Cybersecurity for industrial control systems requires a holistic approach to evaluating all possible risks, and then implementing tools and systems so those risks can be mitigated. If there happens to be a breach, the inherent security capabilities of your mission-critical systems, plant operations data, and proper network configuration will reduce the risk of costly shutdowns and proprietary data leaks.
The concept of cybersecurity is not to fix something that is broken. For example, consider your company’s health, safety, and environmental (HSE) program. The existence of this program is to monitor and decrease the risk of injury and environmental accidents. It is an ongoing evolution of practices that keep employees healthy and the local ecology safe from human interference.
This view of a company’s HSE program should be a reference point in implementing an industrial cybersecurity program. While you may choose to implement certain solutions and policies, the cybersecurity program is an ongoing journey to reduce the risk of attack from a cyber-threat to exploit system vulnerabilities. The program should evolve and mature over time to reduce the amount of risk leveraged against your site.
The idea of vendor agnostic solutions within industrial control systems (ICS) is not a new concept. In recent decades, solutions such as historians and advanced process control from various vendors have been integrated in distributed control systems (DCS) from a variety of manufacturers. This agnostic approach to solution integration was born of a wider concept of modularity, or the idea of using smaller pieces to scale up or down, in a system or process.
It is no secret that the industrial automation sector is years behind in cybersecurity adoption compared to enterprise networks. This is mainly due to the nature of ICS networks operating with requirements for high availability and safety factors that reduce the downtime for maintenance. This, coupled with recent high profile cyberattacks on OT networks, has put many asset operators in a position to act quickly.
To make up for lost time in the market, there has been a small boom of new companies and expansions of existing ones to meet the demand for reducing the risk of cyberattacks on OT networks. This increased demand has come alongside the demand for modularity within process automation as well as vendor agnostic industry initiatives such as the Open Process Automation Forum’s (OPAF) Open Process Automation Standards (O-PAS). (More about OPAF and how the organization is working toward improved interoperability standards among automation vendors can be found at https://www.opengroup.org/forum/open-process-automation-forum.)
Vendor agnostic solutions, along with the ability for modular scalability, can optimize engineering and labor by decreasing the time required for network integration. This article covers three core cybersecurity solutions that are both modular and vendor agnostic.
1. Risk assessment
This approach is considered vendor agnostic because most of the information gathered to compose a cyber risk assessment can be done from a span port on a switch and through client interviews. Risk assessments come in two flavors – qualitative and quantitative.
- Qualitative risk assessments provide a technical profile concerning software revisions and operating system patches. Critical vulnerabilities and exposures (CVE) can be identified and scored. Remediation recommendations are also provided to reduce this profile to a certain degree.
- Quantitative risk assessments measure the amount of capital that is exposed to loss if the OT network were to suffer a cyberattack. An example of a quantitative risk assessment report would likely contain the technical information that is gathered from a qualitative assessment in conjunction with production rates, calculated lost production time, regulatory fines, and contractual obligations. This data is then combined to produce a dollar amount that could be lost in the event of a cyberattack. In some cases, a return on investment (ROI) plan can show which cybersecurity solutions could be implemented to reduce the cyber risk profile.
2. Antivirus
Legacy companies such as McAfee and Symantec have long been household names for antivirus protection for computers at home and at work. Since very few (if any) automation vendors will provide their own antivirus (AV) protection, an agnostic solution is a “must have.” One of the good things that came from automation vendors switching away from proprietary hardware and operating systems is that AV can be used within an OT environment. From a modular standpoint, AV solutions can also be scaled as the network grows or changes.
3. Security Operations Center (SOC)
The SOC service provides 24/7 cybersecurity monitoring and support. This can consist of the identification of malware or an alert of a cyberattack taking place. One of the main advantages that makes the SOC service vendor agnostic is that it largely relies on existing infrastructure. The required hardware and software are usually minimal and can be incorporated into almost any DCS. SOC services provide the asset operator with a way to increase the workforce without the need to add to the internal headcount, which can provide relief for a company that cannot find appropriate personnel or that is still building an internal SOC operation.
There are many more vendor agnostic OT cybersecurity solutions and services available on the market. Risk assessment, antivirus, and SOC were chosen for the way they can easily be integrated and for the value they add to a system. The following is a brief rundown of other common services to consider:
- Whitelisting: This type of software is the inverse of antivirus software. Whitelisting will only allow pre-approved applications to run on your computer.
- Backup and recovery system (BRS): A BRS maintains an image of the machines that comprise your OT network. Keep in mind that only the machines you designate will be backed up.
- Endpoint protection: Every machine on the network is considered an endpoint. Endpoint protection refers to anti-virus and application whitelisting. It is important to have both solutions for true endpoint protection.
- System hardening: This is by far one of the most misused phrases. This is a procedure by which an engineer will optimize the inherent security features of an operating system that runs a computer or a server. These security features include features to disable autorun or USB port capability and more. It can be accomplished centrally or on a machine-by-machine basis.
Please keep in mind that cybersecurity is an ongoing process aimed at minimizing risk, rather than a temporary solution to be abandoned once a project is completed.