What Automation Users Need to Do RIGHT NOW: Preparing for the Inevitable Cybersecurity Incident

This article was written by Marty Edwards, managing director of the Automation Federation.

With the ever-increasing drumbeat of cyber-attack pounding louder and louder in the background, organizations utilizing automation systems of any kind need to take proactive, defensive steps immediately to avoid significant business disruption and lost revenue.

Normally, I would be preaching the gospel of the NIST Cybersecurity Framework, the foundational elements set forth in the ISA/IEC 62443 standard, and the virtues of a sound risk assessment methodology. Although these methods have significant merit and need to be part of a comprehensive cybersecurity strategy, they simply take time to implement – in fact, many companies just beginning their cybersecurity journey don’t know where to start.

Search no more. Start here.

With advanced intrusion campaigns such as “CRASH OVERRIDE” in the Ukraine, rising numbers of attacks against critical infrastructure companies in the United States, and ransomware now becoming a household word globally, organizations must take priority action immediately to prepare for the inevitable. You will be attacked or infected… it is only a matter of time – and only by acting now can you minimize the resulting damage and reduce the spread of infection.

Almost every risk assessment or forensics review of an incident that I have ever seen in my career points to a common theme – lack of understanding of what systems are important, and proper network segmentation of these mission critical Operational Technology (OT) systems from other enterprise systems such as corporate Information Technology (IT) systems.

I urge companies to find out:

  • What are your most important business, and therefore, system functions?
  • Where are these so called “Crown Jewels”?

Once you have identified that system or systems (it should be a small number), you need to protect them – and fast.

Step One: Disaster Recovery

For these critical systems, make absolutely sure that you have implemented a disaster recovery plan, including critical hardware spares. Most importantly, be sure that you have recent, relevant, functional backups of the entire system, including operating systems (OS), application software, engineering and configuration files, etc. All backups should be kept “off the network,” meaning don’t just copy them up to a file server and forget about them. Recent ransomware attacks have spread automatically across networks and many organizations have found out about those interconnections the hard way once their only backups got encrypted and held for ransom, too. Until you have a systematic process in place to perform and test these backups, by performing a full restore once in a while from offline media, and ensuring their functionality – do not pass go, do not collect $200.

Step Two: Network Segmentation

Now, this might not be as easy as it sounds, and will require some – perhaps extensive – re-engineering of your networks, but I did it over 15 years ago in the pulp and paper industry simply by grouping equipment in logical groups by plant area, function and vendor. DCS Vendor A equipment all goes on this network. Paper machine automation systems all go on this other network. PLC maintenance and configuration equipment all goes on yet another network… you get the picture.

With the help of your vendors, map out the required data flows between or out of these networks, and keep those data flows to an absolute minimum. In fact, your network design should consider what data needs to go where, so tweak the design if necessary. Bring your new networks together at a common demarcation point using firewalls (the so called “De-Militarized Zone – or DMZ.”) For the most critical of systems, consider using fiber optics and physics based unidirectional gateway devices to ensure that information can only flow one way, and would be intruders are guaranteed not to have an access path through the network connection. Most importantly, log the data that crosses these network boundaries (including refused connections) and review the logs routinely for anomalies.

With your networks appropriately separated into manageable and appropriately connected parts (what ISA/IEC 62443 calls “Zones and Conduits,”) you can begin to systematically implement other cybersecurity improvements, such as vulnerability and patch management. Having like devices and systems grouped logically in this way will allow you to make changes more quickly, without the added complexity and risk of affecting the operation of other formerly connected systems that are now on their own network.

At this point, I recommend against allowing any kind of remote access into these networks or systems. If it is important enough to fall into the “Crown Jewels” category, it is important enough to call someone to walk over to a dedicated terminal to make required changes at 2 a.m. Why are you making changes at 2 a.m., anyway? Over time, as your cybersecurity plan matures, you can implement remote access systems utilizing two-factor authentication. These systems are activated by authorized and trained personnel, only when needed, and all connections are monitored, recorded, and logged for forensics purposes.

The Bottom Line

These initial two steps, if taken now, will significantly lower your risk from an external network based cyber-attack.

Yes, there are many more steps to take in an overall cybersecurity strategy, and other threats to address, such as insiders. However, by taking these steps first, you will have accomplished what many have not and begun your journey down the pathway of sound cybersecurity management.

For additional resources, see the cybersecurity resources page on the Automation Federation website at

http://www.automationfederation.org/Resources/IndustrialCybersecurityResources. For additional information, training, and resources around ISA/IEC 62443, visit www.isa.org/cybersecurityresources.

About the Author
Marty Edwards is managing director of the Automation Federation. Marty previously served as director of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an operational division of the National Cybersecurity and Communications Integration Center (NCCIC) in the Department of Homeland Security (DHS). He holds a diploma of technology in process control and industrial automation (magna cum laude) from the British Columbia Institute of Technology (BCIT), and in 2015 received its Distinguished Alumni Award. In 2016, Marty was recognized by FCW in its “Federal 100 awards” as being one of the top IT professionals in the federal government.

Connect with Marty:
48x48-linkedinEmail

 

Print Friendly, PDF & Email

, , , , , ,

Industrial Cybersecurity Updates

Join our mailing list to receive the latest cybersecurity news and updates from ISA and the Automation Federation.

You have Successfully Subscribed!