By Steve Mustard, PE, CAP, GICSP
October 8, 2022
I’ve recently had a book published, titled Industrial Cybersecurity Case Studies and Best Practices. The book is my attempt to summarize all that I have seen and learned about in industrial cybersecurity in the past two decades.
I feel that we have made progress since the early 2000s, but I still feel we have a way to go before we are fully managing our collective industrial cybersecurity risks. Some sectors are doing better than others, but every facility I’ve ever visited has multiple vulnerabilities. Even the most modern greenfield facilities include inherent vulnerabilities that could have been removed with the right processes and procedures in place.
Much of what I have seen in my travels relates to failures of people and process. The cybersecurity profession responds to the challenge by offering more technology, but technology can only do so much to cover up failures in people and process.
On a positive note, the industrial environment offers established practices and culture around safety that can be readily adapted to manage cybersecurity.
The book covers several areas including:
Measure to Manage Risk - Now that organizations have a better understanding of the difference between industrial cybersecurity and IT cybersecurity, there is an opportunity to apply existing proven industrial risk management practices. The use of statistical methods can provide a more reliable estimate of the likelihood of a cybersecurity incident. This more reliable estimate can be used to better identify the risk reduction needed to manage the risk to as low as reasonably practicable (ALARP). The use of existing tools such as bowtie diagrams can help to elevate the significance of controls needed to maintain a secure industrial facility.
Standardized Designs and Vendor Certification - I believe one of the biggest opportunities to improve cybersecurity in industrial facilities is with better design practices. The Purdue hierarchy has been a mainstay of automation and control systems for 30 years and is utilized in the ISA/IEC 62443 series of standards when considering cybersecurity of these systems. In recent years the applicability of the hierarchy has been called into question. In fact, the Purdue hierarchy remains as essential to automation and control systems design as the OSI seven-layer model is to network design. Certification is not the only answer to effective cybersecurity, but it does drive improvements in design and development, and it does provide an independent level of assurance.
The Pitfalls of Project Delivery - Despite the widespread awareness of the cybersecurity threat and the availability of standards, certified products, certified professionals, and collective experience, systems are still being deployed that lack the most basic security controls. In addition, the projects themselves create additional security vulnerabilities due to poor training, awareness, and oversight among personnel. Finally, a focus on efficiency and cost reduction means that many of the duties involved in managing cybersecurity are added to existing workloads, rather than assigned to dedicated professionals with the right mix of skills and knowledge.
What We Can Learn from the Safety Culture - Visit any OT facility today and you will likely find several obvious cybersecurity policy violations or bad practices. Even in regulated industries, compliance with cybersecurity regulations is, at the time of this writing, not where it should be. NERC, for instance, continues to fine companies that fail to follow its cybersecurity regulations. Human behavior must be understood if organizations are to provide good awareness training for their employees. Additional controls can be deployed to minimize the consequences of such mistakes, but effectiveness varies.
Safeguarding Operational Support - Safety is a major concern in industrial environments, yet cybersecurity, despite being a potential initiating cause in these hazards, is not respected in the same way as safety is. Many organizations begin meetings or presentations with the refrain that safety is the number one concern. But in those same meetings, there may be comments to the effect that “We have more important priorities than cybersecurity.” Clearly, there is still much to do before cybersecurity receives the attention it requires in operational environments.
I hope that the book adds to the body of knowledge and can help others with our collective mission of improving industrial cybersecurity. You can read more about the above topics in a series of posts on the ISAGCA blog.