The need for significant improvement in the state of OT cybersecurity in critical infrastructures has been broadly acknowledged for almost two decades. Although the subject started to receive significant attention in the early 2000s, the reality is that the protection of operations systems from threats to their integrity and availability has been a concern of asset owners for much longer than that. While the threats and vulnerability components of the risk equation were traditionally physical and safety-related, increased network connectivity and the broader use of commercial off-the-shelf (COTS) computer and communications technology inevitably led to increased scrutiny of cybersecurity risks.
In the first several years much of the focus was on increasing awareness of the potential risk and providing general guidance on how to formulate a suitable response. This in turn led to increased efforts to develop standards-based on broadly accepted engineering practices. Although it may not have been the primary intent, over the past decade industrial cybersecurity has become a recognized discipline.
It is clear that a great deal has been accomplished, but just as is the case with similar areas such as safety and quality, it is more of a journey than a task with a defined beginning and a defined end. It is essential that we view improvements in cybersecurity as requiring improvements in multiple areas, including people and skills development, governance and process development, and improved technology.
Has the state of products and technology reached a point where we have what are clearly the best solutions for all expected situations? Of course not. These capabilities must and will improve. Have we reached the stage where we can implement the organization and governance that meets all requirements? Again, the answer is no. Clearly, there is more to be done in both these areas.
What about awareness and appreciation of the seriousness of the risk on the part of those making investment decisions? This has been a major area of activity since the earliest days of the critical infrastructure cybersecurity response, and it will no doubt continue to be so almost indefinitely. Some seem to have taken on the role of a modern-day Cassandra, cursed to utter true prophecies, but never to be believed. We have now reached a point where sounding the alarm and raising awareness is simply no longer enough. In the words of the proverb above, we can no longer be content with “cursing the darkness,” and must spend more time and give more attention to lighting the proverbial candles.
Why Information Sharing is Important
Specifically, everyone involved in addressing this imperative must look for every opportunity to turn their experiences – positive and negative – into useful and practical examples that others can learn from and use. We must see this as nothing less than an imperative or call to action that all can contribute to. Many may struggle with how we can best accomplish this. It really does not have to be complicated.
It can begin with simple things like sharing specific experiences and lessons learned in social media or forums dedicated to the subject of industrial cybersecurity. What has worked? What has not? What might you do differently if you were to do it again? Currently, much of this sharing is often filtered through product and service suppliers and commentators. Again, this is good but not sufficient. There must be more direct peer-to-peer sharing such as what happens at industry events like the ARC Forum. This information should be readily available to everyone, and not just those able to attend such events.
There have been several attempts to establish searchable repositories of incidents that people can learn from. Why not extend this model to include case studies at various levels of detail? The can be anonymized to protect confidentiality. Some of this is already being done, but shared information is often limited to those in a specific community, such as an industry group or information sharing and analysis center (ISAC). Standards committees such as ISA99 are also investigating ways to complement their formal standards with simpler and more practical examples. Clearly, this is not a new or revolutionary idea; we simply must engage more people. There are opportunities for you to contribute.