Isn’t it frustrating when you experience an event that disrupts operations and then discover it could have been prevented? Very often a detailed analysis will reveal that a combination of (preventable) mistakes and unknown factors caused the incident. Training can help with the mistakes, but dealing with the unknowns is a little tougher.
Setting up a Cybersecurity Management Program requires research into the kinds of attacks that could impact your operations, along with looking to existing industry standards for guidance. Additionally, network databases provide details on vulnerabilities of released software. If you use any open source code, you may want to regularly check sites like:
- National Vulnerability Database (NVD)
- Industrial Control Systems Cyber Emergency Response Team (ICS CERT)
Close relationships with vendors that supply software components in your system will facilitate early identification of cyber vulnerabilities. Perhaps more critical, a successful cyber program will incorporate the guidance available in IEC 62443 into your environment, which includes best practices for everything from evaluating competency to system integration and product development. The parts of the standard are grouped like this:
If you look at the attack paths of some recent high-visibility breaches, it’s possible to map parts of those paths to specific guidance available in IEC 62443. This means that if the organizations had been familiar with, or compliant with, parts of the standard, the likelihood of a successful attack would have diminished. Attack paths are often complex and convoluted, and hackers can be very creative. If, however, you can put enough roadblocks in place, they are more likely to get discouraged.
Consider the hack of Target’s credit card database, where card holder information was released. The initial entry point was a service provider who had limited login credentials for Target’s internal servers. Part 4-1 in the diagram above includes a section on maintaining relationships with outside vendors, and 4-2 talks about security requirements. Had Target used that guidance, they could have audited their vendor’s security framework and put in more robust authentication controls.
Another part of the attack path took advantage of old software that had not been updated. In this case, having internal IT guidelines for regularly checking for updates on internal software (guidance in part 2-4) would have shown that a patch to close the published vulnerability was missing. The network databases mentioned earlier are great resources for potential attacks when IT department maintenance teams are tardy in making their updates.
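The "regularly check the vulnerability databases and confirm patches are applied" practice described above can be made routine with a small script. The example below is added here and is not code from the original post; it cross-references a constructed software inventory against constructed advisory records. The record shape is simplified and is not the NVD JSON schema, the product names and versions are hypothetical, and the advisory IDs are placeholders rather than real CVEs.

```python
"""Flag inventory components whose installed version predates a published fix.

Added example (not from the original post). Inventory, advisory records and
IDs are constructed placeholders; the record shape is simplified and is NOT
the NVD feed schema. In practice the advisories would be pulled from NVD or
ICS-CERT and the inventory from an asset or SBOM database.
"""
import re

# Constructed inventory: component name -> installed version (hypothetical).
INVENTORY = {
    "example-web-server": "v2.4.1",
    "example-tls-lib": "1.0.2",
    "example-hmi-runtime": "7.1.0",
}

# Constructed advisories. "fixed_in" is the first version that contains the
# fix; anything older is considered affected. IDs are placeholders.
ADVISORIES = [
    {"id": "CVE-XXXX-EXAMPLE-1", "product": "example-web-server",
     "fixed_in": "2.4.3", "severity": "HIGH"},
    # Installed 1.0.2 is the fixed version itself, so this one must NOT fire.
    {"id": "CVE-XXXX-EXAMPLE-2", "product": "example-tls-lib",
     "fixed_in": "1.0.2", "severity": "CRITICAL"},
    {"id": "CVE-XXXX-EXAMPLE-3", "product": "example-hmi-runtime",
     "fixed_in": "7.2.0", "severity": "MEDIUM"},
    # Product not in our inventory: irrelevant to this system, skipped.
    {"id": "CVE-XXXX-EXAMPLE-4", "product": "example-plc-firmware",
     "fixed_in": "3.0.0", "severity": "HIGH"},
]

# Lower number = more urgent; unknown severities sort last.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_version(version: str) -> tuple:
    """Turn 'v2.4.1' or '7.1.0-rc1' into a comparable tuple of integers.

    Only the numeric fields are compared; a leading 'v' and any suffix are
    ignored. Vendor-specific version schemes may need a stricter parser.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the version with the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def find_missing_patches(inventory: dict, advisories: list) -> list:
    """Return advisories that apply to an inventory component still on an
    affected version, most severe first."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["product"])
        if installed is None:
            continue  # component not deployed here
        if is_affected(installed, adv["fixed_in"]):
            findings.append({
                "id": adv["id"],
                "product": adv["product"],
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
            })
    return sorted(findings,
                  key=lambda f: SEVERITY_RANK.get(f["severity"], 99))


def report(findings: list) -> list:
    """One human-readable line per finding, for a ticket or maintenance log."""
    return [
        f'{f["severity"]}: {f["product"]} {f["installed"]} is affected by '
        f'{f["id"]}; update to {f["fixed_in"]} or later'
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(find_missing_patches(INVENTORY, ADVISORIES)):
        print(line)
```

Running it against the constructed data reports the web server and HMI runtime as missing patches, leaves the TLS library alone because it is already on the fixed version, and ignores the PLC firmware advisory because that product is not in the inventory. Scheduling a check like this against the real feeds is what turns "we should look for updates" into a step that would have caught the missing patch in the attack path described above.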
The IEC 62443 standards have hundreds of specific requirements and examples for all parts of business or control systems that could be subject to attack. OEMs and service providers can become certified to establish IEC 62443 cybersecurity expertise. As an end user, having familiarity with these standards provides a stronger cyber background. That knowledge will help you specify equipment in your systems and judge the competence of the integrators that construct them.
For additional information on cyber certification and training, please refer to https://www.exida.com/Certification/IEC62443-Cyber-Cert.