Remaining Secure In A Connected World

While risks will never be entirely eliminated, and have already affected various industries and economies around the world, there are important steps you can take to secure your ICS and your business against mounting threats in our increasingly cyber world.

Oct 24, 2017
Mnet 193257 Cybersecurity
Ken ModesteKen Modeste

Data communications and control technologies are critical in today’s increasingly global economy. As industrial devices and infrastructure become more connected than ever before, the safe operation of this equipment is also becoming increasingly complex and growing in importance. More specifically, connecting an industrial control system (ICS) to the internet can create an access path for possible malicious activity, placing both proprietary and confidential information at risk while also creating the potential for bad actors to take control of the system.

Critical infrastructure and higher-profile industries are particularly vulnerable due to their appeal to bad actors, especially when third-party software is used in an ICS outside of the control of the ICS system manufacturer. Despite being one of the most damaging points of vulnerability, third-party software, including open source or vendor-provided software and snippets of code taken from internet-based sources, often remains as a key unidentified cause of security breaches. Thus, an important first step toward securing your system is understanding how these security risks are evolving and where they are most prevalent.

Fortunately, while these risks will never be entirely eliminated and have already affected various industries and economies around the world, there are important steps you can take to secure your ICS and your business against mounting threats in our increasingly cyber world.

How Risk is Evolving

With critical infrastructure serving a central role in everyday life, it presents an attractive target for cyberattacks. The vulnerable position of these critical industries — any network or service that, if tampered with, would negatively impact civilian health, security or economic well-being — makes them the primary focus for cybersecurity improvement efforts. In 2015, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 295 reported cybersecurity incidents in the United States, with 57 percent of those incidents occurring in the critical manufacturing, energy, and water industries.

Due to the prevalence of these issues and the potentially serious consequences of an attack, all entities working within critical infrastructure are often required to comply with mandated or recommended cybersecurity requirements and practices. For example, the European Programme for Critical Infrastructure Protection (EPCIP) adopted requirements for the transportation and energy industries in the European Union (EU) and the North American Electric Reliability Corporation (NERC) has taken similar steps in the energy industry in North America.

In the interest of remaining on budget and accelerating the ICS development process, many companies are turning to off-the-shelf solutions from third-party software providers. Though many of the most used and reliable applications come from trusted third-party developers, the prevalence of such systems is putting industry and infrastructure at risk, due in large part to ineffective processes involving the selection, implementation and use of this software.

For example, several attacks in 2014 and 2015 took advantage of security system deficiencies and exposed the personal records of more than 21 million U.S. federal employees. Similarly, poor user management/installation of Internet of Things (IoT) devices allowed a piece of malware, known as Mirai, to successfully carry out the 2016 Dyn cyberattack that essentially shutdown a long list of major websites including Amazon.com and various social networks.

Despite growing risks, the increasing number of attacks and the incredible sophistication in the world of cyberattacks, companies can still take action to help safeguard their information and systems. Even for companies with robust ICS and safeguards against cyberattacks already in place, additional precautionary steps and internal procedural changes can help ensure continued security.  For example, companies should guard against attacks that use Havex malware which can compromise an industry standard like OLE for Process Control (OPC) to gather intelligence on ICS systems that are prone to the use of OPC.

Five Next Steps You Can Take Now

A safer, more secure ICS starts with stronger internal procedures, attention to detail and diligence. In addition to internal efforts, third-party review such as UL’s Cybersecurity Assurance Program (UL CAP) can help improve security in the infrastructure supply chain. Developed with input from the U.S. federal government, academia and industry, UL CAP uses the requirements of the recently-issued UL 2900-2-2 (specific to ICS) to assess software vulnerabilities and help companies become more aware of security issues. In addition, these five steps can help you work toward a more secure future: 

No. 1 - Formalize Security Specifications

Establishing and implementing internal security specifications will help you narrow the list of potential software providers and other supply chain partners. Once complete, these specifications should be provided with every RFP to simplify the process and avoid surprises.

No. 2 - Due Diligence of Software and Supply Chain

Guaranteeing specifications in a quote is one thing, ensuring ongoing compliance with current requirements and the presence of adequate safeguards is something else entirely. Assessing all suppliers and performing regular audits ensures continued compliance and reduces risk. Additionally, an independent evaluation of all software should be conducted to identify security flaws and weaknesses for all software applications. 

No. 3 - Formal Update Policy

Many security issues arise from using outdated software. Formalizing a policy to perform routine updates and maintenance to a system will ensure that all security precautions are in place and as strong as possible.

No. 4 - Validation Testing

Following an initial review, routine evaluation of the software — a process that can often be automated to improve efficiency — should be conducted to ensure compliance with security specs. If these specs change with your business, these evaluations will also help to identify shortcomings. Further, a “track and trace” program will help monitor the software supply chain and ensure updates that will help guarantee ongoing compliance.

No. 5 - The Right Information for the Right People

Proper staff training is essential to maintaining security. This training should include security practices and third-party vendor selection requirements. Additionally, all vendors should be treated on a “need to know” basis, meaning that only necessary information about your software and ICS structure should be provided.

Though the sophistication of bad actors is only likely to increase, that does not mean the industry needs to remain ill-prepared and vulnerable to attack. With proper procedures in place and an ongoing focus on security throughout the software supply chain, it is possible to remain one step ahead.

Ken Modeste is the principal technical advisor and SME for UL’s cybersecurity program.

Read Next
Financial Cyber
Cybersecurity
Ransomware Report Shows Fewer Incidents, Future Concerns
May 3, 2024
Latest in Cybersecurity
Intuitive and Flexible Manufacturing ERP
Sponsored
Intuitive and Flexible Manufacturing ERP
May 1, 2024
Financial Cyber
Ransomware Report Shows Fewer Incidents, Future Concerns
May 3, 2024
Manufacturing Infrastructure Cyber
CISA Releases Latest ICS Advisories
May 3, 2024
Ep92tn
Security Breach: Predictions That Hit
May 2, 2024
Related Stories
Financial Cyber
Cybersecurity
Ransomware Report Shows Fewer Incidents, Future Concerns
Cybersecurity
Cybersecurity
ZAG Technical Services Announces New Cybersecurity Offering
I Stock 1251037786
Cybersecurity
What is Volt Typhoon?
Intuitive and Flexible Manufacturing ERP
Sponsor Content
Intuitive and Flexible Manufacturing ERP
More in Cybersecurity
Intuitive and Flexible Manufacturing ERP
Sponsored
Intuitive and Flexible Manufacturing ERP
Acumatica looks to offer new solutions.
May 1, 2024
Financial Cyber
Cybersecurity
Ransomware Report Shows Fewer Incidents, Future Concerns
The fear is that larger RaaS groups are exercising greater control over their affiliates.
May 3, 2024
Manufacturing Infrastructure Cyber
Cybersecurity
CISA Releases Latest ICS Advisories
Cisco, Siemens, Honeywell and Mitsubishi systems top the list.
May 3, 2024
Ep92tn
Video
Security Breach: Predictions That Hit
A look back at Security Breach guest's most accurate and timely industrial cybersecurity predictions.
May 2, 2024
Ransomware
Cybersecurity
Report Identifies Hidden Costs, Challenges of Ransomware
Too many are paying, and the reasons range from understandable to infuriating.
April 25, 2024
Ep90
Video
Security Breach: DMZs, Alarm Floods and Prepping for 'What If?'
The new factors impacting a growing attack surface, and how to evolve your cyber risk strategies.
April 25, 2024
Fleet Of Fed Ex Delivery Trucks In A Parking Lot 483290419 4500x3000 (1)
Cybersecurity
Transportation and Logistics Under Siege
A look at how this vital and increasingly targeted market sector is responding to more cyberattacks.
April 24, 2024
Industrial Cyber
Cybersecurity
5G, AI and More Are Changing OT - Why Zero Trust Could Be the Solution
Maximizing technology investments while maintaining security.
April 24, 2024
Manufacturing Infrastructure Cyber
Cybersecurity
Avoiding Shutdowns from Ransomware Attacks
A strategic approach for protecting OT networks.
April 24, 2024
IEC 62443 is a key standard to reduce risk of cyberattacks in industrial workplaces.
Cybersecurity
How to Build a More Secure Connected World with IEC 62443
The goal is better efficiency, improved sustainability and interoperability, enhanced reliability and greater cost-effectiveness for system integrators, product suppliers and other stakeholders.
April 24, 2024
Coding
Cybersecurity
CISA Releases 7 ICS Advisories
Unitronics, Rockwell and Mitsubishi head the list.
April 19, 2024
Financial Cyber
Cybersecurity
Alarming Trends Reinforced in Ransomware Attack of Semiconductor Mfr.
Experts assess the fallout from the Dark Angel attack on Nexperia.
April 19, 2024
Industrial Cyber
Cybersecurity
Hexagon, Dragos Announce Partnership
The team-up looks to "revolutionize OT cybersecurity."
April 18, 2024
Ransomware
Cybersecurity
Report Shows Updated Ransomware Concerns
Hackers are elevating the complexity of their attacks - making them harder to detect.
April 18, 2024
Cybersecurity In A Bubble
Cybersecurity
Responding to Emerging Risks and Attack Vectors
Insight on key hacker strategies, response plans and creating a culture that embraces cybersecurity.
April 18, 2024