6 minute read
Looking at simple strategies to achieve the most value from cyber risk assessments
LOOKING TO THE FUTURE
Alexandre Peixoto and Rick Gorskie discuss some simple strategies to achieve the most value from cyber risk assessments.
Advertisement
Most process plant automation systems are engineered over decades to ensure operations are repeatable, reliable, available and safe. More recently greater connectivity to business systems has increased exposure of control systems to the internet so organisations need to consider the implications of cybersecurity so that industrial automation and control systems remain secure and stable.
A good starting point is a risk assessment to evaluate gaps in currently implemented strategies and technologies, and to provide a roadmap for identifying, prioritising, and eliminating vulnerabilities.
Over many years of performing assessments, Emerson has identified three common missteps that operational technology (OT) teams should be aware of when performing or requesting assessments: assuming their own team already knows and understands all the risks, pursuing ‘magic pill’ solutions, and not acting due to the considerable number of issues, along with a lack of prioritisation and limited funding.
Organisations actively arming themselves against these roadblocks to success can more easily reap the benefits of a risk assessment, driving more cybersecure operations and providing the business justification most securityoriented projects lack.
Risks and solutions
Cybersecurity is an evolving arms-race that may seem overwhelming to an OT team, or even some cyber-experienced information technology (IT) teams. Learning that anti-virus software and a firewall is no longer sufficient protection can be intimidating.
A cyber risk assessment removes the need for an OT team to determine every potential cyber vulnerability in the plant. The assessment can help identify, document, prioritise, and build a roadmap around the highest threat vulnerabilities. This roadmap provides a guide for creating solutions to provide sufficient security.
Once the assessment is complete, resources created and shared by partners can expand knowledge of cybersecurity tactics and techniques directly related to the leading vulnerabilities. Automation providers – and other technology providers – will offer a variety of security manuals, secure architecture guidelines, cybersecurity webinars, and continuing education to help OT teams learn, develop, and improve the strategies used to secure critical systems.
In addition, teams must not assume their operators know all there is to know about cybersecurity. Policies and procedures should be documented, shared, and regularly updated (Fig 1). Personnel must be trained to operate under new guidelines established after an assessment. New policies will often upset tried-and-true methods to which operators have become accustomed. Instead of relying on users’ inherent cybersecurity knowledge, the cybersecurity team should teach them how to perform actions under the new guidelines.
Once new guidelines have been put in place, the cybersecurity team should regularly evaluate their implementation. The best way to create secure systems and procedures is to periodically review implementation to ensure proper and appropriate practices are in place.
Even the best all-in-one solution is not a substitute for a cyber assessment. Regardless of the assessment’s results, a holistic approach, supported by a roadmap, will always be the best path forward. Technology solutions alone will never remove the need for understanding what is important to each organisation, along with a flexible strategy reflecting operational and business needs.
Though a hot new solution may provide a quick fix to an existing or emergent vulnerability, if it interrupts one of the control system core functions, it is unlikely to deliver value over the lifecycle of the automation system, and the organisation may face more serious difficulties.
Automation vendors can provide selected cybersecurity solutions certified
to work with their systems, and these are the solutions most suited for safely eliminating vulnerabilities discovered in a cyber risk assessment. Automation vendors develop and rigorously test layered cybersecurity solutions using third-party security technologies and accompanying architectures to ascertain which work best with their products. In addition, these solutions are constantly retested and reevaluated so that the security posture is reassessed, automation vendor suppliers are also realigning their products to meet new needs.
Some third-party solutions are inherently integrated into industrial control systems so that they become part of the automation solution, allowing automation vendors to provide full support in an OT-centric context. In some cases, the third-party provider becomes a strategic partner for the control system supplier so that the updated reference architecture does not impact the core values of the automation system (Fig 2).
Automation system support teams are already well versed in the security technologies surrounding the control system. This means that OT teams can rely on the automation vendor’s single support network – one that typically offers 24x7 support to keep any downtime to a minimum.
The simplest example of inaction is a small department handling both information technology (IT) and OT with a limited budget. It is easy for such a team to become overwhelmed because there are so many vulnerabilities to be addressed – and never enough time, resources, or overall funding.
Prioritising
Even large, well-funded organisations need to start with individual solutions and build toward a comprehensive defense-in-depth strategy. A good cybersecurity risk assessment will create a prioritised roadmap to build the defense layers that will close gaps over time and at a reasonable cost.
Another important strategy is reliance on a trusted partner to perform or help with assessments. Partner organisations have strategies and tools to help make the case for cybersecurity enhancements to management, justifying the investment by examining information regarding the cost of cybersecurity breaches.
Taking concrete steps in response to a cyber risk assessment is not as daunting as it may seem. While it is true that new cybersecurity risks may appear in the future, these risks are not nearly as well known or as likely to be exploited as old risks that are covered by security patches, hotfixes, and upgrades.
An organisation is far more likely to be targeted using an old exploit that they never patched than by a new, freshly discovered vulnerability. These are the vulnerabilities most likely to be discovered with an assessment and deterred by basic defense layers.
A defense-in-depth strategy starts with a good context definition so that each protection layer can be properly designed and then prioritised against available resources. A cyber risk assessment helps build a good context definition appropriate for the organisation’s needs. Being proactive with a cyber risk assessment can also help OT ensure any security measures do not impact operations. If OT waits too long to identify and pursue solutions suited to operations, IT may step in and provide its own solutions without fully understanding the unique needs of operations. When risks are assessed and solutions are deployed appropriately, cybersecurity becomes a bridge between IT and OT that mutually benefits both groups. This is particularly valuable at a time when organisations are forced to operate leaner and remotely to ensure operations and business continuity.
Increased connectivity to business systems has raised cybersecurity protection needs for control systems. Starting with a cybersecurity assessment to identify where the organisation is in its journey prepares the team to write policies and procedures to better secure automation systems. The time invested in defining specific context will help establish defense layers to meet needs. A comprehensive cyber risk assessment will also help build the roadmap that is essential to preparing for the unexpected needs of the future, whether that is more remote operations, shared data for analytics, or the move toward a digitallytransformed organisation.
Fig 2: A comprehensive risk assessment will provide a roadmap for continual assessment and improvement.
