When you purchase a car, the manufacturer boasts about its high safety ratings and state-of-the-art features. Most people don't truly appreciate those safety features, however, until an accident occurs and they need them. Not only are safety measures built in, but after you purchase your car its vehicle identification number (VIN) lets dealers and manufacturers alert you to necessary maintenance, recalls and upgrades when they detect design or part issues. These protocols are critical to driver safety, and often taken for granted.
Industrial control systems (ICS) are just as critical to daily life, yet cyber protections aren't always built in, particularly in decades-old legacy systems, so maintaining those older systems is critical. ICS also lack a VIN-style unique identifier that would let manufacturers alert industrial organizations to new vulnerabilities or recommended upgrades. Without ICS, operations in utilities and oil and gas would come to a halt, yet new research from RSA found that energy organizations, alongside government, ranked lowest in cyber maturity, with only 18 percent of respondents classified as developed or advantaged. Further, incident response (IR) capabilities were reported to be either "ad hoc" or "nonexistent."
With attacks increasingly targeting critical infrastructure, as the attacks on Ukraine's power grid demonstrated, organizations can't afford to wait for an "accident," meaning an actual attack, to discover how vulnerable they are. Fortunately, the status quo is changing.
Focus is shifting toward cyber resilience for industrial control and safety systems, SCADA, power and electrical systems. Increasing cyber readiness requires building in resilience from the ground up and transforming organizational culture to one that understands and embraces cybersecurity. While there are various tactics companies should consider, three important steps should be taken immediately.
Step 1: Conduct an asset inventory
While energy companies are taking advantage of the digital age through more connected, digitally enabled machines, there is still a gap in having a full view of the assets themselves. Until you can perform asset management, you can't perform risk management. Too frequently operators and managers don't have a full inventory of the assets on the plant floor. Asset management is critical to understanding which equipment and systems require which patches, and how machines and endpoints communicate across the plant.
In IT environments, computers interact with the network every time someone logs in, making it easier to keep track of access and network traffic. In large industrial organizations, assets may be connected but not actively communicating with other machines, so they never show up in passive monitoring. That doesn't mean they aren't vulnerable. Operators must keep tabs on their equipment to recognize risks and appropriately scale resources for a response effort. This is why NIST guidance, such as the Cybersecurity Framework's Identify function, treats asset inventory and management as an essential foundation for cyber response. The asset inventory is the first critical step to improving an organization's security posture, and it precedes proactive maintenance, patching and hardening of ICS and machine software.
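The three questions an operator has to answer before patching or hardening can start are: what is on the plant network that is not in the register, what is in the register but has never been seen talking (cabled in but silent, and still exposed), and which registered assets run firmware below the vendor baseline. The script below is an added example, not code from the article or from any vendor: it joins a hand-maintained asset register with a passive sensor's observations on MAC address and answers all three. The CSV fields, the sensor line format, the device names and the firmware baseline are assumptions constructed for illustration.

```python
"""Reconcile a plant asset register against passively observed devices.

Added example. All data below is constructed; the register layout, the
sensor export format and the firmware baseline are assumptions, not any
real vendor's or plant's.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hand-maintained asset register exported as CSV (constructed sample).
REGISTER_CSV = """\
asset_id,mac,vendor,model,firmware,zone
PLC-101,00:80:f4:aa:00:01,ExampleVendor,PLC-X,2.4.1,cell-1
PLC-102,00:80:f4:aa:00:02,ExampleVendor,PLC-X,2.3.0,cell-1
HMI-201,00:1c:06:bb:00:10,ExampleVendor,HMI-Y,5.1.0,supervisory
RTU-301,00:50:c2:cc:00:20,ExampleVendor,RTU-Z,1.0.7,substation
"""

# Passive sensor export, one line per flow: mac ip protocol last_seen_epoch.
# RTU-301 is deliberately absent: it is cabled in but has not talked.
# The last line is a device nobody registered (constructed sample).
SENSOR_LINES = [
    "00:80:f4:aa:00:01 10.10.1.11 modbus 1700000000",
    "00:80:f4:aa:00:02 10.10.1.12 modbus 1700000050",
    "00:1c:06:bb:00:10 10.10.2.10 modbus 1700000100",
    "00:1c:06:bb:00:10 10.10.2.10 https 1700000120",
    "3c:52:82:dd:00:99 10.10.1.250 http 1700000200",
]

# Minimum acceptable firmware per model, as a vendor advisory would state it
# (assumed values for this example).
FIRMWARE_BASELINE = {"PLC-X": "2.4.0", "HMI-Y": "5.2.0", "RTU-Z": "1.0.7"}


@dataclass
class Asset:
    asset_id: str
    mac: str
    vendor: str
    model: str
    firmware: str
    zone: str


@dataclass
class Observation:
    mac: str
    ips: Set[str] = field(default_factory=set)
    protocols: Set[str] = field(default_factory=set)
    last_seen: int = 0


def parse_register(text: str) -> Dict[str, Asset]:
    """Load the register keyed by lower-cased MAC so it joins with sensor data."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["mac"].lower(): Asset(**row) for row in reader}


def parse_observations(lines: List[str]) -> Dict[str, Observation]:
    """Fold per-flow sensor lines into one record per device (by MAC)."""
    seen: Dict[str, Observation] = {}
    for line in lines:
        mac, ip, proto, ts = line.split()
        obs = seen.setdefault(mac.lower(), Observation(mac=mac.lower()))
        obs.ips.add(ip)
        obs.protocols.add(proto)
        obs.last_seen = max(obs.last_seen, int(ts))
    return seen


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1). Non-numeric characters are dropped so a
    vendor string like '1.0.7a' still compares instead of raising."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def reconcile(register: Dict[str, Asset], observed: Dict[str, Observation],
              baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Return the three findings an operator needs before patching starts."""
    # Seen on the wire but nobody owns it: investigate before it is trusted.
    unknown = sorted(mac for mac in observed if mac not in register)
    # Registered but never observed: still needs patching, still exposed.
    silent = sorted(a.asset_id for mac, a in register.items() if mac not in observed)
    # Registered and running firmware older than the vendor baseline.
    below = sorted(
        a.asset_id for a in register.values()
        if a.model in baseline
        and version_tuple(a.firmware) < version_tuple(baseline[a.model])
    )
    return {"unknown_devices": unknown, "silent_assets": silent, "below_baseline": below}


def run() -> Dict[str, List[str]]:
    """Reconcile the constructed sample data."""
    return reconcile(parse_register(REGISTER_CSV),
                     parse_observations(SENSOR_LINES), FIRMWARE_BASELINE)


if __name__ == "__main__":
    for finding, items in run().items():
        print(f"{finding}: {items}")
```

Joining on MAC rather than IP is a deliberate choice: ICS devices are frequently re-addressed, and DHCP is rare on the plant floor but not unheard of, so the hardware address is the more stable key. In a real plant the "silent" list is the one to take seriously, since those devices will never trigger a network-based alert and only an active or manual check will tell you their firmware state.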
Step 2: Develop and test incident response plans
An enterprise IR plan enables effective action when a cyber incident occurs. Knowing across the organization how to engage with vendors efficiently, meaning when to reach out and why, significantly improves responsiveness during an incident. It also reduces duplicated effort for facility owners and vendors, because each knows in advance which security services it is responsible for.
While many industrial organizations have an IR plan in place, very few run through a routine simulation exercise of that plan. Tabletop and simulated exercises expose incorrect assumptions baked into the IR process and reveal missing contacts or procedures that are critical to success. The plan should contain current contact information, a structured line of communication and clearly assigned roles and responsibilities, and it should be tested repeatedly to confirm it still works.
Step 3: Train and empower your people
Cyber readiness demands a focus on people. The talent gap is widening, and IR plans often require employees to take on roles outside their day-to-day job functions. When employees understand the risk and how they contribute to it, they help prevent the vulnerabilities that come from human error. Critical infrastructure organizations need to be aggressive in providing training programs and continuing education in order to develop the workforce they need, and they need to help non-technical staff understand how their actions affect security. Historically, IT and operational technology (OT) functions have treated technology solutions as a silver bullet; that thinking ignores the human factor in cyber resilience and security. Retaining the best and brightest in this field means ensuring employees are cyber-aware. People will continue to be the best defense.
The integration of asset management, IR processes and educated people is critical to improving security across critical infrastructure. Our day-to-day lives rely on it: electricity, water and gas. A major cyber attack could create significant disruption and damage. Increasing cyber readiness will help transform critical infrastructure from the weakest link into the most resilient.