
Industrial Cybersecurity, The Fundamentals

By Alexandro Fernandez - Coca Cola FEMSA
Head OT Cybersecurity


By Alexandro Fernández | OT Cybersecurity Leader - Thu, 12/15/2022 - 12:00


In my previous article, The Rise of Industrial Cybersecurity, I wrote about basic definitions, presented some ICS cyber incidents, challenges and a call to action. In this article, I’m focusing on the fundamentals of industrial cybersecurity to make it easier to comprehend and to have the “big picture” of what is needed. There are other basic definitions and terms that must be understood in order to have a “clear picture” of what it means.

IT/OT Cybersecurity Objectives

It is important to understand the main differences in security objectives between information security (IS) and industrial automation and control systems (IACS). Both are based on the security triad but with a different focus. Information security is focused on confidentiality, integrity and availability (the famous CIA acronym). An information security strategy is related to business systems and information, starting with confidentiality, followed by integrity and availability of those systems and information.

Fig 1

On the other hand, in an industrial automation and control systems environment, the priority of these three security objectives is often different (as shown in figure 1). It is common to find availability as priority No. 1 because any interruption to the industrial process could cause economic or reputational damage to the organization. In second place, the integrity of the data is also important, depending on the circumstances, and in third place we find confidentiality as the lowest priority because there’s no PII or sensitive data that can be used by an attacker to damage the organization, but again, it will depend on the industry and the company’s cybersecurity posture.

OT/ICS Cybersecurity Standards

There are several cybersecurity standards and guidelines that can be very useful for protecting Operational Technology environments. For this article, I’ll just mention three of the most important and relevant ICS cybersecurity standards, although there are many more. These are:

  • ISA/IEC 62443: According to ISA (International Society of Automation) the ISA/IEC 62443 is a series of standards that defines requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS). These standards set best practices for security and provide a way to assess the level of security performance. Their approach to the cybersecurity challenge is a holistic one, bridging the gap between operations and information technology as well as between process safety and cybersecurity.

  • NIST SP 800-82: This standard provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations, such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. There are three versions of this standard. The most recent is SP 800-82 Rev 3 (still considered a draft version), which provides an overview of operational technology (OT) and typical system topologies, identifies typical threats to organizational mission and business functions supported by OT, describes typical vulnerabilities in OT, and provides recommended security safeguards and countermeasures to manage the associated risks.

  • NIST CSF: The NIST Cybersecurity Framework (CSF) is one of the most widely adopted voluntary standards in use today. It is voluntary guidance (except for US federal government agencies) designed to help organizations manage and reduce cyber risks. This framework helps both internal and external organizational stakeholders better communicate about risk. It focuses on integrating cybersecurity efforts as part of a company’s risk management process, and its clear categorization of activities into five functions also makes it usable for OT/IT cybersecurity practitioners.

Nowadays, we see the existence of different guidelines, best practices and industrial cybersecurity standards, which is quite positive to help companies adopt any of these frameworks to have a starting point to create or strengthen their industrial cybersecurity program and move forward gradually in the implementation of controls (organizational, technical and people) that are justified and help mitigate the identified risks.

It is also relevant to understand that each company has its own particularities, its own risks and problems, which is why we can use these guidelines, best practices and standards to design and create a "tailor-made suit" that allows organizations to solve their problems and avoid falling into a situation of implementing all recommendations and/or controls, which is neither feasible nor recommended.

All of the above is very positive; however, today there is a deficit of people who have the technical skills and experience to help organizations design, implement and operate the different controls indicated in these frameworks. The good news is that there are different frameworks for different types of industries (water treatment, energy generation and distribution, oil and gas, dams, nuclear plants, manufacturing, telecommunications and emergency services to mention the best known) that, without any hesitation, can assist companies in these sectors to be better protected, or at least, it can help them mark a starting point.

Assets

According to ISO/IEC PDTR 13335-1 an asset is defined as “anything that has value to the organization, its business operations and their continuity, including Information resources that support the organization's mission.” In this sense, assets are the cornerstone of any cybersecurity program; they are the elements that we need to value and protect from internal and external threats. 

In industrial control systems, we can find different types of assets: PLCs, HMIs, Historians, OPC Servers, engineering workstations, RTUs, among others. These and other types of assets are defined and grouped by the ANSI/ISA 62443-1-1 standard into three classifications: physical, logical and human. The definition for each asset classification is:

  1. Physical: Includes control systems, physical network components, transmission media, rooms, buildings, material and any other physical objects that are involved with the control, monitoring or analysis of production processes or in support of the general business.

  2. Logical assets: They can include intellectual property, algorithms, proprietary practices, recipes, process-specific knowledge or other informational elements that encapsulate an organization's ability to operate or innovate. They can also include public reputation, buyer confidence or other measures that, if damaged, directly affect the business. It is important to mention that process automation assets are a special form of logical assets. They contain the automation logic employed in executing the industrial process and are considered in this type of asset classification.

  3. Human assets: This is the most important asset. It includes people and the knowledge and skills that they possess, associated with their production activities. Any accident or attack that injures a person would be considered as impacting a human asset and this is unacceptable.

The ability for organizations to properly and consistently identify and consistently manage data, personnel, devices, systems, and facilities based on their relative importance provides a foundational capability to support an organizational cybersecurity program. These assets should be identified and protected in terms of their value and importance to the organization. 

In my next article, I’ll do a “deep dive” into the importance of the asset management practice, and how this practice can (and will) assist organizations that manage operational technologies to take their first steps for protecting their automation and industrial control systems.

Photo by:   Alexandro Fernandez
