Rethinking Cyber Security for Industrial Operations

Cyber-security attacks and defenses both continue to escalate and grow in sophistication.

Aw 1570 1008 Industv
Fortunately for manufacturers, most of the attack energy to date has been directed at commercial targets and individuals. However, many of the same attacks and tools can affect businesses with critical industrial operations. Here, the situation is different.
 
Operations typically has different systems and risks, requiring a separate security community focused on these issues. This community has been working for many years, but problems persist. Furthermore, new requirements are emerging, and today’s established practices may not apply. Certainly, we must continue to invest in existing programs and initiatives, but we also need to identify persistent problems, examine new requirements and search for new ways to think about solutions.

There are many reasons to try to address cyber-security issues from a different perspective. The most compelling is that cyber-security activity is relatively mature, yet many industrial operations still live with high risk. It is time to rethink some issues to provide a context for refocusing some energy in more effective directions and to find a few new solution paths that recognize today’s trends.

Most installed control systems were not designed with security in mind, and a majority of traditional device protocols had no security provisions. Components were designed assuming either a trusted (isolated) environment or an environment in which other components implement various protections. Increasing sophistication of threats and insider threats constantly challenge these assumptions.

Craig Rieger, David Gertman, and Miles McQueen of Idaho National Laboratory proposed an interesting resilient control system (RCS) concept in an Institute of Electrical and Electronics Engineers (IEEE) paper for the Second International Conference on Human Systems Interaction, in May 2009. RCS includes the assumption of a malicious attacker, as well as other considerations not previously considered during control system design. The RCS concept provides a framework for expanding our traditional thinking about control systems and is worth exploring, at least from that perspective.

Cyber-security work has traditionally taken a design perspective in which protections are designed and implemented, people are trained and problems are handled as they occur. However, cyber security is really a very dynamic activity where speed of execution and consistency is critical to success. Furthermore, many of these activities cross organizational and system boundaries. This all suggests that cyber security is similar to other end-to-end business processes and could benefit from the same analysis, structuring and automation methods.

Reduce risk

Using a process perspective for security might have several benefits. Some security processes, such as patch management and identity management, need more integration and automation to reduce cost and risk; too much time is now spent on manual processes and chasing down information. An analysis of processes would also facilitate development of best practices and provide a framework for standardization of security information and communications. Finally, better structuring and automation of security processes will provide security metrics and visibility to help balance security spending.
 
Governments have the overall responsibility for protecting nations (and their citizens), but businesses must implement most of the cyber-security protections, wherever the attacks originate and whatever the motivation. Consequently, governments and business should approach the challenges of cyber security using a working partnership perspective.

While many in the industry continue to make valuable contributions to cyber-security progress, some problems persist, suggesting that some rethinking is appropriate. This can be accomplished in various ways, such as simply re-examining problems in today’s context, attempting to apply techniques from other disciplines, organizing differently and others. First, we need to identify a short list of persistent cyber-security problems in operations that need to be addressed. I’d love to hear from Automation World readers about their own short lists.

Robert Mick, bmick@arcweb.com, is Vice President, Enterprise Systems, at ARC Advisory Group Inc., in Dedham, Mass.

Subscribe to Automation World's RSS Feeds for Columns & Departments

More in Control