The continuing cyber security gap between IT Security, Operations and Maintenance (O&M) organizations

ICS cyber security consists of technologies and training for network security and technologies, as well as technologies and training for cyber/physical security of ICS devices. Because networks are perceived as one of the weak links, there has been a very significant amount of attention focused on network security, including both technologies and training. Unfortunately, the same cannot be said of the cyber security of the ICS Level 1 devices as there is still a significant lack of understanding from IT organizations about Level 1 devices (see http://www.controlglobal.com/blogs/unfettered/the-gap-in-ics-cyber-security-cyber-security-of-level-1-field-devices/). Yet, it is at Level 1 where plant/facility reliability and safety are most directly affected. This is the case whether the threat is considered as malicious or unintentional, and is often very difficult to distinguish between the two.

The March 2017 issue of Control Engineering had several articles that demonstrate the continuing lack of understanding of ICS cyber security. The first was Control Engineering’s 2017 Maintenance Survey. The top 5 kinds of training maintenance personnel receive (in order): safety; basic electrical skills; basic mechanical skills; motors, gearboxes, bearings; and lubrication. The words “cyber” and “security” were not mentioned even though many plant maintenance technologies may be cyber-sensitive. What makes the survey even more disconcerting were factors that led to outsourced maintenance. That is, if cyber security of plant systems are not considered in-house, what will be considered when maintenance is outsourced?  The second article was “Industrial Internet of Things makes Smart Grid Smarter” about how Duke Energy is using the Industrial Internet of Things (IIOT) to help its Smart Grid Initiative. Again, the terms “cyber” and “security” were not mentioned even though the technologies identified in the article could be vulnerable to cyber attacks.

The lack of understanding between IT versus Operations and Maintenance (O&M) organizations may be seen by the control system-unique issues that generally are not addressed in ICS cyber security assessments. That is, cyber security in Level 1 devices systems, safety systems, and ICS cyber forensics at Level 1 continue to be inadequately addressed. There are very few publications about plant safety systems that also address cyber security; conversely, there are very few cyber security publications that address real safety issues. Ironically, you can find these gaps in articles written by the same ICS vendor or end-user. The lack of ICS cyber forensics and training is evident by the vast majority of the 950+ actual ICS cyber incidents not being identified as being cyber-related.

There was also an article on “Current issues in industrial cybersecurity”. The issues discussed were mostly focused on IT networking issues such as the use of secure socket layer/transport layer (SSL/TLS) communications and Android device security.

There have been numerous surveys on ICS cyber security with results covering a multitude of topics and discussion points see – http://www.controlglobal.com/blogs/unfettered/more-misleading-ics-cyber-security-survey-results/, http://www.controlglobal.com/blogs/unfettered/industrial-control-system-ics-cyber-incidents-are-not-being-identified-or-reported-despite-survey-results-to-the-contrary/, http://www.controlglobal.com/blogs/unfettered/sans-scada-and-process-control-security-survey-the-state-of-the-industry-is-discouraging/, …The question continues to be who is being surveyed? Is it the IT organizations that the Ponemon and SANS Institutes' studies often address or is it the plant/facility O&M organizations? If it is the O&M organization, what level is the individual being surveyed? My experience in multiple industries has been there is often a lack of understanding as to what has actually been installed in the field and what remote access has been implemented. This misunderstanding is between the staff that maintain the systems in the field, corporate engineering, and security. A significant part of this information gap is the lack of configuration management that addresses as-installed as opposed to as-designed configurations and the lack of cyber security considerations in the field for remote access.

The Control Engineering 2016 Cybersecurity Study found that 28% of end-users felt their ICS cybersecurity threat level to be high or severe. If 28% feel that ICS cyber security threats are so severe, why aren’t more end-users taking ICS-unique aspects of ICS cyber security more seriously and why aren’t more ICS experts involved?

Joe Weiss