By Dee Kimata And Jim Lemanowicz
As digitalization continues to grow in the water and wastewater industry, cybersecurity becomes an increasingly important responsibility.
The development of industrial control systems (ICS) over the past two decades has changed the face of many industries. Operational technology (OT) — largely industrial equipment — has become increasingly connected, and the integration of information technology (IT) components allows such devices to leverage software that drives data collection and analysis, resulting in enhanced performance and ultimately “smarter” machines.
With these benefits came vulnerabilities, including the possibility of malicious actors gaining access to critical assets through networks. The growing recognition of cybersecurity threats to critical infrastructure (e.g., energy, water, transportation) has brought the topic into the spotlight. Further, regulatory requirements on these industries have increased. Standards and policies have been created in an attempt to address the rapid technological changes; however, it is still challenging for companies to implement needed processes and keep personnel up to date and aligned, given the pace of change.
Meanwhile, cyberthreats continue to increase. According to IBM, the number of attacks aimed at ICS increased by 110 percent in 2016 compared to 2015 [1]. To add to this, leveraging third-party vendors and new cloud-based services results in additional areas of risk previously nonexistent in ICS.
Designing products secure from cyberattack became a topic of concern only about a decade ago, and the prevailing sense at that time was that isolation (“air gap”) and limited availability of technical knowledge (“security by obscurity”) protected ICS products. This false belief was quickly dismissed as wishful thinking after Stuxnet, and vendors began to respond to customers’ demands for more secure products. However, with often heterogeneous equipment and lifecycles counted in decades, it will take time for secure components to become the norm.
Meeting Cybersecurity Challenges
In an effort to address cybersecurity risks, the number of regulations and standards that have been created by governments, industry groups, and private organizations has grown considerably over the past 10 years. Organizations must go through the effort of understanding the regulations, determine which requirements are applicable, and then continuously monitor updates and changes to regulation to confirm compliance with the latest versions. Additionally, there is a very real threat that even when an organization attempts to faithfully comply, a lapse in proper execution can expose them to potential fines.
Meeting regulatory requirements — and the endless focus on compliance, plus the reporting and documentation that this entails — can be both daunting and taxing. Nevertheless, it is necessary because, in many cases, compliance is a precursor to doing business with customers. It’s considered a way to show that the minimum cybersecurity requirements have been met.
In reality, compliance is a byproduct of security. Organizations need to look at security from a holistic standpoint, not a check-the-box or bare-minimum compliance standpoint.
Recommendations for how to approach security more comprehensively follow in the sections below.
The three foundations of cybersecurity are people, process, and technology. While many organizations’ policies focus on the latter two factors, it should be noted that people are just as critical to maintaining a robust security posture.
The tremendous changes in technology are now resulting in increased demand for new skills and skill combinations; the current demand for cyber-professionals is not being met. Cost pressures and workforce reductions only compound this situation and can result in documentation slipping through the cracks and, ultimately, in a lack of compliance with regulatory requirements, as mentioned above.
Recommendations: Many companies address this shortfall by building collaborative teams drawn from both IT and OT staff within the organization. Other organizations turn to third-party providers to deliver IT/OT expertise that is shared among multiple customers through managed services. Automation of routine security maintenance tasks and reporting can significantly reduce this burden as well.
A positive effect is that retraining programs and a greater interest in cybersecurity from a professional education perspective are becoming increasingly common.
Some of the major cybersecurity training programs and certifications are:
It is not always a given that organizations have a full inventory of or visibility into all the components across their operational enterprise, in their ICS, or those of third-party service providers. This can have a negative effect in the case of a vulnerability as an organization tries to understand the impact and react accordingly. Where a cyber-asset management system is not already in place, manual effort is required, resulting in increased costs and lengthy reaction times.
Recommendations: When installing new equipment or systems, organizations should also install programs that report their asset inventory (e.g., number of servers, human-machine interfaces [HMIs], etc.) in real time. Such a system also allows users to look up multiple versions of products to determine their susceptibility to vulnerabilities.
The greatest challenge during incident response is the triage process. Asset inventory solutions take the triage process from being a manual effort to being automated, thereby shortening reaction times and reducing costs.
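The following is an added example written for this article, not a product or tool from the authors or from ABB. It sketches the kind of cyber-asset management system the two paragraphs above describe: devices report themselves into an inventory, advisories carry an affected version range, and an automated triage step orders the affected assets by advisory severity weighted with the operator's own criticality rating. Every asset, product name, version, advisory identifier and severity below is constructed for the example (the advisory ids are placeholders, not real CVE numbers), and the priority formula is an assumption made here for illustration.

```python
"""Added example: a minimal cyber-asset inventory with version-based
vulnerability lookup and automated triage ordering. Illustrative code
for this article only; all assets, products, versions and advisories
are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.10.2' into (3, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str          # e.g. "HMI", "server", "PLC"
    product: str
    version: str
    site: str
    criticality: int   # 1 (low) .. 5 (process-critical), assigned by the operator


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory record: product, affected version range, first fixed version."""
    advisory_id: str       # placeholder id, not a real CVE
    product: str
    affected_from: str     # inclusive lower bound
    affected_below: str    # exclusive upper bound (first fixed version)
    severity: int          # 1..10


@dataclass
class Inventory:
    """In a real deployment this would be fed by agents or network discovery in real time."""
    assets: Dict[str, Asset] = field(default_factory=dict)

    def report(self, asset: Asset) -> None:
        """Idempotent: a device that reports again overwrites its previous record."""
        self.assets[asset.asset_id] = asset

    def counts_by_kind(self) -> Dict[str, int]:
        """The 'number of servers, HMIs, etc.' view of the inventory."""
        counts: Dict[str, int] = {}
        for a in self.assets.values():
            counts[a.kind] = counts.get(a.kind, 0) + 1
        return counts

    def affected_by(self, adv: Advisory) -> List[Asset]:
        """Look up which installed versions of a product fall in the advisory's range."""
        lo, hi = parse_version(adv.affected_from), parse_version(adv.affected_below)
        return [a for a in self.assets.values()
                if a.product == adv.product and lo <= parse_version(a.version) < hi]

    def triage(self, advisories: List[Advisory]) -> List[Tuple[str, str, int]]:
        """Return (asset_id, advisory_id, priority) rows, highest priority first.
        Assumed priority formula: advisory severity x operator-assigned criticality."""
        rows = []
        for adv in advisories:
            for a in self.affected_by(adv):
                rows.append((a.asset_id, adv.advisory_id, adv.severity * a.criticality))
        return sorted(rows, key=lambda r: (-r[2], r[0]))


# Constructed sample data for a small two-plant operation.
INVENTORY = Inventory()
for _asset in [
    Asset("hmi-01", "HMI", "ExampleHMI", "3.2.1", "plant-a", 4),
    Asset("hmi-02", "HMI", "ExampleHMI", "3.4.0", "plant-a", 4),
    Asset("srv-01", "server", "ExampleHistorian", "7.0.3", "plant-a", 3),
    Asset("plc-07", "PLC", "ExamplePLC", "1.8.0", "plant-b", 5),
    Asset("plc-09", "PLC", "ExamplePLC", "2.0.0", "plant-b", 5),
]:
    INVENTORY.report(_asset)

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "ExampleHMI", "3.0.0", "3.3.0", 9),
    Advisory("ADV-PLACEHOLDER-002", "ExamplePLC", "1.0.0", "2.0.0", 7),
    Advisory("ADV-PLACEHOLDER-003", "ExampleHistorian", "6.0.0", "7.0.0", 8),
]

if __name__ == "__main__":
    print(INVENTORY.counts_by_kind())
    for row in INVENTORY.triage(ADVISORIES):
        print(row)
```

Running it lists two affected assets (hmi-01 and plc-07) and none for the historian advisory, because 7.0.3 is already past the fixed version; the ordering step is what turns the manual "which of our devices does this bulletin touch?" question into an automated worklist.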
Lifecycle Of Products
As mentioned, ICS were not historically designed with cybersecurity as a first priority. While organizations may have more opportunity to implement cybersecurity standards in new products and systems, for older ICS it can be more difficult. This difficulty notwithstanding, organizations are still expected to address the cybersecurity needs of these previously installed systems, which are likely to have many fewer support options.
This means that remediation needs for older ICS are at times unknown to the organization and when known can be challenging and costly. In addition, many product lifecycles are counted in decades, rather than years, and it is not always straightforward to find capital to replace or upgrade products quickly.
Recommendations: Together with ICS providers, organizations should evaluate their existing operations base and prioritize remediation. A risk assessment will highlight what is worth fixing immediately. Organizations can prioritize and still greatly improve their risk posture.
Moving forward, organizations need to ensure that their programs and systems are secure by design and secure by default so that they do not have the same challenges in the next generation of products.
How To Implement Baseline Security Measures For Every ICS Organization
In addition to addressing these challenges, here are some recommendations for ways to address cybersecurity at each of the six stages of the cybersecurity lifecycle.
Ability To Identify
In 2015, approximately 30 substations in Ukraine were shut down as cyberattackers infiltrated the SCADA networks of three power companies.
Ability To Protect
Ability To Detect
Ability To Respond
Ability To Recover
Ability To Comply
Effective Risk Management
Risk can be broken down into two categories: operational risk and cyber-risk. In operational risk, the effects tend to be tangible, including equipment failure, personnel safety, or environmental impact. In contrast, the goal for cyber-risk is to manage an organization’s exposure to vulnerabilities that may cause data loss, privacy concerns, or reduced network security. Ultimately, uptime, efficiency, revenue loss, and reputational damage are key focus areas regardless of type of risk.
The challenges outlined above (for example, cyber-asset management, increasing industry standards, cost pressures, and staff reductions) make measuring cyber-risk difficult. This section will focus on best practices to achieve this goal.
Best Practices To Measure Cyber-Risk
Choose a consistent method to quantify cybersecurity risk. In theory this is simple, but in reality it is challenging. The method must be adjusted to align to a company’s unique use case.
The holistic organization (not only IT/OT/technology) should set the risk thresholds and obtain acknowledgement from the organization at large. The risk threshold must be easy to understand. For example, a threshold must explicitly define what is acceptable versus not acceptable as opposed to measuring risk on a scale of 1 to 5. It is critical to make measurement easy to comprehend for all.
Align the cyber-risk to enterprise risk. Risk has traditionally been presented to company executives and the board collectively. Boards are evaluated on measuring risk in an organization and are personally liable for decisions. A main reason cyber-risk management seems more complicated than it needs to be is the difference in how cyber-risk, as opposed to other risk, rolls up to management.
Security is a continuous effort. Organizations should strive for increased cyber-risk management maturity levels each quarter, year, and period.
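The following is an added example written for this article, not a method the authors or ABB prescribe. It applies the best practices above in code: one consistent quantification method, expressed in the same operational terms used for other enterprise risk (hours of lost production and their cost) rather than a 1-to-5 scale; an explicit threshold that says what is acceptable and what is not; and a roll-up from asset to site to enterprise so that cyber-risk reaches management the same way operational risk does. The scenarios, likelihoods, cost rates and thresholds are constructed, and the expected-loss formula (annual likelihood x hours down x cost per hour) is one common choice assumed here, not the only valid one.

```python
"""Added example: quantify cyber-risk scenarios in operational terms,
apply an explicit accept / do-not-accept threshold, and roll the result
up from asset to site to enterprise. Illustrative code for this article
only; all figures are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    """One cyber-risk scenario tied to an asset, expressed like an operational risk."""
    asset_id: str
    site: str
    description: str
    annual_likelihood: float   # expected occurrences per year, from the risk assessment
    hours_down: float          # expected production outage if it occurs
    cost_per_hour: float       # site revenue or penalty exposure per hour down

    def expected_annual_loss(self) -> float:
        # Assumed method: annualized expected loss in currency units.
        return self.annual_likelihood * self.hours_down * self.cost_per_hour


@dataclass(frozen=True)
class Threshold:
    """Explicit limits set by the organization at large, not by IT/OT alone."""
    max_annual_loss_per_site: float
    max_annual_loss_enterprise: float


def roll_up_by_site(scenarios: List[Scenario]) -> Dict[str, float]:
    """Sum asset-level expected loss into a per-site figure."""
    totals: Dict[str, float] = {}
    for s in scenarios:
        totals[s.site] = totals.get(s.site, 0.0) + s.expected_annual_loss()
    return totals


def evaluate(scenarios: List[Scenario], threshold: Threshold) -> Dict[str, object]:
    """Return a board-readable verdict: acceptable or not, and which sites breach."""
    by_site = roll_up_by_site(scenarios)
    enterprise = sum(by_site.values())
    breaching = sorted(site for site, loss in by_site.items()
                       if loss > threshold.max_annual_loss_per_site)
    acceptable = not breaching and enterprise <= threshold.max_annual_loss_enterprise
    return {"by_site": by_site, "enterprise": enterprise,
            "breaching_sites": breaching, "acceptable": acceptable}


def top_scenarios(scenarios: List[Scenario], n: int = 3) -> List[Scenario]:
    """Remediation priority: the scenarios contributing the most expected loss."""
    return sorted(scenarios, key=lambda s: -s.expected_annual_loss())[:n]


# Constructed scenarios for the same two-plant operation; figures are illustrative.
SCENARIOS = [
    Scenario("hmi-01", "plant-a", "unpatched HMI compromised, manual operation for a shift",
             0.20, 8, 5_000),
    Scenario("srv-01", "plant-a", "historian ransomware, reporting outage", 0.10, 24, 1_000),
    Scenario("plc-07", "plant-b", "PLC logic altered, plant shutdown", 0.05, 48, 20_000),
    Scenario("rtu-03", "plant-b", "remote RTU offline, site run blind", 0.50, 4, 500),
]
# Constructed thresholds, in the same currency units as the scenarios.
THRESHOLD = Threshold(max_annual_loss_per_site=40_000, max_annual_loss_enterprise=80_000)

if __name__ == "__main__":
    verdict = evaluate(SCENARIOS, THRESHOLD)
    print(verdict)
    for s in top_scenarios(SCENARIOS, 2):
        print(s.asset_id, s.description, round(s.expected_annual_loss()))
```

With these figures plant-b alone exceeds the per-site limit, so the enterprise verdict is "not acceptable" even though the enterprise total is within its own limit; the top-scenario list then says which remediation (here the PLC scenario) moves the number most, which is the prioritization the "Lifecycle Of Products" recommendations call for.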
With the growing awareness of cybersecurity challenges, and how to surmount these as outlined above, come opportunities for organizations to be successful in a dynamic digital age.
About The Authors
Dee Kimata is the global product manager for cybersecurity and safety at ABB Energy Industries. In this role, she is responsible for driving and executing the product roadmap and go-to-market strategy aligned to cybersecurity and safety digital products. Dee has a B.S. in finance from Creighton University and is pursuing an MBA at Rice University with a concentration in entrepreneurship/economics.
Jim Lemanowicz is the global cybersecurity manager for ABB’s power generation business. He has over 25 years of experience in the utility industry, serves on ABB’s Industrial Automation Division Cyber Security Council, and manages product security and compliance. Jim has a B.S. in electrical engineering from Cleveland State University and is a certified Global Industrial Cyber Security Professional.