The continuing cyber security gap between IT Security, Operations and Maintenance (O&M) organizations

ICS cyber security consists of technologies and training for network security, as well as technologies and training for the cyber/physical security of ICS devices. Because networks are perceived as one of the weak links, a very significant amount of attention has been focused on network security, including both technologies and training. Unfortunately, the same cannot be said of the cyber security of ICS Level 1 devices, as IT organizations still have a significant lack of understanding of Level 1 devices (see http://www.controlglobal.com/blogs/unfettered/the-gap-in-ics-cyber-security-cyber-security-of-level-1-field-devices/). Yet it is at Level 1 where plant/facility reliability and safety are most directly affected. This is the case whether the threat is malicious or unintentional, and it is often very difficult to distinguish between the two.

The March 2017 issue of Control Engineering had several articles that demonstrate the continuing lack of understanding of ICS cyber security. The first was Control Engineering’s 2017 Maintenance Survey. The top 5 kinds of training maintenance personnel receive (in order): safety; basic electrical skills; basic mechanical skills; motors, gearboxes, bearings; and lubrication. The words “cyber” and “security” were not mentioned even though many plant maintenance technologies may be cyber-sensitive. What makes the survey even more disconcerting were the factors that led to outsourced maintenance. That is, if the cyber security of plant systems is not considered in-house, what will be considered when maintenance is outsourced? The second article was “Industrial Internet of Things makes Smart Grid Smarter”, about how Duke Energy is using the Industrial Internet of Things (IIOT) to help its Smart Grid Initiative. Again, the terms “cyber” and “security” were not mentioned even though the technologies identified in the article could be vulnerable to cyber attacks.

The lack of understanding between IT and Operations and Maintenance (O&M) organizations can be seen in the control system-unique issues that generally are not addressed in ICS cyber security assessments. That is, the cyber security of Level 1 devices and systems, safety systems, and ICS cyber forensics at Level 1 continue to be inadequately addressed. There are very few publications about plant safety systems that also address cyber security; conversely, there are very few cyber security publications that address real safety issues. Ironically, you can find both gaps in articles written by the same ICS vendor or end-user. The lack of ICS cyber forensics and training is evident from the vast majority of the 950+ actual ICS cyber incidents not being identified as cyber-related.

There was also an article on “Current issues in industrial cybersecurity”. The issues discussed were mostly focused on IT networking issues such as the use of secure sockets layer/transport layer security (SSL/TLS) communications and Android device security.

There have been numerous surveys on ICS cyber security with results covering a multitude of topics and discussion points; see, for example:
http://www.controlglobal.com/blogs/unfettered/more-misleading-ics-cyber-security-survey-results/
http://www.controlglobal.com/blogs/unfettered/industrial-control-system-ics-cyber-incidents-are-not-being-identified-or-reported-despite-survey-results-to-the-contrary/
http://www.controlglobal.com/blogs/unfettered/sans-scada-and-process-control-security-survey-the-state-of-the-industry-is-discouraging/
…
The question continues to be: who is being surveyed? Is it the IT organizations that the Ponemon and SANS Institute studies often address, or is it the plant/facility O&M organizations? If it is the O&M organization, at what level is the individual being surveyed? My experience in multiple industries has been that there is often a lack of understanding as to what has actually been installed in the field and what remote access has been implemented. This misunderstanding is between the staff that maintain the systems in the field, corporate engineering, and security. A significant part of this information gap is the lack of configuration management that addresses as-installed as opposed to as-designed configurations, and the lack of cyber security considerations in the field for remote access.

The Control Engineering 2016 Cybersecurity Study found that 28% of end-users felt their ICS cybersecurity threat level to be high or severe. If 28% feel that ICS cyber security threats are so severe, why aren’t more end-users taking ICS-unique aspects of ICS cyber security more seriously and why aren’t more ICS experts involved?

Joe Weiss

Comments

  • You mentioned a lot of great points, let me focus on two statements you made: "The top 5 kinds of training maintenance personnel receive (in order): safety; basic electrical skills; basic mechanical skills; motors, gearboxes, bearings; and lubrication. The words “cyber” and “security” were not mentioned even though many plant maintenance technologies may be cyber-sensitive." and "The lack of understanding between IT versus Operations and Maintenance (O&M) organizations may be seen by the control system-unique issues that generally are not addressed in ICS cyber security assessments." I think ICS cyber security is a separate discipline not so easily added to the existing tasks of O&M or the ICS admin. It is a task in a fast moving world that requires a wide range of skills and a steep learning curve; this is not the typical O&M culture, driven by today's issues rather than by next week's threat. A cost oriented industry operating in a highly competitive world. The list of training from the survey would not be so different from a list from the mid 80s or 90s. If you add as a consideration that most plants have a very small team of people responsible for ICS (often 1 or 2 guys) then it is up to the personal effort of one or two employees how well cyber security is addressed. Does this mean we have to rely on IT to fill the gap? I don't think so, IT has certainly some experience that is essential but they miss the ICS skills which are at minimum just as essential as understanding the various technical security functions available for protecting an ICS. I believe that the present focus on network security is not enough to protect ICS. To give an example: I have seen many systems where classic OPC connections were protected by OPC firewalls, however the OPC server side controlled read / write authorizations server-wide so allowing a write to a specific tagname.parameter would authorize a write to any tagname.parameter. This is not exactly good security, though at network level all seems to be fine. This type of knowledge is not known by IT people, even if they have taken the effort to follow the SANS training. For being a good industrial cyber security engineer you need to understand the target in all its dimensions: process engineering; process automation systems; IT infrastructure; and cyber security technology and operations. For protecting against cyber crime with its primarily generic attacks, protecting the IT infrastructure (computer operating system, network equipment) might be enough, but protecting the industry against targeted attacks requires a much wider skill set. This skill set is only available in less than a handful of specialist teams, teams with a mix of people bringing together all this knowledge. This is also the main reason why so many cyber security assessments are incomplete, most focus on the IT infrastructure of the process automation systems thereby ignoring the automation functionality. If a bank used the same approach it would be bankrupt in a short time. For the industry that needs to consider targeted attacks most of these assessments are insufficient.

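The OPC authorization gap the commenter describes, modelled as a configuration audit (an added example, not code from the blog or the commenter): an OPC-style firewall allow-list names the one tagname.parameter a client may write, while a server whose write permission is server-wide authorizes writes to every tag once the write flag is set. The tag names, user name and both authorization models are constructed for illustration.

```python
"""Audit: does the OPC server enforce the same write boundary as the firewall?
All tag names, the user 'client_hmi' and the two authorization models are
constructed for this example; they are not a real product's configuration."""
from dataclasses import dataclass, field

# Constructed sample tag list and the firewall's per-tag write allow-list.
TAGS = ["FIC101.SP", "FIC101.PV", "TIC205.SP", "PSV300.BYPASS"]
FIREWALL_WRITE_ALLOW = {"client_hmi": {"FIC101.SP"}}


@dataclass
class ServerWideAuth:
    """Coarse model: one write flag per user, valid for every tag on the server."""
    can_write: set = field(default_factory=set)

    def authorizes_write(self, user: str, tag: str) -> bool:
        return user in self.can_write  # the tag is never consulted


@dataclass
class PerTagAuth:
    """Least-privilege model: writes are authorized per tagname.parameter."""
    acl: dict = field(default_factory=dict)

    def authorizes_write(self, user: str, tag: str) -> bool:
        return tag in self.acl.get(user, set())


def excess_write_scope(auth, user: str) -> list:
    """Tags the server would let `user` write that the firewall rule never intended
    to expose. A non-empty result means the firewall is the only control enforcing
    the per-tag boundary, i.e. a single point of failure rather than defence in depth."""
    intended = FIREWALL_WRITE_ALLOW.get(user, set())
    return sorted(t for t in TAGS
                  if auth.authorizes_write(user, t) and t not in intended)


if __name__ == "__main__":
    coarse = ServerWideAuth(can_write={"client_hmi"})
    fine = PerTagAuth(acl={"client_hmi": {"FIC101.SP"}})
    print("server-wide auth over-grants:", excess_write_scope(coarse, "client_hmi"))
    print("per-tag auth over-grants:    ", excess_write_scope(fine, "client_hmi"))
```

Running the audit against an as-installed export of the server's permissions is one way to make the "as-installed versus as-designed" gap from the post visible as a concrete list of over-granted tags.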