InTech

NOV-DEC 2017

Issue link: http://intechdigitalxp.isa.org/i/910561


final say | Views from Automation Leaders

Prepare now (yes, now) for the inevitable cybersecurity incident

By Marty Edwards

Almost every day we hear news of a company dealing with a cybersecurity problem. Ransomware. Data breach. Nation state. The loss of production systems from a single cybersecurity event can have a financial impact of hundreds of millions of dollars. Organizations that use any kind of automation system need to take proactive, defensive steps immediately to avoid significant business disruption and lost revenue.

Normally, I would be preaching the gospel of the NIST Cybersecurity Framework, the foundational elements set forth in the ISA/IEC 62443 standard, and the virtues of a sound risk assessment methodology. These methods have significant merit and are part of a comprehensive cybersecurity strategy. They simply take time to implement—and, in fact, many companies are just beginning their cybersecurity journey and do not know where to start. Search no more. Start here.

Almost every risk assessment has a common theme—organizations do not understand what systems are important and do not properly segment the networks of these mission-critical operational technology (OT) systems from other enterprise systems, such as corporate information technology (IT) systems. I urge companies to find out: What are your most important business, and therefore system, functions? Where are these so-called "crown jewels"? Once you have identified that system or systems (it should be a small number), you need to protect them—and fast.

Step one: Disaster recovery

Make sure you have implemented a disaster recovery plan and be sure there are recent and functional backups of the entire system, including operating systems, application software, engineering, and configuration files. All backups should be kept "off the network." Recent ransomware attacks have spread automatically across networks, and organizations have discovered interconnections the hard way once their only backups were encrypted. Until you have a systematic process in place to perform and test these backups, do not pass go, do not collect $200.

Step two: Network segmentation

Network segmentation might not be as easy as it sounds and will require some network reengineering, but I did it over 15 years ago by grouping equipment logically by plant area, function, and vendor. Distributed control system vendor A equipment all goes on this network. Vendor B systems go on this other network . . . you get the picture. With the help of your vendors, map the data flows between these networks, and keep those data flows to an absolute minimum. Your network design should consider what data needs to go where, so tweak the design if necessary. Bring your new networks together at a common demarcation point in the so-called "demilitarized zone." For the most critical systems, consider using fiber optics–based unidirectional gateway devices, so information can flow only one way, and intruders do not have an access path through the network connection. Most importantly, log the data that crosses these network boundaries (including refused connections) and review the logs routinely for anomalies.

With your networks separated into manageable and appropriately connected parts (what ISA/IEC 62443 calls "zones and conduits"), you can begin to implement other improvements, such as patch management. Grouping devices and systems logically in this way allows you to make improvements quickly, without the added complexity and risk of affecting the operation of formerly interconnected systems that are now on their own network.

At this point, I recommend against allowing remote access into these systems. If it is important enough to fall into the "crown jewels" category, it is important enough to call someone to walk over to a dedicated terminal to make required changes at 2 a.m. Why are you making changes at 2 a.m., anyway? Over time, as your cybersecurity plan matures, you can implement remote access systems with two-factor authentication. These systems are activated by authorized and trained personnel, only when needed, and all connections are monitored, recorded, and logged for forensics purposes.

These initial two steps, if taken now, will significantly lower your risk from an external network cyberattack. There certainly are many more steps to take in an overall cybersecurity strategy, and other threats to address, such as insiders. By taking these steps first, you will have accomplished what many have not and begun your journey down the pathway of sound cybersecurity management.

For additional resources, see www.automationfederation.org/Resources/IndustrialCybersecurityResources and www.isa.org/cybersecurity-resources.

ABOUT THE AUTHOR

Marty Edwards (medwards@isa.org), managing director of the Automation Federation, is a globally recognized industrial control systems cybersecurity expert and speaker. Edwards has more than 25 years of industry experience and was the longest-serving director of the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team.
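
The routine boundary-log review recommended in step two, sketched as an added example that is not part of the original article: each logged connection is mapped to its zones and compared against the documented conduits, so refused connections and allowed-but-undocumented flows stand out. The zone subnets, conduit list, log format, and sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed zone layout, one subnet per zone (assumption, not from the article).
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "vendor_a_dcs": ipaddress.ip_network("10.30.1.0/24"),
    "vendor_b": ipaddress.ip_network("10.30.2.0/24"),
}
# Documented conduits: (source zone, destination zone, destination port).
CONDUITS = {("vendor_a_dcs", "dmz", 5450), ("vendor_b", "dmz", 5450),
            ("enterprise_it", "dmz", 443)}
# Constructed log lines in a hypothetical boundary-firewall format.
SAMPLE_LOG = """\
2017-11-02T02:03:11Z ALLOW src=10.30.1.15 dst=10.20.0.5 dport=5450
2017-11-02T02:04:02Z DENY src=10.10.4.22 dst=10.30.1.15 dport=502
2017-11-02T02:04:09Z ALLOW src=10.30.2.8 dst=10.30.1.15 dport=44818
2017-11-02T02:04:31Z DENY src=10.10.4.22 dst=10.30.1.16 dport=502
2017-11-02T02:05:00Z ALLOW src=10.30.1.15 dst=10.30.1.20 dport=102
"""
LINE_RE = re.compile(r"^\S+ (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")

def zone_of(ip):
    """Return the zone whose subnet contains ip, or 'unknown'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    return next((z for z, net in ZONES.items() if addr in net), "unknown")

def review(log_text):
    """Count boundary crossings that need a human look, keyed by flow."""
    findings = Counter()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            findings[("unparsed", line)] += 1  # never drop a line silently
            continue
        action, src, dst, dport = m.groups()
        flow = (zone_of(src), zone_of(dst), int(dport))
        if flow[0] == flow[1] != "unknown":
            continue  # traffic that stays inside one zone
        if action == "DENY":
            findings[("refused",) + flow] += 1
        elif flow not in CONDUITS:
            findings[("undocumented_allow",) + flow] += 1
    return findings
```

Calling review(SAMPLE_LOG) returns a Counter; an "undocumented_allow" entry means a firewall rule permits a flow that the conduit map does not list, which is either a gap in the documentation or a rule to remove.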
