When most people think of cyber security risks, they think of credit card data being stolen by breaches of corporate networks and data centers, but there is an entire other area of computing which is vulnerable to cyber-attacks: industrial control systems (ICS) that run plant automation processes.
This need to bolster cyber security for ICS is not new—various organizations have been working on it for years. The threat of breaches to these systems gained a higher profile back in 2010 when it was found that a malicious worm called Stuxnet had been used to bring down nuclear enrichment plants in Iran. Wired magazine called Stuxnet the most menacing malware in history, and 60 Minutes has covered the threat of Stuxnet-style attacks on U.S. industrial infrastructure.
Concern over ICS-level cyber attacks on U.S. infrastructure prompted President Obama to sign an executive order in early 2013 on “improving critical infrastructure cybersecurity.” That order called for the National Institute of Standards and Technology (NIST) to develop a framework to reduce cyber risks to critical infrastructure, and the first version of the Cybersecurity Framework was released in February.
The NIST framework’s core elements span ways to identify, protect, detect, respond, and recover from cyber-attacks to industrial systems. It’s widely seen as a set of best practices and methods which can be used by owner/operators across many industries. But it’s by no means the only standard out there.
Another notable standard for ICS-level cyber security comes from the International Society for Automation (ISA) and the International Electrotechnical Commission (IEC), who have put forth the ISA/IEC 62443 series of standards covering cyber security for ICS. According to ISA, these standards are designed to mitigate the effects of cyber damage to industrial plant systems and networks, thereby preventing widespread plant shutdowns, operational and equipment failure, economic or environment disruption, and serious risks to the public.
In short, industry has guidelines that are now in place, and can be followed to help mitigate risks. Other resources also can help apprise owner/operators of risks, such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Web site under the U.S. Dept. of Homeland Security.
But how is industry really doing in taking actions which protect against ICS-level cyber threats?
One gauge of the state of ICS cyber-security readiness is an annual survey on cyber security conducted by Control Engineering magazine, whose readers are control engineers and industrial automation specialists, including programmable logic controllers (PLCs) and other types of automation.
The magazine’s latest survey results, highlighted in an April article, revealed both encouraging and somewhat troubling trends. First, the good news: nearly half the respondents rate the ICS cyber threat level in their organizations to be only “moderate,” while 29 percent rated it as “low.” Also encouraging is that one third of respondents said a risk evaluation had been performed within the past six months, and 29 percent said one had been done in the past 12 months, so the majority have recent assessments.
However, somewhat troubling was the 24 percent of respondents who said their organization has “never” performed a cyber-attack vulnerability assessment. This goes against the grain of recommendations from ICS experts, such as participants at an ARC Advisory Group’s forum who concluded, according to this alert, that “effective ICS cyber security risk management requires focused assessments.”
Cyber threats at the ICS level are always going to be with us. It’s doubtful there will be some “silver bullet” firewall technology that’s going to solve all risks in one swoop. However, on the positive side, there is progress being made on standards and guidelines such as the NIST framework.
“One thing we like about the NIST framework is that it’s not prescriptive, says Doug Clifton, global director of the critical infrastructure and security practice for Schneider Electric. “So it doesn’t tell our clients what they have to do—it makes suggestions on what they should do.”
Clifton, who is a certified information systems security professional (CISSP), and has authored a series of newsletter articles on ICS cyber security issues, sees the NIST framework as a useful guide for companies, especially those just getting going with ICS-level cyber security programs. He points to the assess/identify portion of the framework as a way to help companies figure out which aspects of their critical infrastructure should be the focus of protection measures. “The NIST framework provides guidance on building a plan and one of the first important steps is to figure out what is critical to your operations, because in cyber security, protecting everything is expensive,” says Clifton.
Schneider Electric offers many solutions at the ICS level, including “Secure Power” solutions that provide power reliability for industry and infrastructure. To find out more about Schneider Electric’s Secure Power solutions for industry, infrastructure, and marine, including the role of uninterruptible power supply (UPS), visit this Web page.