In a gathering of cybersecurity minds at Schneider Electric Innovation Days 2019, an expert panel provided strategies that users can employ to make their applications more secure. Participants included (l. to r.) consultant Eric Cosman of OIT Concepts, Andre Ristaino, managing director of the ISA Security Compliance Institute, and Gary Williams, senior director of cybersecurity services at Schneider Electric. Not pictured is Ajay Mishra, R&D director for Triconex, Schneider Electric.
At a time when threats of cyber intrusions and attacks can seem only slightly scarier than all the tasks required to protect against them, an expert panel convened to provide many cybersecurity best practices at this week’s Schneider Electric Innovation Days in Austin, Texas.
The panel also reported recent news about the ISA/IEC 62443 cybersecurity standard developed by the ISA99 committee, and about the ISA Global Cybersecurity Alliance, which was launched in August and is now bringing together communities of users and suppliers to collaborate on security issues, responses, awareness, education and training.
The panel consisted of Ajay Mishra, R&D director for Triconex, Schneider Electric; Eric Cosman, principal consultant, OIT Concepts, co-chair, ISA99 cybersecurity committee, and ISA president-elect; Andre Ristaino, managing director of the ISA Security Compliance Institute (ISASecure); and Gary Williams, senior director of cybersecurity services, Schneider Electric.
Protect products and processes
"Product development for vendors must now include addressing cybersecurity at the design stage, meeting security standards, doing cybersecurity testing before products are released, notifying users about vulnerabilities, and patching/updating as needed. It's a continuous process," said Mishra. "This means there are a lot of advantages to working with suppliers that know those standards, as well as monitoring and exchanging cybersecurity information with others."
Ristaino reported that increasing efforts to bake cybersecurity into process control and automation products have been formalized by the Security Development Lifecycle Assurance (SDLA) program, which is an ISASecure initiative that certifies that products comply with IEC 62443-4-1 and its eight practice areas. "SDLA deals with how to maintain cybersecurity for products during their lifecycles because what's needed to protect them is constantly changing," explained Ristaino. "62443-4-1 is what needs to be done, and SDLA is how."
Cosman added that ISA99 has released a steady stream of updates and revisions since it was first launched in 2002, and has a couple more sections due out soon, as well as some second editions of earlier releases. "We think we've addressed most of what needs to be done to achieve cybersecurity in process control applications, but now we need to do more work on guidelines about how to do it," said Cosman. "It's hard to tell exactly who has adopted what levels of cybersecurity, but we can say anecdotally that many large process companies have implemented it because so many of their people were involved in developing the standards. All the major suppliers were involved, and our hats are off to them."
Cosman added that adoption of IEC 62443 is growing, especially in Europe, and that some insurance companies are using it to encourage their clients to improve their cybersecurity practices, while governments in the U.K. and France are using it as a foundation for their cybersecurity efforts. "Insurers are telling some clients they must comply with IEC 62443 or pay more," said Cosman. "If they get 10 questions wrong in an insurer's cybersecurity survey, then they could end up paying double."
Recruiting, educating users
As much as suppliers and standards can improve protections, the panel cautioned that users must also get involved and train their people in good cybersecurity hygiene and responses. "If there's an incident, it's the asset owner that will be named and held accountable," said Cosman.
To get involved in proactive cybersecurity, Ristaino added that users can join the ISA Global Cybersecurity Alliance (GCA) at its website, learn about its best practices and certification programs, and participate in its four working groups.
"Suppliers can provide more secure products, but users have to be the ones to enable them, and that means having awareness and training programs for their staff," said Ristaino. "Users also have to decide which consequence-driven, cyber-informed applications are most important for them. They can begin by identifying critical assets, using analog means to protect them, and then taking other prioritized steps."
Williams added, "You have to educate your people because they're the ones who will see a device misbehave, check if it's possibly due to a cyber-related problem, and isolate and mitigate as needed. People are your most valuable asset in achieving cybersecurity, even though they start out as the biggest risk."
Just as process safety is based on enlightened self-interest, Cosman reported that cybersecurity can make the same appeal. "It's a harder case for cybersecurity to make because many users still see cybersecurity as an impediment that slows operations and production," he said. "So we have to find more and better ways to demonstrate the value that cybersecurity can provide based on the consequences that incidents can cause. I never got a call from the FBI about a cybersecurity incident, but I was on a team after such a call, and it meant a year of work for 30 people.
"We should design-in security in the same way that safety is added from the beginning. I especially like the new hybrid process hazard analysis efforts that involve all job functions, as well as the NIST cybersecurity framework core that shows all the aspects of the framework as they apply to different functional areas."