The event was set in Madrid, splendid as usual, warm and beautiful. A handful of presentations showed the wide range of views on how critically important infrastructure has to be secured. Some of them were directly on topic, but a certain number looked totally unrelated. The general impression is that people working on Industrial Cybersecurity are very smart and courageous. The problem is that we need even more people from different sides of the story to go further.
According to Gartner, the number of “potential hackers” will increase tenfold in the next couple of years. Investment in cybersecurity educational efforts is solid, which is good, but some people might join the forces of “the dark side”. And this means that today’s limited scope of attacks on industrial objects may increase as well.
This is the challenge. What would be the answer? Well, as I said before, action is required from cybersecurity vendors (developing new protection solutions tailored for critical infrastructure, and Kaspersky Lab does exactly that) as well as owners of industrial systems and even government.
The congress showed a good example of a visionary customer. SABIC is already heading in the right direction, not only securing their ICS, but also developing security-in-mind requirements for suppliers, which is great. Such “individual” requirements have to be converted into “typical” ones and eventually end up as an “industrial security baseline”. Such a scenario would benefit the entire industry.
To get closer to a new standard, industrial automation and security societies need to arrive at a common vocabulary of security terms ASAP. From an environment of visionary adopters we will move to the mass market, where people use a reasonable set of security controls just because "everyone in my industry is talking about these things and using them, so I have to".
Oh, what a bright future. But there is a problem. Almost all current standards (industrial, such as NERC CIP, and international like ISA99/62443, or internal company standards) are focused on "having procedures and a set of controls onboard", i.e. they represent the compliance-based approach.
But, frankly, compliance is not security. It would be much better to embrace a strategy based on real threats: “Does a certain infrastructure, with these particular protection systems, withstand a common list of known and potential attacks?” With this kind of realistic testing, customers gain a real understanding of how effective their protection is. A simple compliance checklist does not provide that.
Pitching this idea to customers and government bodies alike is still a challenge. Unfortunately, the inclination to “comply” rather than “protect” brings to life a very bad but typical scenario, such as this:
- The IT department purchases antivirus for the production plant, either because it was required by compliance, or because IT strongly wishes to secure ICS at the plant. Malware outbreaks already had to be dealt with.
- But IT has no control over actual tools used in the plant, as this domain is owned by engineers.
- Result: engineers grudgingly install the antivirus, but all options are switched off. It’s just an icon in the tray, and it has not been updated in the last 2.5 years.
As you can see, on the customer side, there are three key groups of people involved in industrial cyber security.
- CEO. The main problem on this level is to understand how cybersecurity spending relates to revenue.
- General IT or IT security managers. Involved in purchasing decisions, but frequently have no power over the critical infrastructure.
- Engineers. For them the seamless operation of the infrastructure is the top priority. Hence, they might be afraid of possible consequences of deploying a new security solution much more than of cyber attacks.
The key to industrial security success is to address all issues for these three groups and provide them with a common "business continuity" language, instead of the ITsec jargon that we have now. All involved parties need to understand each other’s needs and the security (not compliance!) requirements.
To conclude my impressions from the Madrid congress, I hope that the following events will be more interactive. Communication between customers, vendors and government officials is always a benefit. It is essential for people to talk, argue and think together, not just listen to each other.
And many thanks to Samuel Linares @ The Industrial Cybersecurity Center (CCI) for putting his event together in such a warm fashion.