Cybersecurity threats and breaches continue to make headline news with impact across all industries and sectors. The consequences of successful cybersecurity attacks, such as production disruption, product quality, impact to the environment, and even the loss of human life, all mean cybersecurity is a critical area of concern that may impact risk within the operational environments of industrial sectors. Organizations are starting to understand that security should not be a standalone exercise, but should be part of the broader cyber risk program. In addition, new use cases driven by digital transformation will mean a co-existence of modern and legacy technologies and architectures. As a result, companies now understand they need to take the journey from simple security control measures to a cross-functional cybersecurity lifecycle approach that encompasses standardized risk analysis through to continuous automated assessment. No single group can deliver this on their own; however, technology can provide the needed visibility and reporting to allow all stakeholders to speak the same language when it comes to cyber risk and provide the most comprehensive mitigation techniques based on informed decisions.
Industrial control systems and supporting infrastructure are the enabling technology used across multiple sectors including manufacturing, oil and gas, chemicals, water and wastewater, mining, food and beverage, pulp and paper, metals, and buildings. They have been, and will continue to be, an essential requirement in delivering products and services for everyday needs. However, they are facing a number of challenges as industrial sectors go through a period of change.
The transformative potential of technology in production environments is widely recognized, although the extent of the possible transformation and what can ultimately be achieved remains unknown. Industry-wide trends toward increased automation promise greater speed and quality, reduced employee safety exposure, and the enablement of new business models for competitive advantage.
Through technology adoption, industrial organizations are seeking to drive operational improvements into their production systems and assets through convergence and digital transformation, leveraging the new paradigms of the Industrial Internet of Things (IIoT), Industry 4.0, and unprecedented access to asset data. However, these initiatives require secure connectivity in Operational Technology (OT) environments via standardized networking technologies to allow companies and their key partners access to a rich stream of new data and real-time visibility across the organization.
New data and visibility provide the foundation for initiatives that unlock new business value and transformational use cases. With a constant flow of data, organizations can develop more efficient ways to connect globally with suppliers, employees, and partners and to more effectively meet the needs of their customers. This is the key to enabling use cases such as predictive maintenance, real-time quality detection, asset tracking, achieving compliance and regulatory goals, providing safety enhancements, and introducing new services and competitive differentiation.
However, digital transformation is not a simple process, and organizations are faced with workforce, data, standardization, and of course security challenges. For operational environments, every new connection point and source of data is an opportunity—but also a risk. Risk is the critical consideration to an organization, as security controls are implemented to minimize risk exposure and protect against cybersecurity risk-related threats.
Cybersecurity and Cyber Risk
Unfortunately, there is confusion between cybersecurity and cyber risk management, with the terms often used interchangeably. Although they are closely related, they are two very distinct disciplines, and security is often considered without properly taking risk into account.
Cyber risk is commonly defined as the exposure to harm or loss resulting from breaches of, or attacks on, information systems. In the operational environment, a better definition is the potential of loss or harm related to technical infrastructure or the use of technology within the plant or the broader organization.
Cybersecurity is a control capability to protect against cyber risk. It refers to the technologies, processes, and practices designed to protect networks, devices, applications, and data from attack, damage, or unauthorized access. This would include infrastructure, application, endpoint, user, and data security amongst other things.
The traditional approach for many industrial organizations and Industrial Control System (ICS) providers is to focus on cybersecurity controls to protect assets. However, as shown in Figure 1, this limits an organization’s ability to mitigate its risk exposure. By adopting a cyber risk management lifecycle approach from risk analysis to automated continuous cyber risk monitoring, the ability to understand, counteract, and minimize impact to the business caused by cyber threats is greatly increased.
To improve cyber risk maturity, management needs to develop a governance structure that allows it to think about risk proactively (it’s not just about today’s threats, but also those that will inevitably occur) and align its risk profile and exposures more closely with its strategy. Its governance leadership group should clarify the company’s risk appetite, define its risk scope, determine how to measure risk, and identify which technologies could best help the company manage its risks. Aligning risk to strategy by identifying strategic risks and embedding risk management principles into planning cycles enables the company to identify and document 80% of the risks that have an impact on performance.
The payback on this effort is multifaceted. Carefully surveying risk gives the company the confidence to openly communicate its risk strategy to external stakeholders without worrying that the transparency would impact investor confidence. Most importantly, the alignment of risk awareness and management practices from strategy to business operations enables the company to monitor risk developments more effectively. Those responsible for cyber risk and the security controls to mitigate it could keep the organization within acceptable tolerance ranges, meeting compliance, performance, and regulatory goals.
The aim of a cyber risk lifecycle management process is to create a security strategy roadmap that arrives at an end-goal, best-practice implementation architecture and its associated set of procedures. This will include the cyber and physical security strategy and controls and will move an organization from the current to the desired state through a mixture of management, operational, and technology projects. Fundamentally this will align the cybersecurity strategy and investment with business objectives and priorities by quantifying the financial impact of cybersecurity risks.
The result should be to securely integrate IT and OT domains and minimize risk, establish a baseline for security operations and compliance, and justify investments in security solutions to business leaders by rationalizing the implementation of specific security controls that mitigate the security threats and potential risk impacts to the business’ largest identified assets.
For the organization, an effective end-to-end cybersecurity approach delivers many advantages, including increased business agility and risk awareness, lower cost of operations, and reduced downtime. These translate into tangible economic benefits. However, to secure, harden, and defend an operational environment in the world of digital transformation, it is essential to truly understand the IIoT and digital technologies that enable it and understand the legacy environments in which digital must co-exist. In the era of digital transformation, things become ever more connected, therefore determining the best protection methodology for the type of systems, data, and communication pathways that compose the operational environment is a challenge. Assets are to be protected, but their information is needed to manage and improve operations; therefore, it must be accessible while being acknowledged as a possible attack vector that must also be protected. It is a balancing act that occurs throughout the entire operational environment, from field devices to operations and control rooms, through to corporate and the outside world. This introduces the junction where the IT and OT worlds become conjoined and must fight together, acknowledging the unique demands of each sphere of influence.
However, it is not just about technology. Cyber risk calls for extensive, collaborative governance across an organization. Traditionally, many industrial companies distinguish between IT and OT and between internal and external security. In today’s digital environment, these divisions are becoming blurred and even obsolete. Understanding how IT and OT come together to effectively and securely address new use cases, or deliver new ones in a better way, and determining how best to secure them to mitigate risk exposure in a repeatable way is an incredibly valuable process. While it may be difficult to protect a company against the most advanced attacks, and no system will be 100% secure and at the same time usable, a systematic approach to address the cyber risk lifecycle is the best way to mitigate the majority of everyday attacks.
This paper will highlight the changing security landscape with a focus on the operational environments of manufacturing, production, and process industries. The most common security threat considerations and mitigation techniques that are highlighted throughout security standards and best practice guidelines should be seen as a baseline. Moving towards a continuous automated assessment of cyber risk measured against a best-practice industry blueprint will allow customers to understand and prepare for the evolving security and risk requirements in their organization.
The continuous evolution of technology directly affects the manufacturing and process industries. Most of the global technology trends are producing significant changes in the way industry faces current and future challenges. As such, standards, architectures, and security controls need to evolve in parallel.
Most industrial environments are changing due to digital transformation and the benefits it brings. A 2017 World Economic Forum report highlighted areas such as operations optimization and predictive maintenance, digital asset lifecycle management, remote operations, the connected worker, automation, advanced robotics, and artificial intelligence as factors driving change. These areas and associated benefits require new technologies to be realized, all of which need to be considered from a security perspective.
These new requirements mean that the flow of data within an organization is also changing. Most industrial customers seek to use new data to drive fast resolution of issues with assets, ensure worker safety, meet industry, environmental, and their own internal compliance and regulatory goals, and provide competitive differentiation through new business or operating models. To achieve this, organizations need technologies that can interoperate between the edge, operational domains, and the enterprise, and often in the cloud. They also need to understand that a process and culture change will be required inside the organization.
As a result, we are seeing more converged standards based on the easier sharing of data, with data flows following edge-to-enterprise or edge-to-cloud paths rather than just the traditional path (Figure 3). These newer approaches focus on open architectures for peer-to-peer, scalable systems that support edge analytics, direct cloud-to-enterprise or cloud communications, and local monitoring, decision-making, and control, in addition to continuing to support the centralized models of today.
Today, these digital use cases are typically used for monitoring applications and not controlling applications. Often these monitoring applications are deployed on separate networks outside of operations; however, we have seen projects where organizations are already experimenting with using this data to provide real-time control and actuation at the edge, or automated feedback loops into operational applications, as well as direct edge sensor-to-cloud applications. As these digital technologies increasingly provide benefit to the business, they are also increasingly likely to be operationalized and considered critical elements of the operational domain. This is happening at the same time industrial companies are announcing digital strategies that include nontraditional architectures such as cloud and fog/edge compute as a foundational element, eroding the traditional digital/physical perimeters.
However, it is not as simple as just adding new IIoT technologies in order for digital transformation to take place. Both current and end-state architectures of the use case environment need to be carefully considered since the introduction of any new technology or service will expand the security attack surface and risk to the production systems. A new approach to architecture and associated security must be considered such that businesses can gain the most advantage from the introduction of new technologies into operational environments, whilst constantly being able to assess the impact to cyber risk.
In the next section of this document, we will introduce some of the key industry trends and the associated standards, architectures, and best practices that enable digital transformation, plus the associated cyber threats and security mitigation techniques.
There are a number of key areas reshaping the cybersecurity and risk landscape:
(Industrial) Internet of Things
Like many technology lifecycles, there is no single definition of IoT. Machine-to-Machine (M2M) and the Future Internet have been used interchangeably to describe IoT, as well as more verticalized movements including Manufacturing 4.0 and the IIoT. However, these should be considered subsets under the encompassing IoT umbrella. With the primary driver of device connectivity coming from industrial environments rather than the consumer space, individual industries have taken IoT components and created vertical-specific applications such as smart manufacturing, smart cities, smart grid, smart buildings, connected transportation, and connected healthcare. It is also important to mention that in many industrial environments such as manufacturing and power utilities, automation networks were deployed before the concept of IoT existed. We need to understand that these automation networks, such as a substation or a manufacturing assembly line, would not be considered IoT. As these environments continue to evolve, the line between IoT and traditional industrial control systems and automation is blurring. This does not mean, however, that the terms should be used interchangeably.
More recent definitions have moved beyond device connectivity and data production to include people and processes. It is not enough to merely connect devices and produce data—the data needs to be consumed in the right way, at the right time, by the correct device, system, or human, and in a way that is meaningful and can be acted upon appropriately. Operational environments have seen a proliferation of new devices connected to their systems to supplement or replace existing functions, or to perform new ones. IIoT technologies are being used for the connection of ICS networks, and to connect industrial assets and sensors. As new technologies and use cases are adopted, new and diverse devices are being connected to the network, which introduces potential new areas of security vulnerability.
Big data, analytics, and remote access
Big data and analytics (streaming, real-time, and historical) trends are leading to increased business intelligence through data derived from connecting new sensors, instrumentation, and previously unconnected devices to the network. In parallel, business units and external vendors need secure remote access to operational data and systems to provide additional support and optimization services. These business requirements lead to a multitude of new entry points with the potential to compromise ICS security.
Although industrial systems and organizations have been creating, collecting, and using data for years, security of the data has unfortunately been lacking.
Whether inside a plant (for example, a mobile worker) or outside it (for example, fleets or supply chains), mobility introduces specific security needs due to the non-static nature of devices and users connecting to the network in different locations and at different times. It also greatly increases the potential attack surface, as mobile networks are by nature geographically spread, diverse, and fluid.
IT and OT convergence
Organizationally, a shift has occurred to increasing convergence between historically separate IT and OT teams and tools. This has led to more IT-centric technologies being leveraged in operational environments. Regardless of the type of technology or information, the business must treat any security challenges in a similar manner. As the borders continue to blur between these traditionally separate domains, strategies should be aligned and IT and OT teams should work more closely together to ensure end-to-end security. At a minimum, this means organizations need to rethink how they address architectures, management, administration, policies, and infrastructure.
However, OT and IT security solutions cannot simply be deployed interchangeably. The same technology may be leveraged, but how it is designed and implemented may be very different. Although IT and OT teams may be a part of the same organization, they have different priorities and often skill sets. The reality is that some organizations still have a gap between IT and OT, with some being very siloed while others are much more closely aligned. This separation, and in some cases, antagonism, is unlikely to disappear in the short term.
Interoperability and openness
The standard security approach for industrial environments has historically been a security-by-obscurity approach with physically isolated networks. Control systems were standalone with limited public access and proprietary or industrial-specific protocols, which were deemed too difficult to compromise. This approach may have been appropriate for control systems with highly restricted access (communications and people) and limited connection to IT; however, changes become necessary as systems develop with new features and functions to enhance performance and efficiencies, and organizations seek to take advantage of newly available data. In addition, newer enabling technologies such as cloud computing, distributed fog and edge computing, real-time streaming analytics, and IIoT platforms are leveraging open interoperable protocols along with standardized interfaces. This means both traditional and newer system communication architectures are based by default on IP and Ethernet wired and wireless infrastructure (Figure 4) and the associated security challenges they bring.
Virtualization and traditionally IT-centric technologies
In line with operational efficiencies introduced with virtualization and hyperconvergence, the advancement of these technologies has begun to affect system architectures. Historically, control systems were deployed on servers dedicated to specific applications or functions and on separate communication networks to isolate specific operational segments. In addition, multiservice applications supporting operational processes had separate dedicated infrastructures.
In some deployments, we now see virtualized data center server infrastructures not only being introduced, but actually becoming the standard deployment offering for ICSs and adopted by ICS vendors and end customers. The LAN and WAN networks also leverage virtualization technologies like VPNs, VLANs, and Multiprotocol Label Switching (MPLS) to logically segment traffic across common infrastructure.
Although there are many examples of physically separated systems, due to customer philosophy, standards, and compliance requirements, virtualized implementations are on the rise. As such, the security requirements and necessary skills to implement and manage these deployments are moving away from being operations-based and becoming more IT-centric. This aligns with the aging workforce in the industry, where many newer engineers come with more of an IT-centric approach due to their education, experience, and daily engagement with technology.
Commercial Off-The-Shelf (COTS) technology is increasingly being introduced into the operational environment to perform monitoring and control tasks, replacing devices that were built specifically for the industry. Devices such as mobile handsets and tablets, servers, video cameras, and wearable technology, as opposed to specifically designed ICS hardware, are being implemented. These devices are necessary to enable new use cases, but their deployment, alongside operational technology, needs careful consideration and appropriate architectural implementation to ensure the same levels of security as the operational systems to which they contribute.
Artificial intelligence and automation
Artificial Intelligence (AI) and automation are starting to support, or in some cases replace, the human workforce. Although this can lead to quicker response times and cost savings, there is also potential to create new risks. AI isn’t a perfect solution, and it is likely for some time that an integrated AI and human approach will be the best method to address security. When pitted directly against a human opponent, with clear circumvention goals, AI can be defeated. When using AI we should understand its limitations. There is also the challenge that the attackers will likely be using AI to gain access to systems!
What is clear, though, is that organizations are depending more and more on automation to solve efficiency, cost, scale, and reliability challenges. Security is a logical extension, with AI and analytics being automated so that businesses can use the technology to stay one step ahead of attacks by automating defenses.
We have highlighted some examples of the many trends that are already affecting the operational environment. In addition to this, architectures, best practices, and standards are changing in response to, or to meet, cybersecurity needs.
As digital and IIoT offerings evolve, the need for a standardized approach to not just allow devices to communicate, but also to perform common backend tasks such as security, automation, analytics, and business insight, is becoming increasingly relevant. Industrial companies will continue to drive this need through new use cases and technology adoption, creating a need for IIoT solutions for the operational domain to interoperate with common backend services, guaranteeing levels of interoperability, portability, serviceability, and manageability, in conjunction with today’s control system technology.
As industrial companies look to architect, design, and build new systems that include digital technologies, we need to carefully consider the standards that exist today in parallel with those emerging, and choose wisely. A broad collection of standards, alliances, consortia, and regulatory bodies are already in play, as shown in Figure 5. How the path forward is determined is critical and how it affects security must always remain at the forefront. Standards will help to minimize the attack surface, realize better visibility of security incidents, and provide consistent and usable tools to defend, detect, remediate, and report security incidents.
The standards, guidelines, consortia, and alliances landscape is broad and includes a wealth of options. The likelihood is that, in the short term, this may increase, but the industry will eventually need to converge if we are to realize the IoT vision. Figure 5 shows the main groups in 2017; note that this is not an exhaustive list, and that a number of specific security groups are highlighted.
Standards currently exist or are emerging for this space, but it must be emphasized that the industry is continuously adapting to meet the ever-arising new use cases and technologies that drive the digital ecosystem.
Newer architectural approaches
IT and OT convergence is inevitable, although the extent of this convergence, and to which parts of the business it will be applied, is not well understood. To deliver transformational operational use cases, such as real-time analytics for machine health monitoring, the full IIoT stack (infrastructure, OS, applications, data pipeline, service assurance, security, and so on) is required. This means integrated IT-centric services must be deployed alongside OT services to generate business value. As such, IT capabilities are now becoming operationalized and pushing the boundaries of traditional security architectures, like the Purdue Model and IEC 62443, where we are seeing more converged approaches based on easier sharing of data.
These newer approaches focus on open architecture for peer-to-peer, scalable systems that support edge analytics, local monitoring, decision-making, and control. Recent standardized approaches such as Open Process Automation, OPC UA, and IIC RA are defining open and interoperable architectures. In addition, how operational use cases are achieved is changing with new paradigms such as cloud computing and fog/edge computing being leveraged.
With digitization driving the connection of a plethora of new devices that can be leveraged for monitoring or control, the attack surface for cyber threats is increasing dramatically. Additionally, much of this new equipment is COTS, such as handsets and tablets, servers, video cameras, and wearable technology, versus specifically designed control systems hardware. These devices are necessary to enable new use cases, but careful consideration and appropriate architectural implementation—alongside traditional operational technology such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs)—must be given to their deployment to ensure the same levels of security as operational systems. For example, IoT-enabled video cameras appear to readily address physical security needs easily and cost-effectively, but in actuality can open a network to compromise or be used as a malicious device in botnets.
The threats and risks that are present in operational environments include the devices, the applications, the humans, and the infrastructure. Cyber risks can also be categorized through intent. Events may be the result of deliberately malicious acts, but may also be unintentional. Risk events may come from internal or external sources.
This leads to a practical framework for inventorying and categorizing cyber risks as internal malicious, internal unintentional, external malicious, or external unintentional. Being able to monitor and address all four categories must be a consideration.
The table in Figure 6 provides an overview of the sources of incidents. It highlights malware as the most typical source, but targeted attacks were at 36%, a significant risk. The aim in any preventative process is to identify appropriate risk-mitigating security controls, quantify the residual risk financially, and then map the security controls to business and technical objectives at specific places in an architecture.
In parallel to these changes, nonoperational business units, remote workers, and external service or vendor support companies require secure remote access to operational data and systems to provide support and optimization services. Again, these needs give rise to potential entry points, increasing the surface by which operational security may be compromised.
The reality is that easy access to cyber information, resources, and tools has increased, making it simpler for attackers to gain an understanding of legacy and traditional protocols with the aim of gaining access to production systems.
IEC 62443 is the most widely adopted cybersecurity standard globally for operational environments, and is the de facto standard in manufacturing and process industries. It evolved in the 1990s when the Purdue Model for Control Hierarchy (Figure 7) and ISA 95 established a strong emphasis on security architecture using segmented levels for ICS deployments. This was further developed through ISA 99 and IEC 62443, bringing additional risk assessment and business process focus. This segmented, layered architecture forms the basis of many industrial system architectures and ICS security architectures.
The Purdue Model describes a hierarchical data flow model, where sensors and other field devices are connected to the ICS. The ICS serves the dual purpose of controlling processes or machines and serving processed data to the operations management level of applications. Level 3 applications feed information to the enterprise business system level through an informally introduced neutral zone or Industrial Demilitarized Zone (IDMZ).
The Level 3.5 IDMZ provides a strict segmentation zone and boundary between operational and enterprise layers. However, services and data need to be exchanged between the enterprise layer and the operational environment. Systems located in the IDMZ, such as a shadow historian or application server, bring all the data together for company personnel in a near real-time system, publishing near real-time and historical information to the enterprise layer for better business decision-making.
No direct communication is allowed between the enterprise layer and the operational layer in either direction. The IDMZ provides a point of access and control for the provision and exchange of data between these two domains. The IDMZ provides termination points for the enterprise layer and the operational domain and also hosts various servers, applications, and security policies to broker and police communications between the two domains.
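As an added example (not from the paper), the following Python audits constructed connection records against the IDMZ rule just described: a flow whose endpoints sit in the enterprise domain and the operational domain without terminating in the IDMZ is flagged as a violation, flows that terminate in the IDMZ are allowed, and endpoints outside the inventory are queued for review. The subnet-to-level inventory and the one-line flow format are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed inventory for the example: which subnets sit at which Purdue level.
# Levels 0-3 form the operational domain, Level 3.5 is the IDMZ, Levels 4-5 the enterprise.
ZONES = {
    "enterprise": [ipaddress.ip_network("10.0.0.0/16")],        # Levels 4-5
    "idmz": [ipaddress.ip_network("10.3.50.0/24")],             # Level 3.5 (e.g. shadow historian)
    "operational": [ipaddress.ip_network("10.3.0.0/24"),        # Level 3 (site operations)
                    ipaddress.ip_network("192.168.10.0/24")],   # Levels 0-2 (cell/area)
}


def zone_of(ip: str) -> str:
    """Map an address to its Purdue zone, or 'unknown' if it is not inventoried."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "unknown"


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format '<src_ip> <dst_ip> <dst_port>/<proto>'."""
    src, dst, service = line.split()
    port, proto = service.split("/")
    return Flow(src, dst, int(port), proto.lower())


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow against the IDMZ model."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    pair = {src_zone, dst_zone}
    if "unknown" in pair:
        return "review", f"endpoint outside inventory ({src_zone} -> {dst_zone})"
    # The rule from the architecture: enterprise and operational never talk directly,
    # in either direction; every cross-domain exchange terminates in the IDMZ.
    if pair == {"enterprise", "operational"}:
        return "violation", f"direct {src_zone} -> {dst_zone} traffic bypasses the IDMZ"
    if "idmz" in pair and src_zone != dst_zone:
        return "allowed", f"{src_zone} -> {dst_zone} terminates in the IDMZ"
    return "allowed", f"intra-zone {src_zone} traffic"


def audit(lines):
    """Evaluate every non-comment record; returns (record, verdict, reason) tuples."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verdict, reason = evaluate(parse_flow(line))
        results.append((line, verdict, reason))
    return results


# Constructed sample records, not real traffic.
SAMPLE_FLOWS = """
# src_ip dst_ip dst_port/proto
10.0.5.20 10.3.50.10 443/tcp
10.3.50.10 10.3.0.15 1433/tcp
10.0.7.9 192.168.10.5 502/tcp
192.168.10.5 10.0.7.9 443/tcp
10.3.0.15 10.3.0.16 102/tcp
172.16.1.1 10.3.50.10 22/tcp
"""


def violations(lines=None):
    """Return only the records that bypass the IDMZ."""
    if lines is None:
        lines = SAMPLE_FLOWS.splitlines()
    return [r for r in audit(lines) if r[1] == "violation"]


if __name__ == "__main__":
    for record, verdict, reason in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{verdict:9} {record:38} {reason}")
```

In practice the inventory would come from the asset register and the records from firewall or flow logs at the IDMZ boundary; the review bucket is where unknown endpoints should land rather than being silently allowed.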
The traditional security model has focused on segmentation and restricted traffic flows, but this is not enough to secure an operational domain. The reality is that technology itself can only address about half of the cybersecurity threat, whereas people and process play a critical part in every aspect of threat identification and monitoring. This means that guidelines and standards are not concrete measures to provide protection, but do provide a solid foundational base from which to work. The most comprehensive approach to securing the ICS combines technology, people, and processes, both cyber and physical, in addition to understanding some of the new data flows as digital perimeters evolve.
A properly designed standards-based architecture to secure use cases and systems, bringing together the operational (Levels 3 and below) and enterprise (Levels 4 and above) domains, is critical. The architecture should provide an understanding of all components of a use case, map these elements together in a structured way, and show how they interact and work together on an ongoing basis. A cybersecurity architecture not only brings together IT and OT technologies, but also includes vendors and third-party content; in other words, it secures the ecosystem (Figure 8). This may sound obvious, but often security approaches are specific and implemented by a particular part of the organization or third party, even though the system comprises many different components and may be used by many different business areas.
The security capability should span the enterprise and should interweave with existing processes and strategies in addition to being linked to the compliance effort. An organization needs visibility into any and all potential risks across the organization to achieve a comprehensive, effective, and sustainable security and cyber risk mitigation program. The security span of influence should be designed to best address risk and meet safety and reliability goals and standards.
As we look across the most common security standards and frameworks, the security control methods and technologies shown in Figure 9 are consistent. These capabilities should provide the foundation for a cyber risk mitigation technology strategy. The challenge is wrapping them into a cohesive and ongoing approach to help organizations mitigate all aspects of cyber risk.
For additional information, a number of these areas are described in the Center for Internet Security (CIS) controls document at https://www.cisecurity.org/.
Even with the Level 3.5 IDMZ, the traditional segmented architecture poses challenges for a digitally evolving operational environment. Neither current nor future data are hierarchical in nature. Data has many sources and many clients that will leverage it; we are already seeing “smart” systems that can autonomously leverage data and initiate processes. Federated data structures with storage exist all over the organization, not just in central locations. Even though the segmented approach has been the de facto manner of architecting operational environments, it segregates IT/enterprise and OT services, with physical or heavily virtualized segmentation implemented between them. This separation is inevitably blurring, and use cases may often need a combination of IT and OT services to provide the optimal business benefit. The operational environment may be evolving, but the need for secure data management and control of operating assets is still the primary concern.
These trends continue to drive the need for a more connected operational environment, along with a more open architecture, and accordingly a more robust cybersecurity posture. In whatever manner we look at it, the need for a comprehensive approach to security that acknowledges the need for control system protection, while facilitating the open data demands of the new digitization era, has never been stronger.
To maintain the high availability and reliability that industrial organizations require, security cannot be a bolt-on afterthought or a one-off effort, and it cannot be dealt with by technology alone. To best secure the operational environment, a holistic approach needs to take place at an ecosystem level and it needs to be a continual process built into the governance and compliance efforts of any production organization.
Many industrial organizations are lacking appropriate visibility into their operational environments for monitoring assets and identifying potential threats. This creates the risk of not being able to recognize and respond to attacks. You cannot adequately secure what you do not understand.
Company assets are often split between different parts of the business, not just between IT and OT, creating fragmented views. However, cyber risk is pervasive and should cover all assets. Data, users, applications, and infrastructure should be comprehensively identified and continually monitored over time to have the best success in reducing cyber risk. Wherever possible, companies should take advantage of automation tools to discover, normalize, and create inventories that cyber risk mitigation controls can be based on, moving to a framework that provides continuous assessment of risk controls. Figure 10 shows the natural evolution towards an automated cyber risk strategy that can be leveraged for legacy and new applications.
Using automation can transform cyber risk assessment into an ongoing process, rather than the point-in-time assessments that are prevalent in the industry today. The process starts with automatic data collection that serves as the basis for risk reporting (the more assets that are monitored, the better the opportunity to understand the extent of cyber risk in the organization), and proceeds through data unification, asset inventories, security control coverage, measurement against security control frameworks, and ultimately continuous cyber risk assessment via ongoing monitoring of controls.
In operational environments, we would typically split this process into four phases:
● First phase: Generate an inventory of assets; gain comprehensive visibility, configuration data, and criticality of each asset.
● Second phase: Identify prudent security controls.
● Third phase: Establish a regimen to gauge control efficacy aligned to the relevant framework.
● Fourth phase: Establish automated continuous monitoring aligned to the most critical processes and assets to reduce cyber risk over time.
Ultimately the aim is to translate asset data into information that can be used for continuous, scheduled, or point-in-time cyber risk monitoring. When cyber risk managers attempt to produce holistic cyber risk reporting, it is common to find that the picture they expected of their organization is not what an automated tool reflects back. Many companies have no reliable inventory of users, devices, applications, infrastructure, third-party assets, and third-party access. Over time, the output from the automated cyber risk assessment will become the basis for consistent organization-wide conversations about risk.
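The four phases above, worked through as an added example that is not part of the original paper: a constructed asset inventory (phase 1), a hypothetical zone-to-required-controls mapping standing in for the chosen framework (phase 2), a criticality-weighted control coverage measure (phase 3), and a monitoring pass that compares two inventory snapshots and reports drift ordered by asset criticality (phase 4). Asset names, zones and control names are placeholders.

```python
"""Added example (not the paper's or Cisco's code): the four-phase automated
cyber risk process run over a constructed asset inventory."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    zone: str            # hypothetical zone labels loosely following Purdue levels
    criticality: int     # 1 (low) .. 5 (safety-critical), agreed with the business
    controls: set = field(default_factory=set)   # controls observed on the asset


# Phase 1: constructed inventory, as an automated discovery tool might emit it.
INVENTORY = [
    Asset("plc-boiler-01", "L2-control", 5, {"inventory", "segmentation", "monitoring"}),
    Asset("hmi-line-a", "L2-control", 4, {"inventory", "segmentation"}),
    Asset("historian-01", "L3-ops", 4, {"inventory", "segmentation", "monitoring", "patching"}),
    Asset("eng-laptop-07", "L3-ops", 3, {"inventory", "patching"}),
    Asset("erp-web-01", "L4-enterprise", 2, {"inventory", "patching", "monitoring"}),
]

# Phase 2: prudent controls per zone (hypothetical mapping; a real one would be
# derived from the framework the organization aligns to, e.g. the CIS controls).
REQUIRED_CONTROLS = {
    "L2-control": {"inventory", "segmentation", "monitoring"},
    "L3-ops": {"inventory", "segmentation", "monitoring", "patching"},
    "L4-enterprise": {"inventory", "patching", "monitoring"},
}


def control_gaps(asset):
    """Phase 3: controls the framework expects on this asset that are missing."""
    return REQUIRED_CONTROLS[asset.zone] - asset.controls


def coverage_score(inventory):
    """Phase 3: criticality-weighted fraction of required controls in place (0..1)."""
    weighted_have = weighted_need = 0
    for a in inventory:
        need = REQUIRED_CONTROLS[a.zone]
        weighted_need += a.criticality * len(need)
        weighted_have += a.criticality * len(need & a.controls)
    return weighted_have / weighted_need if weighted_need else 1.0


def monitor(previous, current):
    """Phase 4: one continuous-monitoring pass. Compares two snapshots and returns
    (criticality, asset, reason) findings, most critical first: assets not in the
    baseline, assets that vanished, and controls present before but now missing."""
    prev = {a.name: a for a in previous}
    curr = {a.name: a for a in current}
    findings = []
    for name in curr.keys() - prev.keys():
        findings.append((curr[name].criticality, name, "new asset not in baseline"))
    for name in prev.keys() - curr.keys():
        findings.append((prev[name].criticality, name, "asset disappeared"))
    for name in prev.keys() & curr.keys():
        lost = prev[name].controls - curr[name].controls
        if lost:
            findings.append((curr[name].criticality, name, f"control lost: {sorted(lost)}"))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    print(f"coverage: {coverage_score(INVENTORY):.2f}")
    for a in INVENTORY:
        if control_gaps(a):
            print(f"{a.name} (crit {a.criticality}) missing {sorted(control_gaps(a))}")
```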
To help industrial organizations move from a cybersecurity approach to a comprehensive risk management lifecycle approach, adopting a cyber risk blueprint as a first step is highly recommended in developing a strong cyber risk posture.
A blueprint provides repeatable best-practice information to interested parties on designing and implementing secure technology controls for a particular industry and/or environment. A blueprint:
● Takes a defense-in-depth approach to security design in line with known frameworks, best practices, regulations, and specific use cases for an industry.
● Focuses on expected threats and their methods of mitigation, rather than on technology-centric views.
● Is based on leading cybersecurity products and services, often from multiple companies, to provide a comprehensive posture for cyber risk.
Blueprints cover the most common and known threats for particular environments, in an IT, OT, or combined context. This is achieved through understanding key business flows/use cases and the security mitigation techniques and technologies that will secure them. These are aligned with architectural security approaches common in a particular environment, resulting in a strategic starting point to address cyber risk.
By taking a threat-mitigation approach, a blueprint should provide those focused on the cyber risk management lifecycle with information for making sound security control choices to mitigate risk and best ensure business continuity.
Cisco constructs blueprints, potentially (depending on the scenario) with input from partners, customers, and/or insurance companies.
An industry cyber risk blueprint is the foundation for the key capability blocks (Figure 11) aimed at addressing the risk lifecycle and providing enhanced levels of risk mitigation against an organization’s cyber risk posture.
The other capabilities of the cyber risk posture are outlined below.
Factor Analysis of Information Risk (FAIR) risk assessment
The ultimate objective of cybersecurity is to secure identified key assets. Once the assets and potential risks have been identified, experts must evaluate the risk to the organization based on likelihood of an attack occurring, and the potential impact of a breach to the organization. The impact of a breach could include operational, regulatory, compliance, reputation, and of course financial losses.
A financial quantification of cyber risk is increasingly important to organizations that wish to better understand the investment needed to protect their assets, weighed against the cost to their business. Technology, service, and process investment decisions then become data-driven.
The market today typically communicates cybersecurity risk through ordinal scales, heat maps, and qualitative anecdotes (not money). Risk quantification can help articulate the cyber risk management value proposition through a data-driven risk mitigation story in the language of business. Note that cyber risk quantification is currently not an exact science, but with access to the right data, and building on that data over time, the results can be reasonably accurate.
An industry-standard cyber risk assessment based on the FAIR methodology (https://www.fairinstitute.org) is one example of how this can be achieved. Cisco’s Security and Trust Organization and Cisco® Services can deliver this capability through a risk management value proposition and cybersecurity risk exposure to communicate in financial terms. This includes running ad-hoc analysis for customers with limited data, benchmarking data, creating repeatable scalable models, using standardized methods, and providing defensible mathematical and statistical methods to quantify uncertainty.
The cyber risk assessment helps customers understand their time-bound financial exposure due to cyber risk, inform their internal clients of the financial risks they assume, prioritize operational decisions with enterprise-level security risk data, and invest smarter with return on risk mitigation analysis.
Ultimately such knowledge will evolve the business impact with financial risk overlays of technical and operational indicators that inform security services, compliance, investment management, and value metrics.
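A worked illustration of the quantification described above, added here and not Cisco's or the FAIR Institute's code: a Monte Carlo estimate of annualized loss exposure using the top of the FAIR factor tree (Risk = Loss Event Frequency × Loss Magnitude, with LEF = Threat Event Frequency × Vulnerability and loss magnitude split into primary and secondary loss). Each input is a three-point (minimum, most likely, maximum) estimate turned into a PERT distribution; the scenario figures are constructed placeholders, not benchmark data.

```python
"""Added example: FAIR-style Monte Carlo loss exposure with uncertainty ranges.
Scenario inputs below are hypothetical; a real assessment calibrates them."""
import random
import statistics


def pert(rng, low, mode, high, lam=4.0):
    """Draw from a PERT (scaled beta) distribution, a common way in FAIR
    practice to turn a (min, most likely, max) estimate into a distribution."""
    if high == low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def simulate_ale(scenario, runs=20000, seed=1):
    """Return a list of simulated annualized losses (currency units) for one scenario."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        tef = pert(rng, *scenario["tef"])       # threat events per year
        vuln = pert(rng, *scenario["vuln"])     # P(threat event becomes a loss event)
        lef = tef * vuln                        # loss events per year
        # Loss magnitude per event: primary loss (response, replacement, lost
        # production) plus secondary loss (fines, reputation) that only
        # materialises with some probability.
        primary = pert(rng, *scenario["primary_loss"])
        secondary = 0.0
        if rng.random() < scenario["secondary_prob"]:
            secondary = pert(rng, *scenario["secondary_loss"])
        losses.append(lef * (primary + secondary))
    return losses


def summarize(losses):
    """Mean and percentiles, the figures a risk manager would report."""
    s = sorted(losses)
    return {"mean": statistics.fmean(s), "p50": s[len(s) // 2],
            "p90": s[int(0.9 * len(s))], "max": s[-1]}


def compare_investment(scenario, mitigated_vuln, runs=20000):
    """Return (current mean ALE, mean ALE after a control lowers vulnerability),
    so a control's annual cost can be weighed against the loss it removes
    (the 'return on risk mitigation' the text refers to)."""
    base = statistics.fmean(simulate_ale(scenario, runs))
    after = statistics.fmean(simulate_ale(dict(scenario, vuln=mitigated_vuln), runs))
    return base, after


# Constructed scenario: ransomware halting a production line (illustrative only).
RANSOMWARE_LINE_STOP = {
    "tef": (0.2, 1.0, 4.0),
    "vuln": (0.05, 0.2, 0.5),
    "primary_loss": (50_000, 400_000, 2_000_000),
    "secondary_loss": (0, 100_000, 1_000_000),
    "secondary_prob": 0.3,
}

if __name__ == "__main__":
    print(summarize(simulate_ale(RANSOMWARE_LINE_STOP)))
    print(compare_investment(RANSOMWARE_LINE_STOP, (0.01, 0.05, 0.10)))
```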
Cyber risk services
Starting as part of the risk assessment process, services help translate the customer cyber risk profile into a comprehensive roadmap to improve their cyber posture, and reduce their cyber risk. This journey would include an assessment of existing controls and vulnerabilities, plus a series of initiatives evaluated on their effectiveness in minimizing the likelihood of a threat occurring and the impact of the threat if it was successful.
Technical experts cannot determine how to improve a customer’s cyber posture until they understand the underlying commercial and organizational requirements. Many organizations tend to invest sub-optimally in security technology without understanding how it properly aligns to company asset risk.
Services required along that journey include assessment of risk, planning the cyber risk journey, designing more robust cyber defenses, and implementing and managing the cyber defenses.
A comprehensive set of products and technologies from Cisco and select third parties can best mitigate risk. These are matched to the key use cases, business flows, architectures, and frameworks specified as important for an organization.
Mitigation technology includes, but is not limited to, asset discovery, zoning and segmentation, visibility and analysis, identity management, centralized policy control, and secure remote access.
Enhanced capability—discovery and automation
Visibility provides an understanding of assets, which in turn enables organizations to recognize and respond to attacks.
As outlined earlier in the document, customer assets are often split between different parts of their business, not just between IT and OT, creating fragmented views. However, cyber risk is pervasive and should cover all of the customers’ assets. Wherever possible, companies should take advantage of automation tools to discover, normalize, and create inventories that cyber risk mitigation controls can be based on.
Automation can transform cyber risk assessment into an ongoing process, rather than the point-in-time assessments that are prevalent in the industry today, ultimately leading to continuous, scheduled, or point-in-time cyber risk monitoring. The more data that can be extracted and normalized via the network and partner applications on an ongoing basis, the better the opportunity that organizations have to understand their risk exposure. Cisco and key partners (Figure 12) are well placed to extract and leverage data from infrastructure, security devices, applications, and users, bolstering customers’ visibility into risk exposure and providing controls to mitigate it.
Enhanced capability—cyber insurance
Cyber insurance can form an additional protection layer as part of an overall cyber risk mitigation framework (i.e., by transferring cyber risk to a third party). The best approach to cyber risk mitigation involves a solution that addresses both technical and business challenges. This is why Cisco is working with insurance providers to guide organizations in becoming more secure.
Today customers who choose to purchase cyber insurance are faced with a huge range of choices between available coverages. The fragmented cybersecurity marketplace makes it difficult for cyber insurance underwriters to properly understand a customer’s security posture. This currently results in policies that are conservative in nature (i.e., they offer protection against a narrow range of losses) and have high deductibles.
Companies have two options to cope with cyber risk:
1. Reduce it: By adopting more effective cybersecurity defenses
2. Transfer it: By purchasing cyber insurance
These two methods complement each other and work best in conjunction with one another. Neither is a replacement for the other; in fact, better cyber defenses can help customers obtain more valuable and more robust cyber insurance.
To provide meaningful risk transfer solutions (insurance) for cyber risk, Cisco is partnering with insurance companies to take a different approach to cyber risk mitigation and transfer, aligned to specific use cases or threats outlined in a cyber blueprint. This approach strengthens a customer’s security posture and creates a more robust (“enhanced”) cyber insurance coverage.
The business outcome is a joint value proposition that identifies technical methods and products that customers can deploy to systematically improve their cybersecurity posture. This reduces perceived risk to an insurer, making such a customer more “insurable.” This can result in more comprehensive cyber insurance coverage for a wider range of cyber losses, lower deductibles, and reduced insurance premiums.
Today Cisco partners with Allianz and Aon and plans to continue to grow this important landscape to offer the best outcomes for our customers.
To be successful, cyber risk should be tackled head on with a best-practice strategy designed around an end-state blueprint, including all the capabilities from risk analysis to continuous automation. Such a strategy will address the threats that exist now, but also the next wave of emerging threats. Although cyber risk is a growing challenge, it is not insurmountable.
An effective end-to-end cybersecurity approach delivers many advantages, including increased business agility and risk awareness, lower cost of operations, and reduced downtime. These translate into tangible economic benefits. However, to secure, harden, and defend an industrial environment in the world of digital transformation, it is essential to truly understand the IIoT technologies that enable it. In the era of IIoT, everything is connected; therefore, determining the best protection methodology for the type of systems, data, and communication pathways that compose the production systems is a challenge. Assets are to be protected, but their information is needed to manage and improve operations; therefore, it must be accessible while being acknowledged as a possible attack vector that must also be protected. It is a balancing act that occurs throughout the entire operational environment, from field devices to operations and control rooms to corporate. This is the junction where the IT and OT worlds become conjoined and must fight together, acknowledging the unique demands of each sphere of influence.
Effective cyber risk management calls for extensive, collaborative governance across an organization. Traditionally, many manufacturers distinguish between IT and OT, and between internal and external security. In today’s digital manufacturing environment, these divisions are obsolete. Understanding how IT and OT come together to effectively and securely address new use cases, or deliver new ones in a better way, and determining how best to secure them to mitigate risk exposure in a repeatable way is an incredibly valuable process. While it may be difficult to protect a company against the most advanced attacks, and no system will be 100% secure and at the same time usable, a systematic approach following a focused cyber blueprint to address the cyber risk lifecycle is the best way to mitigate the majority of everyday attacks.
To be most successful with an ongoing cyber risk process, Ernst and Young recommends three main steps:
● Ensure a clear understanding of which assets are most susceptible to attack and likely to be attacked by potential attackers, and which assets are most critical to the business. Discussion between security teams and business leads will produce a list of key assets to be defended, which are typically associated with critical business functions. These will include applications, infrastructure, and corresponding data repositories.
● Understand what constitutes normal system operation. Typically, this is referred to as a baseline in the context of security. Ongoing assessment requires strong analysis capabilities by both systems and people to understand any deviations from the baseline that may constitute a threat.
● Be able to contextualize information and understand the threat actors that are likely to target their organization.
By anticipating attacks before they happen using an intelligence-heavy, data-driven process, it is possible to detect and respond to attacks in real time, and understand your cyber risk exposure over time. Detection depends on the ability to track baseline patterns and user behavior that deviates from expected behavior. Combining technologies that look for threats based on known vulnerabilities, known patterns, and anomaly detection against a best-practice blueprint baseline provides more comprehensive threat detection and a better ability to reduce impacts from cyber risk.
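The baseline and deviation idea in the steps above, as an added example that is not part of the original paper: a communication baseline is learned from a window of constructed flow records, then a later window is checked for flows that were never seen and for known flows whose volume far exceeds the baseline, with findings weighted by the criticality of the assets they touch. The record format, addresses, ports, criticality values and the volume threshold are all hypothetical.

```python
"""Added example: learn a flow baseline from constructed OT flow records and
flag deviations, scored by the criticality of the assets involved."""
import re
from collections import defaultdict

# Constructed records in a hypothetical format: "<ts> src=<ip> dst=<ip> dport=<port> bytes=<n>"
BASELINE_LOG = """\
2024-01-08T08:00:01 src=10.1.2.10 dst=10.1.2.20 dport=502 bytes=1200
2024-01-08T08:00:02 src=10.1.2.10 dst=10.1.2.21 dport=502 bytes=1100
2024-01-08T08:00:03 src=10.1.3.5 dst=10.1.2.10 dport=44818 bytes=900
2024-01-08T08:00:04 src=10.1.2.10 dst=10.1.2.20 dport=502 bytes=1300
2024-01-08T08:00:05 src=10.1.3.5 dst=10.1.2.10 dport=44818 bytes=950
"""
NEW_LOG = """\
2024-01-09T02:13:07 src=10.1.2.10 dst=10.1.2.20 dport=502 bytes=1250
2024-01-09T02:13:09 src=10.1.9.77 dst=10.1.2.20 dport=502 bytes=400
2024-01-09T02:13:11 src=10.1.3.5 dst=10.1.2.10 dport=44818 bytes=40000
2024-01-09T02:13:12 src=10.1.3.5 dst=10.1.2.21 dport=22 bytes=3000
"""
# Criticality of key assets agreed between security and business leads (hypothetical).
CRITICALITY = {"10.1.2.20": 5, "10.1.2.21": 5, "10.1.2.10": 4, "10.1.3.5": 2}

LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$")


def parse(log):
    """Yield (ts, src, dst, dport, bytes) for each well-formed record; skip the rest."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, dst, dport, nbytes = m.groups()
            yield ts, src, dst, int(dport), int(nbytes)


def learn_baseline(log):
    """Baseline = mean bytes per record for every (src, dst, dport) flow seen
    during the learning window; what 'normal system operation' looks like."""
    totals = defaultdict(lambda: [0, 0])
    for _, src, dst, dport, nbytes in parse(log):
        totals[(src, dst, dport)][0] += nbytes
        totals[(src, dst, dport)][1] += 1
    return {k: v[0] / v[1] for k, v in totals.items()}


def detect(baseline, log, volume_factor=10):
    """Return (score, ts, reason) findings, highest score first. Flows absent
    from the baseline are scored by the criticality of the assets they touch;
    known flows are flagged when their volume exceeds volume_factor x baseline."""
    findings = []
    for ts, src, dst, dport, nbytes in parse(log):
        key = (src, dst, dport)
        crit = max(CRITICALITY.get(src, 1), CRITICALITY.get(dst, 1))
        if key not in baseline:
            findings.append((crit, ts, f"new flow {src}->{dst}:{dport}"))
        elif nbytes > volume_factor * baseline[key]:
            findings.append((crit, ts, f"volume {nbytes}B vs baseline "
                                       f"{baseline[key]:.0f}B on {src}->{dst}:{dport}"))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    for finding in detect(learn_baseline(BASELINE_LOG), NEW_LOG):
        print(finding)
```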
This information should come not only from network, server, and security infrastructure, but should also include applications and end users. By providing visibility and normal behavior against a best-practice blueprint, and quantifying the impact to the business, it is possible to organize and prioritize security-related technology spending. By organizing and integrating the existing security operations in a business with new capabilities, a proper cybersecurity lifecycle approach can enhance security monitoring and incident response, reduce the number of successful attacks, decrease the amount of time that attackers operate before being discovered and removed from a system, and crucially minimize the impact to critical business applications and services. In other words, it can help organizations minimize identified risk. As a result, industrial customers can better focus on their business operations, achieving a number of benefits including:
● Securely connecting things, machines, workflows, databases, and people who are on plant networks with those on enterprise networks.
● Seeing new patterns and optimizing operations and supply chain workflows.
● Sharing intellectual property securely with global employees, partners, and vendor ecosystems and helping scale expert resources.
● Minimizing operational risk to plant equipment and employee safety.
● Protecting intellectual property.
● Adhering to regulatory and compliance requirements.
OT and IT security solutions cannot simply be deployed interchangeably. The same technology sets may be used, but the architecture and implementation strategy may be different. And although IT and OT teams may be part of the same organization, they may have different priorities and often skill sets. Due to these changing needs, in conjunction with the increase in regulatory legislation aimed at critical infrastructure protection, an urgent need exists for stronger cybersecurity in OT environments, which should be designed with a defense- and detection-in-depth approach to mitigate potential damage. This must involve a multilayered, multitechnology, and multiparty (IT, OT, and vendors) strategy to protect critical assets.
New use cases, technologies, and architectural approaches for IIoT are constantly being introduced into the operational environment. Pilots are already in place focused on controlling and leveraging common infrastructure to best meet the needs of the overall organization. The resulting deployments may break the traditional segmented hierarchical approach. In reality, this is likely to only increase over time, meaning security considerations will be at the forefront of design for some time.
This is, however, not an overnight process. It will be a slow and gradual change from legacy ICS to real-time, data-driven support systems. However, as organizations benefit from new business outcomes, more and more assets will become connected with more and more sensors in the effort for organizations to become increasingly efficient and keep assets operational.
This means that a properly designed standards-based architecture, one that secures use cases and systems and also brings together the operational domains with IIoT and IT approaches, is critical. Importantly, it will allow organizations to move toward a proactive approach to addressing cyber risk.
As reference and solution architectures are developed, they must provide a foundation, leveraging an end-to-end approach with technologies designed to operate together, minimizing risk and operational complexity. These requirements should be implemented across both existing and new use cases, and for control systems and emerging technologies such as IoT, big data, mobility, virtualized infrastructure, and collaboration. However slow the change, it is an inevitability, and a proactive approach to effectively move from security to continuous controls monitoring to best mitigate cyber risk is essential.