The Role of Systems Integrators in Industrial Cybersecurity

Systems Integrators have a front-row seat when it comes to the topic of Industrial Cybersecurity. We are all aware that in today’s digital age, industrial automation plays a vital role in critical infrastructure including food research and production, water and wastewater utilities, oilseed and renewable refineries, manufacturing plants and more. Pressure to produce more with fewer resources drives the search for automated, connected and innovative solutions. We leverage industrial control systems (ICS) for the competitive advantage they can create. However, increased connectivity in ICS may also inadvertently leave the door open to opportunistic cyber threats. As stewards of Operational Technology (OT) systems, we play a significant role in integrating security into OT system architecture, ensuring security measures are woven into solutions throughout the system lifecycle.

The Ongoing Threat to Critical Infrastructure

Industrial automation systems were historically designed for reliability and efficiency, with security as a more recent requirement. System lifecycles can range from 20 to 30 years, with some exceeding 50. Many legacy systems still in operation lack modern cybersecurity measures, potentially leaving them open to cyber threats. Operational Technology (OT) shares many of the same technological platforms (such as Windows servers and workstations) found in traditional Information Technology (IT) systems. The difference is that stopping a server to patch a vulnerability, or quarantining a device because it has been compromised, is common in IT but will generally disrupt an entire industrial process in OT.

Threat actors, ranging from cybercriminals to state-sponsored hackers, exploit vulnerabilities such as outdated software, weak authentication, and unprotected remote access. Disruption to these systems can result in severe consequences including production outages, damage to equipment, financial losses, and potential threats to human and environmental safety.

Best Practices for Securing Industrial Automation Systems

As systems integrators, we have a crucial role in helping clients defend their industrial automation systems against cyber threats. Helping to implement a proactive, self-improving industrial cybersecurity strategy can significantly reduce risk and enhance system resilience.

Industrial cybersecurity is subject to a mix of general regulations and sector-specific guidelines. There is no comprehensive federal law; instead, different agencies apply fragmented rules to various sectors. Organizations are encouraged to align their cybersecurity practices with established frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

 


Reliance upon proven risk management-based frameworks like the NIST Cybersecurity Framework (NIST SP 800-82r3) is considered best practice.

Frameworks are grounded in the principle of Defense in Depth, which involves creating multiple layers of protection so that if one layer is breached, additional layers prevent further penetration and help make the adversary more visible. It is not only an OT security principle; it is also used in fire protection, risk management and military strategy.

Applying a cybersecurity framework can feel overwhelming, especially for organizations with limited resources and legacy systems.  However, the cost of inaction can be substantial.  Our role as systems integrators is to encourage and facilitate the first steps of an organization’s journey into OT cybersecurity.

Below are six great organizational first steps, and how they relate to the 6 NIST CSF pillars:

Conduct a thorough OT asset inventory (IDENTIFY)

  • An asset inventory is considered foundational and will serve as a source of truth for validation and a ‘noise’ filter when assessing vulnerabilities and potential threats.
  • You cannot protect what you do not know you have
  • This necessary first step leads to subsequent continuous improvement discussions and prioritizing remedial efforts.
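
The following added example (not from the original article) shows the inventory used both ways: as a source of truth to validate what is seen on the network, and as a filter that keeps only the advisories that apply to assets actually in service. All asset records, advisory IDs, product names and addresses are constructed sample data.

```python
# Added illustration: every record below is constructed sample data,
# not a real product, advisory or network.
INVENTORY = [
    {"tag": "PLC-101", "ip": "10.10.1.11", "vendor": "ExampleVendorA", "model": "Ctrl-200", "firmware": "2.1.0"},
    {"tag": "HMI-201", "ip": "10.10.1.21", "vendor": "ExampleVendorB", "model": "Panel-Z", "firmware": "5.4.2"},
    {"tag": "HIST-01", "ip": "10.10.2.5", "vendor": "ExampleVendorC", "model": "Historian", "firmware": "11.0.3"},
]
ADVISORIES = [
    {"id": "ADV-SAMPLE-1", "vendor": "ExampleVendorA", "model": "Ctrl-200", "fixed_in": "2.3.0"},
    {"id": "ADV-SAMPLE-2", "vendor": "ExampleVendorB", "model": "Panel-Z", "fixed_in": "5.4.0"},
    {"id": "ADV-SAMPLE-3", "vendor": "ExampleVendorD", "model": "Drive-9", "fixed_in": "1.0.0"},
    {"id": "ADV-SAMPLE-4", "vendor": "ExampleVendorC", "model": "Historian", "fixed_in": "11.0.10"},
]
# Addresses seen by passive monitoring on the OT network (constructed).
OBSERVED_IPS = ["10.10.1.11", "10.10.1.21", "10.10.1.99"]

def parse_version(text):
    """Turn '11.0.10' into (11, 0, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def applicable_advisories(inventory, advisories):
    """Noise filter: keep only advisories for products we own that are still below the fixed version."""
    hits = []
    for asset in inventory:
        for adv in advisories:
            same_product = (asset["vendor"], asset["model"]) == (adv["vendor"], adv["model"])
            if same_product and parse_version(asset["firmware"]) < parse_version(adv["fixed_in"]):
                hits.append((asset["tag"], adv["id"]))
    return hits

def reconcile(inventory, observed_ips):
    """Validation: list addresses not in the inventory and inventoried assets not seen."""
    known = {asset["ip"]: asset["tag"] for asset in inventory}
    seen = set(observed_ips)
    unknown = sorted(seen - set(known))
    not_seen = sorted(tag for ip, tag in known.items() if ip not in seen)
    return unknown, not_seen

if __name__ == "__main__":
    for tag, adv_id in applicable_advisories(INVENTORY, ADVISORIES):
        print(f"{tag}: {adv_id} applies, schedule remediation")
    unknown, not_seen = reconcile(INVENTORY, OBSERVED_IPS)
    print("Not in inventory:", unknown)
    print("Inventoried but not seen:", not_seen)
```

Of the four sample advisories, two are filtered out (one product is not in the inventory, one asset is already at a fixed version), and the unlisted address 10.10.1.99 surfaces as something to investigate.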

Take a Backup (RECOVER)

  • System backups are the fallback point and play a vital role in ensuring business continuity.
  • Verify backup integrity – Don’t put full faith in backups that are online, or which have not been tested by a sandbox restore procedure.

Enforce Strong Authentication and Access Controls (PROTECT)

    • Implement multi-factor authentication (MFA) for remote access.
    • Restrict user privileges based on job roles and follow the principle of least privilege.
    • Regularly review and remove unnecessary accounts and credentials.

Implement Network Segmentation (PROTECT)

    • Use firewalls and demilitarized zones (DMZs) to separate operational technology (OT) networks from IT and external networks.
    • Limit communication between critical systems to only necessary data flows.
    • Secure remote access technologies, like VPNs with strong authentication and encryption, help maintain segmented network integrity.

Develop and Test Incident Response Plans (RESPOND)

    • Create a comprehensive incident response plan tailored for ICS environments.
    • Conduct tabletop exercises and simulations to ensure rapid response and recovery in the event of an attack. Practice makes the plan perfect.

Define cybersecurity roles and responsibilities (GOVERN)

    • To improve security posture, a clear understanding of who is accountable is needed before protection can be effective.
    • Clarity leads to effective planning and resource allocation and prevents conflicts, confusion or gaps in overall efforts.
    • Incident response plans and business continuity plans depend on clear roles and responsibilities to keep these efforts focused.

Reference URLs:

NIST Cybersecurity Framework 2.0: https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final

NIST Special Publication (SP) 800-82r3: https://doi.org/10.6028/NIST.SP.800-82r3

 

 

Written by: Michael McCuddin, Solutions Architect, ESCO Automation