On March 15-16, 2016, I participated in the 2016 Food Industry Cyber Security Summit sponsored by the Food Protection and Defense Institute – a DHS Center of Excellence housed at the University of Minnesota. There were approximately 40 invited attendees from government, industry, and academia. The attendees included five Chief Information Security Officers (CISOs) from major food and agriculture companies. I gave my presentation on industrial control system (ICS) cyber security the afternoon of the first day. Prior to my afternoon presentation, the focus was on the traditional IT aspects of cyber security. My presentation stimulated detailed discussion of the use of process control in the food and agriculture industry and the need to focus more attention on this critical, but not well understood or addressed, subject. Several items struck home with the attendees, and specifically with the CISOs. One was the need to address safety, and the other was the culture gap between IT and control systems (Operational Technology – OT). Even though many attendees stated the food industry was far behind other industries when it came to cyber security, when it came to ICS cyber security the food industry was similar to other industries. Moreover, the conference had several firsts.
Part of my presentation dealt with the difference between IT and ICS. The NIST definition of a cyber incident is electronic communications between systems that affect Confidentiality, Integrity, and/or Availability (C, I, A). As I and others have noted many times, for ICS the order of the triad is reversed. However, the important issue is that the letter “S” (for safety) is missing from the IT security triad. One of the CISOs was a mechanical engineer who started off on the plant floor. He knew the plant floor environment can be very dangerous, and after hearing the presentation he realized an ICS compromise on the plant floor can kill people. The “aha” moment came during a breakout session for participants to identify important issues, when this CISO put “CIAS” on his breakout card as one of his top issues. Even more, many conference participants put “stars” by this card, indicating they also thought this was a top issue.
The second “aha” moment occurred during one of the many discussions on industry needs and gaps. A second CISO without ICS experience stated there was a need for CISOs to better understand how to talk to the boards and senior executives (well known). However, he went on to say the CISOs also need to understand how to talk to OT – a first! If IT and OT (the ICS world) are going to overcome their cultural barriers, understanding how to talk to each other is a first step.
The final “aha” moment, though not a first, occurred when another CISO (again without ICS experience) told me he couldn’t get his OT people to work with him and was looking for help to make that happen. This same situation occurred two years ago with a major bank VP of security who could not get their OT staff (building controls) to even talk to the VP.
There was another interesting point that I hope was an “aha” for the attendees. There is a tendency in all industries to think they are different and that what happens in other industries doesn’t apply. On March 16th, ICS-CERT issued Advisory ICSA-16-075-01, “Siemens SIMATIC S7-1200 CPU Protection Mechanism Failure” (original release date: March 15, 2016). The Advisory stated: “The affected products, the Siemens SIMATIC S7-1200 CPU family, are designed for discrete and continuous control in industrial environments. According to Siemens, the Siemens SIMATIC S7-1200 CPU family is deployed across several sectors including Chemical, Critical Manufacturing, and Food and Agriculture. Siemens estimates that these products are used worldwide.” It was fascinating seeing the conference attendees’ reactions when I read the advisory.
Maybe we are finally making progress with industry – thank you food industry CISOs.