Good news for ICS protection: ISA providing new ISA/IEC 62443 based industrial cybersecurity training

The great Chinese military strategist Sun Tzu in his book the “Art of War” stated that (to paraphrase) “if you know yourself and the enemy, you will prevail in every battle”. This saying is applicable to the protection of industrial control systems that comprise the technical foundation for today’s critical infrastructure. One of the long-term trends has been the convergence of Information Technology (IT) with Operation Technology (OT). IT has come to the OT world in a big way especially with the advent of the Industrial Internet of Things (IIoT). The latter refer to smaller devices that act as sensors that collect and relay data for later analysis. The usefulness of this collected and evaluated information provides some convincing arguments for the take-up of this new technology. It is supported by both industry and policy makers as a great way to “improve efficiency, reduce downtime and save money”. However, amidst all the great selling points, the new vulnerabilities and IT security concerns introduced from the increased connectivity of these devices (from the plant floor to the office) are not recognized. Too often, the engineering/OT mindset dominates leaving the threats emanating from cyberspace well known by IT security practitioners out of the calculations. Missing is a way to introduce IT security concerns and balance them with the safety, availability, and integrity interests of the OT engineer and cost saving interests of management.

Several years ago a nuclear power station was Scrammed after a Windows update was performed on a single PC. Problem was that it was connected to the critical systems of the reactor. Perhaps lack of ICS knowledge contributed to this apparent blunder in applying an IT security policy? Photo by the author.

This is why I think the new ISA/IEC 62443 based cybersecurity training in industrial cybersecurity offered by ISA is a significant step in the right direction for improving protection of critical infrastructure. So often, at conferences that discuss IT and industrial control system I hear about the need to follow ISO 27000 standard. An IT security standard is not enough to address the security issues raised by control systems. Nor is it enough in an industry brochure to emphasize the box containing the device is fully compliant with a standard for a box (2) . Don’t wish to advertise or be a cheerleader but ISA should be congratulated for this initiative on ISA/IEC 62443. It should address a serious awareness issue. Have been making a point in my presentations on making use of standards and guides that specifically address critical infrastructure protection. Usually I find the audience is hearing about ISA 99 / 62443 or NIST 800-82 rev. 2 for the first time.

However, some precautionary questions remain regarding the potential benefits to the security of our critical infrastructures from this new training. Is the material covered and information provided a good match for the challenges faced by practitioners in the control system world? Is the coverage mostly theoretical or is there significant input from the engineers working in the field who have special knowledge (can share some practical lessons-learned) of the problems encountered and on already developed (but not shared) solutions? Are appropriate updates to the course content made when the security environment changes? Do constructive criticisms and suggestions from field practitioners for improvements in the covered material get a fair hearing?

The drive to use new technology like the IIoT has strong support from industry and Government as a way to cut costs and improve efficiency. However the new security concerns are seldom mentioned. Here a IIoT sensor is attached to a motor which wirelessly sends data for analysis to another device on the network. Can be attached to legacy motors as well.

One important point to consider is the level of support from management for taking this course. Does staff get their support for attending this training? The basis for this support is an appreciation for the differences between IT and OT approaches to security and the need to build a bridge between them. If a manager with OT “blinders on” says to his interested employee, “you don’t need this”, little good will come from this initiative. On the other hand, some awareness of the IT vs OT security issues will do much to address the long-term problem of cross training IT and OT practitioners. An issued that will require more attention as IT and OT convergence continues. To paraphrase the ancient Chinese military strategist Sun Tzu, “If you know IT and Control Systems, you will always protect your critical infrastructure”.

References:

1. https://www.isa.org/news-and-press-release/isa-press-releases/2017/february/isa-breaks-new-ground-in-providing-experiential-industrial-cybersecurity-training/

2. ANSI/IEC 60529-2004 Degrees of Protection Provided by Enclosures (IP Code) http://www.nema.org/Products/Pages/Enclosures.aspx

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and member of ISA 99 Workgroup 14 on security profiles for substations.