“The way that we think about cybersecurity is really across the entire attack continuum,” began Angela Rapko, regional vice president of lifecycle services at Rockwell Automation, during an Automation Fair media briefing on the cybersecurity landscape. “You’ve got to think about it before, during and after.”
Rapko was joined by Shoshana Wodzisz, manager of product security at Rockwell Automation, and Ted Haschke, manager of business development, functional safety and cybersecurity at TÜV Rhineland, to discuss guidance on how to get started, the value of cybersecurity standards and third-party certifications, and the conditions that have recently propelled digital adoption and cybersecurity attacks.
During the past year alone, one-third of industrial control systems have experienced malicious activity, Rapko said. Industrial controls are being targeted because they control lots of assets, many of which have not been maintained over the years, she added.
The industry is also amid the convergence of information technology (IT) and operational technology (OT), and cybersecurity concerns have highlighted the continued gap between the two. For many years, the IT side has focused considerably on cybersecurity. “On the OT side, it’s a very different world,” Rapko said. “OT cybersecurity best practices are very different than IT. The tools don’t apply; the standards don’t apply.”
Standards and certifications
Fortunately, some standards do exist, which Shoshana Wodzisz spent some time talking about—the most important being the International Electrotechnical Commission (IEC) 62443 standard for operational technology in industrial and critical infrastructure. Wodzisz believes these standards are critical to the advancement of cybersecurity practices in industry because they provide a common framework.
“It is a benchmark that we all can use to compare ourselves,” Wodzisz said. “The thing I like about 62443 and any standard is that it gives us a common terminology to all work toward, so end users and vendors like Rockwell Automation, we’re all using the same words and terminology. We’re speaking the same language.”
The standard includes different parts for vendors, system integrators and asset owners or end users. It addresses what technical security controls need to be put into products or solutions, such as password management, digitally signed firmware and keeping audit logs.
The other important aspect of the standard's requirements addresses the secure development lifecycle, or security development processes. “This describes how you develop a product, how you develop a solution, making sure that what you’re doing is built in from the ground up. You can’t add cybersecurity on at the end,” Wodzisz said.
Ted Haschke discussed the value of third-party certifications for cybersecurity, which are performed by companies like TÜV Rhineland. “Our third-party accreditation puts robustness behind a certificate that we issue,” Haschke said. Companies like Rockwell Automation are audited annually to ensure they follow the correct processes and testing procedures. TÜV Rhineland provides cybersecurity certifications on products and solutions as well.
The certifications are not easy to attain, Wodzisz said, and customers across the industry are increasingly asking about them. The standards require, and the certifications verify, that companies are using industry best-practice design principles and the correct security and penetration testing methodologies, and that they have identified the threats to their products or solutions and have mitigated those vulnerabilities properly.
The standards provide some guidance, but many companies are still overwhelmed about where and how to start. Haschke identified the biggest weakness in companies’ cybersecurity efforts as performing a proper risk assessment and accurately determining the applicable security level for their products or systems. Rapko echoed that the biggest challenge she sees upfront is getting an accurate asset inventory, so companies understand their risks.
Risk-informed, repeatable and adaptive strategies
To get companies started, Rapko provided a quick but detailed outline of some of the minimum steps needed to flesh out a cybersecurity program, including three strategy levels. Initially, companies should adopt a risk-informed cyber strategy, which provides the bare minimum, including having a base level understanding of a company’s risk and a minimum level of controls. “This is if you have limited capital investment, or limited ways that you can spend initially but just want to get started,” Rapko said.
The next step is a repeatable cyber strategy, which includes a more comprehensive establishment of standards and practices throughout the organization. “Most cybersecurity programs or opportunities are really driven from the top-down across an organization,” Rapko said. Company leaders want consistency across many different plants, rather than individual plant strategies. At this stage, companies need more investment to modernize and update networks and ensure that the assets with the greatest risks are mitigated.
The final stage is adaptive cyber strategy. “This is where you have not only assessed and mitigated your risk, but you have controls in place to manage and monitor cybersecurity hygiene,” Rapko said. This step also includes evaluating your workforce’s ability to handle cybersecurity operations in-house.
Emerging cybersecurity trends
The COVID-19 pandemic has also increased the need for remote access and exposed additional cybersecurity concerns. Not only are companies ramping up remote access capabilities, but many companies are also evaluating solutions to make sure the right people have access to the right infrastructure, Rapko said.
While concerns about the 62443 standard and third-party certifications first began in oil and gas industries, followed by pharmaceuticals, more and more industries are concerned about cybersecurity, Wodzisz said. “We’re starting to see it move into food and beverage,” she said.
Wodzisz also noted the convergence of safety and security. “Safety is critical, and nowadays safety and security are moving closer and closer, functional safety and product safety,” she said. “We’re seeing a convergence of those two because they’re so dependent upon each other.”
With cybersecurity risks only growing for industry, manufacturers need to understand the standards, and in turn, their own risks. With the right tools, practices and partners, companies can manage the overwhelming need for cybersecurity solutions.