ML Journal August 2022

Building Cybersecurity for Industrial Control Systems

For interconnected manufacturing, industrial control systems are key to preventing unauthorized access to data

As manufacturers and other tech companies continue to evolve amid the Fourth Industrial Revolution and prepare for the fifth, industrial control systems (ICS) remain the cornerstone of organizations’ ability to deliver on their goals of increased safety, productivity, efficiency, quality and innovation.

The use of advanced technologies has become table stakes for manufacturers, especially over the last two and a half years. But the proliferation of networked technologies also brings more risks and exposure to advanced cybersecurity threats. Corporate espionage targeting companies’ networks is also becoming a more prevalent way that bad actors can gain competitive intelligence and extort organizations. Attackers have evolved, moving away from large, multipurpose attacks on network perimeters and toward focused attacks that expose businesses to more diverse risks.

Companies across the economy are acutely aware of the risks; 72% of the 400 middle market executives who responded to a recent RSM US Middle Market Business Index survey on the topic of cybersecurity said they anticipate unauthorized users will attempt to access data or systems in 2022, “a sharp rise from 64% last year and the highest number since RSM began tracking data in 2015.”

As manufacturers become ever more networked, their devices more interconnected and their decision-making more dependent on real-time data, robust and consistently updated cybersecurity protocols are paramount. And rigorous cybersecurity protocols aren’t just crucial in terms of staying ahead of the competition; customers, business partners, suppliers and vendors increasingly require a higher level of security assurance amid rising concerns, and regulators are requiring more thorough security controls. Lawmakers in the United States, the European Union and Canada, for instance, have recently enacted or introduced rules that would tighten cybersecurity protocols across a wide array of sectors.

It’s clear that operational technology (OT) security is crucial to companies’ success and their ability to remain competitive and protect their intellectual property and systems. But for midsize and smaller manufacturers, it may be difficult to know how best to go about updating and enhancing cybersecurity policies and practices. And while governments and other groups develop regulations outlining key requirements of cybersecurity programs, they rarely describe how those translate to the specific ICS in scope and rarely detail how to build such ICS programs in a sustainable manner.

Below, we take a closer look at what companies need to do to enable that process. For manufacturing companies, building a sustainable cybersecurity program should start with understanding the standards the organization currently has in place, assessing where there may be gaps, and determining what changes need to be made across the four key areas of oversight, people, process and technology.

Define The Need, Select a Standard

What is a cybersecurity program for industrial control systems? Like other cybersecurity programs, it is a set of policies, procedures, guidelines and standards developed specifically to protect and manage your industrial control systems. Within the policies that describe the program, leadership teams define the security management practices and controls required. To do so, though, the key stakeholders in the initiative must first have clarity about the definition and scope of their ICS cybersecurity program: which assets, sites, networks and vendors are in scope, and which are not.

Companies may consider reusing IT policies, procedures, guidelines and standards from other parts of the business, and while some of them may be applicable to a manufacturing environment, industrial control systems require specific controls and procedures that are usually completely different from the IT world. An IT patch policy that requires updates within 30 days, for example, cannot simply be applied to a controller that can only be taken offline during a scheduled plant shutdown, and an endpoint agent that is routine on an office laptop may not be supported on a PLC or an HMI at all.

When it comes to implementing the security program itself, companies don’t need to start from scratch; rather, they can adopt standards that other reputable organizations have already honed. The key is to select a comprehensive and relevant standard, or set of standards, that is associated with your industry and, in some cases, with the regulations to which you must adhere. The ISA/IEC 62443 series (ISA/IEC 62443-4-2, for example, specifies technical security requirements for control system components, while 62443-2-1 addresses the security program itself), used in combination with the NIST Cybersecurity Framework Version 1.1 from the U.S. Commerce Department’s National Institute of Standards and Technology, is an excellent, comprehensive example that can guide the development of your ICS cybersecurity program. Remember that comprehensive does not mean perfect; these frameworks typically cover the things that you must or should consider specifically for an ICS security program and for an OT environment that usually interfaces with IT.

Identify Challenges

Industrial organizations face many tactical challenges when developing an effective cybersecurity program, including lack of clear governance, architectural limitations, control design and documentation issues, ongoing maintenance issues and a lack of monitoring and improvement initiatives.

On the governance front, for instance, organizations need to determine who is responsible for the security of cyber assets and which governance mechanisms should be in place. When it comes to ongoing maintenance throughout the asset lifecycle, teams need to understand new threat vectors introduced by system changes and ensure they are conducting change-driven risk assessments.
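As an added illustration of what a change-driven risk assessment can trigger on (this is example code written for this article’s point, not RSM’s or any vendor’s tooling), the script below diffs two snapshots of an asset inventory, one taken before a network or system change and one after, and flags services that are new or newly reachable from additional zones. The zone names, the inventory format and the list of industrial protocols treated as unauthenticated are all assumptions for the example, as are the sample snapshots, which are constructed rather than taken from a real plant.

```python
from dataclasses import dataclass

# Zone names are assumptions for this example; map them onto your own
# zone-and-conduit model (the kind ISA/IEC 62443 asks you to document).
UNTRUSTED_ZONES = {"enterprise", "internet"}

# Industrial protocols that, as commonly deployed, carry no authentication,
# so any new path to them deserves a risk review. The list is an assumption
# for this example, not an exhaustive catalog.
UNAUTHENTICATED_OT_PROTOCOLS = {"modbus-tcp", "s7comm", "ethernet-ip", "profinet"}


@dataclass(frozen=True)
class Service:
    host: str       # asset identifier from the inventory
    zone: str       # zone the asset itself sits in
    port: int
    protocol: str


def _index(snapshot):
    """Map (host, port, protocol) -> (zone, zones that can reach the service)."""
    return {
        (svc.host, svc.port, svc.protocol): (svc.zone, frozenset(reach))
        for svc, reach in snapshot
    }


def diff_inventory(before, after):
    """Return findings for services that are new, or newly reachable, after a change.

    Each snapshot is a list of (Service, reachable_from_zones) pairs: one taken
    before the change (a firewall rule, a new remote-access path, a new HMI)
    and one taken after it. Removed services are not reported; only added
    exposure triggers review.
    """
    old = _index(before)
    findings = []
    for key, (zone, reach) in _index(after).items():
        host, port, protocol = key
        if key in old:
            added = reach - old[key][1]
            kind = "exposure_widened"
        else:
            added = reach
            kind = "new_service"
        if not added:
            continue  # nothing new can reach this service
        if added & UNTRUSTED_ZONES:
            severity = "high"       # a direct path from outside the plant
        elif protocol in UNAUTHENTICATED_OT_PROTOCOLS:
            severity = "medium"     # new neighbors can drive the controller
        else:
            severity = "low"
        findings.append({
            "kind": kind, "host": host, "zone": zone, "port": port,
            "protocol": protocol, "newly_reachable_from": sorted(added),
            "severity": severity,
        })
    return findings


def needs_risk_assessment(findings):
    """True when the change must go through a risk assessment before sign-off."""
    return any(f["severity"] in ("high", "medium") for f in findings)


# Constructed snapshots (not real assets): a remote-vendor-support change
# opens the PLC to the DMZ and adds an engineering workstation reachable
# from the enterprise network.
PLC = Service("plc-01", "cell", 502, "modbus-tcp")
HMI = Service("hmi-01", "cell", 443, "https")
EWS = Service("ews-01", "dmz", 3389, "rdp")

BEFORE = [(PLC, {"cell"}), (HMI, {"cell", "dmz"})]
AFTER = [(PLC, {"cell", "dmz"}), (HMI, {"cell", "dmz"}), (EWS, {"dmz", "enterprise"})]

if __name__ == "__main__":
    found = diff_inventory(BEFORE, AFTER)
    for f in found:
        print(f"{f['severity']:6} {f['kind']:16} {f['host']}:{f['port']}/{f['protocol']} "
              f"now reachable from {', '.join(f['newly_reachable_from'])}")
    print("risk assessment required:", needs_risk_assessment(found))
```

The point of the diff is that the change ticket, not the calendar, drives the review: the Modbus controller is rated medium even though only the DMZ gained a path to it, because the protocol itself offers no authentication, while the new RDP listener reachable from the enterprise zone is rated high regardless of protocol. Either rating blocks sign-off until the risk assessment is done.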

Generally, these challenges can be traced to one, or a combination, of the four key areas we mentioned above: oversight, people, process and technology.

Addressing the challenges and gaps in these four areas of the business is the crucial next step in enabling companies to develop sustainable cybersecurity practices to safeguard operations into the future. Here’s a look at some of the specific factors at play in each of these four areas:

  1. Oversight: Developing robust cybersecurity policies and practices must start at the top in any organization, and companies that have not clearly articulated the cybersecurity responsibilities of their leadership teams are setting themselves up for failure. The same holds in the OT space. Organizations need clear governance and strategies in place around the security of their industrial control systems, and their processes must incorporate board and executive oversight on everything from understanding cyberthreats to navigating cyber insurance to coordinating with law enforcement in the event of a breach.
  2. People: Fostering the right culture is central to ensuring that employees throughout the company understand and take cybersecurity protocols seriously. People within the organization should not only undergo regular security awareness training and have opportunities to hone their individual cybersecurity skills and competencies, but they should also have a thorough understanding of the company’s protocols and security organization structure at the enterprise level. Vendors also fall into the “people” category, given the cybersecurity implications of how vendors connect with and use the company’s systems.
  3. Process: Many process components touch cybersecurity protocols, from sourcing and vendor management to incident management and identity management. Companies need consistent cybersecurity considerations built into all of these processes to ensure not just physical security but also business continuity in the event of a breach. However, responding to a breach of an ICS requires a different skill set than an IT incident does, and the same is true of every other OT process.
  4. Technology: Much as with processes, manufacturers need to address cybersecurity on a wide variety of technology fronts, including security monitoring, threat modeling, intrusion detection and prevention, endpoint security, data loss prevention, and security architecture and design. How does the organization implement technical security controls across all of its different systems, components and modules? That is a key question to address, because many of these controls cannot be implemented in an ICS the same way they have been implemented in IT. This is why technical expertise in ICS cybersecurity is a crucial success factor.

Leadership teams should ask themselves where they see the gaps in each of these areas. For instance, does your organization have clear protocols in place for ICS incident response but lack a process for threat modeling? Ongoing monitoring is just as important as fixed processes, especially as cyberthreats evolve and become more sophisticated.

Figure 1 – Source: RSM US LLP

The Role of Talent

A significant element of addressing the above issues and developing a sustainable cybersecurity program is hiring and retaining the right people. Companies in all sectors are battling for talent in a tight labor market, but the competition is particularly acute for tech workers, including those focused on cybersecurity.

“From a technology standpoint, more companies are moving data and applications to the cloud for access to a higher level of protection and controls, with many infrastructure costs going away,” according to RSM’s cybersecurity report. “However, as companies in all sectors are finding, the talent to manage that cloud environment is becoming more expensive and more difficult to find and retain.”

This will continue to be a pain point for manufacturers, especially as more of them shift from on-premises data facilities to using cloud applications and services.

Questions to Frame the Path Forward

Manufacturing companies that want to determine how their cybersecurity practices stack up to the evolving threat landscape should foster honest conversations among members of their leadership teams to address the following questions:

  1. How does your team assess the information security risks specific to your industrial control environment?
  2. What steps and/or systems do you currently have in place to secure your industrial and manufacturing operations?
  3. How often does your team review your business processes to identify new information security risks relevant to your manufacturing processes?
  4. How often do you perform security threat tests and report results to the management team?
  5. What is your response plan for a potential operational technology breach?

Having open-ended conversations to address these issues is one of the first steps in building more resilience against cyberattacks and future threats. Working with a third-party advisor on security testing and system assessments can also be an invaluable way to determine what changes the company needs to make to protect itself.

About the author:

Tauseef Ghazi is a principal at RSM US LLP.
