Cybersecurity in Chemical Control Systems: Key Takeaways
- Cybersecurity as Daily Practice: Cybersecurity should be integrated into daily operations, like safety protocols, with defense-in-depth strategies to mitigate attacks.
- Human Error and Training: With 82% of data breaches caused by human error, proper training, awareness, and collaboration between IT and OT teams are essential for securing systems.
- Standards and Assessments: Following guidelines like ISA/IEC 62443, conducting vulnerability assessments, and considering security during system design are crucial for a robust cybersecurity framework.
Chemical Processing recently hosted a webinar that focused on the critical role of cybersecurity in chemical control systems. Cybersecurity has become essential due to increasing digitalization, globalization and regulatory requirements.
Speakers Marco Ayala, president for the Houston Members Alliance InfraGard, and Jeff Foley, cybersecurity consultant at Siemens, stressed that cybersecurity should be integrated into daily operations, much like safety practices. They introduced the concept of a cybersecurity maturity model to help organizations gradually enhance their security and emphasized the importance of defense-in-depth strategies for mitigating potential attacks. A striking statistic mentioned is that human error accounts for 82% of data breaches, underscoring the necessity of training and awareness programs.
Assessments and collaboration between IT and OT teams are vital for understanding network assets and vulnerabilities and prioritizing security measures. Standards like ISA/IEC 62443 provide guidance for implementing cybersecurity in industrial control systems, and the speakers noted that manufacturers are increasingly required to comply with these standards for their products.
This presentation also pointed out that it's important to obtain third-party reviews and penetration testing to identify vulnerabilities. It’s also smart to consider cybersecurity during the design phase of new systems and upgrades.
The audience for this webinar submitted several questions and Ayala and Foley addressed as many of them as they could at the end of the presentation. They also addressed the questions we didn’t have time for (you can view the webinar here). Here is the entire Q&A.
Q1: What about asset registry and vulnerability assessments? It seems that in many cases the asset owners do not even know what or how many of their assets need to be cybersecure. It would be prudent to create first a registry/map of assets and components that have a cyber/network element/capability. Then assess the criticality of these assets/components to operations and then do a vulnerability assessment to identify the locations/components to reinforce or even replace.
This is correct. This is why we advocate following standards such as IEC 62443, because asset inventory is a key part of the series of standards, which provide guidance on how to secure Industrial Control Systems (ICS). Any cybersecurity journey, for both Greenfield and Brownfield networks, begins with having an understanding of what is on the network, and what potential impact that could have on the solution and other assets on the network. Manufacturers provide a criticality rating for any vulnerability, but it is important to know what that means for your specific network and implementation of that asset on your network. Both Siemens and InfraGard can help with the assessments and tools necessary to help provide this asset inventory.
Q2: Is it accurate to deduce that the poll results are a point of concern? It would seem that amongst the participants, there aren't individuals with a dedicated responsibility towards cybersecurity planning and strategy? And can you share your experience/advice for mitigating such situations in organizations?
Yes and no. The poll results are a little bit concerning, but they are also typical when taken in a mixed environment of the attendees. It helps to bring awareness to everyone when the results are visible. When those polls are given, we also take into account that only a percentage of the attendants participate in the poll. Additionally, depending upon who you ask within an organization about cybersecurity, you will get various answers. It was mentioned on the call that cybersecurity must encompass an entire organization, and especially requires guidance and embracement from executive management.
Q3: Could you mention a few mandatory ICS Cybersecurity regulations similar to NERC-CIP? Maritime? NIS-2? And how aligned are they with ISA/IEC 62443?
When approaching Cybersecurity, it is important to understand that there are things that must be done (mandates/regulations) and then how to do them, such as Frameworks and Standards. In the U.S. there are several mandatory regulations for the different Critical Infrastructure sectors. Things such as NERC CIP for the Bulk Electric Systems (Utilities), and TSA Directives for both passenger and freight rail. Implementing these requirements can be done with Risk-based Standards and Frameworks such as IEC 62443 and National Institute of Standards (NIST) Cybersecurity Framework. Risk-based frameworks are designed specifically for Operational Technology (OT) networks for industries such as manufacturing and chemical.
Q4: We talked about culture and day-to-day actions, but am I correct in thinking that a lot of a site's security is established during the design of the networks and connections?
The design of a site’s network and connections is extremely important for cybersecurity to encompass Security by Design and Security by Deployment. This helps to prevent and mitigate the potential for issues during the operational phase of the site’s day-to-day activities. This should also include the People and Processes aspect of a Cybersecurity program. As discussed in the first poll, if 82% of data breaches involve human error, the education and embracement of good Cybersecurity practices in an organization's day-to-day actions is also important. Listen to how Marco Ayala suggests addressing the topic of human error and risk in his presentation titled “Normalization of Deviance.”
Q5: Based on Marco’s definition, what is the difference between architecture assessment vs. risk assessment? And which comes first? Should we start with architecture assessment and then do a detailed risk assessment looking at the different threats, vulnerabilities, etc.?
Risk assessment. If you follow ISA/IEC 62443-3-2 or the CCE process, the architecture assessment is part of those approaches and is best done once things are underway. However, your company owns the risk, so that decision is yours. That said, we highly encourage starting with a risk assessment to guide the process.
Q6: Why still until today, do we not see any ICS System that is certified as security level 2?
Vendors face difficulties in developing SL 2-compliant products but are working diligently to meet and exceed these targets by making their systems capable and, more importantly, enabling them to achieve the security level. This takes time, and this is also why ISA/IEC 62443-4-1 and 4-2 exist: firstly, to review and verify that a vendor is following a solid software and security development lifecycle, and secondly, that the components they make or will make will meet the security intent of the targets. Many asset owners realize this and have taken steps to assign security level targets within their risk assessment and are allowed the use of security level vectors.
Q7: What cybersecurity risk assessment methods do you think are more applicable or usable for industrial assets?
When looking at a Cybersecurity risk assessment, it is important to look for ones that are designed for the environment that is being assessed. For Industrial Control System (ICS) networks, it is important to go with one designed for that, and not an Informational Technology (IT) network. IEC 62443 is designed for Operational Technology and takes a comprehensive approach for Plant Security, Network Security and System Integrity.
Traci Purdum | Editor-in-Chief
Traci Purdum, an award-winning business journalist with extensive experience covering manufacturing and management issues, is a graduate of the Kent State University School of Journalism and Mass Communication, Kent, Ohio, and an alumnus of the Wharton Seminar for Business Journalists, Wharton School of Business, University of Pennsylvania, Philadelphia.