The effort and expense required to establish and operate an effective industrial cybersecurity management system can be difficult or impossible to justify in the conventional sense. Responding to growing and evolving cybersecurity risks is not an option, but an imperative. Addressing this imperative requires that asset owners and other stakeholders look beyond their own sector or industry for guidance and direction, drawing on as broad a range of experience as possible.
Each element of risk (threat, vulnerability, and consequence) is, to some degree, shared or common across sectors. All users of industrial automation systems are susceptible to cyber-attacks, whether or not their respective facilities are deliberately chosen as a target. All share the same vulnerabilities associated with a common technology monoculture. Finally, the potential consequences are also similar and, in some cases, almost identical.
Common or shared risk calls for a common approach, which in turn should encourage more sharing of effective practices and countermeasures. Combined with well-defined principles and fundamental concepts, these become the basis for a common discipline for industrial cybersecurity that applies across all industry sectors.
The Case for Improved Industrial Cybersecurity Across Sectors
Asset owners in virtually every industry sector struggle with how to best address rapidly changing cybersecurity-related risks to their automated systems. One of the most common questions posed by these asset owners is “What is the business case for cybersecurity?”
This question implies that an effective cybersecurity response is discretionary. Unfortunately, it is not. In many sectors it is an imperative. The specific driving forces behind this imperative vary by sector. In some cases, there are regulatory requirements. Where binding regulations have not been defined, a responsible government agency may have expressed clear expectations in the form of guidance documents. Furthermore, with increased public awareness of the potential consequences of cyber-attacks, customers and other public stakeholders have come to expect that companies take the steps necessary to protect the integrity of their businesses and products and the information that they contain.
This imperative is common across sectors. All asset owners must reduce the risk of potential cyber-attacks or incidents through some combination of reducing vulnerabilities and mitigating consequences. In effect, cybersecurity has become a license to operate, particularly (but not exclusively) for critical infrastructure.
Shared but Unique
Many industries share several common characteristics. ARC has previously written about the importance of sharing information across industries and sectors based on this fact.
To a large degree, all sectors are in the same situation with regard to industrial or operations cybersecurity. Yet many still make an argument that a particular sector or industry is somehow “different,” requiring tailored or unique guidance and associated responses. This has led to considerable duplication of effort when developing guidance and related information.
Common Threats and Collateral Damage
The first component of risk is threat. Threats to industrial systems come in many forms. These range from direct attacks to non-specific attacks that capitalize on the nature of these systems and their availability or accessibility via the Internet. While many asset owners may feel that they don’t have a high enough profile to be the target of a directed attack, they can easily be subject to collateral damage when malicious software is released on the Internet. Recent cases of ransomware attacks illustrate this very clearly. Those releasing this software may not have an individual target in mind but are simply looking for situations where vulnerabilities can be exploited to encrypt data and demand payment for its release.
Although the data contained in industrial automation systems may not be as sensitive as customer billing data or the personally identifiable information found in financial systems, its loss, or the loss of access to it, results in a corresponding loss of production. For these systems, availability and integrity matter at least as much as confidentiality.
Technology Monoculture and Shared Vulnerability
Virtually all sectors that employ computer-based or automated systems use products from the same group of suppliers. With mergers and acquisitions, the number of major suppliers has decreased, with all using essentially the same commercial-off-the-shelf (COTS) technology for components such as databases, operating systems, and network components. This technology monoculture means that the vulnerabilities inherent in automation solutions are present in virtually all sectors.
When these vulnerabilities are detected and publicized, the onus falls on asset owners to update or patch their installed systems as quickly as the production environment allows. In cases where such patching is not practical or even possible (for example, on systems that cannot be taken down outside a scheduled maintenance window, or whose supplier no longer provides updates), it is often necessary to employ compensating countermeasures or controls to mitigate the vulnerabilities. Examples include the use of various isolation methods, up to and including disconnecting such systems from networks. Products such as industrial firewalls and unidirectional gateways are now available for this purpose.
A considerable amount of guidance is available in this area. This ranges from industry standards that describe accepted engineering practice to more focused guidance and practices developed within specific sectors. Suppliers of isolation devices (e.g., unidirectional gateways and industrial firewalls) also provide case studies illustrating the use of their products.
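As an added example (not code from the ARC report, and not any supplier's product), the following script models the simplest form of the compensating control described above: an allowlist firewall policy between a corporate (IT) zone and a control (OT) zone that cannot be patched. It evaluates a few constructed sample flows against the policy and then audits the rule set for any allow rule that lets IT initiate connections into OT, which is the direction a unidirectional gateway is meant to block. The zone ranges, the rule format, the policy rules and the sample flows are all constructed for illustration.

```python
"""Audit an IT/OT boundary policy used as a compensating control.

Added example, not code from the ARC report it accompanies. The zone
layout, rule format, policies and sample flows are constructed for
illustration only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp", or "any"
    dport: Optional[int]   # destination port; None matches any port
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Constructed zone layout: corporate network and one control-system cell.
ZONES: Dict[str, IPv4Network] = {
    "IT": ip_network("10.0.0.0/16"),
    "OT": ip_network("192.168.100.0/24"),
}


def zone_of(ip: str) -> str:
    """Return the zone name containing ip, or 'UNKNOWN'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls under the rule's source, destination, protocol and port."""
    if ip_address(flow.src_ip) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst_ip) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; any unmatched flow is denied (default deny)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def audit_direction(rules: List[Rule], src_zone: str, dst_zone: str) -> List[int]:
    """Indices of allow rules that let src_zone open connections into dst_zone.

    A rule is flagged when its source range overlaps src_zone and its
    destination range overlaps dst_zone. Any such rule contradicts a one-way
    posture from dst_zone outward.
    """
    flagged = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if (ip_network(rule.src).overlaps(ZONES[src_zone])
                and ip_network(rule.dst).overlaps(ZONES[dst_zone])):
            flagged.append(i)
    return flagged


# Constructed weak policy: historian replication out of OT is the only
# intended flow, but a remote-access rule has crept in and opens RDP into the cell.
WEAK_POLICY = [
    Rule("192.168.100.10/32", "10.0.5.20/32", "tcp", 5432, "allow"),  # OT historian -> IT mirror
    Rule("10.0.1.5/32", "192.168.100.0/24", "tcp", 3389, "allow"),    # IT jump host -> OT (problem)
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),              # explicit default deny
]

# Hardened policy: the inbound rule is removed, leaving only OT -> IT traffic.
HARDENED_POLICY = [WEAK_POLICY[0], WEAK_POLICY[2]]

# Constructed sample flows observed at the boundary.
SAMPLE_FLOWS = {
    "historian_replication": Flow("192.168.100.10", "10.0.5.20", "tcp", 5432),
    "workstation_to_plc": Flow("10.0.7.33", "192.168.100.50", "tcp", 502),
    "jumphost_rdp_into_ot": Flow("10.0.1.5", "192.168.100.50", "tcp", 3389),
}


def report(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample flow against a policy."""
    return {name: evaluate(rules, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, report(policy), "IT->OT allow rules:", audit_direction(policy, "IT", "OT"))
```

The audit checks policy intent, not packet-level behaviour: a stateful firewall that permits the OT-to-IT replication flow still passes the reply packets of that connection back into the cell, so a firewall policy approximates a one-way posture rather than guaranteeing it. Where the control system must never receive packets from the corporate side, a hardware unidirectional gateway remains the stronger control, and the firewall audit above is the check to run on whatever rules sit alongside it.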
ARC Advisory Group clients can view the complete report at ARC Client Portal
Keywords: Cybersecurity, Critical Infrastructure, Risk Management, Sectors, Sharing, ARC Advisory Group.