How do you improve the openness and efficiency of process controls, but still keep them secure and safe? How to satisfy these twin, and seemingly contradictory, demands of the digital computing revolution was the main question tackled by the usual host of end users, presenters, panelists, analysts and other industry experts at ARC Advisory Group's 21st annual Industry Forum on Feb. 5-9 in Orlando, Fla. Close to 800 attendees participated in keynotes and 42 conference sessions.
"Digital used to mean replacing analog PID controllers and thumbwheels, but now it mainly means that everything is connected, and those connections need to be secure," said Marty Edwards, director of the Industrial Control Systems-Cyber Emergency Response Team at the U.S. Dept. of Homeland Security (DHS), during his opening keynote address at ARC Industry Forum (Figure 1). "We used to think that an air gap was enough, but it's not because separated and isolated systems are often neglected. Ten years ago we'd have preached against using IT-based security in control systems because it might break them. Today, there are a lot more ICS security solutions available that are better hardened and let users build in security from the ground up."
Despite these advances, Edwards added that many users still have basic cybersecurity chores to do, and that this due diligence is the foundation on which more sophisticated defenses are built and maintained. "We still talk daily about security hygiene, perimeter security, segregating business and manufacturing networking, software patching, and training to log and document who is using what equipment and when," he explained. "Our adversaries are well-informed and well-funded, and they can find ways to penetrate even hardened systems, so I'm also telling cyber-informed engineers to find their one or two most critical functions, such as exothermic and highly reactive applications that need proper shutdowns, and take them offline.
"We used to have red buttons for emergency shutdowns, and they've become computerized and digitized, which isn't always good. We need to do cybersecurity risk assessments, figure out what needs the most protection, carefully engineer critical functions, take them offline, establish specialty circuits for them, and build that red button."
In the second keynote address at ARC Industry Forum, Don Bartusiak, chief process control engineer, ExxonMobil Research and Engineering Co. (EMRE), detailed efforts by ExxonMobil, Lockheed Martin and the Open Process Automation (OPA) forum to develop and advocate for an open, secure, interoperable process control system (Figure 2).
Meanwhile, Jeff Gray, program lead, ICS Joint Working Group (ICSJWG) at ICS-CERT, reported that cyber threats, intrusions and attacks have been increasing and evolving from 39 mostly inadvertent incidents in 2010—when Stuxnet emerged as the first ICS-specific malware—to 295 incidents in 2015, which included multiple, sophisticated, ICS-focused campaigns fueled by vast commercial research into ICS discovery, vulnerabilities and exploits.
"We originally saw abysmal, flat networks, so the situation is better now, but we're still seeing 25- to 30-year-old process systems that must be available," says Gray. "We also still see supply chain problems, so users need to hold contractors and suppliers to the same security standards they use, or they'll still be vulnerable. It's also important to know that you can be researched and targeted through LinkedIn and conferences like this by false companies and individuals set up to gain your confidence. Malware is a business and an economy, and there are many people working on both sides."
Gray adds that the top six cybersecurity areas of weakness identified by ICS-CERT in 2015 include:
• Boundary protection—Inability to detect unauthorized activity in critical systems, and increased risk due to weak boundaries between ICS and enterprise networks;
• Least functionality—Unneeded services, ports, protocols and software left enabled, which provide vectors for malicious access and could enable rogue internal access;
• Authentication management—Unsecured passwords that can be easily compromised;
• Identification and authentication—Lack of accountability for users if an account is compromised, and increased difficulty in securing accounts when staff leaves an organization, especially those with administrator access;
• Least privilege—Too many users with elevated access and credentials beyond what's needed to do their jobs; and
• Allocation of resources—Understaffing that impedes cybersecurity monitoring and response.
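As an added illustration of the first two weaknesses above (weak ICS/enterprise boundaries and unneeded functionality), the following Python reviews a firewall ruleset against a simple zone-and-conduit model: enterprise traffic must terminate in a DMZ, only the DMZ may talk to the control zone, and the control-zone boundary passes only an approved service list. This is example code written for this page, not an ICS-CERT or ARC tool; the zone names, address ranges, approved services and sample rules are constructed assumptions.

```python
"""Review a firewall ruleset against a zone/conduit model.

Illustrative code for this page, not ICS-CERT or ARC software. The zone
layout, approved services and rules below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Optional

# Assumed zone model: three zones, with the DMZ as the only broker between
# the enterprise network and the control network.
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.1.0.0/24"),
    "control": ip_network("10.2.0.0/24"),
}
ALLOWED_CONDUITS = {("enterprise", "dmz"), ("dmz", "control"), ("control", "dmz")}
# Least functionality: the only services permitted to cross into the control
# zone (constructed: Modbus/TCP and OPC UA on their registered ports).
ALLOWED_CONTROL_SERVICES = {("tcp", 502), ("tcp", 4840)}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None means any port


def zone_of(cidr: str) -> str:
    """Map an address range to the zone that contains it."""
    if cidr == "any":
        return "any"
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"


def review(rules: Iterable[Rule]) -> List[str]:
    """Return one finding per rule that weakens boundary protection or
    least functionality; an empty list means the ruleset passed."""
    findings = []
    for r in rules:
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if "any" in (sz, dz):
            side = "source" if sz == "any" else "destination"
            findings.append(f"{r.name}: 'any' address on the {side} side defeats boundary protection")
            continue
        if (sz, dz) not in ALLOWED_CONDUITS:
            findings.append(f"{r.name}: {sz} -> {dz} is not an approved conduit (traffic must be brokered through the DMZ)")
        if dz == "control":
            if r.proto == "any" or r.port is None:
                findings.append(f"{r.name}: wildcard service into the control zone violates least functionality")
            elif (r.proto, r.port) not in ALLOWED_CONTROL_SERVICES:
                findings.append(f"{r.name}: {r.proto}/{r.port} is not an approved control-zone service")
    return findings


# Constructed sample ruleset: one good rule and three typical mistakes.
SAMPLE_RULES = [
    Rule("historian-replication", "10.1.0.10/32", "10.2.0.20/32", "tcp", 4840),  # DMZ -> control, approved service
    Rule("erp-to-plc-direct", "10.0.5.0/24", "10.2.0.0/24", "tcp", 502),         # enterprise -> control, bypasses the DMZ
    Rule("vendor-remote", "any", "10.2.0.0/24", "any", None),                    # any source, any service
    Rule("rdp-into-control", "10.1.0.0/24", "10.2.0.30/32", "tcp", 3389),        # approved conduit, unapproved service
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RULES):
        print(finding)
```

Real rulesets arrive in vendor-specific formats, so the parsing is left out; the check is the point. Note what the model does not cover: a host in the DMZ that is itself compromised still has an approved conduit into the control zone, which is why the later "contain" controls (zone and device firewalls, whitelisting) still matter even when the boundary review passes.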
To help process users confront cyber threats, Gray recommends they employ ICS-CERT's Cyber Security Evaluation Tool (CSET) for self-assessments, along with its onsite field assessments, network design architecture reviews, and network traffic analysis and verification services.
In his session, Sid Snitkin, VP and GM of enterprise advisory services at ARC, explained that, "Industrial cybersecurity is similar to IT security, but there are distinct differences, involving a unique set of endpoint devices, network protocols, people, goals and system management constraints, and this is because industrial processes can't tolerate interruptions."
To help users protect their processes from intrusions and attacks—such as spear phishing that gets victims to open email containing malware—Snitkin says ARC advises users to follow its Industrial Cybersecurity Maturity Model, which progresses from reducing the likelihood of intrusions and attacks to reducing their impact, and advises that, "Security investments should have specific objectives, and lower-level goals should be achieved before advancing to higher-level goals." These levels include:
• Secure with physical security, asset inventory, device hardening and patch management;
• Defend with unidirectional gateways, demilitarized zones (DMZ), firewalls, anti-malware and access control;
• Contain with zone firewalls, ICS device firewalls and whitelisting;
• Manage with security information and event management (SIEM) software, and incident management solutions; and
• Anticipate with anomaly and breach detection solutions, and threat intelligence tools.
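The "contain" and "anticipate" levels above rely on the same idea: learn which conversations a control network normally carries, then whitelist them and alert on anything else. The following Python demonstrates that over constructed ICS flow records with Modbus function codes. It is example code added for this page, not ARC's model or any vendor's product; the log format, addresses, timestamps and function codes are constructed assumptions.

```python
"""Communication-baseline anomaly detection over constructed ICS flow records.

Illustrative code for this page, not ARC's or any vendor's product. The
record format, hosts, timestamps and function codes are constructed.
"""
from typing import List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: int        # seconds since capture start
    src: str
    dst: str
    dport: int
    fc: int        # Modbus function code, e.g. 3 = read holding registers

# Function codes that change process state; a new writer matters more than a new reader.
MODBUS_WRITE_FCS = {5, 6, 15, 16, 23}

# Constructed record format: "<ts> <src> <dst> <dport> fc=<code>".
# First four records form the learning window; the last three are live traffic.
SAMPLE_LOG = """\
100 10.2.0.10 10.2.0.20 502 fc=3
110 10.2.0.10 10.2.0.21 502 fc=3
120 10.2.0.11 10.2.0.20 502 fc=16
130 10.2.0.10 10.2.0.20 502 fc=3
700 10.2.0.10 10.2.0.20 502 fc=3
710 10.1.0.50 10.2.0.20 502 fc=3
720 10.2.0.10 10.2.0.20 502 fc=16
"""

Key = Tuple[str, str, int, int]


def parse(line: str) -> Flow:
    ts, src, dst, dport, fc = line.split()
    return Flow(int(ts), src, dst, int(dport), int(fc.split("=", 1)[1]))


def learn_baseline(flows: List[Flow], learn_until: int) -> Set[Key]:
    """Record every (src, dst, dport, fc) conversation seen in the learning window.

    The window must cover an approved, known-good period (for example a full
    batch cycle); anything already happening during it, including an intrusion
    under way, becomes 'normal'.
    """
    return {(f.src, f.dst, f.dport, f.fc) for f in flows if f.ts <= learn_until}


def detect(flows: List[Flow], baseline: Set[Key], learn_until: int) -> List[Tuple[str, str]]:
    """Alert on any post-window conversation absent from the baseline."""
    alerts = []
    for f in flows:
        if f.ts <= learn_until:
            continue
        key = (f.src, f.dst, f.dport, f.fc)
        if key in baseline:
            continue
        severity = "high" if f.fc in MODBUS_WRITE_FCS else "medium"
        alerts.append((severity, f"t={f.ts} {f.src}->{f.dst}:{f.dport} fc={f.fc} not in baseline"))
    return alerts


def run_example(log: str = SAMPLE_LOG, learn_until: int = 600) -> List[Tuple[str, str]]:
    flows = [parse(line) for line in log.splitlines() if line.strip()]
    return detect(flows, learn_baseline(flows, learn_until), learn_until)


if __name__ == "__main__":
    for severity, message in run_example():
        print(severity, message)
```

On the sample data the check raises two alerts: a host from outside the control subnet polling a PLC (medium), and the HMI that only ever read registers during the window suddenly issuing a write that the engineering station alone had issued before (high). A new tuple is not proof of an attack; a maintenance laptop produces the same alert, so the baseline needs review and re-learning after every approved change, which is the staffing problem Gray's "allocation of resources" weakness points at.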
"Many users and organizations discover they've bought too much cybersecurity technology, and find they've got a lot more than they have the resources to manage," explains Snitkin, who also recommends:
• Use tools like ARC's Industrial Cybersecurity Maturity Model to understand your risks and relate investments to specific cybersecurity and operational benefits;
• Triage resources to make sure basic protections are done right before worrying about more sophisticated security solutions;
• Assess real needs and augment with training, hiring and third-party cybersecurity services;
• Make certain that internal resources will support routine security needs; and
• Use external resources to perform periodic cybersecurity audits, handle incident response, and manage more sophisticated cybersecurity technologies.