
More answers on what you need to know about cybersecurity

Mark T. Hoske, Control Engineering

Below are more answers resulting from a cybersecurity webcast on cybersecurity architectures, training, best practices, risk assessment and trends based on research.


A cybersecurity webcast on Dec. 3, 2020, raised more questions than the two expert responders had time for at the end, and their answers to those additional questions on industrial control system (ICS) cybersecurity are available below. The webcast, with one PDH available, is archived for one year. Register for the webcast with the following link: “Cybersecurity: What you need to know.” Two presenters answered the additional questions below.

• Brad Bonnette, technical director, Wood Automation and Control, Wood

• Anil Gosine, global projects, MG Strategy+

More ICS cybersecurity answers

QUESTION: What are often overlooked cybersecurity best practices that represent weak links? Do they differ widely by organization and industry or are there commonalities for all?


Bonnette: Seemingly simple things like turning off or actively managing USB, Bluetooth and removable/portable media connections. Lack of management of unused accounts, personnel departures, (temporary) personnel, contractor or vendor access credentials. Not monitoring firewall or security monitoring software reports or alerts.

Gosine: Proper configuration of the systems procured and underestimating the time/effort needed to continuously maintain and address issues. You want to avoid similar situations like operators ignoring alarms and then requiring another effort for alarm management years after initial ICS deployment. An article published in Control Engineering, “Key security components and strategies for ICS,” is a good reference.

INSIGHTS

KEYWORDS: Industrial cybersecurity, cybersecurity risk assessment

Industrial cybersecurity webcast looks at what you need to know.

Extra questions about cybersecurity are answered.

CONSIDER THIS: What are you doing to reduce cybersecurity risk to an acceptable level?

ONLINE

www.controleng.com/webcasts
www.controleng.com/webcasts/past

Q: Are there special cybersecurity recommendations for supervisory control and data acquisition (SCADA) and programmable logic controller (PLC)-based systems?

Bonnette: Edge protection and defense-in-depth are still principal base models. However, if the context of SCADA includes utilization of cloud or wide-area network (WAN) that is not exclusively controlled by the owner/operator, additional measures must be considered to authenticate traffic, endpoint devices, users, and protect (encrypt) data being carried over cloud or contracted carrier networks. The external network should be treated as an untrusted edge. However, just because your company owns a specific LAN or WAN does not mean it may not need to be considered untrusted just as well, depending on technical and physical access control to the networks. External networks should always be considered untrusted and considered a potential threat vector. Reference: ISA-TR100.15.01-2012 Technical Report “Backhaul Architecture Model”

Q: Is there a need for firewalls on Apple products?

Bonnette: Yes, both to protect the device, but primarily to protect the rest of the system from the device. Apple OS are just as exploitable as Microsoft Windows (Linux as well). At a minimum, any type of networked device may be used for distributed denial of service (DDoS) attacks and robot data storm attacks, or as a pivot point for data, traffic or access to gain access to an operating technology (OT) system or network. Mobile phone malware has caused OT incidents, transmitting malware to the OT system by plugging in a mobile phone (smart phone) to a USB port to charge it on an OT workstation, resulting in crypto locking or virus infection of the facility control system.

Gosine: The Apple Wireless Direct Link protocol used to create mesh networks can be exploited, as noted in recent security notifications.

Q: Are there particular advantages to hard wiring? Or to keeping all data in house?

Bonnette: “Hard-wiring” may be easier to protect physically with barriers and physical access controls. However, as soon as the network leaves a physically controlled boundary, any points of connection or distribution are accessible, but typically not as accessible as wireless systems. There is a lot of debate about keeping data “in-house.” If you are overwhelmed with maintaining the security and integrity of your data systems and data, outsourcing may actually be a means of improving the security or integrity of the system, but risks in the supply chain (the service supplier’s integrity, security practices and capability) need to be assessed as if it were your own estate.

Gosine: You need to weigh the risks/benefits of losing the cloud-based data analytics capabilities that increase productivity, efficiency and increase margins when keeping data internal.

Q: We’re trying to determine what cybersecurity staff training should include for whom and when?

Gosine: Know where your organization’s understanding is at through a baseline Q&A that follows the NIST Framework Categories. There will be a need for distinct training course materials for operators, security administrators, general users. Annual workshops for operation and security administrators. Operators - training on detecting anomalies; Administrators - tools, management techniques and prioritization in risk assessment; General users - social engineering and situational awareness. Incorporating relatable security information into available corporate news feeds/webcast updates also may be beneficial.


Q: What determines how often a cybersecurity risk assessment should be done? Should miniassessments be completed in certain areas more frequently than all of operations, all of the enterprise, or all of the connected supply chain?

Bonnette: The frequency of risk assessments should be commensurate with the previously assessed risk. Systems or zones with higher potential consequence of compromise should be assessed more frequently than lower potential consequence areas. Interim risk assessments for a single zone or subset should consider conduit connections to other zones.

Gosine: Critical operational processes are getting done more frequently to show risk avoidance/mitigation to C-level (potentially every 18 months). This will be based on how fast remediation efforts are getting completed. Regulatory requirements where applicable will have minimum frequency requirements that are required.
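Bonnette’s two rules, assess higher-consequence zones more often and include conduit-connected zones in any interim assessment, can be expressed as a small scheduling model. The following Python is an added example, not code from the webcast or either presenter; the zone names, dates and the interval-per-consequence table are constructed for illustration, and the “stale neighbour” flag is this example’s own interpretation of why conduits matter in an interim assessment.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assessment interval in days per consequence-of-compromise rating: the higher
# the consequence, the shorter the interval. Values are constructed for
# illustration, not taken from any standard or from the webcast.
CADENCE_DAYS = {"high": 180, "medium": 365, "low": 730}

@dataclass(frozen=True)
class Zone:
    name: str
    consequence: str      # "high", "medium" or "low"
    last_assessed: date

def next_due(zone: Zone) -> date:
    return zone.last_assessed + timedelta(days=CADENCE_DAYS[zone.consequence])

def zones_due(zones: list[Zone], today: date) -> list[str]:
    """Zones whose full assessment interval has elapsed as of `today`."""
    return sorted(z.name for z in zones if next_due(z) <= today)

def conduit_neighbours(zone_name: str, conduits: list[tuple[str, str]]) -> set[str]:
    """Zones sharing a conduit with `zone_name` (conduits treated as undirected)."""
    out = set()
    for a, b in conduits:
        if a == zone_name:
            out.add(b)
        elif b == zone_name:
            out.add(a)
    return out

def interim_scope(zone_name: str, zones: list[Zone], conduits: list[tuple[str, str]]) -> dict:
    """Plan an interim assessment of one zone: the scope is the zone plus every
    conduit-connected zone. Neighbours assessed less recently than the target are
    flagged, since an unreviewed neighbour is an unreviewed path into the target
    (the flag is this example's assumption, not a rule from the webcast)."""
    by_name = {z.name: z for z in zones}
    target = by_name[zone_name]
    neighbours = conduit_neighbours(zone_name, conduits)
    stale = sorted(n for n in neighbours if by_name[n].last_assessed < target.last_assessed)
    return {"scope": sorted({zone_name} | neighbours), "stale_neighbours": stale}

# Constructed sample: a small plant segmented into zones joined by conduits.
ZONES = [
    Zone("safety-plc", "high", date(2020, 3, 1)),
    Zone("dcs-control", "high", date(2020, 9, 1)),
    Zone("historian-dmz", "medium", date(2019, 6, 1)),
    Zone("corporate-it", "low", date(2019, 1, 1)),
]
CONDUITS = [("safety-plc", "dcs-control"), ("dcs-control", "historian-dmz"),
            ("historian-dmz", "corporate-it")]
TODAY = date(2020, 12, 3)   # date of the webcast, used as the reference day

if __name__ == "__main__":
    print("due for full assessment:", zones_due(ZONES, TODAY))
    print("interim plan for dcs-control:", interim_scope("dcs-control", ZONES, CONDUITS))
```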

Q: With software updates, vulnerabilities may be exposed. Is there a repository where control system software security status is available?

Gosine: Yes, see https://us-cert.cisa.gov/ics and https://www.strategicefficiency.org (membership required).

Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media and Technology, mhoske@cfemedia.com.

An architecture document that defines the cybersecurity architecture and risks helps in justifying what needs to be done and why, according to the Control Engineering webcast, “Cybersecurity: What you need to know.” See www.controleng.com/webcasts/past. Courtesy: MG Strategy+, Wood Automation and Control and Control Engineering
