Table of Contents
- Executive Overview
- Industrial Cybersecurity Challenges
- Limited Cyber Risk Management Options
- Maturity Essential for Sustainable Defenses
- Developing an Effective Cybersecurity Investment Plan
ARC Advisory Group research indicates that most industrial managers now appreciate the risks of cyber attacks on their facilities. While some are still reluctant to take the necessary steps to address these risks, many have invested in cybersecurity solutions following standards like ANSI/ISA-62443 and NERC CIP. They expected that this would solve their problems but are finding that this is just the start of a never-ending stream of requests for additional cybersecurity technology and resources to manage changes and analyze reams of data.
All industrial managers want secure facilities, and many are frustrated with their inability to justify investments and take control of efforts that seem to be like “chasing their tails.” They don’t want to become cybersecurity experts but need to be sure that the organization has an appropriate plan for managing cyber threats. This includes being sure that efforts focus on real and relevant (to the company) cyber threats and consider everything needed to keep the associated risks at acceptable levels. They also want a clear way to understand and evaluate additional investments that may be required to address new threats.
This report provides industrial managers with the information they need to evaluate cybersecurity programs and requests for additional cybersecurity investments. The information should be useful for companies just starting their cybersecurity journeys as well as those with existing programs.
The report begins with a discussion of different kinds of cyber risks, risk mitigation options, and advice on how companies can identify their most critical cyber challenges. This is followed by a description of ARC’s cybersecurity maturity model, which shows the risk mitigation benefits of individual cybersecurity actions and provides a rational roadmap for implementing a sustainable, defense-in-depth strategy. The roadmap reflects the critical relationship between cybersecurity maturity and effective deployment of advanced cybersecurity defenses. Each level in the model also has well-defined benefits and requirements for people, processes, and technology that managers can use to evaluate and justify investment requests.
Industrial Cybersecurity Challenges
Industrial control systems (ICS) with a multitude of microprocessors and networking components are at the heart of every modern industrial operation. A cyber compromise to any one of these control system elements could have serious consequences, including damage to physical assets, operational disruptions, safety incidents, and environmental compliance violations. Recent developments in IT, automation, and business processes often increase the likelihood that such an event will occur.
Cyber attacks can arise from outside or inside a facility and can compromise the control system’s networks, endpoints, or people involved in the operation. Attack goals can be theft of critical information or disruption of facility operation and the effects may be immediate or occur over an extended period of time.
While susceptibilities vary, all control system elements are potential targets for internal and external cyber attacks. Conventional PCs used for workstations, HMIs, and servers can be targets for malware entering the system through external interfaces or local USB ports. Process controllers are generally less susceptible to common malware but can still be compromised by people who gain access to the system and understand process control.
Legacy Systems Present the Biggest Risks
Automation suppliers understand these weaknesses and new systems generally incorporate the recommendations of popular ICS cybersecurity standards like ISA/IEC 62443. Unfortunately, a large majority of industrial sites have legacy systems that were designed before cyber threats became a concern. They lack even the most basic security features and create a major cybersecurity risk for owner-operators.
Standards can serve as useful guides for securing systems but are not intended to provide complete answers. Every industrial control system has unique risks and cost-benefit tradeoffs that must be considered in the design of defenses. Site-specific factors also need to be considered when determining the timing and sequencing of investments, the need for business process changes, and the training requirements for personnel. Understanding a site’s specific risks and the mitigation benefits of different cybersecurity actions is essential for developing an appropriate plan.
Many Kinds of Attacks Possible
Cyber threats to industrial operations come in a variety of forms and flavors. Systems can be infected through non-targeted attacks by general hackers hoping to snag unsuspecting internet users and steal their personal information or lock up systems for ransom. Systems are also susceptible to specific, targeted attacks by hacktivists, cyber criminals, terrorists, or nation states with intentions to damage the organization. Insider attacks are comparable to targeted external attacks, but launched by employees who may have malicious intent or have been tricked by external attackers into divulging passwords or downloading malicious files using infected USB devices, DVDs, etc.
The likelihood and impact of cyber attacks vary according to the sophistication of the threat actor. Non-targeted attacks by unsophisticated hackers are most common, but their impact is often limited to a single PC and is further constrained by standard anti-malware software and the common use of redundant, hot backups for critical PCs. Targeted attacks are far less likely, but the potential impact can be much worse as these threat actors have more damaging goals and better capabilities and resources. Organizations need to be concerned with all kinds of cyber threats, but the goals and sophistication of targeted attacks make them the most worrisome for owner-operators.
Cyber Attack Categories
Cyber threats are very dynamic. Vulnerabilities change rapidly and attackers frequently shift their focus and attack methods. Trying to address individual threats is fruitless and can quickly overwhelm organizations. An alternate approach is to focus efforts on three specific attack categories: privilege misuse, malware injections, and insecure protocol exploits.
“Spear phishing” is the most common method attackers use to compromise individuals within an organization. These attacks use social engineering techniques and weaknesses in a company’s security culture and practices to steal passwords and exploit an employee’s IT privileges to inject malware into systems. They are particularly dangerous because they can provide a foothold for attacks on critical devices that bypass other layers of defense.
Attackers directly inject malware into control devices using vulnerabilities in the software. Malware injections can occur through external network connections or internal attacks launched at the device. Researchers identify new vulnerabilities on a daily basis, so smart companies assume that sophisticated attackers can exploit any system to which they gain access. Even when vulnerabilities are known, many remain unpatched for extended periods awaiting operational downtimes. Sophisticated attackers also exploit “zero-day” vulnerabilities. These are weaknesses that software vendors are unaware of or still evaluating. Keeping attackers away from control systems is the only protection against these kinds of attacks.
Exploiting insecure industrial protocols is another way that attackers can disrupt operations. This is particularly true for SCADA systems. Popular protocols like Modbus and DNP3 lack basic handshaking and authorization features that are essential for secure information exchange. Sophisticated attackers are well aware of these kinds of vulnerabilities and have easy access to the documentation needed to construct commands to disrupt the operation of devices like RTUs and PLCs.
Limited Cyber Risk Management Options
Managing ICS cyber risks is conceptually the same as managing other risks that industrial organizations face. Companies need to evaluate their risks by assessing likelihood and impact and then decide what actions, if any, are necessary to protect critical objectives like financial performance, safety, compliance, operational continuity, etc.
Companies have four options for managing any risks: accept, avoid, transfer, or mitigate. For ICS cyber risks, the effectiveness of some of these options can be limited:
- Accept – Companies justifiably accept certain business risks. But even if the likelihood of attack appears extremely low, it’s not a good idea to simply accept all cyber risks. Companies frequently assess the likelihood of a risk by the occurrence of similar events within their company, industry, or region. But reports of cyber attacks are rare, both because attacks are infrequent and because companies are reluctant to make their intrusions public. This makes it easy for companies to underestimate the true risks. It’s especially important to consider these assessment challenges when evaluating highly unlikely attacks (“black swan” events) that could have devastating impact. Furthermore, since attackers continuously adjust their attack strategies, history is a poor predictor of future cyber attacks.
  - While it would be tempting to do nothing to protect a device that does not appear to be vulnerable and/or critical to operations, this is not always the best approach. Companies need to be sure that an attack on such an apparently benign device cannot provide a launchpad for attacks on other, critical devices. As this can be difficult to verify, most companies choose to invest in at least some level of protection for every device. Less expensive options include less frequent patching, use of traditional anti-malware instead of application whitelisting, etc.
- Avoid – Companies can try to completely isolate their control systems from all external communications but have to understand that this only helps with external attacks. Consideration must also be given to how isolation might constrain a company’s ability to optimize plant performance. Even when these types of constraints are acceptable, the decision should include a plan to eliminate any possibility of internal attacks. Smart companies consider avoidance options, but do not expect this to be a panacea for all ICS cybersecurity challenges.
- Transfer – Sharing risks with a third party is currently not a viable option for ICS cybersecurity. While now available for some commercial IT systems, cyber insurance would be prohibitive for most industrial systems. The potential impact of an ICS cyber attack could be much worse than loss of information. In addition, there is even less historical information available to help insurers establish reasonable rates for ICS cybersecurity.
  - While cybersecurity service providers might seem like another option for sharing risks, it is unreasonable to expect them to accept liability for more than a portion of their service revenues. In most cases, this would be negligible compared to the potential loss from a significant plant intrusion.
  - Risk sharing is also limited in that it only addresses the financial implications of a cyber attack. Industrial companies also need to consider the non-financial impacts of a successful cyber intrusion into an industrial control system.
- Mitigate – Mitigation is the most common approach that industrial companies use to manage ICS cybersecurity risks. A variety of technical and procedural options are available. As many have overlapping and complementary benefits, ICS cybersecurity experts and standards groups generally recommend a portfolio of such actions so attackers would have to overcome multiple obstacles (defense-in-depth).
Choosing the Right Mitigation Actions
Cyber risks can be mitigated by reducing the likelihood or impact of a cyber intrusion. Likelihood mitigation is proactive, using procedures and technologies to detect and block attacks before they reach their target. Mitigating the likelihood of attacks is particularly helpful in managing the risks of attacks by people with limited skills and resources, like general hackers, hacktivists, and less-sophisticated cyber criminals.
Impact reduction can be proactive or reactive. Companies can leverage lessons learned in safety management and proactively modify systems and processes to minimize impact. Reactive technologies can be used to detect intrusions that may have overcome proactive defenses. These technologies detect unauthorized configuration changes and anomalous behavior and often include incident management support to help organizations rapidly isolate, remove, and recover from the intrusion. Impact reduction is particularly important for defending facilities against insider threats and external attacks by groups with the expertise and resources to overcome proactive defenses and inflict significant damage.
The table above summarizes the most commonly recommended mitigation actions and their applicability for different kinds of threats and risk reduction goals. While there is some overlap, each action generally focuses on one kind of mitigation: likelihood reduction or impact reduction. The applicability of each action is also generally limited to specific kinds of cyber threats. Accordingly, companies need to select a portfolio of mitigation actions that addresses their specific cyber concerns and risk reduction goals.
Maturity Essential for Sustainable Defenses
ARC research shows that the effectiveness of cyber mitigation efforts depends upon the company’s cybersecurity maturity. Basic defenses, like access control, are only effective when solid processes are in place to manage access control and privileges. Sophisticated defenses, like intrusion detection, are only effective if the company has the resources to maintain rules, review alerts, and investigate suspicious behavior. Intrusion prevention is generally not even used for ICS cybersecurity because of the fear of false positives disrupting operations.
Cybersecurity maturity reflects the company’s investments in cybersecurity people, processes, and technology as well as its experience in cybersecurity management. Maturity grows over time as companies learn more about their unique cybersecurity challenges and cybersecurity solutions. Managing basic mitigation technology prepares the company for successful rollouts of more sophisticated solutions. While maturity growth can be accelerated with the infusion of cybersecurity experts and use of cybersecurity managed-services, a company must still be prepared for these steps and recognize the importance of maintaining alignment between cybersecurity investments and the organization’s ability to manage them.
ARC Maturity Model for ICS Cybersecurity
ARC developed an ICS cybersecurity maturity model to help organizations understand and use cybersecurity maturity in their planning. This model reflects ARC’s research across a wide spectrum of industrial companies, security experts, and ICS cybersecurity solution suppliers.
Maturity levels in this model represent a recommended sequence of cybersecurity objectives and an associated set of defensive actions. Every maturity level adds an additional layer of cybersecurity protection and prepares the company for advancing to the next level. As shown in the following figure, each layer also has certain costs and support requirements. Costs and resources for early stages are minimal and the risk reduction benefits are significant, so ARC recommends that every company strive to achieve these levels. Advancing to higher levels needs to be tempered by a company’s specific cyber concerns and resources.
Actions associated with lower maturity levels tend to reduce likelihood; those associated with higher maturity levels focus on reducing impact. Some of the mitigation actions in this model provide alternative ways to address certain risks. Others are complementary and should be implemented together to ensure that the objective of that level is achieved. The positioning of actions reflects the level’s objectives and the lowest maturity level at which most companies find the action sustainable. The specific mitigation actions that a company chooses at any stage will also depend upon factors like industry, kinds of facilities, tolerance for risk, and resources available for ICS cybersecurity investments.
ICS Cyber Risk Management Maturity Levels
ARC’s ICS cybersecurity maturity model reflects a layered approach to implementing an effective, defense-in-depth cybersecurity strategy. Security is developed outwardly from defense of individual assets to perimeter protection of facilities and monitoring of the external threat landscape. Focus also shifts from protecting devices and building a security culture to managing sophisticated technology and anticipating attacks.
These steps encourage companies to do the obvious and easy things first. This minimizes initial investments and resource requirements and enables every industrial company to achieve at least a minimal level of cyber protection. It also allows companies to improve their security posture while they develop the necessary cybersecurity maturity to avoid wasteful investments on technology that they cannot manage or utilize effectively.
Some key characteristics of ARC’s ICS cybersecurity maturity levels follow:
- Secure – Companies achieve this initial maturity level by establishing basic security within their people, processes, and ICS technologies. Plant personnel are educated in cybersecurity threats and secure behavior, and physical security practices are strengthened to limit all unnecessary access to plant devices. Complete, accurate asset inventories are developed for all ICS devices and these devices are “cyber-hardened” to remove unneeded ports and processes. Access privileges are also limited to the specific needs of specific users. A proper management of change program is implemented to ensure that systems are kept up to date, backups are consistently created and managed, and known vulnerabilities are patched promptly. As the number of devices and passwords can be large, software to manage updates, patches, and access controls is also recommended. The cost of these mitigation actions is generally small for industrial companies with good operation and maintenance practices.
- Defend – Companies at this maturity level use practices and technology that can block known cyber threats at network boundaries and ICS devices. Next-generation firewalls with intrusion detection/prevention capabilities are used at plant perimeters to block attacks through external network connections. Anti-malware software in individual endpoint devices is used to defend against USB-based attacks and as additional defense against network-based attacks that may get through perimeter defenses. Demilitarized zones (DMZs) are also inserted in the system architecture to isolate plant systems from enterprise IT networks. Unidirectional gateways offer an alternative, more positive, approach to blocking network-based attacks and limiting the effectiveness of USB-based attacks by eliminating any possible communication with command-and-control servers. While each of these actions requires some investment, most companies consider this level of risk management mandatory. The necessary technology is generally included in ICS system maintenance budgets and ICS personnel are trained to implement and maintain this technology.
- Contain – Companies at this level of maturity have implemented the relevant actions to block most attacks and are focused on reducing the potential impact of intrusions that overcome those defenses. They invest in technologies that limit the ability of malware to execute within infected assets and the ability of malware to propagate or affect other cyber assets within the control system. Where applicable, application whitelisting is used to block malware execution within the cyber asset, particularly PC-based devices with static configurations. Zone firewalls are used to limit propagation by isolating control zones (e.g., plant areas). Host-based firewalls and device firewalls that understand industrial protocols are used to provide “message whitelisting” for commands issued to critical control equipment. Investment costs at this level grow substantially due to the need for additional equipment over and above what’s needed for process control. Resources with more specific cybersecurity expertise are also required to maintain the many rules required for effective application and message whitelisting.
- Manage – Companies at this level of maturity have implemented all of the relevant proactive steps to prevent and contain intrusions but are still concerned about malicious insiders and sophisticated attacks that might exploit zero-day vulnerabilities. Their goal is to minimize the potential impact that an intrusion might have on operations and they invest in technologies that help them quickly identify and remove system intrusions. This includes security information and event management solutions (SIEMs) to help detect, manage, and analyze suspicious behavior, as well as solutions that monitor asset configurations and network traffic patterns. Developing a comprehensive incident management program is equally important at this point as it can significantly limit the damage of any incident. Achieving this level of maturity requires additional investments in technology and a dedicated team of cybersecurity experts to monitor findings, remove malware, and restore normal operations. Given that such expertise is limited, companies may find it better to outsource these activities.
- Anticipate – Companies at this level of maturity have implemented all relevant actions to prevent, contain, and manage compromises to their control systems. To further reduce risk, these companies try to anticipate new threats and rapidly adjust their defenses. They rely upon threat intelligence services to advise them of the kinds of threats occurring in their industry and geographic regions. Suppliers of these services leverage error reports from suppliers of installed firewalls and anti-virus software, honeypots, and incident reports from a variety of cybersecurity research groups. While most threat intelligence services focus on enterprise systems, some of these systems are in critical industries that utilize industrial control systems. As enterprise systems may become launch pads for ICS attacks, companies with mature ICS cyber risk management can also find value in enterprise threat information. Recognizing this, some threat intelligence companies are developing services specifically for the ICS cybersecurity market.
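The “message whitelisting” described under Contain, and the Modbus weakness noted under Cyber Attack Categories, can be illustrated with a default-deny check over Modbus/TCP requests: a rule per (source host, unit id) states which function codes are permitted and, for writes, which register window. This is an added example, not ARC’s code or any vendor’s product; the hosts, unit id, register window and sample frames are constructed.

```python
"""Modbus/TCP message-whitelisting check (added example, not ARC's code).
A request passes only if an explicit rule for (source host, unit id) permits
its function code and, for writes, its register window. Hosts, unit id,
register window and sample frames below are constructed for illustration."""
import struct
from typing import NamedTuple

# Function codes from the public Modbus application protocol specification.
READ_FCS = frozenset({1, 2, 3, 4})             # coils, inputs, holding/input registers
WRITE_FCS = frozenset({5, 6, 15, 16, 22, 23})  # coil/register writes, mask, read/write


class Rule(NamedTuple):
    """What one source host may send to one Modbus unit (slave id)."""
    allowed_fcs: frozenset
    write_range: tuple = None  # inclusive (low, high) address window for writes


class Verdict(NamedTuple):
    action: str  # "allow" or "deny"
    reason: str


def parse_request(frame: bytes):
    """Return (unit_id, function_code, pdu_data); raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit, frame[7], frame[8:]


def write_window(fc: int, data: bytes):
    """Inclusive (low, high) address span touched by a write PDU, or None."""
    if fc in (5, 6, 22):
        (addr,) = struct.unpack(">H", data[:2])
        return addr, addr
    if fc in (15, 16):
        start, qty = struct.unpack(">HH", data[:4])
        return start, start + qty - 1
    if fc == 23:  # read/write multiple registers: only the write part matters here
        _rs, _rq, ws, wq = struct.unpack(">HHHH", data[:8])
        return ws, ws + wq - 1
    return None


def evaluate(src: str, frame: bytes, policy: dict) -> Verdict:
    """Default-deny: anything without a matching rule is rejected with a reason."""
    try:
        unit, fc, data = parse_request(frame)
    except ValueError as exc:
        return Verdict("deny", f"malformed: {exc}")
    rule = policy.get((src, unit))
    if rule is None:
        return Verdict("deny", f"no rule for {src} -> unit {unit}")
    if fc not in rule.allowed_fcs:
        return Verdict("deny", f"function {fc} not permitted for {src}")
    if fc in WRITE_FCS:
        if rule.write_range is None:
            return Verdict("deny", f"writes not permitted for {src}")
        try:
            low, high = write_window(fc, data)
        except struct.error:
            return Verdict("deny", "truncated write PDU")
        lo_ok, hi_ok = rule.write_range
        if low < lo_ok or high > hi_ok:
            return Verdict("deny", f"write {low}-{high} outside {lo_ok}-{hi_ok}")
    return Verdict("allow", f"function {fc} matches rule for {src}")


def mbap(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Wrap a PDU in a Modbus/TCP header (used here only to build samples)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed policy: the HMI may only read PLC unit 1; the engineering
# workstation may also write holding registers 0-99. Nothing else is allowed.
POLICY = {
    ("10.0.1.10", 1): Rule(READ_FCS),
    ("10.0.1.20", 1): Rule(READ_FCS | {6, 16}, write_range=(0, 99)),
}

# Constructed sample requests as (source host, frame).
SAMPLES = [
    ("10.0.1.10", mbap(1, struct.pack(">BHH", 3, 0, 10))),  # HMI reads 10 registers
    ("10.0.1.10", mbap(1, struct.pack(">BHH", 6, 5, 1))),   # HMI attempts a write
    ("10.0.1.20", mbap(1, struct.pack(">BHH", 6, 50, 1))),  # EWS writes register 50
    ("10.0.1.20", mbap(1, struct.pack(">BHHB", 16, 95, 10, 20) + bytes(20))),  # 95-104
    ("10.0.5.5", mbap(1, struct.pack(">BHH", 3, 0, 1))),    # host with no rule at all
    ("10.0.1.20", b"\x00\x01\x00\x00\x00\x02\x01"),         # truncated frame
]


def run_samples():
    """Evaluate every sample; returns [(source, action, reason), ...]."""
    return [(src, *evaluate(src, frame, POLICY)) for src, frame in SAMPLES]
```

Only the third request and the HMI read are allowed; the write that would spill past register 99, the HMI’s write attempt, the unknown host and the truncated frame are all denied with a reason that a zone firewall could log for the SIEM at the Manage level.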
Developing an Effective Cybersecurity Investment Plan
ARC developed its Cybersecurity Maturity Model to help companies establish a rational roadmap for their cybersecurity investments. The process consists of four major steps: identifying the facility’s critical cyber risk concerns; evaluating the facility’s As-Is maturity level; determining an appropriate To-Be maturity level; and developing an investment plan to transition the organization from the As-Is state to the desired To-Be state in a timely manner that respects the need to develop required maturity for each step.
Assessing the Organization’s Real Cyber Concerns
Companies can determine their cyber risks by assessing the likelihood and impact of the different categories of threats described in this report. In doing this, they should recognize that the likelihood of untargeted attacks by hackers and unsophisticated cybercriminals is essentially the same for every company, but the potential impact depends on the specific facility. On the other hand, the likelihood of a targeted attack is site specific, depending on factors like industry, company, and geographic region, but the impact is generally large for any operation (or attackers would not expend the time and resources to launch such a sophisticated attack).
ARC research can be helpful for testing the reasonableness of a company’s risk analysis. The following charts show the concerns of end users that participated in ARC’s recent Industrial Cybersecurity Survey. Values represent the percentage of respondents that considered the issue a major concern. These companies are mostly concerned about insider threats, including both accidental changes and malicious acts, and general hackers. Malware entering the system through USB devices and service personnel laptops is the attack vector of most concern. The survey results also show how these concerns vary by industry and geographic region.
Most of the participants in ARC’s survey work in North American chemical plants, refineries, and power generation plants. These industries are the major buyers of ICS cybersecurity products and services. This might bias the level of concern about hackers, as the impact of even minor process disruption can be large in these industries. Discrete manufacturers might have more tolerance for nuisance malware infections.
Determining the As-Is Maturity Level
It is essential for companies to establish a clear understanding of their current (As-Is) cybersecurity maturity level. This is best done through collaborative workshops with representatives from all relevant disciplines who have insight into how well the company’s current people, processes, and technology capabilities meet the goals and requirements of each maturity level. This group should assess the organization’s As-Is cybersecurity maturity by considering the goals and actions associated with each maturity level. For each action, the group should consider the benefits actually being received and identify any gaps that might exist in the maintenance of technology, compliance with policies, and use of the information that may be generated. The As-Is maturity level corresponds to the lowest level at which all goals are fully met, and all actions are being adequately supported so that the goals are being sustained.
Companies may find that they have already made investments in solutions associated with higher maturity levels. Most companies will want to sustain these investments as they can be useful in the future as the company reaches these levels. However, primary attention should be given to those goals and actions associated with the next higher maturity level. Solidifying capabilities in this stepwise manner will ensure that the company’s journey to the To-Be level is efficient and effective. Such an approach will also ease the concerns and burdens of people who are trying to get value from technology for which the organization is not yet prepared.
Determining an Appropriate To-Be Maturity Level
The cybersecurity maturity that a company should strive for depends upon its specific risk of certain categories of cyber attacks and its willingness to accept those risks. Secure or Defend might be an appropriate To-Be maturity level for an operation with very little risk of a targeted attack, if the company is also willing to accept occasional malware intrusions. Manage would be more appropriate for most process manufacturers, and critical infrastructure in a high-risk area might choose Anticipate as its To-Be goal, particularly if management is risk-averse.
Companies can operationalize these kinds of characteristics by considering the risk reduction requirements of their unacceptable cyber risks. If likelihood reduction is adequate, a low maturity level might be appropriate. If impact mitigation is needed, a higher maturity level is required. The company can use the table of cyber mitigation actions presented earlier in this report to relate mitigation goals to specific mitigation actions and the maturity model to relate mitigation actions to maturity levels. Every cyber risk category should be considered in the analysis and the highest maturity level identified becomes the company’s To-Be goal.
The concerns of the typical company in ARC’s cybersecurity survey require actions to reduce both likelihood and impact. Using the analysis above, ARC would recommend Manage as the appropriate To-Be cybersecurity maturity goal.
Building an Effective Investment Roadmap
The As-Is and To-Be maturity levels provide endpoints for the company’s cybersecurity program and intervening levels provide road markers for monitoring and managing progress. ARC’s cybersecurity maturity model provides the specific actions that need to be implemented at each step.
The next step is to develop an implementation plan. Transitions between maturity levels provide a good basis for developing individual initiatives that associate investments with specific benefits. Depending upon the company’s resources, breaking maturity transitions into a series of smaller steps might be helpful and enable continuous progress. This is particularly important in cases where resources must be added. Considerable time can be required to hire people and/or select service providers, and there is no reason to postpone implementing other actions that don’t require new resources.
The final implementation plan provides the information that managers need to have confidence in the company’s cybersecurity strategy and gain control of their cybersecurity investments.
Industrial cyber attacks present real and significant risk to all industrial organizations and merit immediate attention by every industrial manager. However, this does not mean that managers should blindly approve every request for more cybersecurity resources and more sophisticated cybersecurity technology. On the contrary, ARC research strongly suggests that overly aggressive efforts to protect plants can actually lead to overburdened staff and a net reduction in plant cybersecurity.
Cybersecurity investments need to be carefully planned and progressively implemented to ensure that each action is appropriate and has the necessary foundation for success. Effective plans integrate a variety of stakeholder perspectives on risks and risk tolerance. They also reflect a proper understanding of the mitigation capabilities, implementation challenges, and support requirements for every cybersecurity action that is taken.
The information in this and other ARC cybersecurity reports can be helpful to managers who want to ensure that their programs meet these criteria. ARC cybersecurity analysts are another source of information for managers who are concerned about their company’s cybersecurity strategy.
Note on the Avoid option: Unidirectional gateways and data diodes can provide this kind of isolation without some of the drawbacks, but ARC considers use of such solutions mitigation, not avoidance.