Effective cybersecurity protection, like many human endeavors, is more about the journey than the endpoint. It requires effort and persistence, and a different attitude and mindset, because the threat landscape is always shifting and changing.
"What do marriage, children, the taxman and cybersecurity all have in common?" asked Gary Williams, senior director of technology and cybersecurity at Schneider Electric in his keynote address to the CONNECT 2016 conference this week in New Orleans. "You'll never satisfy their demands, which evolve dynamically, and never end."
Because cybersecurity isn't a project that can be completed, Williams has two primary strategies for handling it—his 10-step AGGRESSIVE cybersecurity methodology, supplemented by a zones and conduits program. "Cybersecurity is everyone's responsibility, and so we all have to be as aggressive as the hackers, or we'll lose productivity," said Williams.
10 AGGRESSIVE protections
The 10 steps in Williams' cybersecurity recommendations are:
- Adopt a standard to give participants a common vocabulary about cybersecurity between departments, companies and even nations. Schneider Electric and others have adopted the IEC 62443 standard. "This overcomes the first cybersecurity hurdle because many players say parts of their organization's cybersecurity efforts don't apply to them, and so they stop, and their programs fail," said Williams.
- Gather controls means collecting and accounting for all the components of your controls and workload.
- Gap analyses involve checking for vulnerabilities in existing equipment, systems and software, especially undocumented ports and network connections. "You have to find all the dirty laundry," added Williams.
- Risk and threat assessment—and prioritization—goes beyond mitigating critical threats, and includes reviewing the security status of all critical priorities every quarter. "There are now 700,000 new malwares out there every day, and most are delivered in PDF documents," stated Williams.
- Execute mitigation begins with putting cybersecurity protections in place, but Williams adds that senior managers must be notified of how cybersecurity programs are progressing. "You have to record findings because at some point you're going to have to go and ask for more funding," explained Williams.
- Survey the complete system involves collecting configuration files on firewalls and switches. This information will be essential when a process control system or network goes down due to an intrusion or attack.
- Store configuration files securely onsite and offsite, and then practice recovery as often as possible.
- Inform all stakeholders, especially management. "Again, you have to tell them what you've learned about cybersecurity threats to your production processes and organization, so they will see the value in protection and mitigation," said Williams. "You must also show how threats evolve, and more support will be granted."
- Verify on a regular basis because threats and their vectors change regularly. "Get regular ‘cold-eyes’ reviews of your cybersecurity efforts. Another party can see more and prove to be more aware of what needs to be done," added Williams.
- Educate everyone because people are the first line of defense in isolating process applications, controls and networks, and then identifying probes, intrusions and attacks. "After that, you call the experts to mitigate the security problem," he added.
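The "gather controls" and "gap analysis" steps are the ones a practitioner will want to automate first, because the inventory built in one step is what the other is checked against. The Python below is an added illustration, not code from Williams' talk or from Schneider Electric: it compares a documented inventory of control-system assets and their expected listening ports with an observed list of hosts and ports (both constructed sample data; the hosts, zones and ports are assumptions) and reports undocumented ports, hosts missing from the inventory, and documented ports that no longer answer, which is exactly the "dirty laundry" a gap analysis is meant to surface.

```python
"""Gap analysis of observed hosts/ports against a documented control inventory.

Everything here is constructed sample data for illustration; the hostnames,
zones and ports do not describe any real system.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    zone: str
    documented_ports: set[int]


# Constructed documented inventory: the product of the "gather controls" step.
INVENTORY = {
    "plc-01": Asset("plc-01", "basic-control", {502}),          # Modbus/TCP
    "hmi-01": Asset("hmi-01", "basic-control", {443, 5900}),   # HTTPS, VNC
    "hist-01": Asset("hist-01", "site-ops", {443, 1433}),      # HTTPS, MSSQL
}

# Constructed observation, as might come from switch port tables, passive
# monitoring or an authorised scan. Each tuple is (host, listening TCP port).
OBSERVED = [
    ("plc-01", 502),
    ("plc-01", 80),        # undocumented web configuration interface
    ("hmi-01", 443),
    ("hmi-01", 5900),
    ("hmi-01", 23),        # undocumented telnet
    ("hist-01", 443),
    ("hist-01", 1433),
    ("printer-07", 9100),  # host that is not in the inventory at all
]


def gap_analysis(inventory: dict[str, Asset], observed: list[tuple[str, int]]) -> dict:
    """Compare observed hosts/ports with the inventory.

    Returns three lists of findings:
      undocumented_ports: (host, port) seen on a known host but not documented
      unknown_hosts:      (host, [ports]) for hosts absent from the inventory
      stale_entries:      (host, port) documented but not observed, i.e. the
                          documentation may be out of date
    """
    seen: dict[str, set[int]] = {}
    for host, port in observed:
        seen.setdefault(host, set()).add(port)

    findings = {"undocumented_ports": [], "unknown_hosts": [], "stale_entries": []}
    for host, ports in seen.items():
        asset = inventory.get(host)
        if asset is None:
            findings["unknown_hosts"].append((host, sorted(ports)))
            continue
        for port in sorted(ports - asset.documented_ports):
            findings["undocumented_ports"].append((host, port))
    for name, asset in inventory.items():
        for port in sorted(asset.documented_ports - seen.get(name, set())):
            findings["stale_entries"].append((name, port))
    return findings


if __name__ == "__main__":
    for category, items in gap_analysis(INVENTORY, OBSERVED).items():
        print(f"{category}: {items}")
```

Each finding category maps to a different follow-up: undocumented ports go into the risk assessment for mitigation, unknown hosts go back into the inventory, and stale entries are a sign the documentation (not the network) needs correcting before the next review.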
Zones and conduits
Beyond his 10 strategies for cybersecurity, Williams also advocates the well-known zones and conduits model for secure industrial operations and networking. This model has been part of the ISA99 standard, which was recently renamed to join with IEC 62443.
"The zones and conduits approach begins by segregating your controls and communications networks into functional zones, and creating demilitarized zones (DMZs) between them," explained Williams. "You pull like devices into common zones, and then you can concentrate on protecting the conduit between them."
Though there are often sub-zones within larger zones, the five main layers separated by managed Ethernet switches serving as firewalls include Layer 1 for field instrumentation; Layer 2 for basic process control; Layer 3 for site manufacturing operations; Layer 4 for site business planning; and Layer 5 for the enterprise. Safety-critical devices and systems are typically located in another separate zone.
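The layered zones-and-conduits model above can be expressed as a small graph and used to audit proposed traffic flows, such as the allow rules in a firewall, before they are deployed. The Python below is an added example, not code from Williams, Schneider Electric or the IEC 62443 standard: the zone names, the DMZ placement between the site operations and site business layers, the conduit set and the sample flows are all assumptions made for illustration. A flow is accepted only if it crosses exactly one conduit; a flow that would have to traverse several zones is reported together with the zones it bypasses, and any flow touching the separate safety zone is denied outright.

```python
"""Zones-and-conduits audit of proposed traffic flows.

Constructed model of the five layers (field, control, site operations, site
business, enterprise) plus a DMZ and an isolated safety zone. Zone names,
conduit placement and the sample flows are illustrative assumptions.
"""
from collections import deque

# Layer number for each zone; the DMZ and the safety zone carry no layer number.
ZONES = {
    "field": 1,          # field instrumentation
    "control": 2,        # basic process control
    "site-ops": 3,       # site manufacturing operations
    "site-business": 4,  # site business planning
    "enterprise": 5,     # enterprise
}
SAFETY_ZONE = "safety"   # safety-critical systems: no conduit at all

# Conduits: traffic may cross directly between two zones only if a conduit
# (a managed switch acting as a firewall) joins them. Assumed policy: adjacent
# layers are joined, except that layers 3 and 4 are joined only via the DMZ.
CONDUITS = {
    frozenset({"field", "control"}),
    frozenset({"control", "site-ops"}),
    frozenset({"site-ops", "dmz"}),
    frozenset({"dmz", "site-business"}),
    frozenset({"site-business", "enterprise"}),
}


def conduit_path(src, dst, conduits=CONDUITS):
    """Breadth-first search over conduits; returns the zone sequence from src
    to dst, or None if no chain of conduits connects them."""
    adj = {}
    for conduit in conduits:
        a, b = tuple(conduit)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    prev = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path = []
            while zone is not None:
                path.append(zone)
                zone = prev[zone]
            return path[::-1]
        for nxt in sorted(adj.get(zone, ())):
            if nxt not in prev:
                prev[nxt] = zone
                queue.append(nxt)
    return None


def check_flow(src, dst, conduits=CONDUITS):
    """Return (allowed, reason) for a single src -> dst flow."""
    if src == dst:
        return True, "intra-zone traffic"
    if SAFETY_ZONE in (src, dst):
        return False, "safety zone is isolated: no conduit may be created"
    if frozenset({src, dst}) in conduits:
        return True, "crosses exactly one conduit"
    path = conduit_path(src, dst, conduits)
    if path is None:
        return False, "no chain of conduits reaches the destination"
    bypassed = ", ".join(path[1:-1])
    return False, f"would bypass zones: {bypassed}; route it hop by hop instead"


def audit(flows, conduits=CONDUITS):
    """Evaluate (src, dst, description) flows; return the denied ones."""
    denied = []
    for src, dst, desc in flows:
        allowed, reason = check_flow(src, dst, conduits)
        if not allowed:
            denied.append((src, dst, desc, reason))
    return denied


# Constructed flows, of the kind found in a firewall rule set under review.
FLOWS = [
    ("control", "site-ops", "historian collecting PLC tags"),
    ("site-ops", "dmz", "historian replica published into DMZ"),
    ("dmz", "site-business", "MES reads historian replica from DMZ"),
    ("enterprise", "control", "vendor remote access straight to PLC"),
    ("site-ops", "safety", "engineering station to safety controller"),
]

if __name__ == "__main__":
    for src, dst, desc, reason in audit(FLOWS):
        print(f"DENY {src} -> {dst} ({desc}): {reason}")
```

The useful output is not the deny itself but the reason: a flow reported as bypassing the DMZ and two layers tells the reviewer which intermediate systems (a replica in the DMZ, a jump host in site operations) the traffic should be routed through so that each hop crosses one conduit and can be inspected there.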
"Breaking down networks and their traffic is difficult, but users that do it are grateful because they say they learned things about their applications and networks that they never knew before," added Williams. "For example, we had one user who couldn't find the source of 2.4-GB wireless activity in its offshore platforms, and finally found it was due to HP printers that came with Bluetooth switched on by default.
"You have to be aware of your components and their effects. It's a sleepless task, but it can also boost your career," Williams said. "So, identify all your network assets, protect your conduits, and mitigate threats with help from the experts because the standards can't keep up with all the changes."