Increasingly, core operations and critical infrastructure are being digitized. And for good reason. The Industrial Internet and its close relatives, IIoT and Industrie 4.0, are enabling industrial companies to realize new levels of cost savings, efficiency, and asset availability.
But with all things good comes risk.
Fast-growing connectivity has sparked a rise in the number of new cyber threats over the last few years. The 2016 Industrial Control Systems Cyber Security Emergency Response Team (ICS-CERT) report showed that critical infrastructure in the United States alone experienced a 20% spike in cyber incidents from 2014 to 2015. Another 2016 study, commissioned by Wurldtech with YouGov, found that over 50% of respondents said they expected to see more attacks on their OT systems in the next 12 months.
That’s why it’s time for you to step up and take action to ensure you’re not exposed to an attack. We know that Industrial Control Systems (ICS) are complicated and that operational downtime has serious impact, which can make it hard to find opportunities to patch vulnerable systems. That’s why we believe system operators need a structured and comprehensive security approach. Here are five steps to improve your security posture—and your digital future.
Determine your risk
The first step is to know what’s at risk. You need a comprehensive understanding of system vulnerabilities and how they affect operations, as well as of the risks that your organization faces and how likely they are to occur. Also, regulatory compliance mandates should play an important role in developing your security plan. During security assessments, it’s important to think about industry-specific security regulations in order to ensure compliance and reduce the risk of increased costs in the future.
While the same ICS security solution won’t work for everyone, there is a process for establishing, designing, and implementing an industry best-practices solution that will make sense for you. Find an expert who can develop a prioritized mitigation plan and a practical approach to address all potential risks.
Make your plan
With your security assessment in hand, make your plan. Set a security foundation with best practices, policies, and strategies—better known as an ICS security policy. Be sure to include all the necessary team members to help with planning, developing, testing, and refining the implementation. Also, make sure you’re developing policies and procedures specific to ICS; these differ from your IT security policies and procedures.
While developing your ICS security policy, be sure to avoid the following mistakes that can lead to vulnerabilities:
- Lack of specific policies for control system security
- Inadequate employee security training
- Omission of regular ICS audits
- Lack of a disaster recovery plan (DRP)
Tighten security across your supply chain
An ICS policy that maps to your overall security plan should now meet your organization’s regulatory requirements. Now it’s time to extend it throughout the supply chain to harden your security posture. By incorporating robustness and security certifications into your procurement process, you will be able to drive change within the supply chain. Here’s what you can do to enforce security:
- System Security: Do the manufacturers of the devices you purchase embed security into the manufacturing process? They need to. Otherwise, you risk an attack being introduced through them. Using the security policy, ensure system devices support the desired security frameworks the organization has put into place.
- Third Parties: The most fundamental element of threat is deeply human. System operators need to make sure all of their staff, contractors, and consulting organizations that have access to the infrastructure are fully aware of the ICS security policy.
- Manufacturers: Manufacturers should provide alternative mitigation suggestions for use until patches are available and can be applied. Applying patches must be at the discretion and within the control of the system operator.
- Certification: Protect your business by working with manufacturers that offer certified, globally-recognized industrial process automation, control, and safety systems.
Invest to protect
While many automation operators invest in IT infrastructure mitigation tools, they tend to forget about ICS protection. This leaves critical infrastructure at risk, since traditional IT solutions don’t protect against ICS attacks. However, by using devices that are specifically designed to protect critical infrastructure, you can greatly reduce your exposure to these attacks.
Sell it up
A significant issue facing operators when it comes to security is not a lack of technical knowledge, but a lack of corporate support and appropriate governance for implementing security policies at the operational level. Be part of the solution to establish a culture that emphasizes security from the top down. Without corporate dedication to ICS security starting at the C-level, it is difficult to create and maintain long-term goals, obtain required funding, and execute best practices.
In short, weigh the consequences. The age-old adage remains: an ounce of prevention is worth a pound of cure. The risks of attacks are growing, but you should not wait to get hit. If it’s connected, it needs to be protected.