This article is one in the 2021 cybersecurity update multi-part series.
View the rest of the series here.
One of the best ways for process engineers and operators to cope with cybersecurity is to think about it like process safety because, if they're lacking, their potential for damage, downtime and injury is very similar.
Building on this longtime strategy, Marty Edwards, VP of Operational Technology at Tenable, adds that cybersecurity preparations should considered and developed in the same way that end users implement backup and recovery procedures to respond to incidents. Of course, these issues and efforts have become even more urgent during the COVID-19 pandemic due to its increasing network connections, vulnerabilities and ransomware attacks.
Edwards reported that a recent study by Tenable and Forrester Research found that 74% of executives are finding cyber-attacks coming in via new systems they put in due to the pandemic. "Regardless of whether they're in operations technology (OT) or information technology (IT), users need to be prepared with an immediate response when they're impacted by ransomware. These cyber-attacks are happening all the time because they're profitable for criminals, so they're not going away," says Edwards. "But COVID-19 also shifted many operations to remote operations, which makes it even more important for each company to also have a tested and exercised disaster recovery plan and backup. This means talking to operators, engineers, IT and management about what if a rack room gets destroyed? This is where all their PLCs and DCSs are wired to their server, and they can be damaged by fires, floods and other physical events. There's usually a recovery plan and backup for damage, and that's how they need to think about ransomware, too."
After addressing response, recovery and backup, Edwards reports that effective cybersecurity also demands visibility into OT and IT environments, which in turn requires a thorough asset inventory. "Both OT and IT environments may already have some existing network segmentation, but users often don't know what they have or where it is," says Edwards. "An audit can show users what their network looks like, what services it's running, and where its controllers, segments and gateways are located. Knowing this will let them identify vulnerabilities, cyber-threats and configuration changes."
Edwards explains that control and automation professionals are typically good at their traditional jobs, but are often less capable at automating cybersecurity in the same way they seek to close to their feedback loops. "For example, an engineer can easily put in a sensor to measure temperature, and add a valve to optimize a process," says Edwards. "They just need to take the extra step of using the same approach of also measuring the cybersecurity of their process, get a real-time view of their network, and put in mechanisms that will minimize their attack surface."
Beyond investing in training for people and updating policies for governance, Edwards adds that technologies like Tenable's can measure the state of cybersecurity for various applications, gauge the maturity of their network, and apply cybersecurity software for industrial controls systems (ICS) and devices. It usually monitors three areas: asset inventory such as what protocols are running on a network; evaluates network traffic and generates anomaly- and policy-based alerts and alarms; and even examines PLCs for configuration changes in their ladder logic programming. Tenable typically monitors a user's network traffic by integrating its software close to firewalls from other vendors, and running its software manually or automatically.
Despite the promise of these advances in cybersecurity, Edwards adds they must be joined by partnerships between OT and IT personnel. "Monitoring and blocking are more mature in the IT space, while OT usually knows more about what ports and firewalls need to be closed, so they need to work together," says Edwards. "Many chief information security officers (CISO) have become responsible for security of the ICSs at their companies over the past five years. However, when we talk to clients about OT-based cybersecurity solutions, those meetings are often the first time their IT and OT people have ever met. There's frequently some fear and animosity, but once they learn that they have the same objective of wanting their equipment to run reliably and safely, they begin to work out the details and build stronger relationships. Once the teams understand each other's needs, there's less fear, and they can begin to solve their common cybersecurity problems."
