In this session, participants focused on sharing practical insights on protecting ICS networks from cyberthreats.
The P2P session focused on 3 key areas:
- What are the common practical challenges in implementing cybersecurity practices in ICS environments?
- What are the practical steps one can take to address these challenges? The focus in our discussion was not on controls or frameworks, but on key practical steps that are not found in the existing body of knowledge that has been tested.
- How can a manager know whether the steps taken are successful and, if not, how they can be amended?
Participants shared many challenges, including inadequate communication, understanding/terminology and prioritization (overall governance); lapses in information sharing across IT & ICS teams; knowledge gaps in IT teams about ICS devices, process, etc.; ICS devices/infrastructure that may not support updates or good cybersecurity practices; and insecure third-party vendor solutions. Other challenges include funding, shadow IT, an intense focus on safety and an inability to clearly articulate security requirements. Participants agreed that the top three challenges are:
- Governance – Most IT & ICS teams fall under different areas within the organization, which automatically brings challenges in getting consensus on what cybersecurity practices to adopt, when they should be adopted and how they should be implemented;
- Information Sharing – Because of the governance challenge, most IT & ICS teams adopt an “us” against “them” approach, which makes it difficult to share information and work towards the same goal; and
- Vendor Solutions & ICS Devices – Most ICS networks have old and dated hardware, replacement cycles take decades if not more, and until recently, vendor solutions that have cybersecurity capabilities built in may be very expensive, if they are available.
Practical Steps to Address Challenges:
We discussed 4 practical steps that teams can take to address the top 3 challenges that we identified. These include:
- Performing ICS Cybersecurity Risk Assessments – Performing risk assessments within ICS infrastructure helps bring cybersecurity risks to light for discussion and remediation. Remediation will be required at some point in time once risks are identified. To be able to do this, a risk assessment framework needs to be put in place to remove any form of bias from the risk assessment process.
- Finding an ICS Cybersecurity champion – Finding an ICS cybersecurity champion, preferably from the ICS organization, will help bridge the knowledge gap, build credibility for the program and help enlighten IT stakeholders on how to seek/gain consensus in implementing cybersecurity solutions.
- Building awareness among executives and ICS personnel will help bring the reality of cybersecurity threats to the front and will make it easier to get support for the cybersecurity program, especially to fund projects and hire personnel.
- Cybersecurity Controls – While there are many cybersecurity controls that may be required based on ICS security standards, one important control that was identified was network monitoring. Getting a handle on what devices are communicating on the ICS network and what the communication patterns look like will likely help identify suspicious activities on the ICS network.
How Do I Know if my ICS cybersecurity program is succeeding?
Two notable indications of success in the ICS cybersecurity program that we discussed are:
- Inclusion of cybersecurity requirements in the life cycle of ICS projects. This shows that the ICS teams understand the cybersecurity challenges facing ICS infrastructure and are at least ready to build secure solutions. Building secure solutions is always cheaper than bolting security on much later; and
- Funding to support ICS cybersecurity program activities is a clear indication of senior management buy-in and support. To whom much is given, though, much will also be expected.
The most interesting takeaway from this session was that, above all things, everything we discussed depends on communication. Getting both IT & ICS teams to talk and make key decisions jointly, while making some concessions wherever necessary, will ultimately bring success to the ICS security program.