- Cybersecurity attacks against manufacturers and other industrial sites are growing every year.
- When developing a cybersecurity plan, is best to look at it through the lens of business risk reduction and enabling innovation.
- Industrial PCs need to be put on the front line of cybersecurity efforts and constantly monitored and patched to prevent attacks from happening.
It is no secret our world is more connected than ever. According to Statista, it is estimated there are 36 billion connected devices today. That amount will double by 2025. Where perception differs is whether we are becoming more or less secure. On the one hand, technologies and professional services available to improve security are growing. For example, Markets and Markets estimates that the global cybersecurity market size will grow from $153 billion to $249 billion by 2023.
On the other hand, attacks on organizations are more commonplace than ever, demonstrated by businesses increasingly purchasing cybersecurity insurance to hedge their bets. More shockingly, lists of thousands of victim companies are published online by intelligence companies, which show who has had information released on the dark web. Determining whether overall cybersecurity is getting better or worse is a complicated topic.
Industrial control systems are not keeping up
That question is less complicated when discussing the industrial control system (ICS) environment. It is a landscape held together by legacy hardware and software. Capital and operational costs for the environment is high, so equipment is often run until it fails. Industrial devices are communications are inherently insecure and unencrypted. Availability is prioritized over confidentiality and security, providing few or no opportunities for patching during downtime. In many ways, the industrial information technology (IT) infrastructure, which the control systems run on, are exact opposites of their enterprise infrastructure counterparts. The cumulative result is demonstrated in Claroty’s Biannual ICS Risk & Vulnerability Report, providing data showing vulnerabilities affecting the commercial facilities sector has increased by 140% compared to 2018.
Putting these trends together, not only is connectivity and the cybersecurity threats organizations face increasing, ICS security postures are not keeping up.
The best lens to view ICS cybersecurity
The ICS cybersecurity problem is incredibly technical, the title of this article is technical and the word “cybersecurity” sounds technical. However, when considering the problem, it is best to look at it through the lens of business risk reduction and enabling innovation. Let those two objectives guide how decisions are made and allow the technical security controls and practices to fall in place behind them.
ICS cybersecurity: Business risk
From a business risk perspective, ICS cybersecurity approaches will parallel an organization’s existing EH&S programs, in the sense that everybody plays a role in the cumulative security plan. It requires a mix of people, processes and technology to be effective and is a continuously improving cycle rather than a linear destination. The ultimate goal is quantifying the amount of risk tolerable to the business and then reduce it.
To provide a comprehensive framework for applying cybersecurity best practices within the ICS environment, the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) have published a series of standards. The series is made up of 14 standards and technical reports, which address responsibilities that owners, vendors and service providers can follow. Of particular importance for system owners looking to initiate a cybersecurity program for understanding and addressing overall cybersecurity risks is the 62443-2-1 standard titled “Establishing an Industrial Automation and Control Systems Security Program.”
ICS cybersecurity: Enabling innovation
The second – sometimes forgotten – lens to view security decisions through is by enabling innovation. The increase in connectivity has provided an opportunity for analytics, cloud and edge computing architectures and more to be leveraged, which can make the business more efficient and agile.
However, security concerns can prevent the adoption of those technologies, and improving security can remove those barriers. Rather than viewing security improvements and being restrictive, identify which security improvements enable the implementation of connected technologies, and weigh that into the decision of security controls to implement during the overall risk management cycle.
It is imperative to think about cybersecurity holistically across the enterprise from a business risk and innovation perspective. In many cases, an organization’s steps will be to understand the systems in their environment, preparing for incidents and reducing the likelihood and consequences of an incident. This is where IPS and server lifecycles and patching plays a major role.
The importance of IPC and server patching
Patching as a whole is a small piece of the overall challenge, but it is an incredibly important piece for industrial PCs and servers. In fact, the ISA/IEC-62443 series of standards is made up of 14 standards and technical reports, one of which (Technical Report 2-3) was published specifically to address patch management within the ICS environment.
The ICS environment is made up of many layers of industrial equipment, including Level 2 supervisory control devices and application, Level 1 basic control devices, MES/MOM systems, network infrastructure and more. It can be argued that if only one type of device could be patched, the wisest choice would be Microsoft Windows operating systems (OS), which are a common platform for lateral movement by attackers. They are often connected to a large quantity of devices and have the opportunity to be patched without directly impacting the industrial application running on it.
Largest quantity of industrial vulnerabilities
In fact, Level 2 supervisory control devices and applications had the largest quantity of vulnerabilities disclosed in the second half of 2020. So, considering the large amount of business risk reduction that can be achieved by patching Microsoft Windows OS, it is worth prioritizing the effort within the overall cybersecurity management cycle.
From an innovation perspective, managing the overall computing ecosystem can be simplified via consolidation onto virtualized and redundant environments or taking advantage of edge computing to eliminate Microsoft Windows OS equipment on the shop floor. That simplification also makes consistent application of access controls, user controls, resource availability and more. This makes IPC and server upgrades an opportunity for innovation advancement and risk reduction.
Due to the nature of ICS environments, there will be cases where upgrading the IPC is not practical. In those situations, there are security improvements which can be implemented. Hardening the device via shutting down unused services, ports and interfaces can reduce the devices’ attack surface. The IPC also can be set up within the organization’s domain, enforcing policy and making it possible for the industrial application to authenticate against the IT-managed AD. Finally, the device can be virtually or physically segmented away from other critical assets, reducing the opportunity for the IPC to be used within an attackers kill chain.
Leverage existing frameworks for industrial PC security
Given the escalation of attacks and the increasing vulnerability of the ICS environment, we are behind schedule with securing the environment. When doing so, it is helpful to leverage the framework provided by the ISA and IEC have published and use business risk reduction and innovation enablement as the decision criteria for implementing security controls.
Data demonstrates that Microsoft Windows IPCs and servers are the most vulnerable, and the most targeted asset. This means managing the lifecycle, patching, and system backups is worth doing. While it is difficult, the choice between investing $1 million per year to do so, or paying $40 million in bitcoin to a cyber gang to decrypt your devices shouldn’t be a choice at all.
Jeff Winter, senior director of strategy and marketing, Grantek. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, email@example.com.
Keywords: cybersecurity, industrial PCs, industrial control system (ICS)
What else can companies do to improve their overall cybersecurity footprint?