technology.
6. Seek Technical Industry Updates: Get regular product updates and cybersecurity notifications from ICS-CERT (https://ics-cert.us-cert.gov/). These updates, from a branch of The National Cybersecurity and Communications Integration Center (NCCIC), provide regular control systems advisories, reports and countermeasures.
7. Limit Access: Understand the protected environment and limit access to only privileged systems and operators. For example, IoT and internet systems should be separated and segregated, and should be connected to duplicate data systems and stores that are protected from the actual OT environment.
8. Schedule Continuous Training: Employees are the first line of defense. Implement regular staff training to ensure all necessary parties are aware of the necessary protocols.
Of course, there’s no way to completely eliminate the risk of a cyberattack. In today’s connected world, companies must remain vigilant in their efforts to minimize risk, and reliable internal processes are often the best place to start. UP
Ken Modeste, Director of Connected Technologies, UL
Ken Modeste is the cybersecurity lead, principal technical advisor and subject matter expert for UL’s Cybersecurity Assurance Program. He helped develop UL’s series of cybersecurity standards that tests network-connectable devices for known vulnerabilities and software security. A key developer of the cybersecurity strategy for UL, Ken is responsible for strategically identifying long-term growth opportunities that align with UL’s mission to address public safety. He is responsible for creating the laboratory, hiring and training all personnel and developing programs and services to support UL’s client’s security needs. Ken has a proven track record in leading large diverse teams delivering commercial enterprise software in rapid environments with major business financial commitments. His leadership and analytical skills have helped develop and execute long-term software strategies. Previous to his engagement at UL, Ken served for 12 years as an engineering manager with GE. He began his career as a software engineer for GTech Corporation, after completing a Bachelor of Science degree.
Link to UL’s cyber page: https://industries.ul.com/cybersecurity