InTech

SEP-OCT 2017

Issue link: http://intechdigitalxp.isa.org/i/882230


34 INTECH SEPTEMBER/OCTOBER 2017 WWW.ISA.ORG SPECIAL SECTION: CYBERSECURITY

pendent layers of security controls throughout the ICS, with the dual goals of preventing security breaches and buying time to defend against attacks. "Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies," published by ICS-CERT, details defense in depth for control systems.

Foster IT/OT partnerships

Most CISOs charged with protecting the ICS come from an IT background, which means they have limited experience with the complex world of OT and the critical role OT systems play in process safety and productivity. OT professionals, on the other hand, have primarily focused on process safety and optimization, and have little exposure to the security controls and the rapidly evolving threat landscape that IT security teams battle daily.

Based on these different areas of understanding, it is critical that OT experts within the company, such as automation leaders, and IT security experts, such as CISOs, reach out to one another and create the active partnerships needed to protect the organization's mission-critical ICS core.

Role of government

Protecting the nation's critical infrastructure begins with securing the ICSs that automate production and ensure the safety of power and process facilities. OT professionals have the lead in this task. However, the federal government also plays a role in securing ICSs.

Additional government-imposed regulations are rarely welcomed by the industrial sector. Nonetheless, industry leaders typically employ the best practices outlined in regulations long before they become the law. It is companies that fail to follow basic recommended best practices that drive the need to establish regulations.

For OT professionals responsible for ICS cybersecurity, now is the time to learn from past regulatory activity. Take action. Do not wait for ICS cybersecurity regulations to be imposed. Review existing ICS cybersecurity industry best practices from ISA, the International Electrotechnical Commission, the National Institute of Standards and Technology, and SANS. View them as generally accepted security practices. Strive to implement and abide by the recommendations applicable to your systems. Do not minimize and avoid them. If we work together to improve ICS cybersecurity in our industry, it is less likely that the government will have to impose burdensome regulations—or when it does, the impact will be nominal.

Domestic and foreign policy

Securing ICSs is fundamental to protecting the nation's critical infrastructure. In recognition of this, the executive branch continues to make securing critical infrastructure a high priority. The presidential executive order issued on 11 May 2017, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," addressed the right areas of concern—updated federal systems, critical infrastructure, deterrence, workforce education, and more.

However, the federal government needs to do more to clearly define foreign and domestic policies and strengthen the consequences of attacks on critical infrastructure. A cyberattack by a nation state on the ICSs in a refinery that damages property or injures people is no different from dropping a bomb on that refinery. So long as attribution is clear, consequences must include the option of a proportional kinetic response. An orchestrated cyberattack on multiple volatile industrial facilities can have the same results as tactical weapons of mass destruction. We need to treat it as such.

Operational safety and profitability

At a high level, the efforts that go into securing an ICS directly contribute to improved process safety and operational profitability. Such efforts include obtaining visibility into process control assets and managing configuration changes.

Securing the ICS within the enterprise is not trivial. It requires commitment, vision, and perseverance. It is a cross-functional initiative that spans company culture, technology, policy, and governance. It takes an entire enterprise to protect the ICS, but only one bad actor to breach it. The enterprise must be successful at protecting the ICS 100 percent of the time, whereas an attacker has to be successful only once. OT organizations must reach deep within and address cybersecurity the same way they have dealt with safety over the past 25 years. They must also team up with IT and leverage cybersecurity best practices developed over the past two decades.

Successful companies recognize that, like safety, mitigating the risks of cybersecurity begins with leadership at the highest levels. This includes the board of directors, the chief executive officer, and the executive team. It requires clarity of vision, strong organizational and financial commitment, and a companywide culture that supports ICS cybersecurity excellence.

ABOUT THE AUTHOR

Eddie Habibi (eddie@pas.com) is the founder and CEO of PAS Global. He is a pioneer and a thought leader in the fields of ICS cybersecurity, industrial IoT, data analytics, and operations management and the coauthor of two popular best practices books on industrial operator effectiveness: Alarm Management: A Comprehensive Guide and The High Performance HMI Handbook. Habibi has an engineering degree from the University of Houston and an MBA from the University of St. Thomas.

View the online version at www.isa.org/intech/20171006.

RESOURCE

ANSI/ISA-62443-2-1 (99.02.01)-2009: Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
www.isa.org/ansi/isa-62443-2-1
