Based on my own experience and that of others, I offer the following general recommendations:
- Develop a clear understanding of ICS cybersecurity, including associated impacts on system reliability and safety for industry, government and private citizens.
- Define cyber threats in the broadest possible terms, including intentional, unintentional, natural and other electronic threats, such as electromagnetic pulses (EMPs) and electronic warfare against wireless devices. ICS cybersecurity threats are more than malware and botnets.
- Change the culture around critical infrastructure so security is considered in the same context as performance and safety.
- Get operations and IT to work together.
- Establish a means of vetting ICS experts rather than relying on traditional security clearances or IT certifications.
Next, on the administrative and procedural side:
- Get senior management support, because improving ICS cybersecurity will fail without it. Then define the division of responsibilities and the reporting structure all the way up to the board of directors, because cybersecurity is a corporate risk.
- Identify all affected stakeholders and their applications, including those beyond operations and the organization, such as contractors, vendors, regulators, first responders and even the public.
- Mandate effective cybersecurity requirements so this is not simply a compliance exercise.
- Determine what you really have and what has already been done, because the hardware, software and firmware that affect cybersecurity are often not identified in any formal system diagram or vendor documentation. Establish a living configuration management (configuration control) program that covers the ICS itself as well as the cybersecurity-specific software, hardware and firmware around it.
- Learn what you really need from the ICSs in terms of functions, features and communications by obtaining input from throughout your organization because cybersecurity will affect any new systems.
- Decide what you want to do, and then do it. This is not as easy as it sounds: it requires understanding which features are needed, which of those features can be cyber-vulnerable, and which of them need security enabled.
- Determine what risks are present and adapt risk assessments that address probability and consequence. Treat probability as 1 (it will happen), and base consequences on the "design basis threat," the worst case the facility was designed to handle safely. Because risk assessments require a cost-benefit trade-off between performance and safety on one side and security on the other, this includes assessing the risk introduced by security features as well as by performance features.
- Develop ICS-specific policies and procedures, starting from the specific equipment to be secured and how it is expected to be operated. Recognize that complexity adds security overhead and potential performance and safety impacts. Then work with IT to make sure the ICS policies and procedures are consistent with IT's.
- Make equipment suppliers and contractors your partners in securing your systems. Require documentation of what's been provided and how it's been tested and secured.
- Consider lifecycle issues because ICSs can be cyber-vulnerable from initial design until they're retired.
- Plan for system recovery after an incident.
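Two of the items above lend themselves to a concrete check: "determine what you really have" (reconcile the documented configuration baseline against what is actually observed) and "probability should be 1, so rank by consequence." The following script is an added example, not code from the article or from Applied Control Solutions. All device records, IP addresses, firmware versions and the 1-to-5 consequence scale are constructed for illustration, and the finding categories are my own labels, not an industry standard.

```python
"""
Reconcile a documented ICS configuration baseline against an observed
inventory (for example, an export from a passive network monitor or the
notes from a site walkdown), then rank the discrepancies by consequence.

Added example. Every record below is constructed; field names, finding
categories and the consequence scale are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class BaselineEntry:
    asset_id: str                   # tag from the system diagram (constructed)
    model: str
    firmware: str                   # version the documentation claims is installed
    required_security: FrozenSet[str]  # features that must be enabled on this device
    consequence: int                # 1..5 from the design-basis analysis (assumed scale)


@dataclass(frozen=True)
class Observed:
    ip: str
    model: str
    firmware: str
    enabled_security: FrozenSet[str]


@dataclass
class Finding:
    category: str     # undocumented | missing | model_mismatch | firmware_drift | security_disabled
    ip: str
    detail: str
    consequence: int  # probability is taken as 1, so consequence alone sets priority


def reconcile(baseline: Dict[str, BaselineEntry], observed: List[Observed]) -> List[Finding]:
    """Compare documented vs. observed devices and return findings, worst first."""
    findings: List[Finding] = []
    seen: Dict[str, Observed] = {}
    for o in observed:
        seen[o.ip] = o
        b = baseline.get(o.ip)
        if b is None:
            # Nothing documented for this address: its consequence is unknown,
            # so it is ranked as worst case until someone classifies it.
            findings.append(Finding("undocumented", o.ip,
                                    f"{o.model} fw {o.firmware} is not in the baseline", 5))
            continue
        if o.model != b.model:
            findings.append(Finding("model_mismatch", o.ip,
                                    f"{b.asset_id}: documented {b.model}, observed {o.model}",
                                    b.consequence))
        if o.firmware != b.firmware:
            findings.append(Finding("firmware_drift", o.ip,
                                    f"{b.asset_id}: documented fw {b.firmware}, observed {o.firmware}",
                                    b.consequence))
        disabled = b.required_security - o.enabled_security
        if disabled:
            findings.append(Finding("security_disabled", o.ip,
                                    f"{b.asset_id}: required but disabled: {', '.join(sorted(disabled))}",
                                    b.consequence))
    for ip, b in baseline.items():
        if ip not in seen:
            # Caveat: a device on a serial-only link never appears in passive
            # network observation, so "missing" must be confirmed by walkdown.
            findings.append(Finding("missing", ip,
                                    f"{b.asset_id} ({b.model}) documented but not observed",
                                    b.consequence))
    findings.sort(key=lambda f: (-f.consequence, f.ip))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for a management-level summary."""
    return dict(Counter(f.category for f in findings))


# Constructed baseline: what the drawings and vendor documentation claim.
BASELINE: Dict[str, BaselineEntry] = {
    "10.10.1.5": BaselineEntry("PLC-101", "PLC-X", "2.4.1", frozenset({"auth", "fw_signing"}), 5),
    "10.10.1.6": BaselineEntry("HMI-01", "HMI-Y", "7.0", frozenset({"auth"}), 3),
    "10.10.1.9": BaselineEntry("RTU-07", "RTU-Z", "1.2", frozenset(), 4),
}

# Constructed observation: what the passive monitor actually saw.
OBSERVED: List[Observed] = [
    Observed("10.10.1.5", "PLC-X", "2.3.0", frozenset({"auth"})),  # older fw, fw_signing off
    Observed("10.10.1.6", "HMI-Y", "7.0", frozenset({"auth"})),    # matches baseline
    Observed("10.10.1.22", "ENG-WS", "n/a", frozenset()),          # undocumented workstation
    # RTU-07 at 10.10.1.9 was not seen at all.
]

if __name__ == "__main__":
    for f in reconcile(BASELINE, OBSERVED):
        print(f"[C{f.consequence}] {f.category:<18} {f.ip:<12} {f.detail}")
    print(summarize(reconcile(BASELINE, OBSERVED)))
```

The sort key is deliberately consequence-only: since the article treats probability as 1, there is no likelihood term to dilute a high-consequence finding, and an undocumented device is ranked as worst case until its design-basis consequence has been assigned.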
Next time: Part 2 will feature more on threats, myths, personnel status, information sharing, cybersecurity risk assessments and technical recommendations.
Joe Weiss, PE, CISM, of Applied Control Solutions (www.realtimeacs.com) is author of Control's Unfettered blog (http://www.community.controlglobal.com/unfettered).