ARC STRATEGIES: The Future of Industrial Cyber Security

ARC STRATEGIES
By Sid Snitkin
SEPTEMBER 2014

The Future of Industrial Cyber Security

Contents
Executive Overview
New Challenges for Industrial Cyber Security
A Secure Future Requires Shifts in Perspective and Focus
Establish a Broad-based IT-OT Strategy
Focus on Cures, Not Remedies
Embrace the Opportunity for Better Security

VISION, EXPERIENCE, ANSWERS FOR INDUSTRY

[Figure: Technology Is Changing Industrial Cyber Security Challenges]

[Table: The Future Demands New Industrial Cyber Security Strategies. Columns: Today's ICS Cyber Security Includes; Future ICS Cyber Security Requires. Rows: Mission, Scope, People, Processes, Technology.]

Copyright ARC Advisory Group ARCweb.com

Executive Overview

President Obama's Executive Order identified the security of industrial assets as one of the nation's most important challenges. Growing support for the NIST Framework shows that industrial organizations are equally concerned and working to ensure the security of facilities.

Most of these organizations are concerned about securing legacy plant and SCADA systems that were installed before cyber security was a concern and are insecure by design. Most efforts focus on installing and maintaining compensatory controls like firewalls and antimalware software and managing a never-ending stream of software revisions and patches for newly discovered vulnerabilities and threats. The number of systems and vulnerabilities makes this a daunting task and many organizations are actively working on plans to overcome resource limitations.

[Callout] Smart companies will anticipate new technology developments and establish industrial cyber security strategies that address the new challenges and constraints:
A new scope for industrial cyber security that includes external systems and remote devices
A focus on managing devices instead of patching systems
A broad-based IT-OT cyber security strategy including external parties
Embedded Security-by-Design principles in the people, processes, and technology used throughout the organization and its cyber supply chain

While resolving the current situation is critically important, focusing all cyber security planning efforts on legacy problems is like driving the car with only the rearview mirror. Organizations also need to look ahead and ensure that their strategies anticipate coming developments like mobility, the Internet of Things, and cloud computing. Business managers are already redesigning processes to exploit these new capabilities and automation suppliers are incorporating them into new system designs. Prudent cyber security professionals will recognize the impact this will have on cyber security strategy and the need for new approaches to manage cyber security.

ARC believes that this will require organizations to make several strategy adjustments including:
Extending the scope of industrial cyber security to include external systems and remote devices
Shifting the focus of security strategies from protecting systems to managing devices
Transitioning from building stronger cyber silos to developing broad-based IT-OT Security Networks
Embedding security-by-design principles in the people, processes, and technology used throughout the organization and its cyber asset supply chains

Smart organizations will understand the urgency of building a roadmap for this transition. New strategies have to be in place before the organization's business leaders demand widespread adoption of these kinds of technology developments. Expecting the business to wait for security is naïve; the cost and performance benefits are simply too large to ignore and competition will force rapid adoption.

New Challenges for Industrial Cyber Security

[Callout] Organizations understand the changing nature of control system technology and cyber threats. But, in general, they do not recognize the revolutionary changes occurring outside the plants that will significantly change future control system designs and the very nature of industrial cyber security management.

Today, most large industrial organizations understand the enormous risks of cyber attacks against their facilities and many have launched programs to secure their operations. This includes investments in site assessments, new practices, and new technologies to protect networks and critical infrastructure from external and internal attacks. Control system suppliers have also instituted programs to ensure that new systems are equipped with appropriate security software and appliances.

Organizations understand that control system technology will change and address this in their security practices.
But many don't appreciate how technology developments like mobility, ubiquitous connectivity, cloud computing, and the Industrial Internet of Things (IIoT) will impact future control system designs and the very nature of industrial cyber security management.

Mobility and Ubiquitous Connectivity

Connecting mobile devices within plants is already a key concern for many industrial organizations. Lack of control over mobile software and content makes them as functionally insecure as public networks. Tight control of users and devices is their only recourse, but it is difficult to enforce these policies for every person that enters the site, particularly when they are called to address urgent issues.

[Figure: Technology Is Changing Industrial Cyber Security Challenges]

Clearly, the situation is only going to get worse. Organizations recognize the enormous benefits of mobility and ubiquitous connectivity and are redesigning business processes to exploit these capabilities both within and outside plant perimeters. In the future, plant managers, supervisors, and technicians will expect free access to control system information and the ability to intermix this information with information from external sources on the same device. For example, a technician troubleshooting a control problem in the plant will expect direct Wi-Fi access to devices while they simultaneously use cellular networks to get documentation from a supplier's website. And the organization will want this person to have comparable access from outside the plant so that he or she can support problem resolution at a moment's notice.

While security concerns will be acknowledged, history suggests that they will not be enough to limit this explosion in connectivity. Plant managers will support this need for boundary-less access and automation suppliers will enable ubiquitous connectivity in their products to support remote service strategies.
Once connectivity is built-in, system designers will leverage it to integrate remote systems, devices, and applications.

From an industrial cyber security perspective, these developments will exponentially increase the attack surface and the number of threats that must be managed. This will also reduce the effectiveness of traditional strategies for managing vulnerabilities and intrusions. The proliferation of devices and users will rapidly make it impossible for organizations to track and manage software revisions and patches. Establishing a single secure remote interface will also fall out of practice as it will not adequately support all these needs. Cellular communications will also add a whole new set of industrial cyber security challenges and strain the very idea of secure perimeters.

Cloud Computing

Enterprise IT groups are rapidly adopting the Cloud as a platform for sharing information and managing applications across the enterprise. It enables access to resources anywhere, anytime and promotes efficiency and effectiveness through faster, more collaborative decision making. The Cloud provides a way to reduce applications, simplify IT maintenance, and improve security.

[Callout] While security concerns will be acknowledged, history suggests that they will not be enough to limit the explosion in connectivity and the integration of systems with cloud services.

Recent developments show that conservative ICS attitudes toward the Cloud are changing as well, particularly for supervisory applications and sharing plant data with partners. Production management, MES and historian application suppliers are already offering cloud solutions for both private and public clouds. Like ubiquitous connectivity, the large benefits of cloud solutions have become too attractive to ignore. This includes reduced CAPEX, faster deployment, lower maintenance costs, easier upgrades, and better collaboration.
The proliferation of large, reliable data centers has also reduced many of the initial concerns.

The security impact of the Cloud is different from that caused by ubiquitous connectivity. Mobility and ubiquitous connectivity bring the external world into the plant; cloud applications extend the plant into the external world. But both trends accelerate the erosion of plant perimeters.

Use of cloud applications will also impact cyber risk management. Cloud data centers are high-value targets and increase the likelihood of attacks. Data center intrusions can also open new pathways into plant systems. Just being connected to the Cloud will make hackers more aware of plant systems and encourage malicious activity.

Managing cloud application risk will also be more challenging for industrial organizations. Outsourcing applications reduces the ability to mitigate risks according to internal risk perspectives and forces more reliance on contracts and contract managers to ensure alignment of internal and external risk concerns and actions.

Industrial Internet of Things (IIoT)

There is plenty of hype surrounding the Internet of Things (IoT). But this isn't just another futuristic fad. Industrial companies already recognize the potential benefits of IoT and are working to incorporate it in their operations and products. ARC Advisory Group refers to this industrial use of IoT as the Industrial Internet of Things, or IIoT (see Planning for the Industrial Internet of Things).

[Callout] IIoT isn't just another futuristic fad. Industrial companies already recognize the enormous benefits of IoT and are launching programs to leverage these capabilities to improve performance. As IIoT builds upon current and emerging technologies, ARC believes that adoption will be rapid and widespread.

As IIoT builds upon current and emerging technologies, ARC expects that adoption will be rapid and widespread. Leading industrial suppliers clearly agree as many have already launched major IIoT programs using catchy terms such as Smarter Planet (IBM), Internet of Everything (Cisco), and Industrial Internet (GE). In Europe, Industrie 4.0 is also taking hold. All recognize IIoT's potential for driving significant improvements in asset and operational performance.

The diversity of IIoT opportunities makes it difficult to predict all the ways that organizations will use IoT in industrial control systems, but we can be sure that system designers will find creative ways to take advantage of this enhanced intelligence and connectivity. Initial applications will likely involve adding wireless, remotely accessible sensors to plant systems to help improve asset management. As comfort grows, use of IIoT will spread across all industrial business processes and connect many external devices with plant systems. These developments will change the very nature of industrial control and the responsibilities of ICS and ICS security personnel.

IIoT presents a variety of challenges for ICS cyber security professionals. IIoT will be applied within and outside plants, so the urgency for security-by-design devices will rise across the spectrum of industrial controllers, networks, and devices. This multi-environment use will also accelerate the shift to wireless, IP-based industrial protocols and demand more use of encryption and device authorization. As local intelligence expands, managing software updates will become more complex, necessitating more supplier responsibility and involvement in security strategies.

A Secure Future Requires Shifts in Perspective and Focus

To avoid problems, organizations need to be prepared for the coming changes in industrial control. Industrial adoption of developments like mobility, cloud, and IIoT will take time, but history tells us that it will probably occur with little input from those responsible for cyber security. Lack of advanced planning will therefore place organizations at considerable risk and limit future strategic options.

Table: Current versus Future Industrial Cyber Security Strategies (rows: Mission, Scope, People, Processes, Technology)

Today's ICS Cyber Security Includes: Protect Plants & Infrastructure; Priorities - AIC; Systems; Private Networks; Internal ICS Groups; ICS Service Groups; Defense-in-Depth; Manage Security at Perimeter; Secure Networks; Secure Zones; Authorize People; Manage App Vulnerabilities; Secure Servers; Endpoint Security Wrappers; Network Firewalls; Data Encryption

Future ICS Cyber Security Requires: Protect Plants, Infra., External Resources; Priorities - AIC and CIA; Systems, IIoT, Mobile Devices, Cloud; Private & Public Networks; Internal ICS & IT Groups; ICS & IIoT Supplier Service Groups; Public Networking Services Partners; Cloud App & Data Services Partners; Defense-in-Depth; Manage Security at Device; Secure Networks and Messages; Secure Zones, Devices, Messages, Data; Authorize People & Devices; Manage App & Device Vulnerabilities; Secure Servers and Data; Secure-by-Design Endpoint Devices; Network and Device Firewalls; Data & Message Encryption

Organizations need to review all aspects of their cyber security strategies to understand how these developments impact current plans for ICS cyber security. While organizations differ, the table reflects the kinds of changes that should be anticipated. Every organization should review its strategy in every area from industrial cyber security scope to choice of technologies.

Mission and Scope

Protecting the availability and integrity of critical assets will remain the central mission of industrial cyber security programs, but the scope will broaden to include devices, systems, and services outside traditional plant and SCADA perimeters as critical assets. Current scopes reflect the reference architectures used in standards like IEC. While these architectures will remain relevant for plants and SCADA systems, these facilities will become elements in larger industrial control ecosystems. Embracing this expanded scope will be essential to develop effective plans for the new challenges that will develop.

[Figure: IEC Reference Architectures; Future Industrial Control Ecosystems]

Some organizations will want to maintain their current ICS cyber security scope, but smart companies already recognize the inherent weakness of this position. The devastating impact of peripheral attacks like Shamoon shows that performance of industrial companies already depends upon the availability of complete, end-to-end, industrial business processes. And this dependence will grow as industry continues to strive for better performance and lower costs. Many plants are already optimized and industrial organizations are increasingly looking for opportunities in tighter integration of plants, customers, partners and logistics services. Many are also increasing use of external services to reduce costs and help overcome the challenges presented by an aging workforce.

People

Today, most companies view ICS cyber security as an internally-focused, ICS issue. While it's common to use ICS suppliers and third parties for assessments, audits, and training, the day-to-day management of software revisions, patches, and incidents is generally addressed in-house.
Accordingly, increasing the cyber security expertise of engineering staffs has become the focus of organizational strategies.

[Callout] Many organizations already recognize the limitations of strategies that rely solely upon strengthening internal cyber security resources. Outsourcing responsibilities to external resources is already growing and the future will be more focused on suppliers assuming responsibility for sustaining security of all devices and systems.

While understandable, many organizations already recognize the limitations of this approach. Backlogs of software revisions and patches are growing, cyber security technology complexity is increasing, and the shortage of ICS cyber security expertise forces them to rely more on their ICS suppliers and third parties. The coming developments will certainly exacerbate this situation and require even more outside support. As scope expands this will lead to the expectation that all suppliers of critical devices, systems, and services will have to assume primary responsibility for the ongoing security of their products.

Processes

Process recommendations in current ICS cyber security standards are well-designed and proven through years of use. Concepts like defense-in-depth will certainly be as relevant in the future as they are today. But other assumptions will have to be reviewed and adapted for the broader scope of ICS cyber security.

[Callout] Current security processes will require review and adaptation for the broader scope of tomorrow's industrial cyber security. They will have to incorporate Security-by-Design, more comprehensive authorization, broader risk analysis, and remote management of devices.

The ability to protect critical assets with secure perimeters, zones and conduits will certainly become challenging when many of these assets are located in open environments and accessed through a variety of public networks.
To accommodate these changes, processes will have to place more emphasis on secure devices and secure message protocols. This will likewise necessitate change in user-centric authorization processes to include additional factors like device authorization and location. Risk analysis is another process that will have to broaden and include threats to external devices, systems, and services.

Future ICS cyber security strategies will also require the addition of some new processes. Examples include processes to remotely manage device credentials, patches, and new applications. Physical device security will also become an issue to protect against theft of credentials and network login information. Fortunately, these are not new issues to the overall cyber security community and ICS teams should be able to leverage the lessons learned by groups that manage mobile and cloud security.

Technology

Like processes, ICS cyber security technology is already quite mature. Most organizations believe that they have enough to handle most of today's risks. Ensuring that individual endpoint devices incorporate these capabilities will be the primary challenge for the future.

Establish a Broad-based IT-OT Strategy

Industry developed the term ICS cyber security to distinguish it from IT cyber security. Both protect hardware and software resources from unwanted