Book Excerpt + Q&A with Author of Industrial Cybersecurity


This ISA author Q&A was edited by Joel Don, ISA’s community manager. The second edition of Industrial Automation and Control System Security Principles contains a significant amount of new and enhanced content, covering the latest advances in cybersecurity and critical infrastructure protection from industrial, governmental, and commercial sources. The book is authored by globally recognized security expert Ronald L. Krutz, Ph.D., P.E., CISSP, ISSEP.


Q. Why were you compelled to publish an updated edition? What differentiates the second edition from the initial version?

A. I wanted to cover the latest thinking and approaches to industrial automation and control system (IACS) security.  This new edition addresses the most recent, formal methods and their practical applications to IACS security.  The book is able to describe the latest advances in cybersecurity and critical infrastructure protection from industrial, governmental, and commercial sources, and show how they can be practically applied to protect IACS.


Q. Could you outline, in specifics, the new and enhanced areas of content in the second edition?

A. The second edition of my book contains a significant amount of new and enhanced content. This was needed to cover and describe all the significant technologies and methodologies that have been developed since the publication of the first edition.

There is an entirely new chapter, Chapter 9, on emerging approaches to industrial automation and control system security. The new content includes such topics as the Internet of Things (IoT), the Industrial Internet of Things (IIoT), the Open Platform Communications Unified Architecture (OPC UA) (IEC 62541), Industry 4.0, the OWASP “Internet of Things Top Ten”  security categories, Big Data Analytics, the NIST Big Data Interoperability Framework, the NIST Framework for Cyber-Physical Systems, the NIST Framework for Improving Critical Infrastructure Cybersecurity, and Software-Defined Elements.

In addition, Chapter 6 has been significantly updated to include the new versions of NIST Special Publication (SP) 800-53 Revision 4, “Recommended Security Controls for Federal Information Systems;” NIST Special Publication 800-82, Revision 2, “Guide to Industrial Control Systems Security;” and North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cybersecurity Standards, Version 5. As in the previous edition, it also includes coverage of ANSI/ISA-99.01.01-2007, “Security Technologies for Industrial Automation and Control Systems;” Department of Homeland Security “Catalog of Control Systems Security Recommendations for Standards Developers;” Advanced Metering Infrastructure (AMI) System Security Requirements; and a tabular Consolidation of Best Practices Controls for Industrial Automation and Control Systems.

Chapter 5 has been updated to include coverage of the latest attacks on critical infrastructure systems.  In addition to Stuxnet, the overview of malware includes the Shamoon Trojan Horse, Flame modular computer malware, the Norway cyberattack, and Havex.

Chapter 8 includes updated coverage of NIST SP 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations;” in applications to Industrial Automation and Control Systems, The Smart Grid Maturity Model (SGMM); and the Introduction to NISTIR 7628, “Guidelines for Smart Grid Cybersecurity.”

I also have added a new appendix, Appendix B, to the second edition. This new appendix comprises ICS Supplemental Guidance for NIST SP 800-53 Security Controls.

The new and updated chapters also include revised end-of-chapter review questions.

Q. What areas of new and enhanced content would you particularly want to highlight and encourage readers to focus on?

A. I point out the following sections and topic areas as being particularly valuable and informative.

  • Industrial Internet of Things (IIoT)
  • The Open Platform Communications Unified Architecture (OPC UA) (IEC 62541)
  • Industry 4.0
  • Big Data Analytics
  • The NIST Big Data Interoperability Framework
  • NIST Framework for Cyber-Physical Systems
  • NIST Framework for Improving Critical Infrastructure Cybersecurity
  • NIST Special Publication 800-82, Revision 2 “Guide to Industrial Control Systems Security”
  • NIST Special Publication (SP) 800-53 Revision 4, “Recommended Security Controls for Federal Information Systems”
  • Coverage of latest IACS malware


Meet The Author
Ronald L. Krutz, Ph.D., P.E., CISSP, ISSEP, is a scientist and consultant specializing in cybersecurity services. Dr. Krutz is chief scientist for Security Risk Solutions, Inc. in Mount Pleasant, S.C. He has more than 30 years of experience in industrial automation and control systems, distributed computing systems, computer architectures, information assurance methodologies and information security training. Dr. Krutz has served as: a senior information security consultant at Lockheed Martin, BAE Systems, and REALTECH Systems Corporation; an associate director of the Carnegie Mellon Research Institute; founder and director of the CMRI Computer Engineering and Cybersecurity Centers; a faculty member of the Carnegie Mellon University Department of Electrical and Computer Engineering; and a lead instructor for (ISC)2 Inc. in its Certified Information Systems Security Professionals (CISSP) training seminars. He authored the book, Securing SCADA Systems, and three textbooks on microcomputer system design, computer interfacing and computer architecture. He holds seven patents in the area of digital systems, and has published a variety of technical papers. Dr. Krutz also is a Senior Fellow of the International Cyber Center of George Mason University and a Senior Life Member of the IEEE. He earned bachelor of science, master of science, and doctorate degrees in electrical and computer engineering, and is a registered Professional Engineer in the state of Pennsylvania.


Protecting the Operational Integrity of Industrial Infrastructure

This excerpt is from the November/December 2014 issue of InTech magazine and was written by Clemens Blum, executive vice president of industry business at Schneider Electric.

New powerful and capable industrial control systems and software solutions have created more opportunities for manufacturers to pursue and achieve greater levels of efficiency, performance, and profitability. Businesses now have more data to measure and analyze, as well as more opportunities to use that data to drive efficiency. This greater interconnectivity between systems and software has also enabled producers to be more agile, particularly in reacting to changing business variables and process conditions.

But these new offerings and capabilities have also created new business vulnerabilities. As manufacturers apply technologies, they must ensure they are not jeopardizing the operational integrity of the plant. Operational integrity is simply the unhindered ability of the system and plant to remain sound and to continue production. In other words, operational integrity means safely and securely mitigating and eliminating threats to business continuity, while meeting or exceeding production targets.

New technologies deliver vital information

Producers are correctly looking at the promise new technologies bring, namely the ability to use real-time information to better understand their resources, improve how they control costs and business variables, and increase their profitability. The need for real-time operational data to achieve this “promise” has propagated the use of commercial off-the-shelf  information technology solutions in industrial environments and shifted the industry toward “connected” network solutions. Now with the Internet of Things, Big Data, and other emerging trends, connectivity has reached a new level of focus in the discussion, as well as in investments. Because almost everything can be connected to anything from anywhere at any time—at a low cost—new opportunities for improving business processes and performance seem unlimited. For example, at its Rabigh, Saudi Arabia, refinery complex, Rabigh Refining & Petrochemical Company implemented a plant information management system, fully and tightly integrated with its control, SAP, and other production and corporate business applications, to optimize output, improve quality, and increase overall business performance. The solution covers the entire refinery and petrochemical complex comprising 23 plants.

But regardless of what that new technology and better connectivity promise for improving business performance, eliminating and responding to potential risks to operational integrity must continue to be the number one priority. Control systems, especially in the continuous process industries, are critical, not just for driving efficiency and ensuring there is no loss of production, but also for ensuring the safety of the company’s assets, people, and environment. Off-the-shelf solutions and higher, more frequent interconnectivity have increasingly exposed industrial control systems to malware and security threats that traditionally target commercial systems. For example, since the Shamoon attack, the preferred target for cybercriminals seems to be the energy sector, where incidents have increased 52 percent since 2012.

Adding layers of protection

Therefore, when deciding when and how to implement or upgrade an industrial control system, the focus cannot be entirely on how newer technology helps achieve production goals. Companies must investigate and understand what and how many layers of protection wrap the system. Those safeguards will enable everyone in a plant to fulfill their roles more effectively. People on the process-connected side of the system will be better able to do their jobs, while those in the control-room side will be able to concentrate on operation performance, without worrying about risks to the integrity of the system.


About the Author
Clemens Blum has been Schneider Electric’s executive vice president, industry business, since 2010 and is responsible for the integration of Invensys, acquired by Schneider Electric in January 2014. At Schneider Electric, Clemens has served as general manager of the Berger Lahr Group, general manager of the SE Motion Group, and vice president, European division.


Taking the lead on the development of the cybersecurity framework


This post is authored by Terrence G. Ives, president of ISA 2013.

This is an exciting − and highly significant − time for the Automation Federation and its founding organization, ISA, in helping America take steps to combat the mounting threats of cyberattack.

The development of a national cybersecurity framework for the U.S. is well underway. Last month, a draft outline of the framework was released to the public, and an initial version of the framework is due to be unveiled this October.

The Automation Federation and ISA are taking active advisory roles in the development of the framework. At the request of the National Institute of Standards and Technology (NIST), selected representatives of the Automation Federation and ISA have participated in a series of NIST workshops charged with laying the groundwork for the government’s cybersecurity initiative. To date, three of four scheduled workshops have been held. The final one is to be conducted 11-13 September in Dallas, Tex.

Well before the president in February of this year called for a federal proposal on cybersecurity, the Automation Federation and ISA had been consulting with White House national security staff, U.S. federal agency officials, and members of Congress on the critical need to establish national cybersecurity standards, guidelines and compliance testing.

Since standards are widely viewed as essential to any effective cybersecurity initiative, the Automation Federation and ISA are strongly advocating the inclusion of the ANSI/ISA99, Industrial Automation and Control Systems Security standards − developed by a cross-section of international cybersecurity subject-matter experts from industry, government and academia. Because they apply to all key industry sectors and critical infrastructure, these standards represent a comprehensive approach to cybersecurity.

Putting widespread cybersecurity standards in place is vital since many of America’s industrial production settings and infrastructure environments are woefully under-prepared to address cyberwarfare. If industrial control systems and critical infrastructure − such as a power plant, water treatment facility or transportation grid − are attacked, the result could be significant equipment impairment, production loss, regulatory violations, environmental damage, and public endangerment.

Senior U.S. officials have expressed their concerns in recent months about the threat of a potentially destructive cyberattack. Last summer, more than 30,000 computers at the state-owned oil company Saudi Aramco were destroyed when a virus wiped data from the hard drives. The same virus also damaged computer systems at Ras Gas, an energy company in Qatar.

The development of a national cybersecurity framework is a significant first step in addressing America’s cyber risks, and helping owners and operators of critical infrastructure identify, assess, and manage cyber threats.

As ISA president, I’m proud and honored to be associated with two organizations that are working so diligently to help safeguard our nation and citizenry. Please join me in recognizing the contributions of the many Automation Federation and ISA members and staff involved in this effort as we look forward to the completed draft of the cybersecurity framework this fall.

About the Author
Terrence G. Ives is the third-generation president and owner of Ives Equipment Corporation in King of Prussia, Pennsylvania, a process control manufacturing representative and stocking distributor. Terry has been actively involved in ISA leadership for many years. He has held numerous positions at the local and Society level including Society Treasurer, Executive Board Parliamentarian, Finance Committee Chair, Investment Committee Chair, District 2 Vice President, and Philadelphia Section President and Exhibit Chairman. He received a bachelor of science degree in industrial systems engineering from Ohio University.

How to Protect Water and Wastewater Facilities from Cyberattack

This guest post is authored by David Mattes, founder of Asguard Networks of Seattle, Wash. 

“If you aren’t scared yet, you haven’t been paying attention.”  So goes the aphorism for modern times, and it applies equally well to industrial cybersecurity.  Conclusive proof is hard to come by, but consider the supporting evidence: U.S. presidential executive orders, vulnerabilities markets for ICS, U.S. Secretary of Defense warnings of a “cyber Pearl Harbor”, extremely low patch uptake for ICS/IT automation components, vast and varied ICS CERT warnings, Internet census reports of huge populations of exposed ICS systems.  Before Stuxnet, stories like this just didn’t get any attention if they were even published.  All industries are affected.  Water and wastewater environments are no different, and in fact are particularly attractive to threat actors not only because they are the foundation of advanced societies, but because they are easy targets.

Because water and wastewater environments are critical infrastructure that have stringent availability and quality requirements, operators have a duty to protect these systems from cyberattack.  When trying to balance the surety with the risk, there are many challenges that have opposing forces, and network connectivity is a classic example of trying to make progress in one domain (e.g. reduced downtime), while backsliding in another (e.g. cyber risk exposure).

Despite the cybersecurity challenges associated with increasing connectivity, industry and government organizations are making steady progress.  How do you get caught up on the progress on security standards and best practices?  How does this progress turn into actionable steps you can take at your utility to strengthen the cybersecurity and increase the robustness of your industrial systems?  These are tough questions to answer, but ultimately this is where the rubber meets the road.  This is a big responsibility.  Are you up for it?  I hope so, because we all depend on you for our high quality of life.

To stay current, you have to get involved in the discussions that are happening. The hardest step is the first step. Beyond this, simply keep going. The ISA participates in the cybersecurity discussion with ISA 99, ISA Secure, and ISA 100. The U.S. government has some great resources, including ICS-CERT, ICSJWG, and NIST Special Publications (SP 800-82 focuses on ICS Security). If you work for a water utility, DHS offers free ICS Security training. SANS also provides training and resources (20 critical security controls). Most large North American electric utilities are regulated by FERC, and the CIP standards published by NERC are worthwhile reading, at least from the perspective of what may eventually happen in the water industry. Finally, there are various LinkedIn groups with active discussions about ICS security.

My cybersecurity focus is on standards and solutions for network segmentation, which seeks to reduce network connectivity to the absolute minimum. As Ralph Langner, the researcher who cracked the Stuxnet code, discusses in his book Robust Control System Networks, automation systems are not well-suited to large, flat and open networks. Network segmentation is about applying the principle of least privilege to network communications, and when it is implemented in automation networks, you can achieve environments that are more robust, resilient and secure.

The ISA TR100.15.01 document presents an architecture model that describes how to segment, secure, and manage communications over trusted and untrusted networks.  When combined with the IF-MAP and ICS Security standards from the Trusted Computing Group (TCG) and the Host Identity Protocol (HIP) from the Internet Engineering Task Force (IETF), a picture emerges of how to create scalable, manageable, industrial cybersecurity products that are a natural fit for water utilities.

What makes a good fit?  A security solution must be “secure by default,” easy to use, flexible to changing environments, self-documenting and integrate well with other defensive layers.  Most importantly, a security solution must support and enhance the availability, robustness and resiliency of the automation systems.  By supporting our water resources, you play a vital role in our great society.  As part of this responsibility, I challenge you to stay abreast of the cybersecurity issues and challenges facing your industry, and standards-based solutions that can make a real difference.  Together we can rise to the occasion.

David Mattes

About the Author
David Mattes founded Asguard Networks to create products that address the challenge of managing connectivity and information security for industrial control systems (ICS). Prior to Asguard Networks, David spent 13 years in Boeing’s R&D organization. At Boeing, David focused on ICS security issues, particularly on the challenge of segmenting connectivity for ICS devices into private networks and securely connecting them to and through Boeing’s enterprise networks. David was the co-creator and technical and implementation lead on an architecture that not only satisfied Boeing’s InfoSec governance and security requirements, but also met the needs of the end users. He received a master’s degree in electrical engineering from the University of Washington and a bachelor’s degree in electrical engineering from the University of New Mexico. Contact David at

ISA Develops Cybersecurity Resource Guide

Industrial control systems are often responsible for the monitoring and management of critical assets such as power generating facilities, water and wastewater treatment plants and transportation networks. Control systems in many industries have to remain operational 24/7 to meet operational and regulatory requirements. To address the increasing interest in securing private industry and public infrastructure, ISA has developed a comprehensive resource guide to its cybersecurity resources. ISA offers a variety of training courses on industrial cybersecurity as well as books and reference publications. Training classes and ISA technical resources are based on the ISA99/IEC62443 standards. In addition, ISA is developing a certificate program in cybersecurity.

After the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce requested information from stakeholders on the Cybersecurity Framework, in early April the Automation Federation submitted comprehensive responses from both the ISA99 standards development committee and the ISA Security Compliance Institute (ISCI). A wide range of government agencies, industry groups, private industry representatives and security specialists are participating in developing the Cybersecurity Framework, called for in President Barack Obama’s Executive Order to reduce the growing threat of cyber-attacks on the nation’s critical infrastructure.

To ensure ISA members are aware of the full complement of available cybersecurity resources, ISA staff compiled the resource guide featuring short descriptions and links to course offerings, publications and services. In addition, ISA members can join the ISA Safety and Security Division to stay up-to-date on industrial cybersecurity and process safety.

The ISA99 committee continues to develop additional standards and technical reports in the ISA-62443 (IEC 62443) series, several of which will soon be circulated for review and comment.  The Automation Federation also plans to offer a free webinar on Monday, Aug. 5 to discuss its ongoing support for the NIST Cybersecurity Framework.
