Industrial Control Systems (ICS), Building Management Systems (BMS) and other Operational Technology (OT) systems are falling behind in terms of cyber-resilience. This is a critical problem when you consider the potential loss of lives and/or major environmental damage as a result of a cyber-attack on ICS and other OT systems. In addition to these severe consequences, the financial, reputational and compliance impacts of cyber-incidents should be considered as well. Faced with this troubling situation, a new approach is needed. CISOs need to take charge, educate themselves about the unique characteristics of ICS and OT, work collaboratively with industrial control engineers, and ultimately take responsibility for the cybersecurity of ICS and OT.
While working on a project I conducted for the Israel National Cyber Directorate (INCD), I gained an inside look at the current state of ICS cyber-resilience. We were developing a practical tool for the Israeli ICS sector that allowed enterprises to conduct cyber-risk assessments of their ICS networks. As the process unfolded, we drew upon the expertise and insights of a number of OT engineers as well as cybersecurity professionals. Before long, a troubling pain point was identified–lack of knowledge in cybersecurity and, as a result, lack of a proper control environment, leading to poor cyber-resilience of ICS networks.
Clearly, there is a leadership vacuum that needs to be filled. There is a lively debate in the industry about who should assume actual responsibility over ICS security – the CISO or OT engineers. Given the CISO’s grounding in cyber-risk management and mitigation practices, I believe that the CISO is best-suited for this role…but, in order for CISOs to properly oversee this area, CISOs must address their blind spot regarding cyber-risk mitigation in the ICS and OT environment. CISOs generally do not possess much knowledge of OT processes and systems as well as these systems’ sensitivity to change. Therefore, they tend to overlook potential consequences if something goes wrong.
Most modern organizations are using ICS and OT systems, such as Building Management Systems (BMS) and surveillance cameras. ICS is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. ICS are used in critical infrastructure – areas such as the manufacturing, transportation, energy, and water treatment industries, which are essential to the health, safety, security and economic well-being of governments and society as a whole. OT systems, meanwhile, include the hardware and software systems that monitor and control physical devices in the field, such as devices that monitor temperature in industrial environments.
The convergence of IT and OT provides enterprises greater integration and visibility of the supply chain, including critical assets, logistics, plans, and operation processes. Having a thorough understanding of the supply chain can help organizations improve strategic planning and remain competitive. However, the convergence of IT and OT expands attack vectors for cyber-criminals, allowing them to take advantage of poorly protected OT infrastructure.
So addressing this common blind spot is part of the challenge for CISOs. The good news is CISOs have several sources to consult for guidance. CISOs and others interested to learn more about reducing ICS cybersecurity risk would be well-served to explore NIST’s Cybersecurity Framework Manufacturing Profile. Additionally, the ISA/IEC 62443 series of standards provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems. And on the certification front, ISACA’s CISM credential can help CISOs develop a risk-based approach to managing cybersecurity challenges that may arise on the ICS and OT landscape.
Editor’s note: Asaf Weisberg will present additional insights on “Illuminating the CISO’s ICS Blind Spot” at Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City, USA.
To help enterprises and security professionals optimize security risk and compliance, the Infosecurity ISACA North America Expo and Conference 2019 offers a diverse lineup of learning sessions for all experience levels and needs 20-21 November 2019—register now!