Here’s how to get everyone’s attention at a cybersecurity discussion: Say that some people think a cyber Pearl Harbor has already occurred, but that you think the real cyber Pearl Harbor is still to come because the cybersecurity breaches that have occurred to date have not involved the loss of life and impacted the economy as much as a full-on cyber Pearl Harbor will.
That’s how retired USAF Brigadier General Rudolf Peksens kicked off the first cybersecurity panel discussion at the 2013 ISA Automation Week. He then went on to say that if you are involved in automation, you are already involved in cyber conflict. “The bits and bytes in our systems have been weaponized,” he said, “and your systems are being penetrated at will.”
As someone responsible for automation use and application, if those two observations don't get your attention, I’m not sure what will.
The purpose of the panel discussion Peksens chaired at the event focused on how the government and private industry have been working and continue to work together to address critical infrastructure cybersecurity issues. If you're thinking you’re probably not a part of the country’s critical infrastructure, think again. Here’s the official list: chemical manufacturers, commercial facilities, communications, critical manufacturing, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors/materials/waste, transportation systems, and water/wastewater systems. Chances are, if you’re reading this, you are in or closely connected to one of these identified sectors.
Other members of the panel included: Samara Moore, director of Cybersecurity Critical Infrastructure Protection in the White House National Security Council staff; Eric Cosman, operations IT consulting engineer at Dow Chemical; Lee Lane, business director at Rockwell Automation; and retired USAF Lt. General Bob Elder. Elder was on the panel due to his position as research professor at George Mason University conducting research in the areas of integrated command and control, operational resiliency in degraded environments, strategic deterrence, and the use of modeling to support national security decision-making. Peksens, who led the panel, now works at iiGrowth helping companies adapt to cyber challenges. He previously worked in the defense industry for 15 years where he was most recently the director of strategic pursuits in the Raytheon Company's Network Centric Systems.
Less than a year following the release of the Obama Administration’s executive order 13636 to improve critical infrastructure cybersecurity and Presidential Policy Directive 21 aimed at critical infrastructure security and resilience, a great deal of groundwork in getting government and private industry to collaborate around cybersecurity has been laid. Much of that groundwork, according to Moore, has been focused on improving “the timeliness and quality of the information we share internally with other government agencies and with industry.”
This focus on information sharing is aimed at helping all players understand where security gaps exist and how to address them, Moore says. It is also aimed at sharing tips on how to best monitor for unexpected activities and have a plan in place for what to do when/if something occurs.
Eric Cosman of Dow Chemical explained that, through his work as vice president of standards and practices at ISA, he is an advocate for “the needs and constraints of industrial automation” and is focused on providing practical direction for industrial control system security to foster a collaborative response to create a comprehensive approach to industrial cybersecurity.
“The need for IT (information technology) and OT (operations technology) cooperation is most evident around cybersecurity,” Cosman said. By focusing on this interaction of groups, Cosman said he hopes to draw attention to the fact that human behavior is as critical to effective cybersecurity as systems are. “Cybersecurity is not all about technology,” he added.
Elder added to Cosman’s human factor comments in his discussion of a cyber ecosystem, which involves developing a “dynamic defense process that detects behaviors and indicates problems. Situational awareness for operators is critical to the success of the cyber ecosystem.”
As an example of the need for greater situational awareness, Elder cited the mass damage done as result of Hurricane Katrina in 2005. It wasn’t the hurricane that caused all the damage, he said, it was that some floodgates weren’t operating properly and key people weren’t aware of it. As a result, the floodwaters overcame the levies and submerged low-lying areas of New Orleans.
To help address end user knowledge gaps around industrial cybersecurity issues, Cosman noted that ISA has several efforts underway in addition to ISA 99 to certify cybersecurity capabilities of staff. He added that the Automation Federation also has a Security Compliance Institute that is “developing materials to assess compliance of technologies and, ultimately, systems and programs along the lines of IEC 62443 series.
There is also a good deal of private company cybersecurity certification in process,” Cosman says. As a result of the numerous ongoing efforts, he expects there will be some shakeout in widely accepted certifications as they develop.
In the near term, Moore added that input is still being sought from industry for NIST’s Cybersecurity Framework, developed to support the Administration’s executive order 13636. View information about the latest version of the draft and comment on it via [email protected].
