Awareness of the cybersecurity risks to industrial systems has increased significantly in recent years in response to several widely reported incidents. Analysis of and reporting on these incidents have identified the inherent vulnerabilities of commonly used products and technologies as well as the evolving nature of the threats. It is now generally accepted that either a targeted or non-targeted attack could trigger serious consequences.
The response to the increased risk has been inconsistent across sectors and companies. Larger companies may have the wherewithal and resources to mount a comprehensive response while smaller companies may struggle to provide even the simplest protections. Some responses focus almost exclusively on network security; others are limited to a particular product or technology platform. The most effective response requires a broader approach that includes the people, process, and technology aspects of automation systems.
An additional complication is that different stakeholders or participants have different needs and expectations. Automation suppliers are typically the most interested in definitive standards that can provide them with clear requirements to meet when designing and building products and systems. Asset owners ask for practical guidance in the form of practices or proven case studies. System integrators span these two interest areas. They benefit from functional and performance requirements when assembling systems and reference practices when defining how the resulting systems should be operated.
Expert interpretation is necessary to apply the requirements that appear in various industry standards (e.g., ISA/IEC 62443). Industry experts are currently debating how to best provide such interpretation. Some have developed simple tools like checklists or recommended practices, while certification bodies and compliance testing laboratories have proposed more formal profiles. Regardless of the specific format used, it is important that any interpretation needed is accurate and the guidance easily understood by stakeholders.
The Need for Improved Cybersecurity Profiles
Several high-profile incidents in recent years have led to increased awareness of the importance of addressing the cyber-related risks to industrial automation and related systems. While much of this may be motivated by concern about protecting safety-critical systems, many other risks must also be addressed. The objective of a cybersecurity management program is to address all relevant risks.
The primary driver for such a program depends on the situation. In some cases, it may be industry or government regulation. This is common for several sectors deemed to be part of the critical infrastructure. While other sectors may not have formal or statutory regulations, there are nonetheless expectations for their response to cybersecurity risk. These may be either internal (e.g., board of directors) or external (e.g., trade associations). There are also operational drivers to improve cybersecurity. The most obvious is the need to avoid lost production resulting from either a targeted or non-targeted attack.
Several widely reported incidents in recent years have shown that it is possible to trigger serious consequences through either targeted or non-targeted cyber-attacks. The response to this risk varies across sectors and companies. The most effective response must include the people, process and technology aspects of automation systems.
Although the driving forces may vary by situation, the major elements of the response are largely common across sectors. Typically, the first element of the response involves raising awareness of the potential risk. This includes explaining the nature of the threat and the prevalence of vulnerabilities in commonly used products and technology. It is essential that asset owners identify and rank the possible consequences of a cyber-attack. These are often similar to, or the same as, the consequences of other threats and vulnerabilities.
Many asset owners ask for a checklist or similar simple tool that can be used to determine what must be done to address cyber risk. Several consultants and service providers have developed such lists. One notable example is the Center for Internet Security’s list of CIS Controls. Such lists can be useful for addressing what is commonly referred to as “basic cybersecurity hygiene,” but this is only the beginning of a more comprehensive response. Moreover, many of these basic controls are generic and not tailored for the industrial environment.
Standards as References
To fully address the cybersecurity needs of industrial systems, it is necessary to follow the standards that have been developed specifically for that environment. Such standards may be sector-specific or developed to address the needs of a wide range of situations. However, standards typically describe what must be done, without becoming too prescriptive about how the measures are to be achieved. They typically include carefully worded normative requirements that describe exactly what is to be achieved and by whom (i.e., the specific role). The rigorous methodology used to develop such standards often results in arcane and very technical language. This can present a barrier to common use, as many asset owners or end users may not be familiar with the language used. While standards provide valuable reference sources, it is often difficult to use them without interpretation to define what is required for an effective cybersecurity program.
General guidelines are also available from a variety of sources. Some are derived from standards; others are created based on practical experience. While standards deliberately avoid prescribing how a desired requirement must be addressed, guidelines commonly specify tools, methods, and technology.
Asset owners are often challenged by the number and variety of standards available. In the absence of specific direction from regulators or trade associations, they must select one or more standards that address the requirements most appropriate for their situation. This in turn has led to the creation of many comparison documents or “crosswalks” that compare the coverage of two or more standards. Unfortunately, maintaining these can be very labor intensive, as the source standards change and evolve over time.
Even when applicable standards and guidelines are clearly described and generally well understood, they are not always adopted and applied consistently or sustained over the long term. There are several possible reasons for this, ranging from lack of acceptance of the risk to an expectation that any cybersecurity program should have a return on investment. In many cases the improvements required to manage cybersecurity risk are implemented as part of a project, without adequate consideration for sustaining them over the long term.
Some of the more popular standards and guidelines are developed for specific industries or sectors. Unfortunately, individual facilities and their control systems may not fall neatly into a specific sector. For example, integrated facilities in the chemical industry may also include cogeneration plants that could benefit from guidance from the energy sector. Many major petroleum companies fall into both the refining (energy) sector and the pipeline sector. In these situations, it may be challenging to determine which standards and guidelines are most appropriate.
These and similar challenges can make it difficult to balance consistency with the completeness of application. Those creating standards typically strive for the broadest possible coverage to achieve consistency in response. However, this can lead to difficulty and some level of confusion as those referencing the standards try to understand how specific requirements may or may not apply to their situation.
ARC Advisory Group clients can view the complete report at ARC Client Portal
Keywords: Cybersecurity, Practices, Profiles, Requirements, Sectors, Standards, ARC Advisory Group.