Industrial Cybersecurity is a hot topic in general, and every industrial company needs to act on securing its OT domain. However, many companies struggle with the concept of setting up a good Industrial CyberSecurity program, or are unaware of the process and tasks it involves. Setting up firewalls on your OT domain borders and separating the PCD networks into VLANs often makes those responsible think they have it covered… right?
Wrong!
Implementing a firewall or separating your networks is only one of the many steps towards a comprehensive, sustainable Industrial CyberSecurity Management System. A holistic view and mindset is needed to assess, implement, maintain and document your Cybersecurity program, and it is easy to get lost in the forest with all the trees and bears on the road.
This article describes a few pitfalls on starting up your ICS security program, and tips how to avoid them so that you can start making your OT environment more and more secure in a systematic way.
Get your management on board
For a good ICS security program you need budget, resources and all stakeholders on board. To accomplish this, a good business rationale is essential. You have to sell CyberSecurity to your management so that the need for resources and budget is clear. What business consequences and impact are most compelling for management to commit to the program? What rationale should and can I communicate to justify the program to management?
Without sustainable management commitment, the danger of CyberSecurity fatigue also lurks around the corner. All stakeholders need to be aware that this is not a one-off project, but a continuous improvement process.
Getting management on board on the right premise gives you a steady ground to start building your Cybersecurity process on.
Define your scope
If you do not know what you have, you cannot protect it. It is therefore imperative to define the scope of the so-called System Under Consideration (SUC), meaning to identify the assets, connections, data flows, applications, software and functions of the system you want to assess and protect. Include clear boundaries of the system, as it is just as important to define what is not in scope, to avoid endlessly expanding assessments.
The SUC is not engraved in stone. You could start small, or with a part of the total system, and expand the SUC over the course of the security lifecycle… just as long as the current scope is clear to all stakeholders.
How to define the scope, you ask? Well, this can be done in numerous ways and mostly starts with already available network and system architecture diagrams. These need to be verified against the currently existing system, as these diagrams can be years old and may not always have been updated. An asset inventory needs to be set up, clearly listing all assets, or configurable items (CIs), their properties, functions, connections, custodian, etc. Make sure the inventory is complete and correct. Locking your front door is useless when you forget the back door… pun intended.
There are a lot of tools and programs to automatically discover your assets, and update these discoveries over time.
Make sure to perform a criticality assessment on the assets within the scope, prioritizing the assets based on the impact on your business should the asset be compromised. Include these parameters in your asset inventory.
Setting up the scope, and asset inventory, can be a lot of tedious work, but it is essential for a good, comprehensive, more valuable risk assessment and leads to a more robust defence of your system.
Do your high level risk assessment first!
Often businesses start implementing security measures before having performed a high level risk assessment of the scoped system. While it is of course better to do something than to do nothing, for a good and sustainable defence of the system it is essential to perform a high level risk assessment on the SUC. A high level risk assessment tells you what your current CyberSecurity posture is at this moment, where the gaps are, and identifies the high risk assets or aspects of the system. This also includes an inventory of policies, procedures and responsibilities.
Basically, a high level risk assessment tells you where you are at this moment in time, and helps to determine where you want to go and how to get there. Prioritising the gaps and vulnerabilities tells you where you can make the biggest steps forward in securing your system. It gives you focus and justifies why you implement security measures, or to put it another way, why you are spending money on these countermeasures.
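To make the asset inventory, criticality assessment and high level gap assessment from the two sections above concrete, here is an added example (not code from the original article, and not a tool the author describes). It assumes a constructed inventory of three configurable items, an impact rating per asset on a 1-5 scale for safety, production and compliance, and a short constructed list of baseline controls a high level assessment would check for. It also flags connection endpoints that are referenced but missing from the inventory, which is the "forgotten back door" from the scoping section:

```python
"""Constructed asset inventory with criticality scoring and a high level gap report.

All CI names, custodians, impact values and the list of baseline controls are
constructed for illustration; they are not from a real site or standard."""
from dataclasses import dataclass, field

# Baseline controls the high level assessment checks for (constructed, assumed list).
BASELINE_CONTROLS = (
    "patch_process", "backup", "network_segmentation", "access_control", "owner_assigned",
)


@dataclass
class Asset:
    ci_id: str
    function: str
    custodian: str
    connections: list          # ci_ids of peers this asset communicates with
    impact: dict               # impact category -> rating 1 (low) .. 5 (severe)
    controls: set = field(default_factory=set)  # baseline controls confirmed present

    def criticality(self) -> int:
        # Worst-case impact governs: a safety rating of 5 must not be averaged away
        # by a low compliance rating.
        return max(self.impact.values())


def unknown_endpoints(inventory):
    """Peers referenced in a connection but absent from the inventory.

    Each of these is a scope gap: something talks to an in-scope asset but has
    no entry, so it has no custodian, no criticality and no assessed controls."""
    known = {a.ci_id for a in inventory}
    missing = set()
    for a in inventory:
        for peer in a.connections:
            if peer not in known:
                missing.add((a.ci_id, peer))
    return sorted(missing)


def gap_report(inventory):
    """Per asset: criticality, missing baseline controls, and an ordering score.

    The score (criticality times number of missing controls) is only used to rank
    where the biggest step forward can be made; it is not a quantitative risk value."""
    rows = []
    for a in inventory:
        missing = [c for c in BASELINE_CONTROLS if c not in a.controls]
        rows.append({
            "ci_id": a.ci_id,
            "custodian": a.custodian,
            "criticality": a.criticality(),
            "missing": missing,
            "score": a.criticality() * len(missing),
        })
    return sorted(rows, key=lambda r: (-r["score"], -r["criticality"], r["ci_id"]))


# Constructed sample inventory (three CIs; ENG-01 and ERP-GW are deliberately
# referenced in connections but never inventoried).
SAMPLE_INVENTORY = [
    Asset("PLC-01", "reactor control", "ops-team", ["HMI-01", "ENG-01"],
          {"safety": 5, "production": 4, "compliance": 2},
          {"network_segmentation", "owner_assigned"}),
    Asset("HMI-01", "operator station", "ops-team", ["PLC-01", "HIST-01"],
          {"safety": 3, "production": 4, "compliance": 2},
          set(BASELINE_CONTROLS)),
    Asset("HIST-01", "historian", "it-team", ["HMI-01", "ERP-GW"],
          {"safety": 1, "production": 3, "compliance": 4},
          {"backup", "owner_assigned"}),
]

if __name__ == "__main__":
    for src, peer in unknown_endpoints(SAMPLE_INVENTORY):
        print(f"scope gap: {src} connects to {peer}, which is not in the inventory")
    for row in gap_report(SAMPLE_INVENTORY):
        print(f"{row['ci_id']:8} crit={row['criticality']} score={row['score']:2} "
              f"missing={', '.join(row['missing']) or 'none'}")
```

Running it ranks PLC-01 first (highest criticality and three missing controls), then the historian, and lists the two uninventoried peers. The point of the structure is that the documented impact ratings and the recorded controls drive the prioritisation, so when a countermeasure is implemented and the inventory is updated, the same report measures the progress.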
Get help
Securing your systems is a multidisciplinary journey and involves many aspects of the business. Identifying risks, and their associated impact, not only involves technical knowledge and experience, but also financial, legal, safety, organizational and management teams and decisions, to name a few. If being compromised causes a major spill of oil into the ocean, this does not only have financial consequences, but also legal, environmental and reputational damage, and all of these impacts need to be identified to come to a good risk assessment.
Include these teams in the process from the beginning, and explain to them the value of the process and why they are involved. This is essential for establishing a company-wide mindset on securing the OT domain and systems.
Also, get external help when these resources are not available within the company. Not only does this fill in the gaps in knowledge, skills and experience where needed (or perhaps time is a factor as well), a fresh and objective view on your risks and mitigations can prevent overlooking or forgetting certain aspects of the risk assessment. Hearing from a third party that your system is not secure (at all), or that certain vulnerabilities should have been mitigated long ago, may not be what you want to hear, but it does lead to reaching your goals and, in the end, satisfying your management. Hiring external and objective knowledge and experience gives you insight into gaps or vulnerabilities you may not have thought about, were unable to identify, or thought to be trivial.
Hiring Subject Matter Experts (SMEs) on Industrial CyberSecurity, whether they are experts in securing DCS systems, vendor-specific experts or experts in CyberSecurity standards, speeds up the process of securing your system and improves the implementation, robustness and quality of the CyberSecurity lifecycle.
Document, document, document
And last but not least… document! Documentation is a necessary evil, and most try to avoid writing endless documentation, let alone maintaining it. It is, however, vital to being able to measure your progress and report to management. If the results of your (high level) risk assessment are not properly documented, you cannot measure the impact of any implemented countermeasures. Documenting also saves a lot of time later in the process, as you do not have to reinvent the wheel, have discussions on who was responsible for which part of the system or which tasks, or generally have to answer the question of what we are actually talking about here… over and over again.
Remember that infrastructure drawing or network diagram which was hopelessly outdated? Remember how much time it took to verify and update the drawings so you had something to build on? Making documentation a standard task in every aspect of the CyberSecurity lifecycle saves you a lot of time and misunderstanding, and is a vital aspect of measuring progress, communicating with the business and stakeholders, and reporting to management.
Finally, make sure you use a good document management system. Identify who is responsible for the documentation, enforce versioning, and protect the information, as it includes highly sensitive details about your system, the identified vulnerabilities and the implemented countermeasures, among other things. No need to explain that this is heavenly material for anyone who wants to hurt your business, right?
In short…
Industrial CyberSecurity is not a project with a start and a clear end. Installing a firewall doesn't cut it; it leaves other doors wide open for attacks on your OT systems. It is a lifecycle of continuous improvement, measuring, monitoring, auditing and documenting. Many teams, and much knowledge and skill, are involved in setting up a complete, comprehensive and sustainable CyberSecurity Management System. This article describes some of the pitfalls and gives some tips on certain parts of this lifecycle. It is in no way exhaustive, but it gives some insight into the work and activities involved to get you properly started on securing your OT systems.