InTech

NOV-DEC 2018

Issue link: http://intechdigitalxp.isa.org/i/1058858


COVER STORY | INTECH NOVEMBER/DECEMBER 2018 | 13

cybersecurity priorities. Such funding would encourage asset owners to take initiatives that strengthen their industrial assets against attack and otherwise improve their cybersecurity posture.

There is more than one way to keep equipment, software, and operating protocols regularly updated. While there are different schools of thought on what works best in the carrot-versus-stick debate, incentives can promote broader adoption of cybersecurity standards through the development of upgraded vendor solutions (instead of relying solely on regulations and harsh financial penalties).

When considering incentive-based programs that financially reward companies for regularly updating their equipment and software, staff should be trained to remain compliant with the latest standards and regulations. The government helps prevent potentially catastrophic events from occurring; the plant receives funding to encourage reinvestment in the latest secure technology, staff training, and funding of liability management initiatives. As with most aspects of cybersecurity prevention, a balance of regulation, standards, and incentives is often the best practice.

Sharing from public to private

Although communication between governmental bodies can be lacking, the framework for north-south communication between the public and private sectors is strong. This is where ISACs have an important role. ISACs are nonprofit organizations that serve as a central resource for gathering information on cyberthreats to critical infrastructure and providing two-way information sharing between the private and public sectors. They assist federal and local governments with information pertaining to cyberthreats. More than 20 exist within the U.S., Europe, and Canada. ISACs have verticalized, industry-specific expertise in a wide range of disparate segments: automotive, financial services, oil and gas, real estate, and even retail.

Each of these groups consists of industry experts who anonymously share cybersecurity intelligence vertically with government agencies. From there, the government disseminates this information to all relevant players in that specific industry. This model encourages vendors and other industry actors to share their experiences so that others can both benefit and advise.

While ISACs encompass the vertical, communities of interest (COIs) provide more horizontal guidance. COIs address communication among peers at the vendor and asset-owner level, not just with the government. An example of a COI is the SANS industrial control system (ICS) community, an initiative that equips security professionals and control system engineers with security awareness, work-specific knowledge, and hands-on technical skills for securing automation and control system technology.

In COI settings like this, companies within the industry can have open discussions with competitors around cybersecurity, without tipping their hands as to specific scenarios. By removing any sense of competitiveness, they instead instill a sense of community. For communities such as these to be most effective, they must include not only vendors, but asset owners, cybersecurity researchers, standards bodies, and even universities. There must be rules of engagement for discussion, but those with a vested interest and a part to play should be encouraged to participate. Otherwise it is not a true community. From public to private and across both levels, open and honest collaboration is essential to hardening our defenses against cyberattacks.

Where do we go from here?

Ongoing malicious attacks are our new reality. The good news is we have the means to confront them—as well as to build and advance a resilient "detect and response" cybersecurity strategy across all levels of an industrial enterprise—but only if we take immediate, collective action.

We should be encouraged by the progress made over the past year, but there is always more work ahead. In fact, building cybersecurity resilience is an ongoing pursuit. We all recognize that cyberattacks can be made against any industrial control and safety system anywhere in the world, no matter who designed, engineered, built, or operates it. That means no single entity can solve this global issue. Instead, end users, third-party suppliers, integrators, standards bodies, industry groups, and government agencies must work together to help the global manufacturing industry withstand assaults on the world's most critical operations, thereby protecting the people, communities, and environments we all serve.

In a pervasively connected world that is aggressively closing the IT-OT divide, it is up to us, the manufacturing and ICS experts, to ensure legacy, pre-IIoT critical infrastructure systems and assets are able to shut the door on future Triton-like attacks. To do that, we must encourage transparency, open communication, and ongoing collaboration—not just vendor to vendor, but across every layer of the industrial cybersecurity ecosystem. Now is the time. Our future depends on it.

ABOUT THE AUTHOR

Andrew Kling (andrew.kling@schneider-electric.com) is director of cybersecurity and system architecture at Schneider Electric with more than thirty-five years of software development experience. Kling has ushered the development of the ISA Secure – Secure Development Lifecycle Assurance certification at multiple sites. He participates in developing cybersecurity standards, such as IEC 62443.

View the online version at www.isa.org/intech/20181201.

RESOURCES

"One Year After Triton"
https://blog.schneider-electric.com/cyber-security/2018/08/07/one-year-after-triton-building-ongoing-industry-wide-cyber-resilience

"IEC 62443 Security Assurance Levels Explained"
https://blog.schneider-electric.com/cyber-security/2018/03/30/iec-62443-security-assurance-levels-explained

NIST Cybersecurity Framework
https://www.nist.gov/cyberframework

French National Digital Security
http://www.ssi.gouv.fr/en/cybersecurity-in-france/

Cybersecurity legislation
http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2018.aspx
