By Jim Montague, Executive Editor
Everyone is finally talking with each other about cybersecurity—and it's going to make all the difference in the world.
Of course, firewalls and other security hardware are essential too, but they're useless if not deployed by process control and IT engineers who have cooperated to securely link their plant-floor and business-level networks; developed and adopted common-sense software patching policies; trained their colleagues to follow cybersecurity best practices; and accessed supplier and government expertise to keep their cybersecurity efforts up to date.
For example, four panelists from the chemical industry, the security technology research sector and the U.S. Dept. of Homeland Security (DHS) presented a wealth of advice on practical cybersecurity this week at the Invensys OpsManage'11 conference in Nashville. The panel discussion, "Path to Vulnerability Resolution," was moderated by Ernie Rakaczky, program director for control system cybersecurity for Invensys Operations Management.
"The key to cybersecurity is collaboration," said Rakaczky. "It all comes down to controls, IT, and everyone else being responsible for mitigating security problems and balancing the risks in individual processes. As a result, we're focusing on vulnerability mitigation because there are a lot of opinions on how to do cybersecurity, and some researchers are launching vulnerability programs that are irresponsible and unprofessional. Some are even blindly posting controls information to the outside world. However, what users really need are the right communication avenues, so they and their vendors, laboratories, the government and other related parties can work together, follow the same rules and be more efficient about cybersecurity."
Mark Heard, control system cybersecurity lead at Eastman Chemicals, began by reporting that his company views process security as a routine business activity. "Cybersecurity must be taken as just another task that needs to be done to be a grown-up and stay in business," explained Heard. "Cybersecurity is a necessary layer in overall plant security—and safety. In fact, much traditional safety thinking can and should be directly applied to cybersecurity too. As a result, safety and security are simply good business. This is because undesirable incidents of any sort detract from the value of a business, so safety and security incidents have negative impacts on all stakeholders, including employees, shareholders, customers and the communities in which each plant operates. No one wants to have downtime and deal with clean-up regardless of whether it was caused by a design problem or a security issue."
Heard added that successful mitigation begins with doing site and application inventories, risk assessments and all other cybersecurity-related homework before it comes due. "Winning without fighting is best in cybersecurity, so planning and preparation are vital because there will always be faults and other items that need to be patched. However, a remaining problem is that cybersecurity is costly, so while you may end up with more resilient code, it can be hard to show that benefit on the bottom line," added Heard. "Fortunately, the operations side can learn from IT's five- to 10-year head start and adopt many of its methods for patching software and learning about the real costs of legacy systems. Running equipment until it rusts adds risk to commercial, off-the-shelf technologies."
Likewise, Pamela Warren, McAfee's director of critical infrastructure, reassured the OpsManage audience that the security research community cares about its many customers in the oil and gas and other process industries. "However, there's still a huge cultural divide between operations and IT, but many more participants are now saying they just want the usual whining to stop and the real work to begin," said Warren. "We've been very encouraged by some customers who have taken the time to meet for a couple of days offsite so they can begin a real dialog about securing their collective operations. In fact, some IT departments are even hiring operations staff members to come and work with them. Similarly, some CIOs are learning that they aren't just responsible for IT, but also for operations security."
Warren explained that McAfee has a good relationship with Invensys, and they're both devoted to cybersecurity in plant operations. However, many cyber threats are growing more numerous and more varied. "We deal with 70,000 to 100,000 new threats per day. That's a lot of malware. So, we're constantly working with the U.S. National Labs to check on how these threats might affect operations in many fields," said Warren. "We also have a mission of learning what more needs to be done to secure mobile and purpose-built devices."
Warren added that, "We're also working to understand threats closer to real time, so we can get solutions out faster. This isn't so much updating anti-virus software as it is directly protecting devices themselves. For example, this can include implementing application-specific white-listing, and then conducting testing to get it closer to real time."
On the government side, Kevin Hemsley, program director at DHS's ICS-CERT division, reported that there's been a dramatic increase in cybersecurity incidents recently. "In the past year, ICS-CERT has experienced a 753% increase in vulnerability handling, and this trend is expected to continue," said Hemsley. "Consequently, researchers with an interest in ICSs are increasing their work on control system vulnerabilities, and many with no background in control systems have started looking at control system products and finding vulnerabilities. These researchers, who wear hats with a range of colors, have all started paying attention to ICS vulnerabilities. Some want to improve the security of ICSs; some want vendors to write better code; some have a passion for hunting for and finding vulnerabilities; some report vulnerabilities found during security assessments; some want to build reputations, name recognition or promote consulting; and some just want a financial reward."
To update IT departments and other users about vulnerabilities, ICS-CERT regularly issues its ICS-CERT Alerts, which provide basic information on immediate threats, and then periodically issues ICS-CERT Advisories, which have longer-term recommendations for asset owners. To receive these updates and other cybersecurity advice, Hemsley added that interested process control and other asset users can sign up for a Control System Security Compartment portal access account at www.us-cert.gov/control_systems/ics-cert/.
Eric Cornelius, program lead at DHS, added, "I don't envy you guys at all. Process control engineers have a very difficult job on cybersecurity because every application and site has its own needs. But we really do care and want to share. However, a lot of useful information is going to have to come from you as well—from the engineers with the boots on the ground. We're big on collaboration, too. We're trying to view ourselves as an honest third-party broker. It may be hard for many of you to think of the government that way, but we're trying to change our paradigm as well."