12 days of cybersecurity: aeSolutions gets physical with cybersecurity steps
John Cusimano, vice president of industrial cybersecurity, aeSolutions, a consulting, engineering and CSIA-member system integrator in Greenville, S.C., agrees the most significant cybersecurity events recently were the Triton/Trisis safety system malware and the WannaCry and NotPetya ransomware attacks.
"These events have shaken industry even more than Stuxnet," he says. "Triton/Trisis was especially alarming because of the potential impact to health and safety. It's raising awareness of the importance of security safety systems per the IEC 61511 and 62443 standards. People who previously believed their last-line-of-defense safety systems were untouchable have now realized they're just as vulnerable."
To protect safety systems from these and other attacks and malware, Cusimano recommends users employ physical key switches to prevent changes to local devices. "I'm a big fan of key switches as a layer of protection for remote access and management of change. If remote access is required for troubleshooting, someone should still have to stand in front of a rack or cabinet to say when it's OK to allow remote access, and then turn it off later," says Cusimano. "Any process that's potentially unsafe should be monitored locally, and require someone to be there to provide ushered access."
Tuning in to OT
Even though many IT technologies, such as intrusion detection, are making big strides into OT, aeSolutions' Cusimano adds that it's important to remember that OT networks have different operational requirements, and that these tools need to be "tuned" to their environment for maximum benefit. "For example, to help users get the most value from their ICS detection investments, we visit a site, make sure the system is properly installed, monitor its traffic and performance, and build dashboards and displays," explains Cusimano. "Users often recognize they're not getting the performance and value they expect, so aeSolutions can help them 'operationalize' their investment by, for example, making sure that alerts make sense to the operators."
Cusimano adds that, in the swirl of rapid technological change around cybersecurity, it's also crucial to avoid installing the latest, shiny solution without addressing less exciting, underlying network and device vulnerabilities. "This is like installing a hi-tech alarm system on a house with unlocked doors and windows," he says. "These underlying issues usually include: lack of network segmentation, weak access control, and lack of network and device hardening, such as switches that haven't disabled unused ports, installed the latest patches or are too easy to access. These tasks aren't so easy, and many users shy away, but they must be addressed."
To help users gain awareness, Cusimano reports that aeSolutions recently partnered with the SANS Institute to offer a one-day class, "ICS cybersecurity for managers," which is based on application of the NIST Cybersecurity Framework and the ISA/IEC 62443 standards. It's taught by Cusimano and Paul Rostick, CISO and industrial cybersecurity advisor at aeSolutions, who present a Top 20 list of critical cybersecurity controls for ICS and teach attendees how to develop their own cybersecurity program and make it part of their organizational culture.
“Many users are working to improve their ICS/OT cybersecurity but are struggling. They need a program to institutionalize it, just like they've had for process safety,” adds Cusimano. “This course is a Reader's Digest version of what we've learned over the last decade regarding the effective management and implementation of an ICS/OT cybersecurity program. We share practical advice, best practices and interesting anecdotes about our experiences working for and with large and small companies across a wide range of industries, including oil and gas, petrochemical and other heavy industries.”