In cybersecurity, foundation comes before flash

Rob Putman, Global Manager, Cybersecurity Services at ABB, explains why basic security controls and a well-implemented reference architecture form the foundations of an effective cybersecurity strategy in energies and process industries.

If you are in charge of cybersecurity for a production facility, ask yourself the following questions:

  1. Do you understand your exposure to cyber-risk?
  2. Have you defined your appetite for that risk?
  3. Have you modelled the financial impact of a cyberattack on your business?

Implementing a strong foundational cybersecurity programme at scale begins with these questions. Producers first need a framework to quantify and understand their appetite for risk before they can define a cybersecurity programme around it across their operation.

An obvious correlation exists around dollars spent on cybersecurity and risk managed out. Chemical companies, for example, often have valuable intellectual property associated with their production process and may want to apply additional security controls beyond the foundational level to better manage risk associated with operational data, process and intellectual property.

There is certainly risk that a producer may be running so lean that any cyberattack may result in production downtime and will have immediate and serious consequences for their operations. Again, having an informed model to quantify your exposure and appetite for risk is critical here.

In a recent attack on a Florida water plant, whereby a particular everyday software was used to infiltrate the plant controls environment, the hacker manipulated the input of treatment chemicals. This was a timely reminder of the importance of strong security controls and reference architecture.

Some companies, however, find that they can deal with a ransomware attack by temporarily switching capacity to another plant, meaning backup and recovery practices are sufficient measures that can be taken to improve resilience and avoid significant downtime.

Connected Operational Technology doesn’t have to mean more cybersecurity exposure

Industrial plants are vulnerable to a range of evolving cyberthreats: everything from non-targeted commodity malware, in which data packets carrying unsolicited network control messages are sprayed at IP addresses or ports, or in which attackers send instructions to smart devices that are inaudible to the human ear, to more sinister, sophisticated, advanced persistent campaigns conducted by nation states.

Take the ransomware attack on a US beverage company which caused significant delays and disruptions to parts of the business handling brewery operations, production and shipments. It is reasonable to speculate that this ‘attack’ could have been mitigated – or at least the impact reduced – with the application of basic security controls and a well-implemented reference architecture.

What are foundational security controls?

Foundational security controls can include antivirus tools, system backup, validated patch updates, configuration hardening and application whitelisting, which producers can integrate with their Operational Technology – the ‘seatbelts and airbag’ – to provide basic cybersecurity at scale.

In the future, these security technologies will likely be government-mandated components or functionalities required during the design of critical infrastructure.

The importance of strong foundational security was recently illustrated by a project involving ABB and a chemical company. The chemical company wanted to automate its cybersecurity compliance reporting and develop simple use cases to monitor the security posture of its control system environment.

Instead of going from no monitoring to a 24/7 fully monitored security operation, ABB tested the system by disabling the audit log function in the Distributed Control System (DCS), which raised an alarm. This allowed the chemical company to demonstrate that it was prepared for one of many potential actions an attacker may take during an attack life cycle.

More fundamentally, an ABB partner explained that it was unable to centrally aggregate and process another vendor’s antivirus events across an array of over 130 control systems. There was no way of centrally monitoring when such events occurred, where in the DCS environment they occurred, or on which specific node and host they occurred.
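The two monitoring use cases above (an alarm when DCS audit logging is disabled, and central aggregation of antivirus events by system, node and host) as an added illustration; this is not ABB or partner code, and the event format, field names and system/node/host identifiers are constructed for the example.

```python
"""Central collection of security events forwarded from many DCS nodes.

Added example, not ABB code. Assumes each control system forwards
pipe-delimited event lines to one collector (format is constructed).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    timestamp: str
    system: str   # control system identifier, e.g. "DCS-07" (constructed)
    node: str     # node within that control system
    host: str     # host name on that node
    source: str   # "audit" (DCS audit trail) or "antivirus"
    action: str   # e.g. "AUDIT_LOG_DISABLED", "MALWARE_DETECTED"


def parse_event(line: str) -> Event:
    """Parse one forwarded line; reject anything that is not six fields."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        raise ValueError(f"malformed event line: {line!r}")
    return Event(*parts)


def audit_log_alarms(events):
    """The article's use case: alarm on every event that turns off DCS
    audit logging, one of the early actions seen in an attack life cycle."""
    return [e for e in events
            if e.source == "audit" and e.action == "AUDIT_LOG_DISABLED"]


def antivirus_summary(events):
    """Count antivirus events per (system, node, host) so the operator sees
    where in the fleet they occurred, not only that they occurred."""
    return Counter((e.system, e.node, e.host)
                   for e in events if e.source == "antivirus")


# Constructed sample feed from three of many control systems.
SAMPLE_FEED = [
    "2021-03-01T08:00:05 | DCS-07 | node-2 | ENG-WS-01 | antivirus | MALWARE_DETECTED",
    "2021-03-01T08:00:09 | DCS-07 | node-2 | ENG-WS-01 | antivirus | MALWARE_DETECTED",
    "2021-03-01T08:01:00 | DCS-12 | node-1 | OPS-WS-03 | audit | AUDIT_LOG_DISABLED",
    "2021-03-01T08:02:14 | DCS-41 | node-3 | HIST-SRV-02 | antivirus | QUARANTINE_FAILED",
]


def run(feed=SAMPLE_FEED):
    """Return (audit alarms, antivirus counts) for a feed of event lines."""
    events = [parse_event(line) for line in feed]
    return audit_log_alarms(events), antivirus_summary(events)
```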

Reference Architecture

Operational Technology providers can help build strong foundational security. Producers looking to implement remote access and cloud connectivity, or to conduct threat modelling, can do so using ABB’s Reference Architecture, a blueprint for industrial control systems based on the IEC 62443 control system security standard.

ABB Reference Architecture covers cybersecurity setup and configuration best practices, including network segmentation, placement and configuration of hosts, and inbound/outbound data flows, to name a few.

ABB Reference Architecture is a forcing function to drive the conversation to threat modelling and risk management. Operators should view this process of properly applying, deploying, managing and configuring remote access as an opportunity to mitigate their exposure to risks and threats and become aware of other potential vulnerabilities such as legacy Windows XP hosts.

Data gathering and the use of Edge devices

In all major global industries, the COVID-19 pandemic has accelerated the digitalisation process, most notably the transition to remote working; with this comes the increasing popularity of remote connectivity.

Fundamentally, remote connectivity relies upon a VPN connection with multiple uses, among them enabling a human being to access the secure work environment, and being a conduit for inbound and outbound data flows – preparing the way for Edge analytics and business process improvements, both on-premise and in the cloud.

With regard to Edge technology, it is very important to ensure that operators have the right architecture and technology solution to secure the communication that must move inbound/outbound from the asset environment. There are also other security and regulatory implications: customer data may be restricted to one locality or region, meaning a cloud vendor may have a business requirement for colocation facilities in any given country.
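A deny-by-default check of inbound/outbound data flows between network zones, as an added example for both the segmentation described under Reference Architecture and the Edge data flows above. This is not ABB’s Reference Architecture itself; the zone names, security levels, conduit list and candidate flows are constructed, following the IEC 62443 idea that zones communicate only through explicitly defined conduits.

```python
"""Zone/conduit review of proposed data flows (added example, not ABB code).

Zones, levels and conduits below are constructed. Rules modelled:
  1. nothing may flow into the safety zone from outside it;
  2. a flow may not skip a zone level (enterprise must go via the DMZ);
  3. everything else is rejected unless a conduit explicitly permits it.
"""
from dataclasses import dataclass

# Constructed zone model; higher number = more critical zone.
ZONE_LEVEL = {"enterprise": 1, "dmz": 2, "control": 3, "safety": 4}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    port: int
    proto: str


# Explicitly permitted conduits (constructed).
CONDUITS = {
    Flow("enterprise", "dmz", 443, "tcp"),   # VPN/remote-access landing in DMZ
    Flow("dmz", "control", 443, "tcp"),      # jump host into the control zone
    Flow("control", "dmz", 8883, "tcp"),     # outbound Edge telemetry to DMZ broker
    Flow("dmz", "enterprise", 8883, "tcp"),  # relayed on towards cloud analytics
}


def check_flow(flow: Flow, conduits=CONDUITS) -> tuple[bool, str]:
    """Return (permitted, reason) for one proposed flow."""
    if flow.src_zone not in ZONE_LEVEL or flow.dst_zone not in ZONE_LEVEL:
        return False, "unknown zone"
    if flow.dst_zone == "safety" and flow.src_zone != "safety":
        return False, "no inbound flows into the safety zone"
    if abs(ZONE_LEVEL[flow.src_zone] - ZONE_LEVEL[flow.dst_zone]) > 1:
        return False, "flow skips a zone level; must traverse the DMZ"
    if flow in conduits:
        return True, "permitted by defined conduit"
    return False, "no conduit defined (deny by default)"


def review_flows(flows, conduits=CONDUITS):
    """Review a list of proposed flows; returns {flow: (permitted, reason)}."""
    return {f: check_flow(f, conduits) for f in flows}
```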

The stakes are high

The Pareto principle states that around 80% of consequences come from 20% of the causes. In the context of cybersecurity, that means 80% of risk exposure comes from 20% of the attack surface.

If CISOs do the foundational things right and identify and manage basic risk at scale, they will significantly mitigate exposure to cyberattack. Then, they should continue to assess and enhance their security programme. Security is a process of continuous improvement, learning, adaptation and remaining agile in the face of an evolving risk landscape.

Cybersecurity does not have to involve a massive budget in order to ward off many of the risks facing manufacturers today. Know your threat landscape, understand the impact to your business from a cyber incident and structure your security budget accordingly.