With the newest rounds of cyber attacks making it clearer and clearer that industrial control systems (ICSs) and critical infrastructure are not just a side dish on the menu but indeed a main course, it might be natural to assume that the best course of action is to disconnect altogether. But digitalization offers too much promise—and is too central to a competitive stance in the marketplace—to consider ditching for even a moment.
If manufacturers are going to willingly embrace an increasingly digital future, there needs to be a substantial foundation of trust.
“At the core of digitalization is indiscriminate trust. But the latest wave of cyber attacks has eroded that trust,” said Leo Simonovich, vice president for global cybersecurity at Siemens. “This is especially true in infrastructure, where the benefits and risks are so great.”
Several experts gathered this week in Chicago to discuss the best way to gain the level of trust needed and to get a better understanding about how industry should be approaching cybersecurity. Digitalization and cybersecurity are two sides of the same coin, the panel of experts argued during Siemens Innovation Day, held at the Digital Manufacturing and Design Innovation Institute (DMDII).
Siemens’ goal is to bring the two sides of that coin together, noted Roland Busch, chief technology officer at Siemens and a member of its managing board. “We must not allow that any attacks or weaknesses in cybersecurity are slowing down the process of getting digitalization into the market,” he said.
Plenty of pressure is on the automation suppliers to make their products secure by design, but there was a certain level of admonishment directed toward customers as well. Though 2017 could be considered the year of mega attacks, most of those attacks could have been prevented, Simonovich noted as moderator of the panel.
Amit Yoran, chairman and CEO of Tenable, agreed. “If you look at pretty much all of the high-profile attacks,” he said, “so many of them were very preventable.”
Yoran, who was founding director of the US-CERT program in the U.S. Department of Homeland Security, referenced Equifax CEO Richard Smith, who stepped down following the backlash over the massive breach of his company’s data. Yoran scoffed at Smith’s contention of how difficult it is to defend against nation-state organizations. “Many organizations are not doing the basics very well,” Yoran said. “There’s a tremendous difference between the ability to succeed and the high probability of failure.”
During continued discussion after the panel presentation, Yoran was very clear: “The people who are getting compromised are the people who are negligent.”
About those people
In fact, much of the vulnerability comes from the human side of the equation rather than the cybersecurity tools themselves.
Good cybersecurity requires a wholesale change in attitude, Busch indicated. “First and foremost, we have to have the right spirit,” he said. “We have to start with the people and processes because the mindset makes a difference.”
But even with the right attitude, there is a basic shortage of some 3.5 million cyber professionals, according to Cybersecurity Ventures. The problem is likely even more acute on the operations (OT) side, Simonovich added.
This issue is “incredibly critical,” said Sid Snitkin, vice president and general manager of enterprise services for ARC Advisory Group. Industry has moved beyond the cybersecurity awareness problem that it used to have, and most companies have invested in protective technologies. “But they can’t maintain it because they don’t have the people, and the people they have don’t have the knowledge,” Snitkin said. “It gives them a false sense of security. They think, ‘I’ve bought all this technology, so I must be secure.’ But they’re not.”
Though suppliers are building secure systems, that’s just one step along the way, Snitkin noted. “That’s where these small companies in particular are hurting,” he added. “There’s no way those small companies can get the expertise to maintain these things.”
To be as secure as big companies, the small guys need to accept a different strategy in which they rely more heavily on outside services, he argued. “Vulnerability could be completely outside the scope of what these companies are doing,” added Sami Nassar, vice president of cybersecurity at NXP Semiconductors.
“Small companies don’t have a chance at all to get the internal competence to a level they need,” Bosch said, adding that the same is true to some extent for larger organizations.
Part of the effort to improve security comes through collaboration—among vendors, customers and more. It requires an ecosystem rather than a one-vendor solution, commented Nassar. “A multitude of companies need to work together for something built for reliability,” he said, noting that that was a key reason that NXP signed on as a founding member of the Charter of Trust, a collaborative cybersecurity effort initiated by Siemens. “It’s an aggregation of capability for a platform. We will be able to collaborate around verticals and can set at least a minimum level of security.”
Security built in
Rather than model industrial networks on the Internet, it’s important to look into what went wrong with the Internet, Nassar said. “There are more and more hacks going into it every day,” he said. “It was not meant for cybersecurity. The architecture itself was not built with cybersecurity in mind.”
Nassar contrasted that with the cell phone infrastructure, where security was built in. “They thought about how to secure the platform before they built it,” he said.
In the same way, industrial networks need to be secured from the start. “At the get go, it’s much more cost-effective, much more efficient,” Nassar said. “One common denominator of the high-security network is they start the security from the lowest level possible. Security is built from the bottom up, not added on the top.”
This basic blueprint of trust is what is needed. “Vulnerability comes typically from the higher levels,” Nassar said. “If you don’t have a good anchor at the bottom, it will be very expensive to secure later on.”
“People need to think about cybersecurity as a core feature rather than just something you have to have,” Busch emphasized. “The whole thing starts with a proper, trusted system.”
Security by design or security by default are good starting places to build the trust with customers, but it’s not enough, Yoran contends. “The unfortunate reality is that nothing works. You can’t have cybersecurity period without a strong root of trust. But even these hardware roots of trust have challenges sometimes,” he said. “If you have secure componentry, that’s a good start. The challenge is when you’re connecting them in ways that weren’t expected; adding software that wasn’t expected. It starts behaving in ways they weren’t designed for.”
The reality is that the probability of your organization being attacked is pretty close to 100 percent, and there’s a high probability that there’s already some form of adversary in the system. So how should industry be building resiliency?
“You can’t protect everything equally. We know that’s a failed strategy,” Yoran said. “I believe the key here is all about risk management and prioritization. What is the core business? What are the mission-critical applications? How do we provide the appropriate level of determinism?”
Resiliency has more to do with being able to live through an attack, Snitkin argued. “Most of the cybersecurity technologies are defensive technologies. They’re reducing the likelihood that an attacker is going to get in,” he said. “That’s important. But what’s more important is how you’re going to react to an attacker.”
Two sides of a coin
Circling back to the idea of cybersecurity and digitalization as two sides of the same coin, panelists emphasized the good that can come from a reasonable level of care taken on security. “Security is the enabler for the Industrial Internet of Things,” Snitkin said. “Don’t ignore the problem. You have that risk, but accept it and move on.”
“Security is just something that needs to be thought through,” Nassar said. “It’s not something to be scared of.”
There’s no escaping the need for connected assets. “Digitalization is a requirement,” Yoran said. “If you want to be in business next year, you have to go through digitalization. But you have to recognize that that doesn’t come risk-free. You have to keep systems at a level of hygiene and preparedness that we haven’t done in the past because we were in a disconnected world. That has to be the mindset.”