GUEST ESSAY: A call for immediate, collective action to stem attacks on industrial control systems

By Andrew Kling

As the Industrial Internet of Things continues to transform the global industrial manufacturing and critical infrastructure industries, the threat of aggressive, innovative and dangerous cyber-attacks has become increasingly concerning.

Related: The top 7 most worrisome cyber warfare attacks

Adopting modern technology has revealed a downside: its interconnectedness. The vast web of connectivity has expanded the number of potential entry points for hackers. Unfortunately, you can never trust your systems are safe from intrusion. Many of today’s progressively bold, innovative attacks are perpetrated by malicious actors, such as nation-states, who have unlimited time, resources and funding.

One year ago, cybersecurity experts discovered the world’s first known cyberattack on a safety instrumented system. This incident, most commonly referred to as Triton, remains a call to action for the global industrial process and manufacturing industry.

In the year since this attack, the industry has taken a step forward in cyber preparedness. We see plant asset owners addressing cyber risks with more vigilance, and vendors hardening their solutions with cybersecurity built directly into the product offer.

These are important and positive steps. But there is a long way to go; so, where should we focus our attention?

Resiliency needed

Building cybersecurity resilience is an ongoing pursuit, one that ensures our systems and assets operate reliably and safely—at all times—in our digital world. Fifteen years ago, the cyber threats we all face today were unimaginable.

But the business synergies and financial implications of implementing interconnected, automated industrial systems make it a no-brainer for manufacturers to pursue. However, it’s a risk/reward situation, and as an industry, we must continuously address the threat of cyber warfare in this pervasively connected world.

Many of the legacy, pre-IIoT critical infrastructure systems we installed decades ago, when cybersecurity wasn’t even a “thing,” are still in use. We must ensure they are secured and, in turn, continually updated to shut the door on future attacks.

The role of standards

There is also an urgency for suppliers, designers, engineers, industrial plant operators/owners, third-party providers, integrators, standards bodies and government agencies around the world to adopt and adhere to cybersecurity standards for process control systems. One of those is IEC 62443, a rigorous standard for industrial automation technology that safeguards operations across multiple layers. Industrial safety systems should be ISASecure EDSA certified, the industry’s leading cybersecurity certification for control systems, safety systems and system components.

In addition to standards, it’s essential to look holistically at the current threatscape. Standards often advise a methodical, hierarchal approach to security, whereby vulnerabilities are ranked in order from high to low risk. When it comes to advanced persistent threats (APT), however, the full spectrum of vulnerabilities—from low to high risk—is likely being exploited simultaneously, so addressing them one at a time, in order of severity, is insufficient and risky. In addition to taking a wider-view stance, we can build effective defenses by finding and eliminating our most severe vulnerabilities, no matter how the risk is tiered. We can also scrutinize the techniques used by the APT groups and, in turn, defend against those attack vectors.

Addressing exposures

Effective cybersecurity programs must meet the business on business terms. The approach is straightforward. It involves using the previously mentioned standards to understand just what “secure” means, to assess cyber-preparedness, to understand the risks and to build a plan that will mitigate those risks.

Kling

By understanding the cyber risks, an organization can contextualize them financially, translating them into risk reduction terms that business decision makers comprehend and will support. A risk management plan is already a fundamental tool in the business world. Industrial organizations need to use them too.

Theory vs. reality

Cybersecurity isn’t limited to a single company, industry or region. It’s an international threat to public safety that can only be addressed and resolved through collaboration that crosses borders and competitive interests.

In the face of increasingly bold, complex attacks, every government agency, vendor, end user, third-party provider and systems integrator needs to take part in open conversations and drive new approaches that allow installed and new technology, as well as the industrial workforce that relies upon them, to combat the highest level cyber-attacks.

We have the means to ward off attacks, as well as to build and advance a resilient “detect and response” cybersecurity strategy across all levels of an industrial enterprise. But it requires immediate, collective action. Let’s not wait for a catastrophe to make this happen.

About the essayist: Andrew Kling is director of cybersecurity and system architecture, Schneider Electric.

###

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone