Is securing a plant simply becoming too complex?

This audio was created using Microsoft Azure Speech Services

Being one of the most established control system companies has its advantages when watching the cybersecurity landscape evolve. Our technology has powered and protected some of the biggest and most complex control systems in the world. What we see is an ever-changing cybersecurity domain. To grapple with this, we all face dense terminology, sophisticated and often well-funded attackers, and complicated defensive technologies. Is securing a plant simply becoming too complex?

Deciphering the lingo

Here is an example of typical formal language used to describe a vulnerability:
The CVSS vector string is (AV:L/AC:L/Au:S/C:P/I:P/A:N). It is described as – Remote File Inclusion allows an attacker to craft a specific URL referencing a web server, which, when launched, will result in the browser redirecting to a remote file via a Javascript loaded with the web page.

Trying to make heads or tails out of this kind of impenetrable language native to cyber-technology, and specifically cybersecurity circles, can be tough for the non-cybersecurity professional. It often leaves many people and organizations with limited understanding of the risks present in their systems. Yet, a thorough comprehension is exactly what is required in order to maintain system safety. These messages are directed to Industrial Automation Control Systems (IACS), as well as cybersecurity, professionals. Even though this particular example was chosen for its use of technical language, this type of message is quite common. Nearly 42% of all new vulnerability disclosures are rated as highly severe, a three year high [1]. Can we really afford to not be more plainspoken in our descriptions given that so many reports require the immediate attention of plant and cybersecurity staff?

Know your enemy

The same technology that provides unprecedented global connections and productivity also provides hackers with unprecedented opportunities for attack. Attackers of critical infrastructure may receive direction and support from rogue governments, from cyber-thugs ransoming access to your system, or just be self-motivated lone wolves out to wreak havoc. Whether their mission is to steal data, financial gain, disrupt operations, or destroy infrastructure, these attackers pursue their objectives by leveraging a wide range of nefarious tools and tactics that are increasingly easy to use. The barrier of sophisticated technology that used to limit who could become an attacker is crumbling. The result is an overall rise in the number of attacks [2].

Staying safe means constantly upping your game

At Schneider Electric, we rely on two fundamental approaches to mitigate security threats against our offers: 1) Development of security practices with formal testing and product validation – following world-class secure development processes, we ensure that strict development and testing disciplines are rigorously followed so that security, from concept to delivery, has meaning. 2) Defensive layers and air gaps – layers of defenses in the form of firewalls, network segregation, and virtual machines with limited visibility/access to the rest of the network. Tools and additional defensive mechanisms include intrusion prevention systems, anti-virus, security policy managers, etc.

This layered approach is a common defensive strategy in most cybersecure installations. It is also an approach that is reaching a saturation point. With every new avenue of attack, new countermeasures in the form of tools and mechanisms also appear. The sheer number of tools available today boggles the mind.

What can be done?

The bottom line is that attackers are growing in number and sophistication, defensive strategies to cover more and newer attack paths are becoming increasingly complicated, and the language used to discuss this critical topic is usually too technical for everyone but the most specialized experts, in effect creating one more barrier to comprehensively securing your plant.

So, what can be done to bridge this gap between what is truly a very technical field and those tasked with securing your plants? The good news is that critical infrastructure industries are getting the attention they deserve. As my blogging colleagues point out, the formula can be quite simple. In The Seven Pillars of Cyber Defense and Cyber Security: The Cornerstone of IIoT Adoption, some straightforward truths are laid out for an effective cybersecurity program. Leaders must balance two contradictory philosophical approaches when devising a security strategy. They must simultaneously “See the whole,” acknowledging that the entire network of systems that make up a plant is greater than the sum of its constituent parts, while also understanding that each individual element, each component, each system is fundamental to building a holistic defensive strategy.

By putting together a team that understands the “Why” goal of cybersecurity, i.e. risk management for the entire plant, and the “What” elements at risk, i.e. your plant’s assets, you will be well on your way to devising a plan for the “How.” When deciding how to secure your plant, choose a partner, internally like IT, or externally like Schneider Electric’s cyber-services teams, to guide you through the language and ever changing landscape. The antidote to the complexity lies in building the right team to tackle this problem. Leverage the expertise around you and don’t hesitate to bring in additional help where skill or experience gaps exist.

The cybersecurity landscape shows no sign of getting any easier to navigate. Following this guidance will help you manage the inevitable complexities on your path to securing your plant.

[1] Microsoft, 2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security

[2] Intel Security, McAfee Labs Threats Report, June 2016, Threat Statistics

 

Tags: , , , , , , ,