It is no secret that the proliferation of connected devices and sensors has introduced new and growing security challenges across every industry and enterprise. The question is no longer whether or not a device or sensor is digitally connected. Today’s focus must be on who has access to the operational data generated and how to ensure that the device or sensor is secure. This is an imperative for the converged systems forming the foundation of our critical infrastructure.
This week, I had the privilege of speaking at SecurityWeek’s ICS Cyber Security Conference in Atlanta, GA. The conference served as a gathering of those on the IIoT front lines – the operators and information technology partners dealing with the cyber threats to industrial control systems (ICS), including such elements as SCADA systems, plant control systems, and programmable logic controllers (PLCs). Coincidentally, this week’s National Cyber Security Awareness Month activities are focused on the importance of securing critical infrastructure, and my fellow conference attendees represented many of the industries which underpin this infrastructure – defense, power generation, transmission and distribution, water utilities, chemicals, oil and gas, pipelines, data centers, medical devices, and more.
The increase in the number of connected sensors and devices creates an attack surface of unprecedented depth and breadth. When you consider that IIoT is composed of the digital sensors, controllers, machines, software and mobile devices that now drive ICS and the infrastructure that forms the very basis for society, the challenge to secure these connections is growing at an exponential rate.
Yet, there is an additional reality to this security challenge. The essential need to address the third party ecosystem that is an integral part of the lifecycle of the digital industrial environment. This ecosystem includes manufacturers, distributors and service providers of the components that comprise ICS and IIoT, including the information and communications technology (ICT) with which ICS/IIoT has converged.
Enter the crucial need for securing this third party ecosystem to deliver critical infrastructure assurance.
Securing the Third Party Ecosystem
Control systems, devices and sensors are inherently variable, with customization for specialized data feeds and operations. For example, the energy sector will have control systems with unique operating tolerances and peak demand metrics – factors which may be unremarkable in a connected health care delivery environment. Moreover, the management and controls of these diverse systems, sensors and devices will also vary.
According to a recent article in EE Times, Why is the IIoT so vulnerable to cyberattacks?, one key element that is driving this “perfect storm” of security threats is the “patchwork of OT and control systems from multiple vendors running proprietary and non-updatable software, including human-machine-interface (HMI) computers with access to remote terminal units (RTUs), SCADAmaster (supervisory control computers), and programmable logic controllers (PLCs).” How do you manage security in such an environment of seemingly infinite configurations?
When addressing the third party ecosystem of ICS and IIoT device and sensor vendors, I propose five key steps to address security:
Step 1: Know who makes up this ecosystem, what they are providing, and how they might impact your ICS or IIoT security.
Step 2: Understand what your ecosystem members are doing to build security into the solutions that comprise your operating systems.
Step 3: Deploy an architecture to control which devices communicate with what other devices – leverage the principles of segmentation and least privilege access.
Step 4: Assess whether the third parties in your ecosystem are operating within your security tolerance levels.
Step 5: Be aware of and provide input to the policies, standards and guidance impacting ICS, the IIoT and its third party ecosystem (e.g., ANSI/ISA-62443-4-1-2018, “Security for industrial automation and control systems Part 4-1: Product security development life-cycle requirements;” US NISTIR Draft 8228,”Considerations for Managing IoT Cybersecurity and Privacy Risks;” NERC CIP 013-1, “To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems”).
There are new efforts underway to tackle security across the public and private sectors. For example, The United States Department of Homeland Security is in the final stages of launching its ICT Supply Chain Task Force. This recognition of the impact of the third party ecosystem and the need for security through the lifecycle of the digital devices supporting, delivering and operating in our critical infrastructure gives me hope. Hope that through public/private partnership across a diverse array of industries — including critical infrastructure — we will work in unison to address the security challenge of an ever-expanding threat landscape accompanied by an increasing third party ecosystem. It will be a major undertaking, but it is a welcome move in the right direction.
Now more than ever, the need to know who and what comprises your third party ecosystem is imperative. Comprehensive security across this ecosystem is paramount. This is especially important for ICS operators in critical infrastructure, as well as users and manufacturers of IIoT connected devices in all industries. The good news is the public and private sectors are working together to directly confront this challenge. Get involved, stay aware and collaborate both within your own industries and across other industries to ensure our collective success.
Additional reading on securing critical infrastructure, ICS and the IIoT: