What About the ICS Cybersecurity Response?

By Eric Cosman

Overview

Owners and operators of industrial control systems (ICS) face increasing challenges in improving the security of these systems so as to ensure their safe and reliable operation in the face of evolving threats. Meeting these challenges requires focus on the elements of people, process, and technology.

While available guidance, standards, and practices address each of these elements, the quantity and variety of this information presents its own challenges. Specifically, end users need tools that help them select the correct elements of a cybersecurity program. Such tools are available in the form of personnel certifications that demonstrate minimum competency, as well as product certifications that confirm compliance with the requirements defined in established industry standards.

Training and development programs are available from sources such as SANS, ISA, and the US Department of Homeland Security (DHS). The achievements and competency of those who complete them are typically validated through a combination of testing and by issuing certificates.

When selecting consultants or project experts, the end user should consider professional certifications such as the CISSP or the SANS/GIAC Global Industrial Cyber Security Professional (GICSP) as evidence that the candidate has received the requisite training in the subject matter. Note that the CISSP covers general information security with little ICS-specific content, whereas the GICSP is aimed specifically at industrial environments. In either case, additional assessment will be necessary to confirm the level of experience and the relevance of that experience to the specific situation.

Independent confirmation of compliance with industry standards reassures the end user that products and services meet established requirements, and avoids the need to conduct a detailed evaluation for each specific case. Such confirmation is possible using formal product certifications such as Wurldtech’s Achilles or ISASecure from the ISA Security Compliance Institute (ISCI).

Personnel certifications and product certifications provide the end user with objective evidence to use in evaluating and selecting consultants, contractors, products, and technology. ARC Advisory Group encourages end users to promote and support the development and enhancement of such programs to meet the changing needs of the marketplace.

Current Situation

Ensuring the cybersecurity of industrial control systems continues to be an area of intense interest in light of new and changing threats and vulnerabilities, and of reports of attacks of various types. The business drivers for improvements in this area have been well defined, as have the implications for related areas such as process safety.

Achieving sustained performance improvements in ICS cybersecurity requires close attention to the essential program elements of people, process, and technology.

A common response has been to call for improved standards, more secure products, expertise, and guidance plus practical examples in the form of case studies. In addition to availability, there must be a means to assess the quality and suitability of each of these elements.

Standards and practices are available for general business systems cybersecurity, as well as for the more specialized area of industrial systems cybersecurity. The ISO/IEC 27000 series addresses the management system for general information security, while the ISA/IEC 62443 series addresses all aspects of an industrial cybersecurity program, including components, systems, solutions, and management processes.

New and improved tools and technology are also being developed and offered on a regular basis. Some of these take the form of repurposed tools developed for general business systems, while others are specifically intended for use with industrial control systems.

Finally, a wide variety of resources are available for training personnel and developing cybersecurity skills and expertise.

The high level of activity and rapid change in this area present new challenges for those wishing to secure their systems. The first is how to choose from the wide variety of options available. While technology, system, and service providers are addressing these expectations, end users also need evaluation criteria in order to make informed decisions in the evaluation and selection process. The second is durability: selections must be based not only on an assessment of what is most suitable for a specific situation, but also on how a particular product or service is likely to perform, and be supported, over an extended period.

Assessment of Available Options

Programs have been or are being developed to assess offerings in each of the three solution elements: people, process and technology. Each of these includes specific criteria for evaluation.

People

The first requirement for addressing the people element is the availability of relevant, high-quality expertise. This is true whether the intent is to hire or develop internal experts or to retain the expertise in the form of external services. Such expertise is typically the result of a combination of formal training and acquired experience.

Training and development programs are available from sources such as SANS, ISA, and the US Department of Homeland Security (DHS). However, simply having such programs is not sufficient. Stakeholders must also be able to validate the achievements and competency of those who complete them. This validation is typically accomplished through a combination of testing and issuance of certificates or certifications. Both SANS (through GIAC) and ISA provide testing based on the content of their respective courses. Those who pass receive a credential that may be used to demonstrate competence with respect to the material in those programs, though not necessarily with respect to any particular plant or control system.

Others are pursuing a longer-term goal to have cybersecurity integrated into academic curricula, possibly in the form of certificate or degree programs. One step in this direction has been the definition of formal competency models for the automation profession and the more focused area of cybersecurity.

Processes and Technology

Proven and accepted processes and technology are typically defined in the form of standards and practices. These may be created by industry associations or standards development organizations. Some are tailored to specific industry sectors, while others have a much broader scope of applicability.

As with the people element, it is also necessary to be able to evaluate the quality and suitability of particular standards for a given situation, as well as determine whether specific products and technologies are consistent with those standards.

Business needs provide the basis for identifying and selecting relevant standards. In a regulated industry, the applicable regulations often prescribe specific standards. Examples include the NERC CIP standards for the North American bulk electric system and the CFATS regulations for the US chemical sector. While adherence to such standards is sufficient to demonstrate compliance with regulations, it may not be sufficient to achieve a sustainable, higher level of system security; compliance establishes a floor, not a ceiling.

Independent confirmation of compliance with broader industry standards such as ISA/IEC 62443 reassures the end user that products and services meet established requirements, without having to conduct a detailed evaluation for each specific case. Such confirmation is possible through formal product certifications such as Wurldtech’s Achilles or ISASecure from the ISA Security Compliance Institute. Programs such as these provide specifications for testing and evaluating products and technology against formal criteria derived from industry standards. End users should pay attention to the scope of each certification: a certification may cover an individual component, an integrated system, or the supplier's development lifecycle, and a certified component does not by itself make the system into which it is integrated certified.

Actions for the End User

Personnel certifications and product certifications provide objective evidence that the end user can use to evaluate and select resources, products, and technology for a cybersecurity program. While they should not be the only criteria used, they provide an excellent starting point.

When selecting consultants or project experts, the end user should consider professional certifications such as the CISSP or the SANS/GIAC Global Industrial Cyber Security Professional (GICSP) as evidence that the candidate has received the requisite training in the subject matter. Additional assessment will be necessary to confirm the level of experience and the relevance of that experience to the specific situation, particularly since a general certification such as the CISSP says little about familiarity with control system environments.

In the case of product and system selection, the fact that an offering has been independently certified can be a significant differentiator. End users are encouraged to include such certifications in their requests for proposals, stating which certification, at which level or scope, is expected.

Recommendations

Based on ARC research and analysis, we recommend the following actions for owner-operators and other technology users:

  • Research available offerings – Owners and operators of industrial control systems should become familiar with certificates and certifications that are available for assessing performance and capability.
  • State requirements of suppliers – When and where appropriate these certifications should be used as criteria for the evaluation and selection process.
  • Support certifications of choice – Promote and support the development and enhancement of training programs and product certifications to meet the changing needs of the marketplace.


Keywords: Cybersecurity, Certification, Certificates, ARC Advisory Group.
