How to Achieve Best Practice Cyber Security for Industrial Automation and Control System Environments
Implementing an effective cyber security approach for industrial automation and control systems (IACS) remains a hot topic in manufacturing industries. As manufacturing organisations grow, they are increasingly embedding IT solutions within their IACS environments in order to gather more data and streamline production processes. This convergence of IT and IACS poses a challenge for security teams: IACS can no longer simply be air-gapped from IT systems. This greatly raises an organisation’s exposure to cyber attacks that can take advantage of the legacy nature of IACS to great effect, as seen in the Merck cyber-attack in 2017.
As a result, cyber security for IACS has shot up the agenda of internal risk committees and is attracting attention from regulators and industry bodies. In this Blacksmiths Insight, we highlight the main challenges we have seen manufacturing organisations face in developing their cyber security practices. We also describe a target cyber security management system (CSMS) structure that incorporates industry best practice and enables organisations to refine their approach according to their compliance requirements.
Industry standards and legislation
In recent years, a variety of industry standards for IACS cyber security have been released or undergone extensive revision:
- NIST Special Publication (SP) 800-82, Guide to Industrial Control Systems (ICS) Security Rev. 2 (2015)
- ISA-62443: Security for Industrial Automation and Control Systems (2017)
- HSE OG86 Cyber Security for Industrial Automation and Control Systems (IACS) (2017)
- EU Security of Networks & Information Systems (NIS) Directive (2018)
The introduction of these standards has created a diverse compliance landscape for cyber security teams within manufacturing organisations:
- ISA-62443 and HSE OG86 standards – these mandate the creation of a cyber security management system (CSMS) that sets out the organisation’s approach to cyber security policy and risk management for IACS.
- HSE OG86 – emphasises the importance of blending operational safety and cyber security by considering the loss of essential service (LES) and major accident (MA) events.
- EU NIS Directive – many organisations must also ensure that their IACS environment complies with this.
To meet these new standards and legislative requirements, manufacturing organisations must take a risk-based approach to cyber security.
The challenge facing manufacturing industries
The main challenge for organisations is developing an approach to cyber security that engages both central leadership and operational teams at manufacturing sites. Many systems fail by not providing a clear line of sight between the organisation’s corporate risks and the risk decisions made at the system level.
Five factors that have a negative impact on cyber security
Based on our experience of working in IACS environments, we have encountered five specific factors that have had a negative impact on an organisation’s approach to cyber security:
- Identified cyber security risks do not align with manufacturing objectives
- Cyber security and safety teams operate in siloes
- Impact assessments for IACS do not consider cyber security risks
- Corporate information security policy is not suitable for IACS environments
- Cyber security controls are not reviewed on a regular basis.
We explore these factors in more detail below.
1. Identified cyber security risks do not align with manufacturing objectives
We often find that organisations are looking at cyber security risks that do not relate to their manufacturing objectives. For example, suppose an organisation has an objective of achieving high production targets. In that case, it should focus on security risks that may impact the availability of production systems rather than the confidentiality of the data being used. By having a clear line of sight from cyber security risks to manufacturing objectives, the security team will likely develop more buy-in and better understanding from senior leadership teams.
2. Cyber security and safety teams operate in siloes
In some organisations, we have found that there is minimal communication between cyber security and safety teams. This is a significant concern, as a strong safety and cyber security management programme is fundamental to a sustainable business model for manufacturing sites.
3. Impact assessments for IACS do not consider cyber security risks
Conducting an impact assessment for cyber security risks is an important stage of the CSMS that enables the security team to prioritise the implementation of security controls on high-impact systems, saving time, cost and resources. Nevertheless, we have found that some organisations do not consider the potential business impacts that a cyber security risk may generate from specific systems. For example, an organisation may consider a ransomware attack to be a primary cyber security risk. However, if one system has more effective security controls in place than others, such as physical segregation, it may be low-impact in relation to this risk.
4. Corporate information security policy is not suitable for IACS environments
We have seen security teams use corporate information security policy as the basis for protecting IACS. In our experience, this approach is ineffective, and it ultimately leads to the inconsistent application of security controls. For example, it is difficult to apply a vulnerability management process for IT systems to the IACS environment. Typical IACS constraints, including obsolescence and change controls, mean that not all systems can be scanned and patched at the same frequency. The CSMS must adopt a tailored approach to consider the constraints and configurations of IACS.
5. Cyber security controls are not reviewed on a regular basis
We have come across several organisations that adopt a set-and-forget approach to cyber security. Typically, we find that businesses identify and implement cyber security controls when a new IACS goes through the validation process, but the controls are not reviewed regularly. Adopting a CSMS provides the organisation with a repeatable process to continuously improve the effectiveness of cyber security controls.
A potential solution
Considering the challenges described above, Blacksmiths has developed a high-level structure for a target CSMS. The framework enables manufacturing organisations to achieve the following objectives for their manufacturing sites:
- Bring cyber security and safety teams together to define threat scenarios applicable to the site
- Identify the most critical cyber security risks to the IACS environment
- Determine the potential business impacts of each system in the IACS environment
- Develop a risk-based approach to selecting security controls for each system
- Embed regulatory and GxP compliance requirements.
The target CSMS structure uses relevant components from the NIST SP 800-82, ISA-62443 and HSE OG86 industry standards. All components also cover the National Cyber Security Centre (NCSC) cyber security principles for the NIS Directive. The diagram and points below provide a high-level description of the CSMS.
Challenge 1: Cyber security risks do not align with manufacturing objectives.
CSMS Solution: The Scenario Catalogue defines the loss of essential service (LES) and major accident (MA) scenarios that will directly impact manufacturing objectives. The Corporate Risk Register is a key document in conducting the threat and risk assessments.
Challenge 2: Cyber security and safety teams operate in siloes.
CSMS Solution: The development of the Scenario Catalogue is a joint exercise between cyber security and safety teams. It incorporates the key findings of the Site Safety Report. The Disaster Recovery Process defines the roles and responsibilities of cyber security and safety teams.
Challenge 3: Impact assessments for IACS do not consider cyber security risks.
CSMS Solution: The CSMS includes an Impact Assessment to be undertaken for all systems. The assessment considers the potential business impacts that a cyber security risk may generate from specific systems.
Challenge 4: Corporate information security policy is not suitable for IACS environments.
CSMS Solution: The CSMS includes a set of cyber security policies specifically designed for IACS environments, including vulnerability management and incident management.
Challenge 5: Cyber security controls are not reviewed on a regular basis.
CSMS Solution: The CSMS includes a Security System Lifecycle that provides a repeatable process to review and improve security controls in place on systems.
This insight describes the foundations for manufacturing organisations to consider when developing their approach to cyber security for industrial automation and control system environments. Any approach will also need to align to internal compliance requirements and quality processes.
Blacksmiths has deep experience of creating lasting cyber security capability for manufacturing organisations that integrates with wider internal operations. Contact us at info@blacksmithsgroup.com for more information.