Applying Industry Standards to Address Cybersecurity Risk

By Eric Cosman

ARC Report Abstract

Executive Overview

The need to improve the industry's response to cybersecurity risk is well established. Each new incident report increases awareness of the risks faced. The nature of the risks continues to evolve as new vulnerabilities and threats are discovered. Beginning with the Stuxnet attack in 2010, a steady stream of incidents has shown that industrial systems are vulnerable to both general and targeted attacks. While they may accept the need to better protect their critical systems, many asset owners struggle to understand what guidance is available and how industry standards can help them formulate their response. The number and variety of available standards and related sources, together with the complexity of the topic, add to the confusion.

An effective response to the threat must address all phases of the life cycle, from conception and selection through operations and support. Established standards reflect this need and provide requirements for all involved, from suppliers and integrators to asset owners and support providers.

Ultimately, the asset owner is accountable for securing automation systems used in critical infrastructure. To accomplish this, they must develop a program that applies the necessary experience and expertise within a well-defined framework.

ARC has conducted extensive research in this area. Key findings include:

  • The perception that too many standards are available is due at least in part to the tendency to over-apply the term “standards” to include other sources of guidance. It is essential to appreciate the difference between standards, guidelines, and other sources of information.
  • Standards come in several forms, including prescriptive, normative, and informative. It is important to choose the standard(s) most appropriate for the situation. For example, participants in regulated industries may have little choice as to the standards they must follow.
  • Standards developed primarily for and by one industry sector can often be applied successfully in other industries with the appropriate interpretation. 

The Need to Address Industrial Cybersecurity

Improving the level of cybersecurity for industrial automation systems has been an imperative for nearly twenty years. This is particularly true for systems used in critical infrastructure sectors such as energy, chemicals, and critical manufacturing, but there are also implications in other industry sectors.

Increased Awareness

In recent years there have been several widely reported incidents involving attacks on industrial control systems. In 2010 an attack, subsequently named Stuxnet, reportedly compromised control systems in Iran, causing damage to centrifuges used to enrich uranium. Several other direct attacks have been reported since then. To the extent they are connected to the Internet (directly or indirectly), industrial systems are also vulnerable to non-targeted malicious software. This includes the growing number of ransomware attacks such as NotPetya and WannaCry.

Media coverage of high-profile cyber-attacks has increased awareness of the potential risk to systems used to monitor and control pipelines, power plants, manufacturing facilities, transportation, and other parts of the critical infrastructure. The potential consequences include not only information loss but also compromised manufacturing operations and supply chain disruptions. Senior company management and board members now understand that inadequate cybersecurity is a possible weakness in their businesses.

In many cases, this increased awareness has led to more support and resources to extend cybersecurity management systems to include automation and related operations systems as well as business information or back office systems. This in turn requires the expertise of additional disciplines, including automation engineering and process safety.

While there has been considerable progress in some sectors, more improvement is required. The nature and extent of the risk evolves continuously as new threats and vulnerabilities emerge. The level of understanding of the potential risk is still not where it needs to be.

Many asset owners have come to accept the need to make improvements, but often struggle to develop practical and effective plans. Faced with a variety of possible responses, it is often difficult to select and plan the most effective countermeasures for the situation. A lack of personnel with the required skills and experience compounds the problem.

Table of Contents

  • Executive Overview
  • The Need for Industrial Cybersecurity
  • Challenges Faced
  • Planning a Response
  • Recommendations


ARC Advisory Group clients can view the complete report at ARC Client Portal 
