Securing Systems in a Digital and Connected World
Published by : Industrial Automation
Cybersecurity programs need to continually look for new potential risks and periodically review past decisions, says Mangesh Nawarange.
The global utilities and industries are increasingly relying on digital technology to meet growing demands for efficiency and cost optimisation. The onset of Covid-19 global pandemic crisis has accelerated the digital ways of doing business and became the new business continuity plan for various organisations. But along with the adoption of digital technology, come a set of challenges. The same digital innovations that ensure that the OT assets are fully optimised and managed efficiently make it more vulnerable to external attack.
Since the start of the new millennium, Industrial Control Systems (ICS) has changed the face of utilities and industries. They have been relying on the Industrial Control Systems to monitor and control the operations. Subsequently, the convergence between Operational Technology (OT) and Information Technology (IT), increasing penetration of Industrial Internet of Things (IIoT) has transformed the industrial assets, mostly working in silos, into smart and connected assets.
The connected assets and advent of the digital age enable utilities and industries to measurably enhance profitability without compromising operational safety, availability, or resilience. The myriad of advantages associated with digital growth expose a long-standing problem with operational technology; exposure to increased cyber risk. Add on to this, leveraging third-party vendors and new cloud-based services result in additional areas of risk previously non-existent in ICS. Moreover, regulatory requirements on these industries have increased and become stricter. The growing recognition of cybersecurity threats to critical infrastructure (e.g., energy, water, transportation) has brought the topic into the spotlight about a decade ago after Stuxnet, the first publicly known cyber weapon, disrupted a critical energy infrastructure.
The data shows that OT/ICS environments continue to be soft targets for cyber attackers, with security gaps in key areas such as:
a. Outdated operating systems and anti-virus updates
b. Weak passwords protection
c. Flat system architecture
d. Direct Internet connections, and
e. Remote access to systems & devices.
Cybersecurity concerns can become particularly acute when businesses attempt to integrate new and legacy systems without taking a holistic approach to cybersecurity. The industry is also facing the challenge of how to address the retrofit or upgrade for the vast legacy environments that were designed and installed before cybersecurity was a priority. Standards and policies have been created to address the rapid technological changes; however, it is still challenging for companies to implement needed processes and keep personnel up to date and aligned, given the pace of change. Meanwhile, the cyber threat landscape continues to increase. According to a study performed by IBM, the number of attacks targeting operational technology infrastructure increased by over 2,000% in 2019 compared to the previous year.
Businesses need a strong cybersecurity strategy that covers the entire cycle from prevention through to incidence response, a scalable cybersecurity program to align with organisation’s enterprise risk management principles.
Let’s looks at the ways to meet industry cyber challenges keeping our focus on people, process, and technology.
Digital transformation (Industry 4.0)
Older or legacy Industrial Control Systems (ICS) were previously believed to be isolated, ‘air gapped’, from external networks making them safe from external attacks. Most organisations have performed significant digital transformations connecting digital assets to external networks without updating the OT infrastructure they operate in creating severe cyber vulnerabilities in their OT network. Digital is flattening the traditional IT/OT hierarchy and introducing new cyber risk.
First and foremost, recommendation is to be secure by deployment to ensure new vulnerabilities or threats are not introduced with the convergence of OT and IT networks. Implementation of cybersecurity controls and operations to automatically generate the list of cyber assets, 24x7 security monitoring of networks and network access control to prevent unauthorised access to new devices or clients.
Comply with regulation to protect critical infrastructure
Number of regulations and standards like IEC 62443, NIST 800-82 and ISO 27002, etc., have been created to address cybersecurity risks. Organisations must understand and determine which regulatory requirements are applicable to them, monitor changes to regulations to confirm compliance with the latest versions. Like in case of other regulatory requirements, a lapse in proper compliance can expose the organisation to potential fines. Although necessary, meeting regulatory requirements, and the endless focus on compliance, plus the reporting and documentation that this entails, can consequently be counterproductive. Nevertheless, this is necessary because in many cases, compliance is a precursor to doing business with customers. It’s considered a way to show that the minimum cybersecurity requirements have been met.
So, organisations need to look at cybersecurity from a holistic standpoint rather than mere adherence to standards and regulation or protection against cyber-crime.
Shortage of security professionals
People are just as critical as process and technology to maintain a robust security posture. The biggest obstacle in protecting the industrial infrastructure is lack of security professionals. A shortage of skilled cyber professionals in the public and private sectors could lead to heightened cyber risk. Moreover, the shortage of security professionals to manage industrial infrastructure is increasing despite the growing need. Cost pressures and workforce reductions only compound this situation and can result in a lack of compliance with regulatory requirements, as mentioned above.
The recommendation is to address the skill shortage by building collaborative teams drawn from both IT and OT from within the organisation or hire 3rd party services to deliver IT/OT expertise. Another approach is automation of routine security maintenance tasks and reporting to significantly reduce dependence on IT/OT expertise.
Life cycle of OT/ICS products
Historically ICS systems were not designed with cybersecurity as a first priority. While organisations may have more opportunity to implement cybersecurity standards in new products and systems, for older ICS it can be more difficult. OT/ICS lifecycles are counted in decades, rather than years, and it is not always straightforward to find capital to replace or upgrade products quickly. This difficulty notwithstanding, organisations are still expected to address the cybersecurity needs of these previously installed systems which are likely to have many fewer support options. This means that remediation needs for older ICS are at times unknown to the organisation, and when known can be challenging and costly.
The recommendation is to perform cyber risk assessment of the OT/ICS network to identify the weaknesses and highlight what is worth fixing immediately. Organisations can then prioritise, assign budgets, and mitigate the identified risks to greatly impact their security risk posture. Moving forward, organisations need to ensure that their OT systems are secure by design and secure by default to avoid the same challenges in the next generation OT systems.
Defining the baseline security measures
Industries need to set up a comprehensive security program with the support of the executive team. Executive leadership determines the overall company's budget based on its level of risk tolerance; a robust cybersecurity program will require a significant investment of time and resources. The leadership can drive this and encourage that employees follow new cybersecurity procedures instead of ad-hoc uncoordinated security. Often companies fail to maintain complete, up-to-date, and documented records of their entire networked systems and assets. Even though the concept of cybersecurity audit has been around, it has stayed uncommon for ICS. External audits can be a useful tool to drive companies to do a better job maintaining an up-to-date inventory of all assets. This includes documenting configurations and identifying vulnerabilities and exposures. This information is essential to risk management.
Stay safe, stay cyber secure
We always say, security is a journey, not a destination. It has been recognised that critical infrastructure is at stake and besieged from every angle with the cyber threats. Organisations that adopt this are better equipped to achieve lasting improvement in their level of cybersecurity risk. In the last one year, it became further significant that when the office premises and factory locations primarily covered with the secured network were shut down, forcing the employees to connect from various sites, be it remote offices or homes.
This has taught us that business and technology are dynamic, and risk factors frequently change in response to internal and external events. Cybersecurity programs need to continually look for new potential risks and periodically review past decisions to determine whether further information affects their assessments and actions taken. Cybersecurity assessments help to diagnose weakness in security in a plant. Higher level of cybersecurity controls is vital for operators moving forward, not only empowering them to make better decisions about cybersecurity, lifecycle and asset management, but critically giving real-time visibility of all assets, enabling them to better defend a plant network.
With the growing awareness of cybersecurity risks and surmounting threats, as outlined above, there are opportunities for industries to be successful in a dynamic and connected age.
Mangesh is Digital Lead for Energy Industries Division, Process Automation, ABB India. In this role, he works closely with the customers in driving digital transformation in their organisation. He is also leading the Digital initiatives for Energy Management for IMEA (India, Middle East and Africa) region in ABB. Mangesh has more than 20 years of experience in Industrial Automation and Product Development. He joined ABB in 2003 and has held various positions spanning engineering, software and product development, product management and sales.
Mangesh’s focus on digitalisation is hinged transformation in IT & OT catalysed by IoT, big data and simulation models. He brings in-depth knowledge of the advancements leading to a new industrial revolution by making manufacturing smarter and solving complex problems across the entire energy value chain. Mangesh holds Bachelor’s degree in Instrumentation Engineering and Diploma in Software Application Development.