As sectors that rely on industrial control systems — such as utilities, power companies and manufacturing facilities — begin to tap into the digital revolution, they are getting a boost in productivity and efficiency. But the benefits come with increased cybersecurity risks, as connecting anything increases the attack surface for hackers.
In fact, according to a recent report by Kaspersky, 65 percent of companies believe that ICS security risks are more likely once they’ve adopted Internet of Things-connected devices, and a whopping 77 percent think their organization is “likely to become the target of a cybersecurity incident involving their industrial control networks.”
So, as increased automation, productivity and predictivity are pushing organizations toward connected ICS, what are the risks and the steps to protect them? To answer these questions and more, BizTech spoke with Nancy Cam-Winget, distinguished engineer of security business at Cisco. She lays out who is connecting ICS, why, and the appropriate security measures that should accompany this digital revolution.
BIZTECH: How are industrial control systems changing?
CAM-WINGET: The traditional design for ICS relied on air gapping and physical security. As ICS embraces the technology advancements in computing, networking and process automation, air gapping and physical security are no longer sufficient to address safety and security.
Especially to address security and safety, organizations need to identify not just the types of devices, but also control how those devices communicate with the other devices. For example, at a manufacturing plant, a controller dedicated to controlling a camera sensor should not be allowed to control a robot outside of the camera sensor’s purview.
Continuing with a manufacturing plant as an example, let’s assume the plant administrator wants the equipment to be running at its best at all times. In order to do so, regular maintenance is critical. Historically, the plant administrator had to either wait until something went wrong to figure out the issue, causing unplanned downtime, or schedule a plant shutdown to perform periodic maintenance checks regardless of its necessity. Today, device manufacturers can help the plant administrator by predicting maintenance needs and identifying parts that need to be tuned, thus creating less disruption and improving the plant’s efficiency and operations experience. To do this, plant administrates can grant access to the device manufacturers in order to get information about the behavior and performance of the devices within the organization’s ICS, in advance of any failure.
This might cut the costs of troubleshooting and maintenance for a manufacturing plant, but it increases risk, in turn.
BIZTECH: Which industries are most likely to consider connecting these controls?
CAM-WINGET: Most, if not all, of the industrial sector is embracing the internet, and many organizations have either already begun to deploy connected ICS systems or are planning to do so.
In particular, the utilities and mining sectors have been some of the early adopters, as their deployments span large physical regions which can sometimes be remote, affording less physical security and requiring more autonomy. Note, however, that with the improved operational efficiencies, other industrial sectors, such as manufacturing and transportation, are also improving their ICS through increased control connectivity.
BIZTECH: What are the security implications of more connected ICS likely to be?
CAM-WINGET: We are already experiencing a growing attack surface. Gartner found in a recent report that about 20 percent of identified attacks affect these industrial controls or operations controls. This is because, as more and more devices connect and as third parties — the ICS device vendors and their applications — gain access to ICS, the number of attack vectors increase.
BIZTECH: What steps can an organization take to ensure they are connecting industrial controls securely?
CAM-WINGET: A few initial steps organizations can take before connecting devices include:
- Understand the supply chain and the security posture of their assets, the third-party devices, as well as the overall ICS.
- Prioritize risk assessment for ICS to ensure configurations and capabilities of devices are in place.
- Provide the right access controls between and among the devices, the applications and potential users.
BIZTECH: What do organizations need to consider when opting to connect ICS to prevent breaches and potential disasters?
CAM-WINGET: From an operational and safety perspective, organizations need to fully understand the risks associated with and the implications of connecting these devices, as well as the third-party vendors and applications that would access the ICS.
From a maintenance perspective, there should be continuous cybersecurity monitoring to ensure that both the safety and the security posture of an organization are addressing prioritized risks and vulnerabilities.