"What is it? How much do I need? And can I have it?" Answering these three seemingly innocuous questions was the central aim of Eric Cornelius' presentation on the topic of cybersecurity to Invensys Operations Management's Triconex Users Group meeting last week in Galveston, Texas.
In his role as deputy director of the U.S. Dept. of Homeland Security's ICS-CERT, or Industrial Control Systems Cyber Emergency Response Team, Cornelius has investigated a broad range of industrial cyber attacks—some real and some imagined. He offered a few key takeaways for improving cybersecurity at attendees' facilities. First, however, he stressed just how inadequately protected—perhaps ultimately unprotectable—most companies' networks remain.
"Security is nothing more than a warm fuzzy feeling that the measures you've taken are sufficient to protect you against a perceived threat," argued Cornelius, adding that any warm and fuzzy feeling you have is likely misplaced. Anyone who targets you is likely to succeed; the tools are just too readily available and the potential vulnerabilities too numerous. "It's better to assume you'll be compromised and focus on detection," Cornelius said.
Invest in People
That doesn't mean it's not important to deploy properly configured firewalls, network architectures and defense-in-depth strategies. Beyond that, you probably already have most of the technology you need, Cornelius said. "Spend what money you have for cybersecurity on people," Cornelius urged. The right kind of people can help you create more secure company policies—such as outlawing thumb drives (the "devil's tool")—and can set up the monitoring systems that, more important than preventing intrusions, can detect when they have taken place. Further, Cornelius posited that 15% of a company's IT budget should be spent on security. "Don't wait to find out first hand that cyber attacks really can have kinetic [real-world] effects."
And just what should one look for in hiring that first cyber-Ninja? First, off they shouldn't have a ton of certifications after their name, which likely is just a smokescreen for irrelevant time spent in classrooms, according to Cornelius. Instead, your cyber-Ninja's first recommendation should be to "save absolutely everything." Memory is incredibly cheap nowadays, and when you're looking for the source of an intrusion, detailed records can make all the difference.
"You'll also want increased granularity in DNS queries," Cornelius recommended. "You'll want to know what node beaconed out to a known bad site. Anomalies are very easy to detect in the industrial control system world; how many of your RTUs should be talking to China or Russia?" Cornelius also recommends that you have ability to search through every file on every node on the network, including the ability to do MD5 checks (integrity validation) if you become compromised.
We're Here to Help
More information on industrial cybersecurity, including guidelines and recommendations such as these are available at the ICS-CERT portal, accessible through the URL ics-cert.org. Cornelius urged all attendees to visit the website, take advantage of the tools, and sign-up to receive cyber-related alerts and advisories. He especially recommended the Cyber Security Evaluation Tool (CSET) for comparing one's plant network architecture vs. accepted industry standards.
Finally, Cornelius urged attendees to contact the ICS-CERT if they have any questions regarding cybersecurity in their plants; an offer he extended to representatives of all U.S. companies. "After all," Cornelius said, "your tax dollars already are paying for it."