CYBERSECURITY
LOOKING TO THE FUTURE

Alexandre Peixoto and Rick Gorskie discuss some simple strategies to achieve the most value from cyber risk assessments.
Most process plant automation systems are engineered over decades to ensure operations are repeatable, reliable, available and safe. More recently greater connectivity to business systems has increased exposure of control systems to the internet so organisations need to consider the implications of cybersecurity so that industrial automation and control systems remain secure and stable. A good starting point is a risk assessment to evaluate gaps in currently implemented strategies and technologies, and to provide a roadmap for identifying, prioritising, and eliminating vulnerabilities.

Over many years of performing assessments, Emerson has identified three common missteps that operational technology (OT) teams should be aware of when performing or requesting assessments: assuming their own team already knows and understands all the risks, pursuing ‘magic pill’ solutions, and not acting due to the considerable number of issues, along with a lack of prioritisation and limited funding. Organisations actively arming themselves against these roadblocks to success can more easily reap the benefits of a risk assessment, driving more cybersecure operations and providing the business justification most security-oriented projects lack.
Risks and solutions

Cybersecurity is an evolving arms-race that may seem overwhelming to an OT team, or even some cyber-experienced information technology (IT) teams. Learning that anti-virus software and a firewall is no longer sufficient protection can be intimidating. A cyber risk assessment removes the need for an OT team to determine every potential cyber vulnerability in the plant. The assessment can help identify, document, prioritise, and build a roadmap around the highest threat vulnerabilities. This roadmap provides a guide for creating solutions to provide sufficient security.

Once the assessment is complete, resources created and shared by partners can expand knowledge of cybersecurity tactics and techniques directly related to the leading vulnerabilities. Automation providers – and other technology providers – will offer a variety of security manuals, secure architecture guidelines, cybersecurity webinars, and continuing education to help OT teams learn, develop, and improve the strategies used to secure critical systems.

In addition, teams must not assume their operators know all there is to know about cybersecurity. Policies and procedures should be documented, shared, and regularly updated (Fig 1). Personnel must be trained to operate under new guidelines established after an assessment. New policies will often upset tried-and-true methods to which operators have become accustomed. Instead of relying on users’ inherent cybersecurity knowledge, the cybersecurity team should teach them how to perform actions under the new guidelines.

Once new guidelines have been put in place, the cybersecurity team should regularly evaluate their implementation. The best way to create secure systems and procedures is to periodically review implementation to ensure proper and appropriate practices are in place.

Even the best all-in-one solution is not a substitute for a cyber assessment. Regardless of the assessment’s results, a holistic approach, supported by a roadmap, will always be the best path forward. Technology solutions alone will never remove the need for understanding what is important to each organisation, along with a flexible strategy reflecting operational and business needs. Though a hot new solution may provide a quick fix to an existing or emergent vulnerability, if it interrupts one of the control system core functions, it is unlikely to deliver value over the lifecycle of the automation system, and the organisation may face more serious difficulties. Automation vendors can provide selected cybersecurity solutions certified
September 2020
Fig 1: Cybersecurity is an ongoing process, with constant updates required based on new solutions and improvements.
www.controlengeurope.com
Control Engineering Europe