Cybersecurity Guidance for Small Businesses - What about Automation Systems?

By Eric Cosman

Effective cybersecurity is a challenge for many small businesses; perhaps more so if they also have automated industrial systems.

The National Institute of Standards and Technology (NIST) recently released a new interagency report (NISTIR) to help small businesses improve their cybersecurity preparedness. NISTIR-7621 (Small Business Information Security: The Fundamentals) is based on NIST’s 2014 Framework for Improving Critical Infrastructure Cybersecurity. A press release described the report as “…intended to present the fundamentals of a small business information security program in non-technical language.”

This is one of the more recent of many documents and guidelines available to small- and medium-sized business owners to help them address the security of their IT-related systems and solutions. Much of this guidance addresses the security of business-related systems and assets, with emphasis on protecting against information loss and ensuring the operational continuity of those systems.

While such information is certainly relevant and useful, it may not be sufficient in all cases. In the United States, the Department of Homeland Security (DHS) has defined sixteen critical infrastructure sectors. Several of these include many small- or medium-sized companies that run industrial processes employing some level of automation. Specific examples include the Chemical sector and the Water and Wastewater Systems sector. A similar situation exists in other countries.

While it is generally accepted that securing automation systems requires different or additional measures than those used to secure general-purpose information systems, it is also true that smaller companies might have difficulty implementing much of the available guidance.

Standards and practices available in this area are often based on the assumption that engineering and operations resources are available to define, implement, and monitor the technology, business processes, and associated controls necessary to ensure the security of industrial control systems. Unfortunately, this is often not the case. Smaller operations are typically not staffed to include such roles. It is more common to have broadly-defined staff roles, with support and operation of IT systems only one of an individual’s responsibilities. Smaller companies may not even be fully aware of the risks they face or that they can contract for cybersecurity-related services.

Systems integrators often deliver automation systems in conjunction with packaged operations or equipment. Individual pieces of equipment may have come from different providers or integrators, making it difficult to assign overall accountability for cybersecurity. The reality is that this accountability ultimately falls on the asset owners, since they are the ones who would have to deal with the consequences of any breach or attack. Unfortunately, the combination of technical complexity and lack of specialized expertise often makes it difficult for asset owners to fulfill their responsibilities in this area.

Asset owners need simple and straightforward guidance on how to secure automation systems, complementing what is available for general business systems. So who should provide this guidance, and how can it be delivered to those who need it? Standards development organizations (SDOs) like the International Society for Automation (ISA) can fill some of the need by developing recommended practices targeted specifically at small- and medium-sized businesses. Suppliers and systems integrators can also provide guidance and direction based on a combination of their specific expertise and available standards. Also, many cybersecurity service companies can conduct assessments and design appropriate mitigation programs.

These and other stakeholders and contributors all have a role to play in ensuring that proven practices for automation systems security are available for companies of all sizes.
