Back to the Future Cyber Security


Back to the Future Cyber Security A manifesto for Cyber Security and the Industrial Legacy

Introduction

Industrial facilities and infrastructure form the core of our economy and society. These advanced facilities require significant investments which need many years to generate a return on investment, and they are built to last for decades. Automation of these facilities and their equipment has been part of the modernization since Industry 3.0 and continues to advance with Industry 4.0. Behind this automation are Industrial Control Assets, mostly deeply integrated into the equipment they control. Industrial Control Assets include Programmable Logic Controllers (PLC), microcontrollers, industrial modular computer systems (IPC), robot control units, SCADA systems, and various other devices which combine software and hardware to control and automate processes.

Cyber Threats are increasingly causing significant damage to companies and organizations around the globe. With the increasing connectivity in industrial facilities and infrastructure, Industrial Control Assets become more exposed to Cyber Threats than ever before, and Cyber Threats continue to become more advanced at a continuously increasing pace. The main focus of Cyber Security is on IT Infrastructure. It is, however, crucial that Cyber Security for Industrial Control Assets becomes a top priority for companies and organizations to avoid damage to industrial facilities and infrastructure.

This is a 10-point strategy to implement Cyber Security and Cyber Resilience for Industrial Control Assets in industrial facilities and infrastructure.

1. Own and manage Cyber Security for Industrial Control Assets (ICA) at the highest level of the organization.
2. Embrace the principles of the Charter of Trust and implement a matching policy.
3. Create and maintain an ICA inventory, including all devices which connect to a network, are connected to a device which connects to a network, or could be connected to a network.
4. Implement and test a full ICA backup, recovery and Disaster Response Plan.
5. Create appropriate depreciation plans and maintenance budgets for all ICA based on the life cycles of these systems.
6. Allocate sufficient budgets (CAPEX and OPEX) to implement ICA Cyber Security measures as top priority.
7. Schedule (semi-) annual penetration testing of all ICA and ensure implementation of its findings.
8. Implement a semi-annual ICA Cyber Security education plan.
9. Develop Cyber Security standards and procurement requirements for all ICA purchases, projects and maintenance.
10. Ensure Continuous Improvement by focusing on the weakest link in ICA Cyber Security and resolving the issues.

Own and manage Cyber Security for Industrial Control Assets (ICA) at the highest level of the organization.

Industrial Control Assets are deeply integrated into the equipment and infrastructure controlled by these devices, and in most cases are understandably seen as part of the equipment and infrastructure. With the growing connectivity and digitization of our society, infrastructure and industrial facilities, most of these Industrial Control Assets have gradually been integrated into networked infrastructures to collect data, monitor processes or automate controls. The wind sensors at the airport, which are connected to the network and provide important but harmless information, can easily become a critical pawn to attack the airport infrastructure when under the control of hackers. The PLC that controls a melting furnace and can be administered through the network connection can cause serious risks for the operators and damage to the furnace when the wrong instructions are pushed from the network.

To recognize the true risk of cyber exposure of the Industrial Control Assets, it is important to change the mindset that Industrial Control Assets are part of the equipment they control. Cyber Security and Cyber Resilience for Industrial Control Assets need to be anchored with the Boards and Executive Leadership of all companies and organizations that own or manage equipment and infrastructure to ensure continuous priority on implementation of adequate protection.

Embrace the principles of the Charter of Trust and implement a matching policy.

The Charter of Trust, an initiative of Siemens AG, was introduced during the 2018 Munich Security Conference and offers baseline standards for Cyber Security. The Charter of Trust recognizes that the digitalization of our society, factories and infrastructure must evolve hand in hand with Cyber Security. The Charter of Trust offers 10 pragmatic strategic principles and commitments to achieve Cyber Security in the digital and highly connected world. Each company and organization will benefit from embracing these principles and implementing a matching Cyber Security policy.

For example, the Charter of Trust requires that companies must offer updates, upgrades, and patches throughout a reasonable lifecycle for their products, systems, and services via a secure update mechanism. A matching policy would require the selection of suppliers which fulfill this requirement. As the network of partners committing to the Charter of Trust continues to grow, companies and organizations can improve their Cyber Resilience by selecting vendors and service providers which either signed the Charter of Trust as partner, or commit to the principles of the Charter of Trust.

Resource: https://www.siemens.com/press/pool/de/feature/2018/corporate/2018-02-cybersecurity/charter-of-trust-e.pdf

Create and maintain an ICA inventory, including all devices which connect to a network, are connected to a device which connects to a network, or could be connected to a network.

Cyber Security and Cyber Resilience start with a full understanding of the assets which could pose a risk through cyber exposure, followed by regular assessment of their Cyber Exposure and level of Cyber Resilience. In most cases, the Industrial Control Assets are not fully included in the Network Device Inventory and Cyber Security evaluation beyond an initial registration of the assigned IP addresses of the first nodes connected to the network infrastructure. Various Industrial Control Assets provide connectivity options and protocols which go far beyond the IT view of networked connectivity and Cyber Exposure.

It is crucial that subject matter experts create and maintain a complete Industrial Control Asset inventory from the perspective of the available connectivity. This inventory should include all active and inactive connection options, including those physical connections which are used to update programs and settings of the devices. Special attention needs to be paid to those devices which have physical connections without the option to monitor modifications of programs and settings. Regular evaluation of the potential Cyber Exposure and Cyber Threats based on the Industrial Control Asset inventory should lead to the setting of priorities to increase Cyber Resilience and Cyber Security.

Implement and test a full ICA backup, recovery and Disaster Response Plan.

Industrial Control Assets typically consist of hardware, operating system or firmware, software or programs, and settings or recipes. Each of these components contributes to the capabilities to control or monitor the equipment. On the other hand, without any one of these components, the Industrial Control Assets cease to be able to perform their functions. Hardware components can be kept in stock or purchased on demand, provided that they are available when required. Even when kept in stock, it is important to monitor future availability to avoid issues once the stocked components are depleted. Unique or shared sets of operating systems, firmware, software, programs, settings and recipes can be kept on backup infrastructure in the same way this is commonly done with IT Infrastructure. Special attention needs to be paid to programs and settings which are installed through physical connections which have no exposure to the IT Infrastructure.

It is crucial to have a detailed Disaster Response Plan available which documents the procedures to restore Industrial Control Assets after breakdown or malicious activities to ensure a rapid return to normal operations. This Disaster Recovery Plan must include not only the technical details, like the storage location of the recovery files, but also Safety Instructions for the personnel responsible for the recovery operations.

Create appropriate depreciation plans and maintenance budgets for all ICA based on the life cycles of these systems.

Most Industrial Control Assets are managed as a component of the equipment or infrastructure they are integrated with. This commonly leads to depreciation planning and maintenance budgeting of the Industrial Control Assets based on the expected life cycle of the equipment and infrastructure. The equipment and infrastructure can have life cycles which extend into decades. The life cycles of the Industrial Control Assets, on the other hand, are significantly shorter, especially from a Cyber Security perspective. Although most Industrial Control Assets are just as reliable as the equipment and infrastructure they control, they still need regular updates, upgrades and patches to keep up with the high pace and advancement of Cyber Threat developments.

Vendors and suppliers of Industrial Control Assets set end of support timelines for their products, and it is crucial to plan the depreciation and replacement of Industrial Control Assets against these timelines as the ultimate maximum lifecycle, even if the devices themselves would still function flawlessly. As soon as updates, upgrades and patches are no longer available, there is no opportunity to respond adequately to Cyber Threats and the risk of malicious attacks increases significantly.

Allocate sufficient budgets (CAPEX and OPEX) to implement ICA Cyber Security measures as top priority.

Industrial Control Assets require appropriate maintenance and Cyber Security activities, which should include at least updating, training, penetration testing and evaluation, and timely replacement of devices which have reached end of life or end of support. In addition, these activities could include specialized Cyber Security consultancy services. To avoid constraints in fulfilling these requirements to implement and maintain Cyber Security and Cyber Resilience for the Industrial Control Assets, it is important that these activities are budgeted separately in capital expenditure and operating expenses, or at least separated from the equipment and infrastructure maintenance budgets. When Cyber Security budgets are available for the IT infrastructure, the budgets for Industrial Control Asset Cyber Security can be brought under the same responsibility to ensure a company or organization wide implementation of appropriate Cyber Security and Cyber Resilience.

Special attention needs to be paid when budgeting initial corrective actions in those cases where Industrial Control Assets have exceeded the regular lifecycle. Additional costs can occur when, for example, existing programs are not compatible with newer versions of equipment, or when additional components need to be replaced for the same reason.

Schedule (semi-) annual penetration testing of all ICA and ensure implementation of its findings.

Once awareness of Cyber Threats for Industrial Control Assets is established and Cyber Security and Cyber Resilience are implemented to protect equipment and infrastructure, a false sense of safety can easily arise. New and more advanced Cyber Threats arise at an increasing pace, and a sense of being fully protected will lead to a lack of attention and priority on continuously increasing Cyber Resilience and Cyber Security. As demonstrated in IT, regular professional penetration testing and evaluation of response and recovery plans are important measures to determine the effectiveness of the current Cyber Security measures and the corrective actions required to further increase Cyber Resilience. The most effective method of objectively establishing the real effectiveness of defenses, response and recovery plans is the RED TEAM method.

In those cases where regular professional Information Technology infrastructure penetration testing and evaluations are already established, it is recommended to add Industrial Control Asset experts to the team and scope to ensure that adequate expertise about the specific connectivity and protocols is available. Vulnerability findings of such penetration testing and evaluations should be scheduled to be resolved with the highest possible priority.

Resource: https://amzn.to/2nedax2

Implement a semi-annual ICA Cyber Security education plan.

The majority of cyber crime is enabled by users of systems and applications. Unawareness and lack of understanding of one's own responsibility are the main contributors to malicious access by criminal hackers. A false understanding that the IT Department is solely responsible for Cyber Security, combined with a lack of understanding of the risks, is the common denominator among users of digitized services and systems, including Industrial Control Assets. Without recurring Cyber Security Education, the users will continue to be the weakest link in all Cyber Security and Cyber Resilience efforts. This applies to the same extent to Industrial Control Assets as it does to Information Technology Infrastructure, especially in the process of digitalization where these segments increasingly become interconnected.

Educated personnel will not only understand the dos and don'ts, they will also be able to identify unwanted and potentially harmful activities by others. Especially the ability to identify unwanted activities has a proven positive impact on Cyber Resilience. Since Cyber Threats continue to develop and become more advanced at a staggeringly high pace, it is important to regularly repeat Cyber Security Education. This Education should reflect on new developments as well as on implemented methods and standards since the last training sessions.

Develop Cyber Security standards and procurement requirements for all ICA purchases, projects and maintenance.

The entire Supply Chain of Industrial Control Assets needs to accept the responsibility of ensuring that the minimum requirements of Cyber Security are fulfilled with each purchase, approved project and maintenance activity. This must include green field activities, repairs of existing Industrial Control Assets and retrofitting Cyber Security to the installed base. Purchase Departments validate offers and order based on the available standards and requirements in collaboration with the responsible departments. In the same manner as, for example, environmental requirements are documented and validated, it is essential that Cyber Security requirements and standards for Industrial Control Assets are documented and validated from offer to order.

In the field of Cyber Security, there is no moment in time where standards and requirements will not need to be reviewed and updated according to the latest developments of Cyber Threats. It is recommended that requirements and standards for Industrial Control Assets are reviewed at least once per year. In this context it is recommended to adopt the principles of the Charter of Trust into the requirements and standards for procurement of Industrial Control Assets and all related services.

Ensure Continuous Improvement by focusing on the weakest link in ICA Cyber Security and resolving the issues.

The majority of Cyber Threats are executed around the basics of the digital infrastructure and focus on the weakest link to gain access before aiming at the high prize targets. By infecting the weakest link with malicious software or gaining unauthorized access, the criminal hackers penetrate the lines of defense and work their way up to the real target. The Industrial Control Assets have multiple weaknesses in most manufacturing and infrastructure settings.

The first weakness most Industrial Control Assets have in common is the single line of defense of the network connection, which is solely controlled by a firewall for external access to the production network and therefore becomes a single point of failure once an Industrial Control Asset gets infected or exposed. Another highly common weakness is the lack of active monitoring of modifications and access to Industrial Control Assets, especially the physical connections which allow modifications of settings and programs without network connection.

Even though the less critical weakest links might appear to be of lowest priority, they are most likely the most vulnerable to malicious activities. Cyber Resilience can only be achieved by continuously improving the weakest links in the chain of Cyber Security.

Contributions and resources:

Ludmila Morozova-Buss is an advocate of Systems Thinking and recognized as top influencer for Cyber Security. Ludmila presented the Charter of Trust and its impact on the industry during the 5th Edition of Free and Safe in Cyberspace. Ludmila has a strong background in finance, communication and educational marketing, and advises global enterprises in these fields.
https://linkedin.com/in/ludmilamorozova

The Charter of Trust, an initiative of Siemens AG, was launched during the 2018 Munich Security Conference and offers baseline standards for Cyber Security. Siemens AG and the eight founding partners have been joined by several global vendors and the network continues to grow.
https://www.siemens.com/press/pool/de/feature/2018/corporate/2018-02-cybersecurity/charter-of-trust-e.pdf

Micah Zenko, author of RED TEAM: How to succeed by thinking like the enemy. Micah is a writer, researcher, red team consultant, and Whitehead Senior Fellow at Chatham House. In his book RED TEAM, Micah shows the importance of this very special kind of critical thinking, and the challenges companies and organizations have faced during implementation and execution of Red Team testing.
https://amzn.to/2nedax2

By
https://johannesdrooghaag.com/
https://twitter.com/drjdrooghaag
https://linkedin.com/in/johannesdrooghaag
info@johannesdrooghaag.com

About the author:, promoted in Applied Information Technology, Operations Management and Manufacturing, has a strong background in Industrial Automation, Process Improvement and Cyber Security. Besides various publications on these topics and contributions to the state funded technical research project Revista, Dr. ir Johannes Drooghaag has a long track record of successful implementations, coaching and consulting in Manufacturing, Industrial Automation, Operations Management and Cyber Security.