It's logical to think that cyber security is just about preventing attacks. But the same measures that protect against cyber incidents deliver other benefits as well.
"Protective measures taken against cyber attacks also can increase safety, protect intellectual property, reduce down time, help users follow industry or internal policies, and comply with applicable laws," said Michael Martinez, CISA, principal in Invensys' Critical Infrastructure and Security Practice. "And, the primary way to do it is leveraging available product security features -- augmenting them with the latest cyber security knowledge and solutions -- and then regularly repeating this ongoing process."
Martinez and Tim Johnson, CISSP, also a principal in Invensys' Critical Infrastructure and Security Practice, updated attendees of the 2013 Foxboro & Triconex Global Client Conference this week in San Antonio, Texas, on the latest developments in cyber security, and how Invensys is helping its users implement best practices in this arena.
"When we talk about cyber security, we're really talking about evolving systems with different needs," said Martinez. "So, while some may need to pass information up to their enterprises, others want to know how to securely update and provide patches to their Triconex equipment, and some want to leverage existing infrastructures to protect their applications."
Besides follow-ups to security breaches cited in the media, Martinez reported that one of the latest calls for better cyber security has come from the Obama Administration's February 12, 2013, executive order assigning the National Institute of Standards and Technology (NIST) to develop a framework for improving critical-infrastructure cyber security. NIST's draft framework includes a draft compendium of informative references, which reviewed more than 320 national and international standards, guidelines, directives, best practices, models, specifications, policies and regulations.
Naturally, some common themes on cyber security best practices have emerged. "The basic cyber security process involves identifying critical assets, doing security risk assessments for them, deciding how the cyber security framework applies to them, and coming up a mitigation plan and actions to comply with it," explains Martinez.
NIST's preliminary framework has five steps: know, prevent, detect, respond and recover:
- Know means gaining the institutional understanding to identify what systems need to be protected, assessing their priority in light of the organization's mission, and managing processes to achieve cost effective risk management goals.
- Prevent consists of categories of management, technical and operational activities, which enable the organization to decide on the appropriate outcome-based actions to ensure adequate protection against threats to business systems that support critical infrastructure components.
- Detect includes activities that identify, through ongoing monitoring or other means of observation, the presence of undesirable cyber risk events, and the processes to assess the potential impact of those events.
- Respond involves making specific risk-management decisions and enacting activities based on previously implemented cyber security planning, completed at the Prevent stage, relative to estimated impact.
- Recover includes categories of management, technical and operational activities that restore services, which were previously impaired through an undesirable cyber security risk event.
Fortunately, Invensys' Foxboro process automation systems and Triconex safety systems have many up-to-date cyber security capabilities to help users protect their applications and ensure compliance with regulations, according to Johnson. "There's no magic bullet because all process applications and systems are different," explained Johnson. "Different sites generate different assessments about what kind of security they need, and so they'll usually require a mix of the different cyber security solutions available," said Johnson. "One of the main concerns for our users is how to back-up safety systems, and this leads to seeking and implementing best practices for antivirus protection, software patching and intrusion detection. For example, we're concerned with protecting Triconex workstations and operating systems, which can be a gateway to a user's network and allow access to their safety system. One of the biggest attack vectors is within companies."