On May 7, 2021, Colonial Pipeline’s 5,500-mile east coast pipeline halted its mainline production when administrators detected advanced ransomware. This attack – the most disruptive cyberattack to U.S. critical infrastructure to date – should serve as a wake-up call for organizations in critical infrastructure and advanced manufacturing. For those that haven’t implemented a standards-based approach to cybersecurity risk assessment and mitigation, now is the time.
While many organizations follow best practices and a standards-based approach to securing the information technology (IT) systems within their organizations, an industrial system’s operational technology (OT) can often be overlooked, ultimately opening the door to vulnerabilities and potential attacks on infrastructure, product safety and more.
Fortunately, industry-leading industrial organizations have been working together to address this challenge. Through the formation of the ISA Global Cybersecurity Alliance under the International Society of Automation (ISA), 50 companies and organizations have come together to accelerate the expansion and use of the ISA/IEC 62443 industry standards. The series of standards was created to provide organizations with technical specifications and procedures that can be mutually understood and provide guidance on how businesses can best protect their organizations at the industrial layer.
Five trends, in particular, are complicating industrial automation cybersecurity and driving the increased need for a standards-based approach.
1 - Industrial Internet of Things
Internet of Things (IoT) and Industrial Internet of Things (IIoT) advancements are at the heart of the connected enterprise and the future of manufacturing. However, more connections lead to more security concerns, a broader threat landscape and different risk profiles. These devices are designed to connect the cyber and physical worlds, meaning security breaches won’t be contained in cyberspace but can spill over into physical damage or malfunctions.
As a real-world example, a recent attack on a water plant in the U.S. almost resulted in tampering with the level of chemicals in the water supply or the shutdown of this critical infrastructure. Cases like this indicate just how much is at stake for asset owners, device manufacturers and communities at large when it comes to developing clear security standards and implementing them internationally through standards-setting organizations.
2 - OT/IT Convergence
Server performance and cloud computing power drive today’s productivity, but threat actors can now leverage IT-based techniques to target OT networks – and historically effective IT defenses don’t always work in operational environments. Regulatory efforts tend to focus primarily on IT/IoT devices and neglect to consider challenges posed by the IIoT ecosystem. This challenge is further complicated by the fact that IIoT devices operate in industrial settings, where an exploited technical vulnerability can have safety consequences as well as security consequences.
3 - Legacy Systems
Difficult to update and maintain, legacy systems typically prioritize availability and integrity over security and make supply chain integrity impossible because manufacturers no longer build spare parts. The differences between IoT and IIoT devices are plainly obvious with legacy systems, further complicating cybersecurity. The unique characteristics of IIoT technologies present significant technical and economic challenges to securing the IIoT ecosystem. For instance, IIoT devices have limited computational capabilities and are not designed to support effective security measures, like advanced encryption. Another technical challenge is managing end-point security and traffic analysis for a rapidly growing number of devices.
4 - Multi-Vendor Environments
Without widespread compliance with industry-adopted standards, integration with multiple vendors introduces risks and challenges to the security of many products. Beyond these technical challenges, there is also a set of economic challenges to securing an IIoT ecosystem. The IIoT supply chain is complex, making it difficult to secure. It’s also difficult to assign liability to various stakeholders for vulnerabilities introduced at different supply chain stages. Each vendor follows its own design principles, and many vendors are not aligned with security principles outlined by the ISA/IEC 62443 series of standards.
5 - Skill Gaps
The aging population of engineers and technical specialists – especially in North America – has increased industries’ reliance on contract workers, making consistent practices increasingly difficult to maintain without standardized competency assessments. This is more challenging because there are not enough workers with cybersecurity skills and IIoT experience to meet the demand for managing IIoT systems. In addition to the growing importance of standards-based practices for systems and facilities, our current environment is also illuminating the need for further training and workforce development.
To learn more about a standards-based approach and how to get started, download the free ISA/IEC 62443 Quick Start Guide at www.isa.org/cyberguide.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.