Why do bank robbers steal money from banks? Because that’s where the money is. In industry, the data is where the money is. And as long as that’s true, cyber criminals will keep going after that data. It’s a promising target, worth gathering their resources—well-educated people with the best tools available—to stay ahead of you and your manufacturing facility.
The hackers, once unorganized groups hitting random targets, are now organized, professional actors attacking well-chosen targets. That’s one of four major trends in industrial security, according to Oliver Narr, marketing manager for industrial security at Siemens. The other three trends relate to real vulnerabilities, the Internet of Things (IoT), and security by law.
The vulnerabilities are real, and they’re not going away. Some customers attending Narr’s breakout session at the Siemens Oil & Gas Innovations Conference this week in Houston seemed very bothered that Siemens and other automation vendors can’t just fix the problem and make their products infallibly secure. But security is a moving target and humans are, not too surprisingly, human. There will always be some way for the criminals to get in. Manufacturers need to build up their defenses, but also have a plan for detecting and mitigating the breaches.
The IoT, as Narr noted, could be better known as the IoHT—the Internet of Hacked Things. The more industry develops connected technologies, the more everyone needs to worry about security. “We’ve introduced a complete new ecosystem into our process environment,” he said. “There are a lot of new possibilities to attack our system.”
Governments have become increasingly aware of those threats as well, and are beginning to enact laws to hold critical infrastructures accountable—what Narr refers to as “security by law.” A new law in Germany includes penalties if you miss some security measures, he said, and we will likely see similar laws in France and China, with more countries following suit. “We as process experts, we have to take care about this,” he added.
Siemens advocates a Defense-in-Depth strategy—rings of defense outlined by IEC 62443 as plant security, network security and system integrity—and bases its own security concept on Defense in Depth as well. That means integrated security with know-how and copy protection, authentication and user management, firewalls and VPN, and system hardening, Narr said. It’s a holistic approach that includes Siemens’ involvement and collaboration in CERT and other security organizations and standards committees, knowledge and adaptation of IEC 62443 requirements, open communications with customers, and fundamental system hardening incorporated into product designs.
The offering also includes Siemens Plant Security Services. As part of this, Siemens recently announced the opening of its Cyber Security Operation Center (CSOC), where industrial security specialists monitor industrial facilities around the world for cyber threats. With locations in Lisbon, Portugal; Munich, Germany; and Milford, Ohio, Siemens works with its customers to keep them abreast of security breaches and coordinate countermeasures.
Throughout the Siemens conference, executives pointed to the progress that the oil and gas industry has made with regard to safety, and emphasized the need for continued diligence. But cybersecurity can have major repercussions on oil and gas safety, pointed out Vinicius Strey, ICS cybersecurity consultant for Siemens DF CS Data Services, who urged conference attendees to combine their safety and security efforts.
“Right now, safety and security are two completely different islands, each one looking at their own problems and receiving their own budgets,” Strey said. “But in the end, the damage is the same to the company. Why is there this gap between security and safety?”
It’s not easy to find people who can speak both the safety and the security languages, which has led to them going their different directions, Strey said. They are also at different maturity levels, with security looking similar to what safety was 30 years ago, he added. These factors lead to a huge gap in how companies are dealing with security and safety issues, he said. But combining efforts and measuring safety and security on the same scale can help companies make better decisions and mitigate risks.
Strey pointed specifically to incident response in explaining the importance of safety and security convergence. Such reconciliation would help companies understand the root cause of an incident faster. They could better minimize safety issues upon detecting a security incident, and could likewise detect a cybersecurity root cause of an apparent safety incident. Any incident response, therefore, should consider both safety and security aspects, he said.
To get started going after the low-hanging fruit, Strey outlined his recommendations for various industry players:
- At the corporate level, ask your corporate risk manager to send you an email with the correlations between safety and security risks.
- Plant managers should look at the security/IT disaster recovery plan and search “process safety.” Also look at the safety crisis response procedure and search “cybersecurity.”
- For security managers/engineers who look at flow diagrams showing reactor and process equipment and cannot understand the basics, they could start by learning more about the actual operational process.
- Likewise, process managers/engineers need to learn more about cybersecurity and how it affects their operations.
- Health, safety and environment (HSE) managers/engineers should start by reading the paper, “Can Cyberterrorists Actually Kill People?” from the SANS Institute.