The Industrial Internet of Things (IIoT) promises transformational opportunities. Yet the open, standards-based internet technologies that enable the IIoT and economic innovation also present an array of complex challenges to critical infrastructure providers. Technology is being embedded into existing Industrial and Automation Control Systems (IACS) deployments and the IIoT is being used to monitor and optimize IACS processes, with more and more network connections being made to enable digitization strategies. While the electronics of brownfield critical infrastructure—the systems currently in operation—were designed with considerations of safety, availability, redundancy; they were not built with cybersecurity in mind. Yet, the existing infrastructure in the ecosystem was designed to be operational for several more decades. And IIoT solutions are being bolted on alongside these brownfield systems, exposing them to Internet-based risks. The interconnectedness of today’s technologies exposes the insecure-by-design electronics of brownfield IACS and the physical systems they control to worldwide threats.
What can system integrators, asset owners and operators do to enhance cyber resilience of operational cyber-physical-converged systems?
To help secure new technology deployments within the IIoT, we’ve seen progress through the actions of embedding trustworthy technologies into those systems, aligning them to industry standards and focusing on value chain security to mitigate the threats of the third party ecosystem. While encouraging, these activities focus on new or greenfield IIoT and IACS deployments. It’s only when new IACS are built that there will there be a chance to insert electronics that are secure by design. This implies that there will be a gap in security for the next several decades until all legacy electronics supporting critical infrastructure are replaced.
Addressing this security gap must remain a priority as connectivity increases between legacy or brownfield systems and the internet if cyber resilience is to be achieved.
Recently, I had the chance to visit and speak directly with a variety of European customers whose primary business is industrial-focused. Our discussions focused on this security gap and covered the state of Industrial security and the IIoT, the business and technical challenges of securing IACS, the complexity of assessing cyber risks, and best practices, standards, and technologies that can aid in solving these challenges. The technical stakeholders I spoke with represented manufacturing, energy and water utilities, transportation, ports, logistics and retailers. While there was general consensus regarding the many challenges and possible solutions to securing electronic systems that support our IACS, the lack of consensus to the following question was troubling:
Does your company operate a Secure Operations Center (SOC)?
In order to keep up with the threat landscape, every critical infrastructure provider must build, operate and maintain a Security Operations Center (SOC) to enhance the cyber resilience of these operational systems. Simply put, the faster an organization can detect any incident that could impact the business; contain and minimize the scope of the impact; and restore all systems to a known good state, the less that incident will cost and the more resilient that organization and it’s operational IACS will be. Keep in mind that when security incidents arise, they have the potential to not only affect your organization, but could create cascading failures that impact your local municipality, your business partners, and your customers.
The relevance and importance of a SOC increases significantly in critical infrastructure environments where protective security measures may not always be available or implemented due to the heterogeneous systems, protocols, technologies, and standards that enable IACS and the IIoT. The capabilities of the SOC enable organizations to increase cyber resilience by accepting that cyber incidents will occur, adopting the NIST Cybersecurity Framework, and focusing on the full lifecycle of operational risk management: Identify, Protect, Detect, Respond, and Recover. Note that protective measures are just one function of this framework – in alignment with how Cisco views the cyber-attack continuum.
This is why building, operating and maintaining a SOC is vital.
Equally important is to ensure your SOC is tightly integrated with your IACS operations and control centers. Such integrations enable collaboration between IACS operations experts and cyber security experts to sift through the noise and determine which security-related events are important.
Here are four activities that will enable your SOC to build cyber resilience into your entire organization:
- Listen to your networks – enable, export, and regularly review network telemetry from all capable electronic assets in order to hunt for anomalies and potential threats. Aggregate threat intelligence from your peers and industry groups and investigate if the same Indicators of Compromise (IOC) found externally can be found in your networks.
- Test technology stacks – verify that all system backups are being performed successfully, and validate the integrity of those backups and recovery processes by cyclically restoring from backups.
- Simulate security incident scenarios – step through your business continuity and disaster recovery plans in conjunction with the integrated operations centers and larger organization on a recurring basis.
- Build a security culture – enable your SOC specialists to provide business-relevant security training to the entire organization about the threats they see, with contextually relevant content for engineering, operations, dispatch, and field teams.
Cyber resilience means identifying threats that could impact operations, being prepared to react quickly, and ensuring that systems fail safe. If you enable network telemetry data streams you can gain visibility into the baseline operations of your environment. By regularly reviewing the data against known IOCs, you can quickly detect anomalous behavior. By practicing incident response plans you’ll decrease the time it takes to respond appropriately and recover from a real incident – this is cyber resilience.