Even as awareness of the cyber vulnerability of industrial control systems has risen over the past several years, a cadre of dedicated process automation and IT professionals has banded together to formalize an increasingly mature set of standards and work processes that industry can now begin to use to bolster its defenses.
"Cyber security is largely an art right now," said Johan Nye, senior engineering advisor for ExxonMobil Research & Engineering, and chair of the ISA Security Compliance Institute, in his keynote address to the Honeywell Users Group (HUG) gathering of users from Europe, the Middle East and Africa (EMEA), November 4-7, in Nice, France. "There simply aren't enough cyber security gurus to secure the systems that need to be secured. We need to turn this art into an engineering discipline."
Nye, whose time working with distributed control systems dates back to the earliest days of the Honeywell TDC 2000, said he began to realize the need for protection when open systems technology first began to pervade the industrial control systems space in the late 1990s. Recognizing the growing sophistication of cyber attacks today, asset owners, suppliers and integrators share responsibility for cyber security at all lifecycle stages of industrial automation, Nye said.
"It's difficult to secure a system that has inherent vulnerabilities," Nye said, first singling out vendors' responsibility to make products and systems that are secure by design and secure in their default settings. In project work, in turn, systems must be secure in integration and secure in deployment, Nye continued. And once up and running, they need to be secure in operations and secure in maintenance.
Three Useful Methodologies
There now exist three evolving methodologies for guiding industry in this effort, said Nye: the cyber security framework released for comment by the U.S. National Institute of Standards and Technology (NIST) in October, the ISA 99/IEC 62443 international standards, and the ISASecure conformance scheme.
The NIST methodology is a voluntary framework intended to improve critical infrastructure cyber security in the U.S. "It's relatively simple, which is helpful in talking to management," Nye said. "Management understands the language of risk, but not cyber security." The NIST framework also offers a balanced view of the various activities needed to ensure security on an ongoing basis. "Protection is the first step, but you need detection as well," Nye explained.
The NIST framework asks other important questions of its readers, such as: "What will you do if something does happen? And if something does happen, can you disconnect your IT networks from your operations networks? And do you need permission to do so? If so, you'll likely be too late to prevent a spreading infection." Also raised is the issue of recovery. "Do you maintain offsite backups? And how far back?" Nye asked. Often, once it's discovered, "malware may have been there for months."
The NIST framework references the second useful methodology Nye discussed, the ISA 99/IEC 62443 standards work co-issued by the International Society for Automation (ISA) and the International Electrotechnical Commission (IEC). "These documents were created to provide everyone with a common terminology and common concepts, including people, process and technology aspects of cyber security," Nye said. The committee has a large and diverse volunteer membership from around the world, and the standards they've released include 14 documents split into sections targeted at different stakeholders, from product suppliers to asset owners. Among the important concepts introduced are security zones, maturity and security levels, and lifecycle practices.
The third and final methodology discussed by Nye was the ISA Security Compliance Institute (ISCI), the purpose of which is to help verify that products meet a given cyber security standard. "ISASecure is an internationally accredited conformance scheme, designed to make sure the certification process is open, fair, credible and robust, yielding global consistency and scalability," Nye said. Available now, the Embedded Device Security Assurance (EDSA) certifies device robustness against known attacks and known vulnerabilities. Due for release by year end 2013, the Systems Security Assurance (SSA) is the systems-level counterpart to the EDSA. And, currently under development, the Security Development Lifecycle Assurance (SDLA) will certify that a supplier's development work processes are in line with best practices.
In the end, these multiple layers of best practices and certifications are intended to inject cyber security into all aspects and phases of an industrial control system's lifecycle. "In cyber security you don't want an M&M," Nye concluded. "You want something that's hard all the way through."