It's almost always good to practice what you preach, and in the case of cybersecurity, it's downright crucial for end users, contractors, clients, suppliers and system integrators seeking to form a united front against cyber-threats, intrusions, probes and attacks, especially during the ongoing pandemic.
"There was initial panic when COVID-19 started up in March through May, but a lot has settled down since the summer, even with more recent spikes. Many projects to implement cybersecurity were paused during the pandemic because people were just focused on how to keep their plants running," says John Cusimano, solutions VP of industrial cybersecurity, aeSolutions, a consulting, engineering and CSIA-member system integrator in Greenville, S.C. "Over the summer and now into the fall, we're seeing more stability because companies are figuring out ways to move ahead with cybersecurity. Our projects are also underway, but in a different way. For example, it's harder to bring people onsite and many sites have minimized staff to essential personnel. So they're looking at ways of remotely performing assessments, design, implementation and monitoring by working with the few left at the facility. This puts more on everybody's plates."
Cusimano reports aeSolutions is also relying more on remote staffers, and is trying to make their jobs as simple as possible by documenting instructions and procedures for tasks like data collection. "We haven't directly seen a spike in cyber-incidents due to remote workers, but there's definitely more interest from users in strengthening their remote access security," says Cusimano, who adds that aeSolutions has several recommendations for securing remote connections and user access, including:
- Point-to-point connections in facilities should use industrial firewalls, such as mGuard from Phoenix Contact or Scalance security gateways from Siemens, and then customize their rules and policies to meet the needs of each application.
- Enterprise connections for remote users should employ an on-demand tunneling protocol to communicate through the corporate infrastructure. This typically involves using a virtual private network (VPN) in combination with gateways requiring multiple authentications for access, along with privileged access management (PAM) solutions such as Wallix, Beyond Trust and NetOp.
- Data diode modules can be employed in applications where information flow is only required in one direction. These devices let data move onto a network from lower-level devices, but they don't allow communications to come back in.
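The following added example, not taken from aeSolutions or any product named above, reviews an exported firewall rule set against the flows an application actually needs and flags return-path rules on a conduit meant to carry data in one direction only. The zone names, rule format, ports and sample rules are constructed assumptions.

```python
# Added example: audit firewall rules against a per-application allowlist.
# Zone names, rule format and all sample values are constructed for illustration.

# Flows the application needs: (src_zone, dst_zone, protocol, dst_port)
ALLOWED_FLOWS = {
    ("ot", "dmz", "tcp", 4840),  # control network pushes data to a DMZ historian
    ("dmz", "it", "tcp", 443),   # historian replicates to the enterprise network
}

# Conduits where data may only leave the lower-level zone (diode-style intent)
ONE_WAY = {("ot", "dmz")}

SAMPLE_RULES = [  # constructed rule export
    {"id": 1, "src": "ot",  "dst": "dmz", "proto": "tcp", "port": 4840,  "action": "allow"},
    {"id": 2, "src": "dmz", "dst": "ot",  "proto": "tcp", "port": 3389,  "action": "allow"},
    {"id": 3, "src": "it",  "dst": "dmz", "proto": "any", "port": "any", "action": "allow"},
    {"id": 4, "src": "dmz", "dst": "it",  "proto": "tcp", "port": 443,   "action": "allow"},
    {"id": 5, "src": "dmz", "dst": "it",  "proto": "tcp", "port": 445,   "action": "allow"},
    {"id": 6, "src": "it",  "dst": "ot",  "proto": "tcp", "port": 502,   "action": "deny"},
]


def audit(rules, allowed=ALLOWED_FLOWS, one_way=ONE_WAY):
    """Return (rule_id, reason) for every allow rule that exceeds the policy."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules cannot widen access
        flow = (rule["src"], rule["dst"], rule["proto"], rule["port"])
        if "any" in flow:
            findings.append((rule["id"], "wildcard match"))
        elif (rule["dst"], rule["src"]) in one_way:
            # Traffic heading back into the lower-level zone
            findings.append((rule["id"], "return path on one-way conduit"))
        elif flow not in allowed:
            findings.append((rule["id"], "flow not in allowlist"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: {reason}")
```

A rule review like this checks intent on a firewall; it does not give the physical one-way guarantee of a data diode.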
Despite these and other safeguards, Cusimano reports ransomware remains the biggest cybersecurity threat, and because some users will inevitably click on and enable malware and extortion threats, their organizations must also think about backup and recovery.
"You have to assume you'll be hit at some point, so the key response is to implement a solid backup and recovery program that will get you up and running without having to pay a ransom," says Cusimano. "This means backing up servers, workstations, configuration files and other assets, and doing it securely. The good news is information technology (IT) departments have been doing this for a long time, so operations technology (OT) users and their control systems can use many of the same tools, such as Acronis and Veeam, to perform backups automatically and frequently."
Cusimano adds that the next step is to apply application "safelisting" software to help prevent future ransomware attacks. These packages include Carbon Black, McAfee and Symantec.
Once backup, recovery and safelisting are in place, Cusimano adds that users will likely need to go back and reexamine some of their earlier remedies, such as:
- Routinely retraining staffers in good cybersecurity awareness and hygiene practices;
- Reevaluating network segmentation to see whether it's adequate or whether they need to adjust their OT and IT sub-networks, firewalls, demilitarized zones (DMZ) or antivirus software; and
- Studying existing and emerging cybersecurity standards for useful methods.
"The ISA published ISA/IEC 62443-3-2 in April, which standardizes how to conduct ICS cybersecurity risk assessments, which can be very useful," adds Cusimano. "However, maritime facilities such as tankers, platforms, drill ships and ports should also look at the U.S. Coast Guard's Navigation and Vessel Inspection Circular (NVIC) 01-20 published earlier this year. This circular provides guidance on complying with the Maritime Transport Security Act's (MTSA) cybersecurity regulations for maritime systems, which include an October 2021 compliance deadline requiring related facilities and systems to incorporate cybersecurity into their facility security assessment (FSA) and facility security plan (FSP). Water and wastewater operators can benefit from studying the U.S. Environmental Protection Agency's Water Infrastructure Act and drinking water and wastewater resilience programs, which have a variety of resources for assessing and implementing cybersecurity."