Approaching the Risks and Benefits of an Evolving Security Landscape |

Approaching the Risks and Benefits of an Evolving Security Landscape

June 062012
Approaching the Risks and Benefits of an Evolving Security Landscape
June 2012
By Rick Kaun, Honeywell Process Solutions
By understanding the evolution of today’s IT and control systems and proactively implementing a program to reduce vulnerabilities, plants can better position themselves to protect their assets, increase uptime and secure their critical infrastructure.
Control systems running on top of typical business IT platforms are an integral part of the industrial infrastructure today—not just in North America, but around the world. While they share many IT similarities with corporate business systems, control systems are technically, administratively, and functionally more complex and unique. Control networks today have all the risk of modern IT technologies without the ability to apply or manage security controls available to corporate IT departments.
Vulnerabilities, particularly cyber security, affect the safe, functional performance of both control systems and business IT systems. Since mainstream IT is knowledgeable and experienced with the threats and management of the security environment, there is an opportunity to learn from the experiences of business IT and shorten the time span for control systems to acquire the same level of security awareness.
Today, however, there is a difference in security maturity between corporate and control system networks. One of the main reasons for this gap is the difference in focus between business IT and control systems. Control systems have traditionally focused on equipment efficiency and reliability. Simply put, availability is king. Cyber security, on the other hand, was left to the business IT organizations and their mandate to protect confidentiality. However, as more and more complex computer systems are introduced to the plant floor, this situation is changing. The convergence of IT and control systems means security success will come only from gleaning expertise of both business IT and process automation.
As the evolution continues, not only should short-term technical solutions be examined, but a proper appreciation and understanding of the entire industrial IT lifecycle is required to ensure known and unknown vulnerabilities are kept at bay and facilities can maintain maximum uptime and safety.
Understanding the Risks, While Accepting the Benefits
The control systems environment is evolving with both subtle and dramatic transformations. Security of control systems was taken for granted for many years when proprietary hardware and software were the norm. However, the landscape has changed, and the security-by-obscurity concept once enjoyed in production environments has been traded for advancements in technology available in a more open environment.
Ongoing advances in hardware and software, for instance, are opening up more ways to advantageously use automation technology, but meeting today’s exacting automation challenges means being knowledgeable about what is possible. Change can be good, and the ability to evolve with it and extract the most value is the measure of creativity and dedication—and perhaps in the application of a logical approach to this evolution. However, success in this endeavor is usually only brought about by a deep understanding of both process automation environments and IT technology. This means recognizing the benefits and risks of elements like tighter business and process linkages, open systems, government regulations and increased uptime.
Increasing Business and Process Ties While Protecting Accessibility
To achieve a sustainable competitive advantage, manufacturing and process businesses must be able to adapt quickly to change. Reduced time for decision and action is critical for improving quality and productivity. This makes the timely collection, manipulation and distribution of reliable information a significant issue.
In today’s business environment, electronic data needs to be presented as information to operations, engineering and management in the context most meaningful to them. Historical, process and business data is collected from disparate sources and stored securely. The business requirement is to transform that data into meaningful information, providing important support at every level to improve efficiency and profitability. As a result, most organizations are faced with requirements to increase accessibility to the system. And, while this tighter linkage between business and process information is necessary, it opens the door to intrusions— whether unintentional or targeted.
Safely Deploying the Best Tools in Open Systems
In step with the proliferation of open systems, the complexity of plant networks and the need to support legacy systems, more tools have become available to address requirements and risks, along with the attendant standards and best practices that follow. Understanding which tools best fit an environment can be a rigorous task requiring broad experience and vendor neutrality. And since safe, reliable, expected operation of a facility is paramount, an approach that is deep in process safety and coupled with technological capabilities is the most effective option.
Understanding Regulations and Standards
To help navigate the application of security controls a host of standards and guidelines (in some cases regulations) have begun to emerge. However, in spite of the abundance of options there still remains a fair amount of uncertainty about interpreting or applying regulatory and best practice controls. Partnering with organizations that not only drive the development of the standards but help to build those regulations into next generation offerings is the fastest and most effective way to build a robust, compliant and manageable program.
Challenges with Increased Uptime, Availability & Reliability
And now, along with increased complexity, open systems and regulatory pressures, we also see an increased demand for greater uptime, availability and reliability. While plants strive to meet these expectations, many organizations find themselves without the required people assets to manage a security program that meets the high standards required by industrial information technology. The lack of IT expertise in the plant is problematic, with a priority placed on availability over confidentiality. Implementing technology coupled with a sustainable management program is the next step.
A Proactive Approach to Securing Your Critical Infrastructure
Understanding the benefits and risks that come with an evolving IT and process control landscape is a very important start, but taking a proactive approach to ensuring the safety and reliability of a system is necessary to increase protection against vulnerabilities. While implementing a program can be a daunting task, plants can break the process into four logical phases to create a logical, repeatable, and organized approach to the industrial IT lifecycle. This approach consists of four phases: Assess, Remediate, Manage, and Assure. This lifecycle between the 4 phases is a constant program over time – not a one-time project.
The Assess Phase
The Assess phase is very important in the industrial IT lifecycle. During this phase, the status quo is measured in order to uncover overallshortcomings and vulnerabilities compared against the desired result. Of the four phases, this one is perhaps the most important and enlightening; therefore requiring expert certified security professionals that are able to balance unique process control environment requirements against regulatory requirements.
Assessments should follow with actionable recommendations that will improve reliability and improve system management. The recommendations should be prioritized to aid in logically addressing the identified vulnerabilities. In addition, budgetary guidelines will help in assisting with the size and scope of the effort required in the Remediate phase.
The types of assessment are varied, depending upon the immediate and long-term needs of the installation. For some installations, regulatory assessments are at the forefront. If there are immediate concerns regarding network vulnerabilities, a network assessment would be the ideal starting point.
Some assessment categories include:
  • Vulnerability assessments
  • Regulatory assessments,
    • NERC CIP, CFATS, etc.
  • Network assessments
  • Risk and readiness
  • General gap analysis and project planning
The Remediate Phase
While the Assess phase may be the most enlightening, the Remediate phase may be the most intense and diverse, since it addresses risk management from the perspectives of technology, process and people.
Technology embraces the selection of server and software, deployment and configuration. It is the foundation or enabler of a security program. System hardening and virtualization requirements and implementation considerations are included in this area. Then, there is the wide selection of commercial-off-the-shelf (COTS) products, and the determination of which one is the best fit for a given area. Included in the COTS product selection are tools that perform functions, such as:
  • Anti-virus
  • Patch management
  • Whitelisting
  • Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)
  • Vulnerability
  • Network monitoring
  • Log Analysis
Process is important in the overall view of remediation, particularly as it applies to security. It is the development and adaptation of proper processes and policies that applies the technology toward a more secure environment. Process includes procedural development, such as:
  • Patch management
  • Secure remote access
  • Anti-virus
  • Backup and restoration
  • Change management
  • Perimeter security
From a people perspective, each individual who affects the security of the process control environment must be made aware of the risks and considerations that apply to security. For this purpose, a security awareness program is very important. It is not unusual to find individuals and groups who are unfamiliar with the security exposure potential and require additional training. Within each organization, it is best to develop and document policies and governances that apply to this key area. Plus, as organizations change through addition or attrition and through movements to other positions, security awareness is an ongoing process.
In general, the people perspective includes:
  • Security awareness program
  • Security training
  • Policy and governance development
  • Design and implementation resources
In summary, a successful Remediate phase results in a custom-designed industrial IT program that may include:
  • Multi-layered secure defense in depth network design
  • System hardening
  • Testing and redundancy solutions
  • Compliance and governance development
  • Security awareness program
The Manage Phase
The Manage phase refers to the management of the customer’s industrial IT investment, including network security, with support and training. Specifics may include:
  • Ongoing management of systems and technology, including workflow implementation, anti-virus and patch management services, and perimeter management.
  • Support services, including regular tuning of security tools, system health and performance monitoring, and ad-hoc support contracts.
The Assure Phase
The Assure phase addresses methods to assure the industrial IT solutions are functioning as designed. Program monitoring may include:
  • Change management
  • Verification of patch installation and anti-virus updates
  • Using a compliance dashboard
  • Monthly reporting
  • System health and performance reporting
  • Recurring annual NERC CIP Cyber Security Vulnerability Assessments (CSVA)
Moving Ahead in the New Landscape
Implementing a strong but manageable approach to securing a plant’s assets is becoming a greater priority for facilities as the industrial IT landscape continues to evolve. Improved tools and access, for instance, help to increase uptime and make better use of a plant’s data. However, that evolution does not come without risks.
Understanding the landscape of today’s control systems environment and its convergence with IT is important to benefitting from its evolution while maintaining awareness of the risks that come with open systems, tighter business and process linkages and the ability to improve uptime. This understanding allows for a more holistic approach to securing a plant’s critical infrastructure and will position plants and personnel to continue to enjoy the benefits of a new era of industrial IT.
Did you Enjoy this Article?

Check out our free e-newsletters
to read more great articles.

Subscribe Now