Recent targeting of cyber attacks on critical infrastructure – such as electricity, gas and water supplies – has highlighted the need for improved security of industrial control systems (ICS). Dana Pasquali, writing in DarkReading.com, urges organisations to take immediate action and sets out three priorities.
Pasquali compares ICS protection measures to those used in protecting today’s cars. Along with inbuilt safety features, there is a vehicle identification number (VIN) which allows car owners to be contacted when recalls or upgrades are needed. Although vital to safety, these features and measures are seldom appreciated until an accident happens.
An ICS – particularly an older one – may lack built-in protection. It may also lack a unique identification number through which the organisation can be alerted to new risks and recommendations for upgrades.
Despite the fact that utility and fuel supplies would be halted by a failure in their ICS, research reveals that energy companies – along with government – rank lowest for “cyber maturity”.
Pasquali recommends three fundamental steps on which to build a cyber resilience strategy:
- Knowing and managing your assets
- Developing and testing your incident response plans
- Embracing cyber security as part of your organisation’s culture
Step 1: Asset inventory
Asset management is a prerequisite to risk management. You should fully understand what equipment and systems you have, what patches they require and how your machines and end-points communicate with each other.
Monitoring access and traffic is relatively easy in an IT environment, where computer interaction with the network is recorded at every login. In a major industrial environment there may be many connections between assets which do not involve active communication but which nevertheless affect cyber vulnerability.
Operators should keep a close eye on their equipment, with cyber risks in mind. An asset inventory should be in place before you start looking for technical solutions.
Step 2: Incident response plans
In the event of a cyber incident, your staff should know exactly how to act to deal with it quickly and effectively. Your plan should include:
- Who to contact – with correct and up-to-date contact details.
- What conditions should trigger that contact.
- What lines of communication should be followed.
- Where responsibilities lie.
Importantly, the plan should be tested routinely, through simulation exercises, to ensure it works and to identify gaps and flaws.
Step 3: Training and empowering
Your incident response plan is likely to take some members of staff into unfamiliar territory, and their knowledge needs to be supplemented accordingly. On a wider scale, all staff will be better able to minimise cyber vulnerability caused by human error if they are helped to understand how their actions may contribute to it.
As Dana Pasquali concludes, reliance on technological solutions as a silver bullet fails to take the human factor into account. She maintains that training programmes and continuing education to raise everyone’s cyber awareness are the keys to a culture in which people serve as your best defence.