ARC's cybersecurity team recently attended The Department of Homeland Security’s Industrial Control System Joint Working Group (ICSJWG) event in Pittsburgh from Sept. 12-14. The event consisted of international speakers from industry, government, and academia. Deputy Director of ICS-CERT, Neil Hershfield kicked-off the meeting and announced that Marty Edwards has transitioned to his role as Automation Federation managing director. Marty was awarded a plaque of gratitude for the years of service to DHS ICS-CERT, and ARC also says thank you & congratulations to Marty, whose presentation focused on the industry shortage of cyber talent, and how his new role at the Automation Federation is to promote education and create a new talent pool by leveraging academia, industry, and government.
End User Case Studies in Power and Oil & Gas Cybersecurity
Rick Kaun, VP of Solutions at Verve Industrial Protection, presented a how to improve overall security & maturity of your corporation. Rick cited a presentation given by Justin Kosar of Associated Electric Cooperative at the ARC Orlando Forum in 2017. The key focus of the presentation was on leveraging the NIST/IEC 62443 standards by utilizing Verve for Asset Inventory Management (AIM), and taking control of securing and managing plant assets. End users must have knowledge of what assets they have and situational awareness into what they are doing as a key first step in OT security. ARC vice president Sid Snitkin will present in a joint ARC/Verve webcast on November 2 on the “security gap”, or the lack of resources to maintain/use many of the defensive cybersecurity technologies that are being installed in today's plants and facilities.
Gary Bentlin, CISO of Trans Grid Australia discussed the challenges of Remote Access. The need to have secure controlled access for various parties, such as service providers, suppliers, third-parties, and their unique use cases, posed strategic challenges for the organization. Donovan Tindill of Honeywell provided some security management strategies for working with a major Canadian oil and gas client. The presentation focused on the two-year process and the stages necessary for adoption of securing IT/OT assets. They are now working with BOD level executives to brief them on what is still required to execute for their cybersecurity roadmap. The budget challenges and resource management & training costs to security plants/sites is a concern for owners/operators.
Cybersecurity and Its Impact on Insurance
Andrew Ginter, vice president at WaterFall, presented the impact of cyber insurance and coverage issues (what is and is not covered). Ginter discussed how the current insurance industry is gaining more intelligence and data regarding risk assessments for industrial corporations. Ginter also discussed how policies are now being enforced with proving best practices vs. neglect or lack of effort to securing assets and data. He highlighted that at least one insurance company is now providing a policy discount based on the use of Waterfall’s unidirectional gateway product.
ARC’s Sid Snitkin: New Approaches to Plant Security are Necessary
Sid Snitkin presented need to look beyond ICS/SCADA to plant centered security. The ICS cybersecurity community has done a good job of developing standards and guidelines for the protection of plants and SCADA systems. To make progress we have rightfully defined a specific set of use cases and scope boundaries. But recent events and new developments show that these assumptions are too restrictive. The cybersecurity challenges that industrial companies and infrastructure organizations face span the IT-OT-IoT spectrum. The industries that need such support are also expanding as more attention is being paid to building automation systems and Smart Cities.
DHS ICS CERT Update
Jeff Gray, Chief of Training & Outreach, DHS ICS-Cert presented his team of incident response and cyber emergency tracking of industrial incidents. Jeff indicated that the team is reorganizing under the National Cybersecurity & Communication Integration Center at https://www.us-cert.gov/nccic.
Other Notable Presentations
- ABB’s Mike Radigan provided some insights on cyber risk and operational issues.
- Gib Sorebo of Leidos highlighted key issues and best practices for ICS assets and configuration management.
- Matt Cowell & Joe Slowik of Dragos presented the threat and potential impact of CRASHOVERRIDE.
- Brad Hegrat of IOActive, presented on “what we are doing wrong” STILL in ICS Cybersecurity – highlighting many process and lack of simple execution on securing well-known matters.
Overall, the event generated great discussions. The theme is quite consistent, there is still a lot of work to be done, systems are vulnerable to attack no matter how confident we think thing are, obtain greater visibility on assets & data to respond quickly to incidents. Training and people resources are difficult challenges in organizations