There's evidence of more than 100 cyber incidents, whether intentional, malicious or accidental, in co-author Joe Weiss' Real-Time ACS database. These include the 2003 Northeast power outage and the 2008 Florida power outage. Neither incident has been described as a cyber event by the power companies and transmission companies involved. In fact, these companies continue to state that they have very few critical cyber assets, with most stating they have no power plants that are critical.
So what do we know, and what do we do about it? Industrial control systems (ICS) are an integral part of the industrial infrastructure supporting the nation's livelihood and economy. They aren't going away, and starting over from scratch to secure them isn't an option. ICSs are systems of systems, and need to be operated in a safe, efficient and secure manner.
The sometimes-competing goals of reliability and security are not just a North American issue, but truly a global one. A number of North American control system suppliers have development activities in countries with dubious credentials. A large North American control system supplier has a major code-writing office in China, and a European RTU manufacturer has code written in Iran.
While sharing basic constructs with enterprise IT business systems, ICSs are very different systems. Vulnerability disclosure philosophies are different, and applying the wrong one can have devastating consequences.
A major concern is the dearth of a workforce educated to cope with the problem. There are probably fewer than 100 living control system cybersecurity experts and currently no university curricula or ICS cybersecurity personnel certifications. Efforts to secure these critical systems are too diffuse, and do not specifically target the unique ICS aspects. The lack of ICS security expertise extends into the government arena, which has focused on repackaging IT solutions.
However, the convergence of mainstream IT and ICS systems requires that both mainstream and control system experts acknowledge the operating differences and accept the similarities. ICS cybersecurity is where mainstream IT security was 15 years ago: in the formative stage and needing support to leapfrog the previous IT learning curve. Regulation, regulatory incentives and industry self-interest are necessary to create an atmosphere for adequately securing critical infrastructures.
What can you and your company do to protect yourselves? The following recommendations, taken from a report to the bipartisan commission producing position papers for the incoming U.S. administration, provide steps to improve security and reliability of critical systems, and most are adoptable by any process industry business unit:
- Develop a clear understanding of ICS cybersecurity;
- Develop a clear understanding of the associated impacts on system reliability and safety on the part of industry, government and private citizens;
- Define cyber threats in the broadest possible terms, including intentional, unintentional, natural and other, such as electromagnetic pulse (EMP) and electronic warfare against wireless devices;
- Develop security technologies and best practices for field devices based upon real-world scenarios and actual and expected ICS cyber incidents;
- Develop academic curricula in ICS cybersecurity;
- Leverage appropriate IT technologies and best practices for securing workstations using commercial off-the-shelf operating systems;
- Establish standard certification metrics for ICS processes, systems, personnel and cybersecurity;
- Promote/mandate adoption of the NIST Risk Management Framework for all critical infrastructures or at least the industrial infrastructure subset;
- Establish a global, non-governmental cyber incident response team (CIRT) for control systems staffed with control system experts for vulnerability disclosure and information sharing;
- Establish a means for vetting ICS experts rather than using traditional security clearances;
- Provide regulation and incentives for cybersecurity in critical infrastructure industries;
- Establish, promote and support an open demonstration facility dedicated to best practices for ICS systems;
- Include subject-matter experts with control system experience at high-level cybersecurity planning sessions;
- Change the culture of manufacturing in critical industries so that security is considered as important as performance and safety;
- Develop guidelines for adequately securing ICS environments similar to those in the Sarbanes-Oxley Act.
Like process safety, process security is itself a process and must become part of the culture of inherent safety and security we all must develop.
Walt Boyes is Control's Editor in Chief. Joe Weiss is president of Applied Control Solutions and author of ControlGlobal's Unfettered blog.