Lately, I have heard a lot of people mention that industrial control environments need to have more specific security definitions. Those people argue that the IT security general concepts may not apply to the more critical and fragile set of networks that make up control systems. While I agree that many generally accepted IT security practices can not be directly applied to control system environments, I’m not sold that the concepts of “cybersecurity” don’t apply. In fact, I believe that many of the IT security practices can be considered and carefully applied to these control environments.
Let’s take a general security concept universally loved and adored by millions of security fans worldwide: integrity, confidentiality and availability.
There is no doubt that the reliability of any power grid can be tied to the availability of all kinds of technology. We can all agree that availability is a primary consideration – stuff needs to be available when we need it! I believe this industry is doing a great job in the maturation of availability of technical resources (old and new). Of course, there is always room for improvement and I don’t think we have necessarily reached the levels of availability prowess that some other industries have (e.g., Wall Street), but we are heading in the right direction.
While this is still a concern, it’s probably more from a “nationstate” attacker perspective or organized crime extortion perspective (or any other malicious actor you prefer) than from the corporate espionage perspective. This concept is where corporate IT security practices could use some tweaking to fit the risk profile of control environments. Still, information about critical assets, their configurations, the designs of certain networks, etc need to be properly addressed and managed. Confidentiality can not be ignored.
I truly believe this is one of the more misunderstood principles of the trio. This is of utmost importance, and the industry needs to continue to put more attention on the integrity side of things as we build our environments on more common platforms and expand our connectivity attack surface. What are the integrity checks for e-tagging? Do we have adequate integrity elements established with time-sync protocols being used in the field? What about database integrity in the historians? Synchrophasors anyone? I know that the capabilities are maturing in all these systems, but even if the integrity checking capabilities are available they rely on proper configuration. Of course, that is conducted by an individual in most cases so there is an element of education and discipline with which to contend as well.
Integrity, Confidentiality and Availability is a general security concept. It can be applied to any environment. I don’t consider it to be solely an IT security concept. It isn’t uniquely defined for just IT environments. So let me put this concept into the Cybersecurity term bucket.
I have a difficult time coming up with a security concept that is unique to just the IT environment. That is probably because security is security – the devil is in the details, but the concepts are still applicable to all. Details come into play when we start our implementation of security practices and design of security controls. Security controls are designed based on risk profiles and the specifics of the system/environment to be secured. I’ve been designing and implementing security solutions for the better part of the last 25 years. I can honestly say that each solution has unique attributes and risk profiles that require thoughtful design and application of security concepts, standards, practices and controls. The security design is far beyond the simple steps described as stick firewall here; turn on IPS; send syslogs there and use SSL everywhere. The security design must leverage security concepts like integrity, confidentiality and availability; standards like NIST 800-53/82; principles like ongoing security awareness and training in order to build a security plan or program to address the uniqueness of these systems. I’m sorry to burst anyone’s bubble but there isn’t a cookie cutter solution to securing any system, and that is no different whether in the critical infrastructure strata or in the electric sector.
It is easy to get hung up on the security terms, but words do have meaning so it can be a barrier for various groups and individuals to get on the same page. There is a big difference between the terms IT security and Cybersecurity. There is also a big difference between IT security and Operation security. That said, the concepts of security are all the same and I don’t think we need another special set of “security” definitions for industrial control environments. Security standards bodies worldwide have been defining general security principles and guidelines for decades, and we have enough of them to secure nearly any technical widget, system or monstrosity we can conceive.
What we need now is to continue documenting and sharing the practices that work in these specialized environments. NIST and INL and many other organizations have been doing that for years at the higher levels. What I hear today from the electric utilities is that they want the next level down to be addressed in more detail with more examples. They want ICS generally accepted practices to be detailed enough that they can choose a security implementation that can be modified to fit their unique environment. They want to hear about examples of industry-specific security successes being accomplished in our industry; not just about failures. They also want to hear about successes in other sector security that use industrial control systems. Water, gas, automobile and even theme parks are using the same devices and systems we use in the electric sector. Sure…the applications can be dramatically different, but there is most assuredly common ground to be found.
How did it achieve that level of reliability? By studying the failures and continuing to improve upon operational and safety practices. We ought to be able to do the same for security in our sector. Don’t get me wrong. I appreciate a lot of the hard work that is going into doing just that from all kinds of organizations, but there is room for improvement. We have to do a better job of heralding successes, and while we should always analyze what went wrong when failures occur, we must spend less time dwelling on them. We can’t dismiss the mistakes and missteps or allow our pride to get in the way of doing good work. We must acknowledge the security gaps in our capabilities as an industry and be open to new ideas from within and outside our sector to take us to the next level of security.