Working towards developing ICS cyber defenses, as cybersecurity threats and attacks are here to stay

Prevailing complex, dynamic, and dangerous cyber threat environments have led CISA to keep its ‘Shields Up’ campaign in place for the foreseeable future. With this heightened alertness, public and private enterprises across the critical infrastructure sector must, among other things, reinforce their ICS cyber defenses and seize the opportunity to make fundamental improvements across their cyber ecosystem.

“This ‘new normal’ invites us to recognize that cyber criminals and nation-state adversaries will fail if we — the government at the federal, state, and local levels, industry, academia, non-profits, and all of us as individuals — work together to secure our networks, systems, data, and way of life from cyberthreats,” Jen Easterly, director of CISA, and Chris Inglis, the National Cyber Director, wrote in a recent op-ed post.

With the complex and vulnerable network of industrial control systems (ICS) forming and running critical infrastructure, manufacturing, and related industries, it is paramount to shore up ICS cyber defenses. The move gives organizations in the critical infrastructure sector a window of opportunity to implement a risk-based approach to securing ICS hosts and networks, and protect these systems against attacks without interrupting normal operations.

With U.S. security agencies adopting the Shields Up strategy as the new normal in cyberspace, Industrial Cyber touched base with industrial cybersecurity sector experts to assess the role ICS cyber defenses will play in sustaining operational resilience across ICS and OT networks.

Jeff Zindel, vice president and general manager of the cybersecurity business at Honeywell Connected Enterprise

“ICS assets and OT/process control networks are some of the most critical components to secure in organizations because of the potential disruption to production, and in the worst-case scenario, safety and environmental-related impacts from hacking,” Jeff Zindel, vice president and general manager of the cybersecurity business at Honeywell Connected Enterprise, told Industrial Cyber.

“ICS cyber defenses can be made more resilient by focusing on OT cybersecurity fundamentals to reduce risks,” according to Zindel. “This means having a comprehensive and enterprise-wide OT cybersecurity risk reduction program such as OT cybersecurity vulnerability assessments at least annually, secure remote access, the implementation of technology to scan removable media, and implementing 24/7 continuous monitoring and alerting to better detect and respond to threats,” he added.

Leo Simonovich, Vice President and Global Head, Industrial Cyber and Digital Security, Siemens Energy

As geopolitically and financially motivated cyberthreats increasingly target the energy sector’s critical infrastructure systems, cooperation and coordination between the federal government and the private sector through programs like DHS’s ‘Shields Up’ campaign are now a core component of the industry’s collective defense strategy, Leo Simonovich, vice president and global head for industrial cyber and digital security at Siemens Energy, told Industrial Cyber.

“Leveraging the government – and security agencies like CISA in particular – helps the energy industry prepare for new and emerging cyberthreats, improve information sharing, prioritize cyber hygiene, and bolster resilience capacity and incident response capabilities,” according to Simonovich. Collective defense programs help CISOs prepare for ever-evolving threats to the IT and OT systems that underpin the energy sector’s evolving digitally-driven business model and ensure that energy companies can coordinate security measures across their supply chain, identify anomalies more quickly, and maintain vigilance across their workforce, he added.

Ayman Al Issa, senior expert at McKinsey & Co., told Industrial Cyber that several trends together increase the risk of cyberattacks on critical infrastructure, and with it the complexity of protecting ICS: the growth in the extent and capabilities of well-funded state-sponsored attackers; the adoption of digitalization, IIoT, and IoT; the increasing integration between the plant and business floors for real-time data acquisition and data analytics; and the need for operational and maintenance services such as remote access to the plant floor.

Ayman Al Issa, senior expert at McKinsey & Co

“Industry and cybersecurity leaders, regulators, and legislative bodies continue to work on approaches to protect the ICS, but questions remain about who owns the problem, who should be part of the solution, and whether we understand each other and talk a common language,” Al Issa pointed out.

“It is still not clear to organizations who owns the problem and who has the major responsibility for resolving it,” according to Al Issa. “Is it the security team’s responsibility, or the plant managers’, the operators’, the automation vendors’, the cybersecurity vendors’, the system integrators’, the legislators’, the COOs’, the CEOs’, or whose? Knowing who should be part of the problem is important, but realizing who should be part of resolving it is more important,” he added.

He also highlighted that most of those who talk about improving the security of ICS environments lean toward speaking about the cybersecurity technologies, processes, and people capabilities that could help improve the situation. In reality, however, the critical problem that has slowed or set back improvements in ICS cybersecurity can be summed up in a few words: ‘establishing a common language.’

“The first and most important step to enhancing ICS environment cybersecurity is to establish a common language and understanding between (1) the cybersecurity specialists and the automation control system engineers, (2) the CISOs and the plant managers, (3) the legislators and plant operators who know their plants or factories more than anyone else on the planet,” Al Issa said. He added that the guidelines, recommendations, and plans for improving ICS cybersecurity should pass through several filters, including, at a minimum, being precise, achievable, and prioritized.

Assessing how well equipped critical infrastructure owners, operators, and cyber defenders are with the appropriate ICS cyber defenses to increase adversaries’ time, costs, and technical barriers, Zindel saw a range of cybersecurity preparedness among critical infrastructure operators, with some further along in their security journey than others. “For example, organizations such as small utility companies may have lean teams with limited cybersecurity expertise and technologies. It is imperative for these organizations to understand their level of risk,” he added.

Zindel said that a cybersecurity assessment is a great starting point to determine the vulnerabilities and risks in their OT assets and networks. “Once they are identified, these issues can be mitigated through appropriate remediation depending upon their risk appetite and security budget. Over the long term, proactive risk mitigation must be an ongoing activity,” he added.

Simonovich said that in the next several years, 2.5 billion new industrial devices would likely be connected to energy infrastructure. “A digitized energy industry is ‘the lynchpin’ to an efficient, sustainable, and renewable energy ecosystem; however, it remains at significant risk of cyberthreats. To secure the energy transition, energy companies, utilities, and critical infrastructure operators need accessible, lower-cost solutions to provide full visibility and context to their systems. These solutions are critical in helping to detect, identify, and prevent cyber threats before they execute to both keep the lights on and keep customers safe,” he added.

Unfortunately, many energy organizations are not prepared to defend themselves against the increasing threat landscape, according to Simonovich. “Securing the energy industry’s digitally connected business model is a complex task that requires resources to scale and deploy monitoring and detection technologies. While some AI-based monitoring and detection solutions are deployed by global energy companies today, they are largely inaccessible to the vast majority of industrial companies. This not only puts small and medium-sized companies at higher risk of a cyberattack but also creates weak links in the energy industry’s increasingly digitally connected and networked environment,” he added.

Cybersecurity solutions that can be implemented in the OT environment should be tested and certified by the automation vendors before using them in the ICS environment, Al Issa said. “The increased collaboration between cybersecurity vendors and automation vendors during the last ten years helped to introduce the cybersecurity solutions within the ICS environment. However, the ICS system is stable in nature and changes are less compared to IT systems,” he added. 

According to Al Issa, cybersecurity solutions need continuous updates and testing before applying the changes. “This keeps the owners thinking many times before implementing security solutions within ICS systems and hence the automation vendors have an opportunity to provide cybersecurity services to help the owners.”

“Despite that, some critical infrastructure owners are very serious about protecting their control systems and have made very good efforts, like deploying firewalls between the plant and business floors, but it is easy to say that the majority of critical infrastructures are mostly not equipped with sufficient cybersecurity controls to make them very secure from cyber threats, and the journey is still so long,” Al Issa said. “Truthful collaboration and coordination are needed between all the parties that cover the ICS ecosystem to help enhance cybersecurity within ICS environments,” he added.

Looking into how initiatives such as the CWE/CAPEC program and the expansion of the Joint Cyber Defense Collaborative (JCDC) work towards bolstering ICS cyber defenses across ICS and OT networks, Zindel said that governmental coordination and knowledge-sharing alliances with the private sector, including industries such as utilities, are helping the industry understand the scope of threats and develop effective detection and response capabilities.

“Having a common language through CWE/CAPEC enables organizations to better identify threat patterns through defined ICS security weaknesses,” according to Honeywell’s Zindel. “Additionally, the Operational Technology Cybersecurity Coalition prepares organizations in securing critical infrastructure assets by working collaboratively with government agencies to best deploy data-sharing and response solutions,” he added.

Securing the energy transition will require the government and industry to apply the same attention historically focused on ensuring the reliable and affordable delivery of energy to the digital IoT system that now serves as the foundation of the energy sector, Simonovich said. “Collaboration, cooperation, and innovative public-private partnerships will be central to enhancing ICS and OT security across the energy sector,” he added.

Public-private partnerships focused on collective defense not only help improve information sharing and identify new and evolving threats and best practices, but also help build trust and drive innovation across the energy ecosystem, according to Simonovich.

“In 2020, Siemens started a partnership with the New York Power Authority (NYPA) to deploy and scale AI-based monitoring and detection solutions among small and mid-sized utilities operating critical infrastructure in New York State,” Simonovich said. “Leveraging public-private partnerships is essential for both the government and energy companies to develop new policy frameworks, strategically innovate methods of collective defense, and scale the monitoring and detection technologies needed to protect the industry,” he added.

Al Issa said that the interest groups, forums, and initiatives addressing ICS cybersecurity are as important as those focused on protecting the environment. “There are many standards and guidelines that are focused on cybersecurity (e.g., ISA99/IEC 62443, NIST 800-82, the Industrial Internet Consortium, etc.). However, we should also focus on providing a message about protecting the ICS environment that can be understood by the plant operator, manager, COO, CEO, or factory floor worker,” he added.

While organizations should develop an ICS cybersecurity strategy, policies, guidelines, risk management, etc., there are steps they should not wait to take, Al Issa said. His list began with knowing what the organization has in the house: a clear list of ICS assets, with a good inventory of the systems and their versions, makes it easy to know what needs to be protected. He also recommended ‘checking if the rats are already in your house,’ using threat detection solutions to find out whether there are already threats inside the ICS environment.

Al Issa also advised knowing ‘your doors and windows and fixing the proper locks’ and being prepared for the worst. He further proposed conducting regular risk assessments by experts who learn the OT environment, contacting automation vendors to find out which security solutions they certify for ICS environments, and ‘test and test and test’ all solutions and updates before applying them to the OT environment, making sure that the automation vendors certify the solutions.

Finally, Al Issa suggested inviting the plant manager for a cup of coffee. “CISOs should visit the plants/factories and ICS locations and spend a few days in each plant to establish a collaborative relationship with plant managers and understand the environment they need to protect. They all should work together to promote cybersecurity awareness from CEO to COO to all stakeholders,” he concluded.
