This article originally appeared May 9, 2019. To catch up on the latest cybersecurity collaboration, read "ISA Launches Global Cybersecurity Alliance."
Cybersecurity has become intertwined—inescapably—with so much of the technology necessary to move industry forward and help manufacturers remain competitive. The cybersecurity ecosystem has also become more intertwined. Hardly a week passes without news of a new partnership among various types of suppliers within this community.
Collaboration is essential to combat the enormous and persistent threat that nefarious cyber actors present to the industrial world. If industry is to protect its assets, people and surrounding communities, its stakeholders will need to put their heads together even more extensively than they’re already doing.
Because the bad guys are putting their heads together too. “They’re collaborating much better than we are,” says Jason Haward-Grau, chief information security officer (CISO) for safety and cybersecurity provider PAS. “There’s an unholy alliance between organized crime, governments and individual hackers. The integration challenge we have is much more difficult.”
Automation vendors are working continuously to better safeguard their products from the get-go. And news continues unabated about partnerships between those vendors and specialized cybersecurity providers like Claroty, Palo Alto Networks, PAS, and Nozomi Networks, to name just a few. But what about those automation vendors collaborating with each other?
Those big names in automation are often fiercely competitive with one another. But if industry is really going to safeguard itself from increasingly coordinated and sophisticated attacks, we might need every one of them joining hands in new and meaningful ways.
The interest is there, certainly. But so is the trepidation. Some are adamant about the need to share information more closely with one another but aren’t sure how to frame those alliances. Others don’t even feel particularly comfortable discussing the topic at all. But they all feel the pressure to do whatever they can to protect the castle.
“I want to see collaboration between vendors. Our system is connected to another vendor’s product, so each is at risk if either is attacked,” said Gary Williams, cybersecurity services offer leader for Schneider Electric. “So let’s come up with an agreed approach on R&D.”
It will be difficult, certainly, Williams concedes. “We’ve got to get rid of the competitive nature.”
Pressure from customers
There’s certainly interest throughout industry in getting more collaborative efforts together to fight off the threats, says Rob Putman, global lead on cybersecurity for ABB Industrial Automation. “There’s also pressure from senior leadership at customers,” he says. “They’re saying, ‘Can you guys please come together and at least speak to a common framework?’ From a customer and C-level perspective, I’ve heard that specific feedback.”
For critical infrastructure operators, putting pressure on vendors to work more collaboratively, Putman says, is tied to the holy trinity: availability, resilience, and safety. “On whether they perceive a threat to any of those three mandates,” he explains. “If they discover a vulnerability that we at ABB aren’t familiar with, how easy is it to fix?”
This is where trusted relationships within the vendor community can be particularly helpful. But those conversations need to proceed with caution. “The people who are really thinking about this are doing it from a place of integrity,” Putman says. “However, you have to put guard rails in place and define the relationship.”
Any communication channels related to sensitive cybersecurity information need to be clearly defined, agrees Camilo Gomez, global cybersecurity strategist for Yokogawa Electric. “It should be at the request of our end user,” he says. “The most difficult implications are for the asset owner, so the disclosure needs to be done by the customer.”
Claroty, a cybersecurity company that has forged partnerships with several automation suppliers over the past couple years, has a front-row seat for seeing the types of collaboration going on among vendors, according to Dave Weinstein, vice president of threat research for Claroty. “It’s more about the collaboration between vendors themselves and different authorities in this space—government entities that serve as central hubs of not just the analysis of threats, but coordination of vulnerability disclosure,” he says.
Automation vendors are proactively identifying vulnerabilities in the products themselves and sharing that information with government and non-government authorities. “It’s actually the most efficient model,” Weinstein contends. “If vendors got together and shared information on vulnerabilities with each other, it would probably fall into the wrong hands. And it wouldn’t get to the end user as quick as possible.”
On the IT side of the house, the Cyber Threat Alliance focuses on sharing threat information among companies and organizations in the cybersecurity field. The National Cybersecurity and Communications Integration Center (NCCIC) serves as a national hub for cyber and communications information. It integrates functions previously performed independently by the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
“On the vulnerability side, the model is working pretty well. It incentivizes third-party researchers to insert themselves into this process,” Weinstein says. “The security research community is an extremely benevolent community. Most folks just like what they’re doing and have a really serious belief to secure the world’s infrastructure. It works pretty well.”
VirusTotal, which serves as a public malware repository, is a great example of how researchers can come together for the common good, Weinstein says. “Sometimes malware can inadvertently proliferate into the wrong hands. But on net, those types of communities are positive for security of the ecosystem,” he says. “There’s a constant debate in terms of how much freedom should be allowed to the research community. I come down on the side of more, not less.”
PAS’s Haward-Grau comes down on the side of exercising more caution. He’s concerned, for example, that with VirusTotal, there’s no validation and no understanding of the implication of what’s being uploaded. For ICS-CERT, he sees a need to implement a registration system that would validate the credentials of those sharing information. “Sharing is good,” he says. “But lack of control of sharing can harm far more than it can hurt.”
Previously founder and director of Carnegie Mellon’s CERT Insider Threat Center, Dawn Cappelli comes from a background of information sharing. In fact, when she joined Rockwell Automation in 2013, she told them she’d only join them if they’d let her keep collaborating across the community. When she initially formed the insider threat information sharing group at Carnegie Mellon, there were only about five people involved. “It grew to more than 300 people from 200 companies,” she says. “Some of our competitors are members. I actually really like that. I can talk to my peers about similar insider risks that we both have to worry about.”
Now, as vice president of global security and CISO at Rockwell, she would love to be doing something similar with other CISOs at competing companies. “We’re all in this together,” she says. “If a nation state attacks one of our products, it’s just by luck they picked yours instead of mine.”
Cappelli points to the model of the Information Sharing and Analysis Center (ISAC), which assists federal and local governments with information pertaining to cyber threats. There are ISACs related to several different industries, including financial services (FS-ISAC), health (H-ISAC) and real estate (RE-ISAC). There are even ISACs for specific industries, such as automotive (Auto-ISAC) and oil and gas (ONG-ISAC).
Ideally, Cappelli would like to start an industrial ISAC. “The FS-ISAC is very mature. Big financial institutions are on the phone with each other, saying, ‘I just saw malware come in from this IP address; you’d better block it,’” she describes. “It’s worked in other sectors, and I think we need to get it to work in ours as well.”
The inability to do much of the same thing within the industrial sector really hit home when the WannaCry ransomware attack struck two years ago. “Who do I call? We know something’s happening out there, but what’s really happening? And how is it happening?” Cappelli wondered. “We were just reaching out to individuals just trying to get information.”
An area where competing automation vendors collaborate extensively is within standards, Cappelli notes. “We all have people on those committees,” she says. “We’re working together to define what are the standards to better secure our products.”
The Open Process Automation Forum (OPAF) is another example of industry collaboration, points out Tom Clary, director of global business communications at Schneider Electric. He sees OPAF—through which competing automation vendors are cooperating to develop a framework for seamless interoperability among their systems—as an apt model that could be applied to cybersecurity.
“We put the requisite strictures in place to go into a room to see what the future looks like without risking intellectual property. There could be the creation of some sort of body that looked like that,” Clary says. “It’s a way for Schneider Electric to go into the room with other vendors, with major customers, integrators, third-party providers, and say, ‘Look, this is what we found.’ We put that on the table for everybody to look and discuss and learn from that.”
It would not be simple, he says. “But I don’t think it’s impossible.”
There is an effort being made through OPAF itself to work collaboratively on the security of the system architectures being developed there. “OPAF is a good element,” Gomez says. “We’re working not only on the functional architecture that’s required and desired, but also include these things we’ve learned for security practices. The new generation will come with those things covered.”
Collaboration with the end user
And then there are the manufacturers themselves—which must take a certain degree of responsibility for working together with their vendors to secure their systems.
It’s a common misconception that collaboration needs to happen only among the vendors, Gomez insists. “There needs to be collaboration from all the players,” he says. “What good would it be to enable security if it’s not enabled by the owners?”
Automation vendors have a responsibility to ensure that their products are secure, Williams says. “What we cannot foresee is how the client is going to use our system.”
Schneider Electric has been widely praised for how transparent it was in the wake of the 2017 Triton attack on its Triconex safety system at a petrochemical plant in Saudi Arabia. At its Triconex User Group meeting this past October, Schneider execs were even more forthcoming—not only about exactly what happened but also their own frustrations with the situation.
In this case, there was really no collaboration going on between system designer and customer because the Triconex system was bought by a third party, which then delivered it to the client. The client had let maintenance and simple software upgrades lapse, but Schneider Electric had no way of knowing that. So while the petrochemical facility was a user of Schneider Electric’s product, it wasn’t a client, per se, of the automation vendor.
“This particular site was not receiving advisories,” said Steve Elliott, Triconex senior marketing director at Schneider Electric. “Nobody was caring for and feeding them.”
The incident also involved the customer not following some basic cybersecurity housekeeping steps. Williams was quite frank about the need for end users to take the steps necessary to protect their equipment. “If you do it properly, we wouldn’t be having this conversation,” he said at the Triconex meeting.
Schneider Electric has been part of a large effort working with standards bodies. “We hope that the next evolution of standards will actually encompass the lessons learned that we’ve had to go through for this incident,” Williams says.
“We have to work as an industry,” Elliott says. “We have to work together. I hate to say it, but that includes government. If we don’t define it, then we have to live with whatever lunacy they come out with. We have to work together to defeat the attackers.”