‘The strategy for industrial cyber security road maps is based on national regulations’
Karthik Damodaran, Cybersecurity and Information Security Compliance & Risk Analyst
The flipside of connectivity is the vulnerabilities that come along. How serious is the threat?
The threats are very dangerous in the IIoT space because of critical vulnerabilities, usually zero-day threats, exploited in the ICS network environment, which involves a lot of heavy machinery and equipment such as industrial robots, conveyor systems, furnaces, nuclear centrifuges, etc. In the information security world, we protect data by evaluating and enforcing the Confidentiality, Integrity and Availability of data, whereas the threat landscape of the industrial world is different: there we protect data by measuring the Security, Privacy and Safety of the interconnected mechanical ICS components. Cyber attacks such as data breaches, DDoS, malware, etc., will not only result in the loss of confidential and proprietary information, breach of trust and brand damage, but might also result in a catastrophe, as it greatly involves the loss of our workers’ lives and safety.
How can organisations address the issues of cyber attacks and IT Security in the age of connected plants?
This is a common question but not addressed well by most industries. Cybersecurity in connected plants should place more emphasis on workers’ safety and infrastructure protection than on the loss of valuable data. It is mandatory for industries operating plants to follow the appropriate industrial regulatory standards. The strategy for industrial cybersecurity road maps is based on national regulations such as the NIST, NERC CIP, IEC 62443 and ISO 15408 frameworks and can vary slightly among different industrial plants such as Manufacturing, Oil & Energy, Automotive, Utility industries and more.
Example: For connected nuclear plants and reactor facilities in Canada, we follow the Canadian Nuclear Safety Commission (CNSC), which is the nuclear regulatory authority with sole responsibility for the oversight of cybersecurity in the Canadian nuclear industry.
One major threat comes from the growing proliferation of IIoT devices and storage (cloud). How can users deal with such threats?
Targeted malware using spear phishing campaigns is one of the major threats in the IIoT world. In the IoT space, any device that is controlled by network communication which is open to the Internet is vulnerable to an external cyber attack. IIoT devices are in no way exempt from this. There are no ‘Air Gaps’ between the open Internet and IIoT devices. The short period of time it takes to plug a laptop connected to the Internet into a flow computer or SIS (Safety Instrumented System) workstation to download a software upgrade is all it takes to upload malicious malware such as Trisis/Triton, BlackEnergy, Stuxnet, etc.
A leading cybersecurity player recently demonstrated internal vulnerabilities like USB devices. Are employees adequately trained?
USBs are a conventional but increasingly growing threat for industrial automation companies where there are deficiencies in adequate security and safety control standards. It’s highly difficult to restrict USB access in an ICS environment, as computer systems and workstations are connected to specialised hardware via USB ports. It is very important for organisations to follow good Cyber Hygiene to detect, block and manage unauthorised USB devices proactively. If you found a toothbrush in your parking lot, would you put it in your mouth? The same applies here for unknown USB flash drives and devices. Provide effective security awareness training and make it an everyday curriculum rather than just a one-time workshop session. Employees must understand the threats their organisation faces to implement a good Cyber Hygiene program.
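As an added illustration of the “detect unauthorised USB devices” point above (this is editor-supplied example code, not anything from the interview or from the interviewee’s organisation): the script below reads Linux kernel log lines for USB attach events, pairs each mass-storage attach with the device’s vendor and product IDs, and flags any whose IDs are not on a site allowlist. The log lines, hostnames and allowlisted IDs are constructed sample values.

```python
import re

# Constructed sample kernel/journal lines; hostnames, ports and IDs are made up.
SAMPLE_LOG = """\
Mar 10 09:12:01 hmi01 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar 10 09:12:01 hmi01 kernel: usb 1-2: Product: Ultra Fit
Mar 10 09:12:01 hmi01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 10 09:15:44 hmi01 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar 10 09:15:44 hmi01 kernel: usb 1-3: Product: USB Keyboard
Mar 10 10:02:17 eng02 kernel: usb 2-1: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 2.00
Mar 10 10:02:17 eng02 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical site allowlist of approved (idVendor, idProduct) pairs.
APPROVED = {("0781", "5583"), ("046d", "c31c")}

# "usb <port>: New USB device found, idVendor=xxxx, idProduct=xxxx" announces any attach.
NEW_DEV = re.compile(
    r"(?P<host>\S+) kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# "usb-storage <port>:<iface>: USB Mass Storage device detected" marks it as storage.
STORAGE = re.compile(
    r"(?P<host>\S+) kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: "
    r"USB Mass Storage device detected"
)


def find_unauthorised_storage(log_text, approved):
    """Return (host, port, vid, pid) for each mass-storage attach not in the allowlist."""
    devices = {}   # (host, port) -> (vid, pid) seen in the most recent attach message
    findings = []
    for line in log_text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            devices[(m["host"], m["port"])] = (m["vid"], m["pid"])
            continue
        m = STORAGE.search(line)
        if m:
            key = (m["host"], m["port"])
            # Unknown IDs (storage message without a preceding attach) are still flagged.
            vid, pid = devices.get(key, ("????", "????"))
            if (vid, pid) not in approved:
                findings.append((m["host"], m["port"], vid, pid))
    return findings


if __name__ == "__main__":
    for host, port, vid, pid in find_unauthorised_storage(SAMPLE_LOG, APPROVED):
        print(f"ALERT {host}: unapproved USB storage on port {port} ({vid}:{pid})")
```

Keyboards and other non-storage devices are deliberately not flagged, so the output stays focused on removable media; in production the lines would come from journalctl or a log collector rather than an embedded string.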
Do companies compromise security by their unwillingness to spend, attributing it to risk appetite?
I would have said yes to this question 5 or 7 years ago, but now, due to evolving cyber attacks in the IIoT space, global industries are making huge investments in their cybersecurity programs. In fact, a good Cyber and Infrastructure Security, Privacy and Safety program gives the best return on investment. With GDPR in effect since May 28, 2018, companies are liable for heavy fines when they don’t report to law enforcement and legal authorities if they are breached, and can be fined up to 5% of their total revenue.
Is there an ideal solution that reaches a fine balance?
There is no one-size-fits-all here. Industries must make sure their foundations are built well before implementing cybersecurity operations and security tools. It is highly recommended and mandatory to follow established cyber security standards such as NIST, NERC CIP, IEC 62443, ISO 15408 and IASME Governance for SMBs. It is very important to have cyber threat intelligence functionalities built into the cybersecurity strategy program to constantly detect and monitor active threats such as APTs in connected plant environments.
Karthik Damodaran is a Cybersecurity and Information Security Compliance & Risk analyst with experience in IT Security Governance, policies, procedures and standards. From his prior external client services work experience at Deloitte he gained sound knowledge of security controls, namely the ISO 27001, NERC CIP, IEC 62443, NIST SP 800-53 & CSF, COBIT, ISACA, PCI DSS & CP frameworks and the GDPR and CCPA regulations. He has performed multiple engagements around Threat Risk Assessments for provincial governments, regional municipalities, regional petroleum boards, oil and energy giants and electric utility companies in Canada. He has conducted logical and physical security audits for data centres and third-party banking & credit unions in Atlantic Canada.