Seven Steps to a Successful, Sustainable, Industrial Security Program


Many organizations struggle to get their Industrial Security programs started, or have programs that really aren't working well. An industrial security program takes time and requires the full attention of the organization. Because Information Technology (IT) and Operational Technology (OT) teams often have different skills and different perspectives, industrial security programs can fail. I believe that there are ways to address this issue and get a program back on track.

Here are seven steps that I believe every organization should take to establish an Industrial security program. I often see companies focusing on one or two of these steps, potentially overlooking others, which can negatively impact progress.


Step 1: Admit that you have a problem

Admitting that an organization has a problem is the first step to solving it. Many security programs skip this step, assuming that cyber security risks are obvious to everyone. The problem is that most people link cyber risks to high-profile public breaches of corporate systems. Business Email Compromise (BEC) and ransomware attacks are in the news every day; industrial system attacks, however, are rarely disclosed.

Tabletop exercises that simulate real cyber incidents have become standard practice for most IT security programs. However, these exercises typically concentrate on corporate-level events such as a breach of HR systems or a ransomware attack. Conducting tabletop exercises that focus on industrial assets, such as a manufacturing line, can effectively engage leadership and enhance awareness of the cyber risks associated with industrial assets.

To fully understand the company's risks, I recommend that organizations engage operations leaders, plant managers, and engineering teams in at least one industrial security tabletop exercise. The exercise should focus on a critical industrial asset. Begin the discussion using an example of a significant, but plausible, cyber event affecting an industrial asset.

A typical industrial tabletop might look like this:

  • An engineering integrator has connected a laptop to a critical production line, introducing malware. Even if the company believes it has controls in place to prevent this, the scenario is realistic and can happen.
  • The malware then spreads to all Windows-based computers within the asset, including industrial HMIs, servers and workstations, causing them to become unrecoverable.

At this point, it's important to keep things simple. Here are some key questions that should be discussed:

  • What impact would this event have on the business?
  • Could the asset be restored from backups? How reliable are the backup systems? What would happen if the backups were sabotaged?
  • If all Windows computers get infected, can the industrial process safely implement a shutdown?
  • Could this event impact safety?

Use this tabletop to engage key leaders and gain their support for the program. Keep discussions high-level and limit tabletops to one or two hours. Ensure the conversation stays focused and table follow-up discussions for later.


Step 2: Hire a translator

Tension between OT and IT in organizations can hinder industrial security programs. This is often because each field has specialized skills and a lack of mutual understanding, leading to communication breakdowns. Many organizations have stories about how actions by one side caused issues for the other, fostering and spreading mistrust.

Engineers will usually have stories about IT disrupting systems in ways that negatively affected production, feeling that IT did not understand the environment. Conversely, IT professionals will have examples where industrial failures occurred due to an engineer's lack of networking or server knowledge, with IT called in for last-minute fixes.

To establish a meaningful dialogue between IT and OT, it is important for the industrial security program to get an OT translator. OT security programs are often led by IT security teams, but few IT professionals really understand OT. Including someone from OT can add credibility to the program and facilitate better communication.

There are a few tactics that I have seen work for organizations.

  • Recruit internally: If there is a strong engineer in the organization who can be brought into the program, this may be the best choice. The OT translator doesn't need to be a security person but should have a good foundation in IT technology and a passion for learning.
  • Hire externally: Hire an engineer from outside the organization who can bring in new ideas and the necessary skills. Look for someone with strong communication skills and experience in industrial security. People with a strong mix of industrial controls, IT and security skills are rare, so the organization may need to make concessions.
  • Borrow: In many cases it may be helpful to use a consulting group that has experience in industrial security. This experience will help build the foundation for the program while the team develops its own internal OT / IT capabilities.


Step 3: Understand the critical business and OT processes

Once the business has demonstrated support for the effort and an OT translator is in place, the next step is to understand the organization's industrial processes. If multiple processes exist, begin with the industrial process that is perceived to have the largest impact on the organization.

To gain a better understanding, it is helpful to see the process firsthand. Take a plant tour that focuses on the overall manufacturing process and the role that the control system plays in that process. It is not necessary to know every detail of the process; however, the team should focus on essential components and systems. Here are some crucial questions to cover on the tour.

  • What is the goal of the manufacturing process?
  • How is the system controlled to prevent a safety issue?
  • What are the most critical systems in the process?
  • What happens if this system fails?
  • Are there other critical control systems that are required to meet regulatory requirements?
  • Who has access to these systems, and how are they accessed? Do employees or third parties access the system remotely for implementation, maintenance or support?

With this information in hand, the industrial security program can start to prioritize next steps.


Step 4: Understand your OT assets

Some IT security experts suggest that "Asset Inventory" should be the first step in a program; however, I have placed it fourth. While inventory is important, completing the first three steps can help the team better understand the inventory and the impact systems have on the process.

Organizations sometimes purchase tools to help them identify assets and vulnerabilities before they understand the context of the process and technology supporting it. This can cause programs to focus on the wrong assets and the wrong priorities.

Open-source tools, which are often free, can be sufficient for many organizations while establishing the first high-level inventory. Purchased tools, however, can significantly reduce the effort required to create an inventory, and may often do it with greater precision. These automated tools can be used after the initial inventory process has been completed and can help the organization monitor changes to the environment.

The OT translator may be able to help the team safely connect inventory tools to OT networks and should be able to help interpret scan results. Some purchased tools are passive and only observe network traffic. These systems are lower risk, as they are unlikely to negatively interact with production systems. Others are active and may require software on industrial system computers, or may generate network traffic that could be disruptive. Whichever approach is taken, it is crucial to exercise extreme caution to ensure that any asset management tool keeps operations safe.

The ISA/IEC 62443 series of standards is a great resource for organizations during this phase and is the de facto standard for industrial security. This series of standards provides guidance on how to evaluate industrial system risk. One of the key deliverables for this step will be a diagram of the current system in terms of zones and conduits. The ISA/IEC 62443 series provides guidance on these concepts and helpful information for conducting the initial risk assessment.

The purpose of this step is to prioritize your efforts and identify critical assets that should be included in your program.


Step 5: Add value

Security programs usually focus on reducing risks, but it is important to show OT teams value beyond cyber risk reduction. If OT teams see additional value from the industrial security team's initiatives, then they are much more likely to fully engage. Here are a few examples of how an industrial security program can provide value to OT Teams.

  • System backup and failover review: Conduct a thorough review of critical systems to ensure that system backups are being performed and that failover mechanisms are operating correctly. It is common for system integrators to implement a backup system or redundant server solution during the initial installation; however, these may not be properly maintained over time. Identifying and addressing these issues promptly can help the plant avoid costly outages.
  • Virtualization: System implementations frequently use virtualization technology such as VMware. There is a great deal of value in these systems; however, many integrators lack experience in deploying these environments, and OT staff usually have little experience managing them. The team should review these environments for performance, reliability, or security enhancements. Ensure compliance with industrial system manufacturer requirements before making recommendations, and rigorously test any changes.
  • Investment support: The inventory can highlight risky assets that the OT team has been unable to get funding to replace. The program team may have more experience in describing the risks of old IT systems to management.

Once the Industrial Security Program starts to add value to the OT team, greater collaboration will follow.


Step 6: Implement an OT governance program

Security frameworks are an essential foundation for any security program. Fundamentally, most IT organizations adhere to a security framework, the most common being ISO 27001 or NIST 800-53. Each of these frameworks provides a consistent approach to addressing security. For industrial security, the gold standard is the ISA/IEC 62443 series. The 62443 industrial security standards can either complement an existing security framework or be implemented independently if no IT security framework is in place.

For anyone interested in learning about 62443, start with ISA-62443 Security for Industrial Automation and Control Systems Part 1-1: Terminology, Concepts and Models. This standard offers a good overview of the framework, and the ISA provides online training to help gain a deeper understanding.

Next, review Part 2-1: Security program requirements for IACS asset owners. This standard includes the program-level requirements that are essential to a program. For those familiar with the ISO 27000 series of standards, this standard is similar to ISO 27002 in that it defines specific requirements and guidance, but for industrial security. Some requirements of 62443 2-1 overlap with traditional cyber security frameworks, but many are unique to industrial security. ISA 62443 2-1 also includes mappings to traditional frameworks such as ISO and NIST, so there won't be duplicate effort.


Step 7: Keep it real

Now that the security program is in place and the OT-IT partnership is established, it's crucial to engage all industrial employees, including operators, maintenance firms, and contractors, in the program. Companies with industrial systems likely prioritize safety as a fundamental company value. Industrial security programs should pair the message of security with that of safety to strengthen their message. As with safety, take time to talk to employees about security and the impact that it can have on them.

Security threats will continue to evolve, so employees must understand how their decisions can help maintain a safe and secure environment. To effectively engage employees, awareness training should ensure employees understand not only what steps to take but also why they are taking those steps. Real examples can help employees understand negative consequences and how their actions could avoid them.

In Closing

The relationship between IT and OT is a critical foundation that any industrial program should nourish. When IT and OT work together and appreciate each other's strengths, they can create a solid security framework that tackles the unique challenges of industrial environments. These seven steps should be used as guidance for your programs.

About The Author


Chris McLaughlin is the Chief Information Security Officer (CISO) at Johns Manville (JM) and the ISA Global Cybersecurity Alliance (ISAGCA) Advisory Board Vice-Chairperson.

Chris has a passion for industrial control systems (ICS) and has spoken frequently at conferences about the importance of working together with engineering counterparts to manage this threat. Chris has over 25 years of security and infrastructure experience leading the vision for a highly complex manufacturing company. In 2022, he was recognized by C100 as one of the top 100 Chief Information Security Officers (CISO) in the United States. In addition to his work with JM and ISAGCA, Chris serves as president for the Denver InfraGard chapter and is an active member of the Domestic Security Alliance Council (DSAC), both of which focus on protecting critical infrastructure.
