How to Start a Security Program

Monday, April 23, 2018 @ 01:04 PM gHale

By Gregory Hale
Tick, tick, tick, tick, tick; there is no way to stop a second hand, which shifts to minutes and then hours and then days. Like waves crashing on the shore, time keeps moving no matter what.

Manufacturers today are on that same clock when it comes to security. With attacks becoming more sophisticated and manufacturing enterprises becoming more connected, the longer a company waits and watches instead of securing its systems, the bigger and deeper the eventual fix becomes.

Now is the time, they say, to get moving and stand up a security plan and solution. But where should they start?

“Awareness level is at an all-time high,” said Peter Clissold, Senior Cybersecurity Consultant at Schneider Electric. “You need to break the awareness down to two different pieces. You have the organizational awareness of the management of the organization and the technical awareness which is your engineering and maintenance groups. The latter has always had an awareness of cybersecurity being a concern. Their function is to keep systems and plants running. Where the awareness has really ramped up is with middle and upper management of organizations; they now see it as an operational and business risk because of notable incidents that have occurred.”


It only makes sense after the news stories, reports, studies and white papers released talking about attacks becoming more prevalent. A case in point is a Symantec report saying a group labeled Dragonfly 2.0 has been targeting energy companies since 2015. In more than 20 cases, the report said, attackers gained access to the target companies’ networks. At U.S. power companies and at least one firm in Turkey, Symantec’s forensic analysis found the hackers had obtained what it calls operational access: control of the interfaces power company engineers use to send actual commands to equipment such as circuit breakers, which would give them the ability to stop the flow of electricity into U.S. homes and businesses.

With awareness at record levels, the task is to convert manufacturers’ knowledge into actionable security solutions.

Risk Assessment
“For a manager, I would start off by trying to determine where my risk is,” said Adam Gauci, Cybersecurity Program Manager, Energy Division, at Schneider Electric. “I would do a risk assessment. Once I figure out where my risks are I would look at how I can mitigate those risks and what are the different priorities that come from my risks. For that next step, I could go into making a business case. I would look at what types of investments I would have to do to improve my security level. I would have to be able to present that to my board. On top of that I would need someone that is at the board level who is representing cybersecurity, having a person responsible for cybersecurity at the senior level.

KEY POINTS TO BEGIN CYBERSECURITY PROCESS
• Executive leadership buy-in
• Risk assessment
• Create a cybersecurity culture
• Establish policies and procedures
• Continuous situational awareness
• Educate about the situation
• Constantly train workers
• Keep systems up to date
• Create a patch management system
• Endpoint protection
• Segregation and isolation
• Disaster recovery plan to ensure business continuity

“From a technical standpoint, I would try to make sure the people who are working in my environment know how to behave securely. That means they are trained with security awareness in mind. They are trained in knowing how to follow processes that include cybersecurity. If there is an engineer working in a substation he knows all the controls that will be there and knows how to react. If I have an operator sitting in a control center and somebody calls him to tell him to do something, he knows he should not be tricked or phished into doing something. They should also understand the technical standards that need to be in place in an OT system like IEC 62443,” Gauci said.

Job One
From an operational standpoint that works, but the word must also come from the top that security, like safety, is a top priority.

“First and foremost, all great leaders at the top play a role in cybersecurity. Executive sponsorship is the cornerstone to help drive a cybersecurity culture,” said Joshua Carlson, Subject Matter Expert and Cybersecurity Technical Sales Leader, Americas, for Schneider Electric. “You have to have a group of people that say, ‘I am in charge, this is the baseline and this is the measurement by which we will gauge whether we are successful or not,’ and a supporting cast that helps to drive that in every aspect of the business, whether you are talking about supply chain people, delivery people, marketing people, sales people, engineers or operators. It is driving the idea of a cybersecurity culture and getting everyone on the same page to realize ‘what is my role’ and ‘what is my part in the big scheme of helping the company be successful.’ Getting people to realize the world is a different place and you do play a role, that is why we have policies and procedures.”

While the first rule in cybersecurity is awareness, immediately after that it becomes “educate, educate and educate,” said Jay Abdallah, Global Director, Cybersecurity Solutions for Schneider Electric.


“First things first, understand the landscape. Educate yourself on the landscape and how a threat vector could possibly impact you,” Abdallah said. “The Ukrainian power grid or the German steel mill. In the Ukraine, you have two attacks with the same exact attack vector one year apart that had the same amount of damage in 2015 and 2016. Why is that? That means we are not learning from our lessons.”

Another step toward a secure environment is keeping systems up to date.

WannaCry, Abdallah said, was a solid case in point: the vulnerability exposed by the NSA leak was easily avoidable if users had patched their systems. Microsoft released a patch, and two months later WannaCry hit, exploiting the vulnerability that patch had already closed.
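The gap Abdallah describes, between a vendor releasing a fix and a site installing it, is measurable, and a patch management program should measure it. The following is an added example, not code from the article or from Schneider Electric: it takes a constructed patch inventory export and a constructed list of required updates with their release dates, and reports, for a chosen assessment day, which hosts were still exposed and for how long, plus which installed patches missed a (hypothetical) 30-day SLA. The update identifiers, host names and inventory rows are invented; the assessment date is the WannaCry outbreak day (2017-05-12) and the first release date is that of Microsoft's fix, MS17-010 (2017-03-14).

```python
"""Patch-latency check: which hosts were still exposed to a vendor-patched
vulnerability on a given day, and for how long.

Added example; not from the article or from Schneider Electric.  The update
identifiers, release dates, host names and inventory lines are constructed.
The assessment date is the WannaCry outbreak day and the first release date is
that of Microsoft's fix (MS17-010, 2017-03-14); everything else is invented.
"""
import csv
import io
from datetime import date

# Constructed: update id -> date the vendor released it.
REQUIRED = {
    "KB1000001": date(2017, 3, 14),
    "KB1000002": date(2017, 4, 11),
}

# Constructed inventory, one row per installed update, in the shape a patch
# tool or a `wmic qfe` style export would give it.
INVENTORY = """\
host,hotfix,installed_on
eng-ws-01,KB1000001,2017-04-20
eng-ws-01,KB1000002,2017-04-15
hmi-02,KB1000001,2017-05-20
hmi-02,KB0999999,2017-02-01
hist-01,KB1000002,2017-04-12
"""

AS_OF = date(2017, 5, 12)   # the day to assess exposure on
SLA_DAYS = 30               # hypothetical policy: patch within 30 days of release


def assess(inventory_csv, required, as_of, sla_days):
    """Return {host: [(update, status, days)]} for every host in the inventory.

    status is "ok" (installed within the SLA), "late" (installed, but after
    the SLA) or "missing" (not installed as of `as_of`; an install dated after
    `as_of` counts as missing because on that day the host was still exposed).
    `days` is patch latency for installed updates and days of exposure so far
    for missing ones.
    """
    installed = {}   # (host, update) -> install date
    hosts = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        hosts.add(row["host"])
        installed[(row["host"], row["hotfix"])] = date.fromisoformat(row["installed_on"])

    report = {}
    for host in sorted(hosts):
        entries = []
        for update, released in required.items():
            when = installed.get((host, update))
            if when is None or when > as_of:
                entries.append((update, "missing", (as_of - released).days))
            else:
                latency = (when - released).days
                entries.append((update, "ok" if latency <= sla_days else "late", latency))
        report[host] = entries
    return report


def exposed_hosts(report):
    """Hosts with at least one required update still missing."""
    return sorted(h for h, entries in report.items()
                  if any(status == "missing" for _, status, _ in entries))


if __name__ == "__main__":
    rep = assess(INVENTORY, REQUIRED, AS_OF, SLA_DAYS)
    for host, entries in rep.items():
        for update, status, days in entries:
            print(f"{host:10} {update} {status:8} {days:3d} days")
    print("exposed on", AS_OF, ":", exposed_hosts(rep))
```

Note that an install recorded after the assessment date is deliberately treated as missing: the question the check answers is "was this host exposed on that day", not "has it been patched since". Hosts that never appear in the inventory at all are not reported, so the inventory export itself needs to be complete for the result to mean anything.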

Zone Defense
One more way to boost security is segregation and isolation, using the zones and conduits model from IEC 62443.

“You need to make sure network segments are separated or isolated from one another,” Abdallah said. “For example, if you got a safety system isolated from a distributed control system and the traffic between them is monitored to the point where it is restricted, allowed from Zone A to Zone B only in this capacity, that reduces the risk significantly. At the end of the day, it all comes down to risk reduction. That is what network segmentation and isolation is all about. It is all about reducing risk.”
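The restriction Abdallah describes, traffic allowed from Zone A to Zone B only in a defined capacity, can be written down as a policy and checked against what is actually observed on the network. Below is an added example, not code from the article or from Schneider Electric: it models zones as address ranges and conduits as the only permitted, directional connection initiations between zones, then audits a set of flow records against that policy. The zone names, subnets, conduits, ports and sample flow records are all constructed for illustration.

```python
"""Zone-and-conduit policy check in the spirit of IEC 62443 segmentation.

Added example; it is not code from the article or from Schneider Electric.
The zone names, subnets, allowed conduits and the sample flow records are
all constructed for illustration.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical zones: a safety instrumented system (SIS), the distributed
# control system (DCS) and a plant DMZ holding the historian.
ZONES = {
    "SIS": ipaddress.ip_network("10.10.1.0/24"),
    "DCS": ipaddress.ip_network("10.10.2.0/24"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    """One permitted direction of connection initiation between two zones."""
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Hypothetical conduits.  Conduits are directional: the DCS may open Modbus/TCP
# (502) toward the SIS, and the DCS may push OPC UA (4840) to the DMZ historian.
# Nothing else crosses a zone boundary; in particular the SIS never initiates
# connections outward and the DMZ never reaches into the SIS.
CONDUITS = {
    Conduit("DCS", "SIS", "tcp", 502),
    Conduit("DCS", "DMZ", "tcp", 4840),
}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate_flow(src_ip: str, dst_ip: str, proto: str, dst_port) -> str:
    """Classify one connection attempt against the zone/conduit policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "unknown-zone"   # an address outside every zone is itself a finding
    if src == dst:
        return "intra-zone"     # inside a zone the conduit model is silent
    if Conduit(src, dst, proto.lower(), int(dst_port)) in CONDUITS:
        return "allowed"
    return "denied"


# Constructed flow records, as a firewall or flow collector might export them.
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,dst_port
10.10.2.15,10.10.1.20,tcp,502
10.10.1.20,10.10.2.15,tcp,502
10.20.0.5,10.10.1.20,tcp,502
10.10.2.15,10.20.0.9,tcp,4840
10.10.2.15,10.10.2.30,tcp,44818
192.168.99.1,10.10.1.20,tcp,502
"""


def audit(flow_csv: str) -> list:
    """Return (src, dst, proto, port, verdict) for every flow the policy rejects."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        verdict = evaluate_flow(row["src_ip"], row["dst_ip"], row["proto"], row["dst_port"])
        if verdict in ("denied", "unknown-zone"):
            findings.append((row["src_ip"], row["dst_ip"], row["proto"],
                             int(row["dst_port"]), verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Two design points worth noting. The policy is about who may initiate a connection, so the SIS-to-DCS flow on port 502 is denied even though DCS-to-SIS on the same port is allowed; reply packets of an allowed session are the stateful firewall's job, not the policy's. And an address that belongs to no zone is reported rather than ignored, because an unzoned device talking to the safety system is exactly the kind of thing a segmentation review should surface.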

If the attacker does get through and creates a system upset, Abdallah said a company needs a form of disaster recovery to ensure business continuity.

“It is not enough to say I am going to build up my defenses to make sure nothing ever happens. This is all about risk reduction. If we can build up our policies, build up our education, build up our framework, build up the awareness, we have done a pretty good job. Step two is to build up technical solutions, we have segmentation and isolation, we have got an element of patch management and an element of endpoint protection. But what have we done just in case something happens and we are caught off guard? Are we able to continue our business because this is where the real money kicks in.”

Take the example of French multinational Saint-Gobain, which was hit by the Petya malware, which encrypted files and demanded a ransom. Two weeks after the attack the company sent out a message saying it did not suffer a big impact; the impact was about one percent of revenues, Abdallah said.

Saint-Gobain, which does €40 billion a year in revenues, said the impact of the attack on first half sales should be limited to around 1 percent.

“The company did €40 billion a year. You do the math. Was that worth the investment in a solid backup system? A backup system that has been tested and proven to work that can get you back up and running. This is what we call mean time between failure and mean time to repair. These are statistics and metrics we can take into consideration when designing a backup solution, when understanding how much time it is going to take to get back up and running.”
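The metrics Abdallah names, mean time between failure (MTBF) and mean time to repair (MTTR), come straight out of an outage log, and the "tested and proven to work" part of a backup is a separate check against a recovery time objective. The following is an added example, not code from the article or from Schneider Electric: it computes MTBF, MTTR and availability from a constructed outage log, turns them into expected downtime per year, and lists the systems whose restore drills either took longer than a hypothetical RTO or were never verified. The outage records, drill results, RTO and observation window are all invented.

```python
"""Recovery metrics for a backup design: MTBF, MTTR and availability from an
outage log, expected annual downtime, and a restore-drill check against a
recovery time objective (RTO).

Added example; not from the article or from Schneider Electric.  The outage
records, drill results, RTO and observation window are constructed.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed outage log for one system: (failure detected, service restored).
OUTAGES = [
    ("2018-01-04 08:00", "2018-01-04 14:00"),
    ("2018-02-10 22:00", "2018-02-11 02:00"),
    ("2018-03-15 09:30", "2018-03-15 11:30"),
]
OBSERVATION_START = "2018-01-01 00:00"
OBSERVATION_END = "2018-04-01 00:00"      # a 90-day window

# Constructed restore-drill results: how long a full restore from backup took
# and whether the restored system was verified to actually work afterwards.
DRILLS = [
    {"system": "historian",       "restore_hours": 3.0, "verified": True},
    {"system": "eng-workstation", "restore_hours": 9.5, "verified": True},
    {"system": "hmi-server",      "restore_hours": 2.0, "verified": False},
]
RTO_HOURS = 8.0   # hypothetical objective agreed with the business


def reliability_metrics(outages, start, end):
    """Return (mtbf_hours, mttr_hours, availability) over [start, end)."""
    t0, t1 = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    downtime = sum(
        (datetime.strptime(e, FMT) - datetime.strptime(s, FMT) for s, e in outages),
        timedelta(),
    )
    total = t1 - t0
    uptime = total - downtime
    n = len(outages)
    if n == 0:
        return float("inf"), 0.0, 1.0    # no failures observed in the window
    mtbf = uptime / n                    # average run time between failures
    mttr = downtime / n                  # average time to get service back
    return mtbf.total_seconds() / 3600, mttr.total_seconds() / 3600, uptime / total


def expected_annual_downtime_hours(mtbf_hours, mttr_hours):
    """Failures per year (one per MTBF+MTTR cycle) times repair time per failure."""
    return 8760.0 / (mtbf_hours + mttr_hours) * mttr_hours


def drills_failing_rto(drills, rto_hours):
    """Systems whose tested restore is slower than the RTO or was never verified.

    An unverified restore does not count as meeting the objective: a backup
    that has not been proven to come back working is not yet a recovery plan.
    """
    return [d["system"] for d in drills
            if d["restore_hours"] > rto_hours or not d["verified"]]


if __name__ == "__main__":
    mtbf, mttr, avail = reliability_metrics(OUTAGES, OBSERVATION_START, OBSERVATION_END)
    print(f"MTBF {mtbf:.1f} h, MTTR {mttr:.1f} h, availability {avail:.4%}")
    print(f"expected downtime/year {expected_annual_downtime_hours(mtbf, mttr):.1f} h")
    print("drills failing RTO:", drills_failing_rto(DRILLS, RTO_HOURS))
```

The useful output is the last two lines: expected hours of downtime per year is what gets multiplied by an hourly cost of lost production to size the backup investment, and the list of systems failing the RTO is what the drill program has to fix before the plan can be called tested.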

The clock is ticking.

Gregory Hale is the Editor/Founder of Industrial Safety and Security Source (ISSSource.com).
