Here are a few stories that turned our heads in Operational Technology (OT)/ Industrial Control Systems (ICS) security over the past few days:
Siemens, and the eight founding Charter of Trust members, today welcomed The AES Corporation, Atos and Enel to its global cybersecurity initiative at the 2018 CERAWeek® conference in Houston, TX. With America’s energy hub as its backdrop, cybersecurity is a leading topic of conversation at the conference, as energy is the most attacked segment within U.S. critical infrastructure.
The Charter of Trust represents an unprecedented cybersecurity initiative that establishes three primary goals: to protect the data of individuals and businesses; to prevent harm to people, businesses, and infrastructure; and to establish a reliable basis where confidence in a networked, digital world can take root and grow.
The Charter outlines ten principles to ensure companies and governments are taking action to address cybersecurity at the highest levels through a dedicated cybersecurity ministry in government and a chief information security officer at companies. It calls for mandatory, independent certification for critical infrastructure where lives are at risk, including in the oil and gas, and power generation and distribution industries, and digital applications across all aspects of IoT. It also affirms that as technologies become increasingly digital and connected, security and data privacy functions should be preconfigured and that cybersecurity regulations should be incorporated into free trade treaties. The Charter’s signatories are also looking for greater efforts to encourage cybersecurity in vocational training and in international initiatives.
Our Take: We applaud Siemens for driving recognition, and hopefully a fulfilled promise of action, toward the growing cybersecurity threat to critical infrastructure. There has been plenty of discussion and debate on these risks for 20 years, but far too little done to proactively address them, in our opinion. Government mandate, when it does arrive, won’t solve the problem. Regulations are reactive, and represent a minimum requirement, not a best practice. The best chance to make up for “the lost decade” comes from the industry itself “leaning forward” to adopt controls proactively. The efforts of leaders like Siemens to build an industry coalition focused on action are clearly a step in the right direction.
Automation World: Don't Overlook Mobile Device Security
But while the focus on ICS cybersecurity has centered on in-plant devices and systems, the mobile devices used to connect to these devices via the IIoT have not received nearly as much attention. Though it could be argued that securing your plant and the devices in it will address any issues created by mobile device connections, considering the constantly moving target that is effective cybersecurity, it’s clear that any thorough IIoT cybersecurity action plan should also address the mobile devices used to connect to your ICSs.
According to a recent study by Verizon, it appears that many companies don't yet have their enterprise, ICS and mobile device cybersecurity plans in sync. The study shows that almost a third (32 percent) admitted to having sacrificed mobile security to improve expediency and/or business performance, and more than a quarter (27 percent) said that, during the past year, their company had experienced a security incident resulting in data loss or system downtime where mobile devices played a key role. Forty percent of those who reported having an incident said that it had been major with “lasting repercussions.”
Some of the principal reasons noted in the study for the high incidence of mobile security breaches include the facts that: only 39 percent of companies change all default passwords on their mobile devices; only 38 percent use strong/two-factor authentication on their mobile devices; less than half (49 percent) have a policy regarding the use of public Wi-Fi, and even fewer (47 percent) encrypt the transmission of sensitive data across open, public networks; and only 59 percent restrict which apps employees download from the Internet to their mobile devices.
Our Take: Mobile is often one of the last threat vectors to be addressed and one of the hardest to solve. Traditional IT security practitioners have been at it for more than a decade, and only 20% of them are very confident or confident that their mobile security controls are protecting against mobile cyberthreats and attacks, according to a recent SANS survey. The same is almost certainly true for ICS security teams, but the larger problem for them may not be smartphones and tablets, but rather the growing array of connected sensors on ICS networks. Operations teams will have to consult with their security counterparts to ensure that adequate security controls have been designed into the sensors they deploy. Based on what we are seeing, this conversation is not happening frequently enough.