ICS Cybersecurity Resources
Blogs
(Almost) FREE Security Training
The Department of Homeland Security (DHS) is tasked with many things. One area of focus is Industrial Control Systems (ICS). The Industrial Control Systems Joint Working Group (ICSJWG) was formed to facilitate this focus. This group holds semi-annual conferences (Spring and Fall) in various US cities. These meetings are filled with presentations by industry experts on cyber security for ICS. The meeting format can vary somewhat but usually includes several tracks of presentations that cater to the interest of the attendees. There is also one day set aside for cyber security training for either a beginner or intermediate level. One of the best things about these conferences … they are FREE to attend. You only have to pay your…
2012 - Good Progress for Cybersecurity and Functional Safety
Product Certification
Over 60 new products received functional safety or cybersecurity certification this year. Those products and more can be found on our Safety Automation Element List. Most significant to me are the new product categories including:
- Microprocessors
- Integrated circuits
- Middleware packages
- Complete safety systems
exida Certification has expanded its scope…
A False Sense of Security
About 5 years ago I was sitting around a big table in a conference room at a major LNG terminal. Outside the window I could see a big city harbor filled with boats, bridges, sky scrapers and approximately 5 million people. I could also see two huge LNG storage tanks that, I was told, had the hazard potential to form a vapor cloud that could cover the harbor and, under the right conditions, could burn and explode.
I was brought to the facility by a control system integrator who had been working onsite and had concerns about the control system security and the potential risk that it represented. They wanted me to discuss options to evaluate and improve the…
An Integrator’s Guide to Managing the Cybersecurity Risks of Remote Access
Last week I attended the ISA Water/Wastewater and Automatic Controls Symposium in Bethesda, Maryland. The conference was attended by equipment manufacturers and municipalities, but system integrators composed the largest group. The technical sessions mainly discussed new opportunities for implementing the industrial internet of things (IoT) and cybersecurity concerns. Both topics are central for the future of IACS (industrial automation and control systems) and SCADA (supervisory control and data acquisition) systems, but they provide disparate advice regarding remote access, a critical component of SCADA systems.
Due to the remote nature of the control devices in SCADA systems, wireless networks are a necessity for the overall cost and feasibility of the design. Industrial IoT focuses on helping integrators design an…
Are Cybersecurity Servers Making Your ICS Less Cyber Secure?
ICS cybersecurity standards such as ISA 62443 (formerly ISA 99) and NERC CIP require operators to have policies and procedures in place to monitor and maintain their critical ICS cyber assets. For anything other than very small systems, the obvious choice is to implement systems to automate these procedures. So, in our practice of performing cybersecurity vulnerability assessments, we are seeing a large number of servers being installed to provide services such as asset management, user authentication, anti-virus management, whitelisting management, patch management, backup/restore, etc. These servers are being installed “in the name of” improving cybersecurity but are they really? These are generally IT-driven projects, so, in most cases these servers are being installed on the…
Are Your Control Systems Really Protected?
I don’t know whether you’ve noticed recently, but the number of cybersecurity alerts issued by CISA (Cybersecurity and Infrastructure Security Agency) seems to be increasing at an alarming rate. The latest alert I’ve seen now relates to GPS tracking systems for children. A device which is supposed to keep your children, pets, and elderly loved-ones safe, which has been sold online in the hundreds of thousands, now appears to have a number of vulnerabilities that can potentially be exploited by attackers. This was just one notification I saw, which was closely followed by one regarding a nation state issued malware attack from North Korea: ELECTRICFISH and BADCALL, referred to as HIDDEN COBRA.
According to CISA, the…
Attack on Florida Water System Highlights Weak Security Protections for Critical Infrastructure
The Oldsmar Water Treatment Facility in Pinellas County Florida was compromised by hackers on February 5th. Hackers took advantage of the TeamViewer application that was still installed on the water facilities network to gain remote access1. The TeamViewer was originally installed to allow for status checks and troubleshooting of alarms or other issues, but it had not been used in around six months1. Additionally, each computer used to monitor the system remotely had a single password.
The attackers successfully gained access to the system were able to modify the concentration of water treatment chemicals and increased the amount of sodium hydroxide (lye) by a factor of 1002. This much higher concentration had the potential to cause illness to the public…
Automation Cybersecurity - Myths vs. Reality
In today’s automation systems environment, certain myths continue to persist. For example, "cyber attacks are only a concern for big companies". Although it may be less likely to be targeted by, say, a nation state attack, we’ve seen that malware can cause a shutdown of a system or trigger a loss of network equipment. Although there are security requirements that need to be met by the equipment suppliers and system integrators, there are also a lot of ongoing activities for cyber security that must be maintained by the asset owner.
Another myth we often hear is "my system is totally secure because it's air gapped or isolated from the network". What we've seen is although the system was air gapped, attackers…
Automation Cybersecurity: IT vs OT - Differing Priorities
Before you can dive in and look at the core concept of automation cybersecurity, it's helpful to first define it. Automation cybersecurity is the prevention of intentional or unintentional interference with proper operation of automation systems including industrial controls, smart manufacturing, and IIOT systems through the use of computers, networks, operating systems, applications and other programmable configurable components of the system.
Automation cybersecurity goes by many different names. Everything from SCADA security to process control network security, industrial automation and control system security, or just industrial control system security. There are many different terms that that may be used. What exida standardized and uses primarily, is aligned with the IEC 62443 standard which is industrial automated control systems (IACS).
Today, we are going to talk a little bit about Contractor Cyber Training. What's in a good contractor cyber training course? Why do you need one? Why aren't policies, practices, and contract language enough?
Today's operators of industrial production facilities frequently utilize contract labor. This means a number of contractors have physical access to the site. Contractors could include your electrical contractor, your process automation contractor, your instrument and control technicians, or your electrical technicians.
As a point, remember contractors serve many clients, travel to many sites, have their own engineering tools, files, and copies of code. If you grant contractors access to your network, you need to provide a level of due diligence…
Creating a Cyber Hygiene Plan
One of the things that automation companies are beginning to do is to plan for cyber hygiene. More and more companies are implementing automation specific awareness training for their employees. They conduct periodic exercises which like sending phishing emails to see who if you respond. They might leave USB devices around to see who's going to pick it up and use it without either reporting it or cleaning it. Companies want to make sure that the cybersecurity policies and procedures are being followed.
Informing Employees on Cyber Hygiene
Automation companies should be sending some level of information on cyber hygiene out to employees such as posters or intranet postings. These will normally communicate their expectations for employees. Uneducated employees have a…
Cyber Risk Assessments and Security Level Verification: Detailed Risk Assessments (Part 2 of 3)
The exposure of industrial facilities to cybersecurity threats has never been higher. An analysis performed by IBM security found that the number of attacks on SCADA systems increased 636% from 2012 to 2014, with 675,816 cybersecurity incidents in January 20141. Finding an effective method for evaluating the current level of risk in a facility and implementing additional security risk reduction as needed is becoming an essential part of managing the safety, security, and operability of industrial systems.
The three fundamental activities for the analysis of cybersecurity risk are High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. This is the second of a three-part blog series breaking down the IEC 62443 lifecycle steps for evaluating cybersecurity risk, with…
Cyber Risk Assessments and Security Level Verification: High-Level Risk Assessments (Part 1 of 3)
As the number, scale, and connectivity of industrial automation systems continues to grow, it becomes increasingly crucial to fundamentally understand, evaluate, and manage cybersecurity risks. The objective of an effective cybersecurity management program should be to maintain the industrial automation system consistent with corporate risk criteria.
Ownership for industrial automation cybersecurity concerns often fall to someone with a different full-time focus, as just one more task piled onto an already overbooked schedule. This makes it even more critical to manage cybersecurity both efficiently and effectively. The cost for failing to adequately manage risk for cybersecurity concerns can be seen from an ever-growing list of industry examples.
The first step in actively managing cybersecurity risk is understanding the current level of…
Cyber Risk Assessments and Security Level Verification: Security Level Verification (Part 3 of 3)
The exposure of industrial facilities to cybersecurity threats has never been higher. An analysis performed by IBM security found that the number of attacks on SCADA systems increased 636% from 2012 to 2014, with 675,816 cybersecurity incidents in January 2014 [1]. Finding an effective method for evaluating the current level of risk in a facility and implement additional security risk reduction as needed is becoming an essential part of managing the safety, security, and operability of industrial systems.
The three fundamental activities for the analysis of cybersecurity risk are High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. This is the final installment of a three-part blog series breaking down the IEC 62443 lifecycle steps for evaluating…
Cyber Security, Beyond the Internet: An Automation Engineer’s View
The world of automation has changed significantly over the past 30 years. I have fond memories of starting my career by calibrating, adjusting, and tuning pneumatic control loops while working my way through the electronic age right up to the present digital and cyber generation of automation. If you are like me, it is easy to get lost in all the technical changes that have made our jobs so rewarding and challenging. I want to highlight these changes by sharing my thoughts related to “Cyber Security.”
At the beginning of my career, the biggest concern was having clean dry air supplied at 20 psig and a 3 to 15 psi control signal. This may be a bit simplified,…
Cyberattacks Succeed Where Humans and Systems Are Weak
Have you noticed that over the last several years, cybersecurity seems to be “trending?”
Companies of all sizes are starting to learn how to prevent, or at least minimize, these attacks. They hire third-party experts and attend trainings to learn more about the human and system weaknesses that are common because competency is lacking.
For example, the mechanisms of attack listed below are only successful with the existence of human and system weaknesses:
- Users accidentally click on link in phishing email.
- Program passes user input directly into SQL query.
- Program doesn’t check size of data buffer and overwrites buffer when a larger-than-expected message is received.
- Controller accepts messages from any source without authenticating the source.
- System allows six-character passwords…
Demystifying the Threat Modeling Process
The thought of tackling a threat model (TM) might not be the most appetizing to some people. Doing a quick Internet search, someone could get stuck under a mountain of acronyms and terms. I mean, what is a CVSS anyway? And then there are the diagrams, attack trees and feedback loops that could drive even the sanest person mad. Oh, and then you encounter the Threat Model Manifesto which sounds like something that’s straight out of an occult. What does this all mean and where in the world does someone begin?? Take a deep breath and relax.
Let’s see if this can all be simplified to a few simple tenets.
The first logical step is to identify what threat modeling actually is. The National Institute of Standards…
Does Your ICS Service Provider Need Training?
Today’s owner operators and lease operators of industrial production facilities frequently employ service providers for projects and upgrades, as well as operations and maintenance. These contractors often travel to many sites, carry their own copies of source code and files, and use multiple PCs with multiple engineering tools for the automation platforms they support.
What quality practices does the contractor have in place to keep their client’s networks from being exposed to a virus or other vulnerability? How is downloadable content (e.g., drivers, firmware) that the contractor brings on site for the ICS system managed? And how does the contractor handle portable media?
What are the limits of authority allowed to the contractor? How is access to the network granted?…
exida Cyber Blog Series 03 - Process Safety and Cybersecurity, Related or Still Distant Cousins?
To be clear, the above title is meant to capture your attention. We all understand and know that it is unusual for a Process Safety engineer and the IT architect to possess detailed knowledge of both safety and security. In today’s world, the operators, engineers, design and support personnel of an operating asset are required to be aware of the implications of cybersecurity attacks that can not only impact the business from a financial perspective, but can also initiate process safety-related incidents.
There are two clear hurdles in the interaction of these two disciplines. The first is technological vocabulary. I have often found that these two disciplines have completely different vocabularies and especially from a different context. A process safety engineer…
exida Cyber Blog Series 04 - Cybersecurity Metrics, Diagnostics, and Alarms: What’s What?
Co-written by Todd Stauffer, Director of Alarm Management Services at exida
A wise man once said, “You can’t manage what you don’t measure.” Let's apply this to the world of cybersecurity to discuss the importance of cybersecurity metrics and how they are different from a cyber diagnostic and a cyber alarm.
Cybersecurity Metrics are usually defined in terms of either leading or lagging performance. Think of cyber metrics as the Key Performance Indicators (KPI’s) that help you evaluate your cybersecurity performance and whether things are improving or getting worse. Audits or performance measurements /calculations of specific work processes or cyber events are the norm. However, the addition of performance expectations or specific target goals for each metric allows for an…
exida Cyber Blog Series: 01 - What is Cyber Hygiene?
exida would like to welcome our new director of cybersecurity services Dave Gunter. Dave will be taking us through a multi part blog series based on general cybersecurity evolving into how it pertains to your industrial work environment and what you should do to protect your company and its assets from cyber criminals.
Let's Get Started
In a manner of speaking, cyber hygiene is an individual’s base behavior when it comes to handling, managing, operating, and maintaining today's computing devices and software. The term computing devices is a broad term, however in pragmatic terms, it can viewed to represent computers, tablets, phones as well as boundary devices used to connect to the internet.
Ask yourself the following simple…
exida Cyber Blog Series: 02 - Does your position qualify as a Cyber Sensitive position?
That’s a great question.
What is a Cyber sensitive position?
A cyber sensitive position is a subset of a job position description that can be graded as Ultra, High, Medium or Low sensitivity with respect to cybersecurity assets and associated potential consequences that may impact an operating company.
What this means is that more and more companies are qualifying their operating assets within the context of cybersecurity risk. These risk qualifications of operating assets require having engineering, operation and maintenance positions defined as cyber sensitive positions as appropriate for their role with respect to the asset(s) they support.
Today’s companies have an obligation to ensure they manage the risk envelope of their operating assets to tolerable levels. In the past,…
Grasping the Power of the (Stuxnet) Virus (or What I did during the COVID-19 Pandemic)
The travel and group meeting restrictions from COVID-19 have allowed me to catch up on some reading about viruses; not the type that get transmitted to humans. This article is about the Stuxnet virus and what I learned from the book “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon” by Kim Zetter (Published in 2014). It focuses on how Stuxnet manipulated control and safety systems to inflict physical damage to the equipment under control (centrifuges). Some information is also taken from “To Kill a Centrifuge”, by Ralph Langner, one of the people credited with uncovering Stuxnet.
Stuxnet was way more than “just” a virus. It was a combination worm (for spreading) and virus (for infecting) that ultimately propagated to…
How Cybersecurity is like a Goldfish
Oh look! Squirrel!
I am not much of a blogger. I should be but I’m not. This is strange, because I always have plenty to say.
This subject just gets me going so I am writing about it. I welcome feedback and opinions.
I have been in cybersecurity in one form or another for over 30 years, whether it be as the target of the attacks as an IT Manager, or a consultant trying to educate and help client companies with products and services, I have seen the same trend over and over again.
When a company has a realized or suspected a cyber-event, they go into proactive response mode, begin investigating and at that point my phone generally rings…
How Does the IEC 62443 Cybersecurity Standard Apply to Integrators?
The IEC 62443 series of cybersecurity standards include over ten documents covering various subjects. Buying a full set is a bit expensive, but for me the real cost is the time needed to read and understand them. So I often ask one of the experts at exida for a quick overview. Since not everyone has the IEC 62443 expertise that exida has, we hope that the overview info in this blog is useful.
Integrators must perform a number of important tasks if they wish to improve the cybersecurity of any automation system they deliver. And in today’s environment, end users demand strong cybersecurity strength. The IEC 62443 committee has documented their list of these important tasks; IEC 62443-2-4…
How Much Cybersecurity Do I Need?
During an IACS cybersecurity risk analysis, each zone of a network is given a target security level. The levels are one to four, with one being the least amount of protection and four giving the most protection. For each zone we ask, “How much cybersecurity protection do we need?” “Is there any real need to get products with cybersecurity certification?” “If so, to what security level?”
I just read the September 2018 issue of WIRED magazine. The cover article is “The Untold Story of Notpetya, the Most Devastating Cyberattack in History .”
After reading, I come away with one strong thought:
it is amazing how threat agents can get through so many defense mechanisms. The…
How Secure Are Your SIS, BPCS, and/or SCADA Systems?
As an end-user, do you know how reliable and safe your Safety Instrumented Systems (SIS) and Basic Process Control Systems (BPCS) are from potential cyber issues? Do you rely on your vendor statements regarding the robustness of their products? If the answer to these questions is “don’t know” or “yes” then maybe you should be considering using an independent 3rd party to perform a cybersecurity vulnerability assessment (for existing installations) and/or performing a cyber-risk assessment (as part of a HAZOP) for new installations. This is especially true for legacy systems that are still in operation using products from the mid-1990s. Although most software engineers won’t admit it, they often used to have “back doors” to enable fault-finding and…
How Secure Is Your Safety Instrumented System (SIS)?
As the cybersecurity threats in the industrial world continue to rise, the automation world continues to grapple with how to address these issues. As such, the newly released IEC61511-1: 2016 edition has included a new clause to address this (Clause 8.2.4). In essence, End Users have to carry out a security risk assessment to identify any potential security vulnerabilities of the Safety Instrumented System (SIS).
Clause 8.2.4 then goes on to specify that there needs to be a description of the devices covered by this risk assessment (e.g., SIS, BPCS or any other device connected to the SIS); together with a description of identified threats that could exploit vulnerabilities and result in security events. This should also include intentional attacks…
I Did Not Lock the Car Door
I was driving one of exida’s top risk experts from Europe to a business meeting. We parked and I locked the car door. He commented “I noticed you did not lock the car door when you parked at the exida office.” He was right. In an area I do not know, I always lock the car door. But not always in the exida lot. He added “A risk analysis will show car theft is a low risk due to random events, but remember cars are stolen by humans. These are not random events as we know them.” He added “A good risk return on investment analysis would show you should always lock the car door. The cost is so little,…
IACS Cybersecurity IEC 62443: Agile Lifecycle and Documentation
Industrial Automation Control Systems (IACS) Cybersecurity based on IEC 62443 was created to be compatible with agile development methodology. The standard deliberately talks about processes and not phases, such as those in the waterfall model. The processes defined can be met simultaneously and are, most likely, already being followed as part of your agile process; however, you may not be explicitly calling them out. One of these processes is documentation.
Agile does not mean no documentation; it means useful documentation. To start, documentation helps you and your team review the cybersecurity aspects of your current sprint, and provides evidence for the certification process. It also allows you to understand the impact of any changes, track down security issues and find…
IEC 62443 - The Evolution of IACS Cybersecurity
When we were doing safety system designs in the 1980s, there was no Windows, there was no TCP/IP, there was no in Ethernet. We had to write our own protocols to transmit data to our I/O and our controllers.
Fault-finding was always a challenge . What we ended up doing was putting in what were known as “back doors”. I could go up to some of our equipment that's running in automatic, I could plug into the RS-232 port on the front with a handheld RS-232 ASCII keypad. I could put in a sequence of ASCII keys and it would take the controller out of automatic. It would allow me then to start looking at the serial registers to see what…
Webinars
Approaches to Cybersecurity Lifecycle for Existing and New Facilities
Approaches to Cybersecurity Lifecycle for Existing and New Facilities
CACE – IEC 62443 Personnel Automation Cybersecurity Path
Which road should you take?
Cybersecurity attacks on industrial control systems (ICS) are now considered a credible risk. Due to this risk, the demand for Cybersecurity Automation Personnel Certification per IEC 62443 is greatly increasing. The question now becomes, which path is best suited for you in your organization/company? How do you get the most out of your certification? This presentation will describe the different Cybersecurity paths for personnel per IEC 62443 for those seeking Certification.
Commissioning Barrier Devices
This webinar will focus on activities performed after the Cybersecurity Vulnerability Assessment is complete and the recommendations to segment your network have been made. We will review multiple manufacturers product offerings, evaluate selection criteria, and delve into the actual process taken to isolate critical devices from the general control network. Actual network traffic screen shots will be used to demonstrate the steps that will be required to identify and isolate the devices from unwanted traffic while allowing necessary traffic to pass to the devices.
Commissioning Deep-Packet Inspection of Barrier Devices
Many vendors are producing firewalls designed for the Industrial Control environment. Some very simple; some quite complex. One idea that is rapidly expanding on the Defense-in-Depth concept and becoming more important is that of “Deep Packet Inspection” or DPI. The idea of not only firewalling a protocol, but firewalling what that message is trying to do, allowing for example, a read but not a write command to pass. A number of vendors have released some sort of DPI firewall, and more are adding theirs to the list.
This webinar will explore the uses and special aspects of the industrial control firewall and will review how a firewall works to protect an ICS network. Subsequent webinars will present some of the specific DPI products available on the market today. Who they are from, what protocols they can filter, and what additional functionality they offer.
Control System Vulnerability Assessment
While many standards have changed, and more information is constantly becoming available, what has not changed is the responsibility of the equipment owner to assure his process is reliable, secure and safe. One major step in that process is the Cybersecurity Vulnerability Assessment. This webinar will discuss the need and the path towards accomplishing that goal.
Cyber Risk Assessments and Security Level Verification: Detailed Risk Assessments (Part 2 of 3)
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The second webinar will provide a detailed review of the steps and objectives for a Detailed Risk Assessment as well as the benefits of completing a Detailed Risk Assessment, and the information that feeds the Security Level verification.
Cyber Risk Assessments and Security Level Verification: High-Level Risk Assessments (Part 1 of 3)
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The first webinar will provide a detailed review of the steps and objectives for a High-Level Risk Assessment as well as the benefits of completing a High-Level Risk Assessment, and frame the scope of discussion for the remaining webinars in this series.
Cyber Risk Assessments and Security Level Verification: Security Level Verification (Part 3 of 3)
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The final webinar in this series will provide a detailed review of the steps and objectives for performing a semi-quantitative Security Level (SL) Verification as well as the benefits of completing SL Verification, and the information that feeds future lifecycle steps.
Cybersecurity Incident Response - When Disaster Strikes, How Will You Respond?
In today’s industrial control environment, where over half of ICS have experienced an attack in the last two years, it is not a question of if an attack will occur, but a question of when. When an attack does occur, how will your organization respond? Do you have monitoring in place to detect security excursions? Once the excursion is identified what measures are in place today to respond to and mitigate the concern? This webinar will focus on the keys to an effective Cybersecurity Response and Recovery plan, starting at the moment the attack is discovered all the way to when operation is successfully restored.
Cybersecurity Monitoring and Metrics - “You Can’t Manage What You Can’t Measure” Continuously?
Cybersecurity monitoring and metrics are keys to measuring cybersecurity performance, improving the ability to respond when incidents occur, and improving cybersecurity maturity. What metrics does your organization use to measure cybersecurity performance? Do you have monitoring in place today to identify security excursions? In this webinar we will break down how leading and lagging indicators can be used to improve cybersecurity monitoring as well as how improved continuous monitoring capabilities are becoming a critical part of the automation cybersecurity lifecycle. This non-vendor specific webinar will provide general guidelines and criteria that can be used for establishing an effective continuous monitoring capability for any system.
Cybersecurity Risk Assessment: A Component of the PHA
This webinar focuses on a methodology to perform a cybersecurity risk assessment designed to identify potential hazards that can arise from a cybersecurity attack on process control and protection systems. This is done in the context of the functional safety and cybersecurity lifecycles, and the potential process safety, environmental, and financial consequences.
Deep Packet Inspection for ICS Devices: Modbus/TCP Deep Packet Inspection
This is the second in a series of webinars which will review vendor products who offer Deep Packet Inspection (DPI). In this webinar we will review the background and steps required to implement an Industrial Control System (ICS) firewall using DPI for Modbus/TCP. Multiple vendors products will be shown and their specific configurations reviewed.
Defining Industrial Cybersecurity Incidents
Cybersecurity for industrial control systems has changed significantly in the past two decades as the question has changed from “who would want to target an industrial automation and control system?” to “which industrial facility will be affected next?” This webinar will review major industrial cybersecurity incidents including: Stuxnet, the attack on the Sadara Petrochemical Facility, NotPetya, and the German Steel Mill. These events and others will be used as case studies to outline how industrial cybersecurity has been shaped over the years, and introduce key lessons learned that will help IACS be better prepared to defend against and respond to cybersecurity incidents.
End User Cybersecurity Evaluation Report Card
This webinar will discuss how to make an objective assessment of a vendors equipment to see where it meets (or doesn’t meet) the IEC 62443 requirements through the use of a report card. The report provides a visual presentation of the results that are easy to view and follow. It covers the 7 fundamental requirements of IEC 62443, as well as communications robustness testing and the security development lifecycle. This will give the end user confidence that the products they are using are as secure as possible.
exida Automation Cybersecurity (ACS) Certificate Program
This webinar will introduce and discuss the exida Automation Cybersecurity (ACS) program. This is a certificate program that addresses a growing need to provide confirmation that an attendee showed competency by retaining the knowledge presented in a training course. The ACS program will also provide an analysis of where the candidate’s strengths and weaknesses lie. This program will also help a participant judge their competency level if interested in obtaining a certification like the Certified Automation Cybersecurity Expert (CACE) or Certified Automation Cybersecurity Specialist (CACS).
Getting started on Integrator Cybersecurity Certification
Many integrators and service providers are realizing the benefits of cybersecurity certification both as a business differentiator and way to reach new clients, and even as a prerequisite for consideration in some applications. The IEC 62443-2-4 and IEC 62443-3-3 standards provide detailed requirements for the integration and maintenance practices and security system requirements, respectively. At first the process for achieving compliance and certification may seem daunting, but in this webinar, we will cover all of the information needed to begin making progress towards the goal of process or system certification based on lessons learned from many certification projects.
High-Level Risk Assessments using exSILentia Cyber
This webinar will demonstrate how exSILentia cyber supports the completion of high-level risk assessments consistent with the methodology described in part one of the Cybersecurity Risk Assessment and Security Level Verification series. This webinar will provide a brief description of the method and then focus on how the exSILentia cyber tool can be used to effectively complete and document high-level risk assessments in a consistent manner considering the example chemical plant. The main track of the Cybersecurity Risk Assessment and Security Level Verification series will continue later this month with Part Two - Detailed Risk Assessments
How can I use my PHA to Streamline Cybersecurity Risk Assessment?
Many organizations have mature processes in place for evaluating process or machinery hazards in traditional safety risk assessments, but fewer have developed a robust approach to cybersecurity risk assessment. Alignment between safety risk assessment and cybersecurity risk assessment is critical, and the 2016 version of IEC 61511 now requires that a cybersecurity risk assessment be conducted for all Safety Instrumented Systems (SIS) and connected systems. Fortunately, traditional process hazard analyses (PHAs) have valuable information that can be used to improve the speed and efficiency of the cybersecurity assessment, including corporate risk criteria, potential consequences resulting from control system failures, severity rankings for consequence scenarios, existing mechanical protection layers. With this information organizations can jumpstart their approach to managing cybersecurity risk.
How Can Templates Lead to Improved Cybersecurity Policies and Procedures?
Cybersecurity management is critical for maintaining a secure Industrial Control System over time. Having well documented procedures from risk assessment, through system design, and into the operations and maintenance phase is a key difference between a purely reactive cybersecurity posture and a mature approach that builds on continuous improvement. Using templates for these policies and procedures not only speeds up the development process, but also ensures alignment with the IEC 62443 standards and industry best practice.
How Do I “Manage” my Cybersecurity Management System?
Cybersecurity management has become a business imperative for organizations across many industries. The first attempt can result in mounds of unruly and often unhelpful paperwork. This problem can be emphasized by identifying the correct location of cybersecurity requirements: Is the correct file for documenting the firewall rules, the firewall policy overview, firewall installation procedure, the access control philosophy, the system zone & conduit diagram, or some combination of all the above?
With a Cybersecurity Management System (CSMS), one central document outlines the “what” an organization aims to achieve for cybersecurity and provides clear direction on where to find the procedures that outline the “how” for a given security task, leading to effective cybersecurity management and fewer headaches.
How is Cybersecurity Changing Process Safety?
Cybersecurity has become a significant and credible threat to process safety. The consequences of cyber-attacks are well understood for business networks (e.g. data theft, ransomware, denial of service), but for Industrial Automation and Control Systems (IACS) there is the potential for even more severe consequences because IACS control physical systems in the real world. Case studies will be used to demonstrate how cyber-attacks on IACS can cause damage to equipment, the environment, and safety. This webinar will look at how cybersecurity is impacting process safety, considering the impact of cybersecurity events on traditional strategies for safeguarding and risk assessment, as well as introduce key steps for managing cybersecurity risk.
IEC 61511 & Cybersecurity
This webinar examines the revision in IEC61511-1 earlier this year to include a new clause regarding Cybersecurity and how this will impact end users. It has been recognized for sometime now that Industrial Control Systems can be susceptible to cybersecurity events, which could have potentially disastrous effects on Safety Instrumented Systems and Basic Process Control Systems. How immune a SIS or BPCS is depends upon how it was designed, its network topology and “openness” to the outside world. Compromising a SIS could result in a loss of protection, or worse still initiate unsafe or unstable process conditions.
IEC 62443 - An Introduction to exida Cybersecurity Certification Programs
After a number of cybersecurity attacks on industrial control systems (ICS), most plant owner/operators now consider a cybersecurity attack to be a credible risk. In 2007 the ISA Security Compliance Institute (ISCI) was founded and defined the first cybersecurity certification scheme. Now in 2018, IEC 62443 standards have since been released, new schemes have been defined based on cybersecurity experience and these new standards. The presentation will describe the IEC 62443 Certification Program based on the progression of the IEC62443 standard.
IEC 62443 and Agile / Scrum
This webinar gives a short overview of IEC 62443 and agile/Scrum and then shows one way to incorporate the requirements for IEC 62443-4-1/2 into an agile/Scrum process.
IEC61511 and Cybersecurity: Are Your Safety & Control Systems Really Protected?
When it comes to process safety, most companies will focus on the functional safety lifecycle and compliance with IEC61511. However, with the advent of the industrial internet of things (IIOT) and the growing use of wireless technologies, it is becoming more important to consider cybersecurity and the consequences of control and safety systems being compromised due to a cyber-related incident. Recent ransomware attacks such as Wannacry and NotPetya have again highlighted the need to be more vigilant when it comes to protecting control systems and OT infrastructure. The number of Malware attacks has risen exponentially over the past 10 years but still companies have been slow to react.
The update to IEC61511 in 2016 to include a cybersecurity assessment of an SIS, means companies can no longer procrastinate and/or delay reviewing any SIS for cyber vulnerabilities. Since the standards for functional safety (IEC61511) and cybersecurity (IEC62443) both follow a similar 3 phase lifecycle, it makes sense to consider these two together, when it comes to process safety. This means being just as vigilant with cybersecurity, as with functional safety. As such an integrated lifecycle approach will help in mitigating risk.
This webinar highlights the risks and need to address cybersecurity per the IEC61511 standard and the reasons why. Ignorance may be bliss until your system, network and plant becomes compromised. Then it’s a whole other story.
IEC62443: Attention all Software Development Experts!
Proactive cybersecurity efforts have been on the rise. Some even call it “Trending.” ISA and the global IEC 62443 committee have taken the baton and created a set of standards to help protect manufacturers, end users, and people. The IEC 62443 document series is an international standard intended to provide a flexible framework to enhance Industrial Automation Control System (IACS) cybersecurity. IEC62443-4-1 and IEC62443-4-2 were created with the Software Developer’s roles and responsibilities in mind.
Software Development Experts have started taking the initiative and are taking this exam to become a Certified Automation Cybersecurity Expert (CACE).
If you are someone that has ever wanted to become a leader, a mentor, or someone that just wants to stay ahead of the curve, then this webinar will be extremely valuable.
Industrial Automated Control System (IACS) Cybersecurity Program Management (IEC 62443)
The presence of threats, and the success of attacks has been felt by virtually every individual and organization around the world. Protecting assets must be a well-organized, wide ranging effort that involves everyone who has assets to protect. There are organizational conflicts to understand, policies to create, and specific security activities to coordinate. This webinar discusses key aspects of a Industrial Automated Control System (IACS) Cybersecurity Program, provides concrete recommendations for getting started, and references that provide additional insight.
Integrated System Cybersecurity: Understanding and Applying IEC 62443-3-3
IEC 62443-3-3 System Security Requirements and Security Levels documents the seven foundational requirements for achieving robust system cybersecurity. These requirements can be applied to integrated industrial automation and control systems (either implemented in-house by an end-user or provided as an automation solution by a service provider). This webinar will cover the structure and key concepts from the standard, as well as introduce the process of IEC 62443-3-3 certification, and the benefits that system certification can provide to integration service providers and end-users.
Integration Cybersecurity: Understanding and Applying IEC 62443-2-4
IEC 62443-2-4 documents “a comprehensive set of requirements for security capabilities for IACS service providers.” These requirements can be applied to integration or maintenance service providers and documents a framework for negotiations between asset owners and IACS service providers for cybersecurity requirements. This webinar will cover the structure and key concepts from the standard, as well as introduce the process of IEC 62443-2-4 certification, and the benefits that certification can provide to integration and maintenance service providers.
Introduction to Process Control Cyber Security
This webinar provides an introduction to Control System Cyber Security and the Security Lifecycle for managers and engineers involved in operating, maintaining and integrating Industrial Automation and Control Systems. While the course follows the Security Level Lifecycle from ANSI/ISA-99.01.01 and ANSI/ISA-99.02.01, it also references other relevant industry standards and industry best practices, in particular drawing parallels to the well established Functional Safety Lifecycle from ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod).
IT and OT Cybersecurity, Two Sides of the Same Coin?
Information Technology and Operational Technology are the two groups responsible for managing industrial cybersecurity, but often they work separately with little communication or common understanding of how each groups’ objectives play a role in the overall cybersecurity of the IACS. Developing clear communication and common understanding between IT and OT groups is essential for securing the IACS from the business network to the BPCS and SIS zones.
Co-presented by exida Senior Cybersecurity Engineer Robert Michalsky.
It’s an Assessment, Not an Audit
This webinar outlines the steps and process exida takes to perform its Cybersecurity Vulnerability Assessment without it taking on the uncomfortable feeling of an audit. The spirit of the assessment needs to be cooperative to be successful for both parties. We are not issuing pass/fail criteria, we are not hiding the results to give you a simple pass/fail rating. We are looking to evaluate you against best practice and standards, recommend enhancements, and document what you have already done right.
We discuss:
- What steps you can take to make the process more streamlined
- What information would be helpful in advance if available
- What we investigate during the assessment
- What you will receive at the end of the process
Learning from the Florida Water Hack
In early February of this year a water treatment facility was compromised in Florida. The attackers successfully increased the concentration of sodium hydroxide (also known as lye) by a factor of 100 risking potential illness for the public as well as significant erosion and pipe damage. Fortunately, operators of the Oldsmar water treatment facility saw the attackers increase the concentration and were able to return the concentration to normal levels before there was any risk for harm to the public. This near-miss highlights several important trends for industrial cybersecurity: Industrial cybersecurity incidents can have major health and safety implications, Critical infrastructure makes an attractive target to a variety of hackers, Critical infrastructure is highly susceptible to cybersecurity attack. In this webinar we will review what is known so far about the attack on the Florida water system and identify practical steps that can be taken to improve the cybersecurity of critical infrastructure systems.
Lessons Learned From Actual Control System Security Incidents and Assessments
Lessons Learned From Actual Control System Security Incidents and Assessments
Leveraging IEC 62443 Security Level (SL) Requirements to Define IACS Cybersecurity Metrics
The IEC 62443 document series is an international standard intended to provide a flexible framework to enhance Industrial Automation Control System (IACS) cybersecurity. Seven core functional requirements are used to assist with the design, development, testing and construction of an integrated security architecture. As the Security Level (SL) targets and capabilities are defined, cybersecurity metrics become necessary to be able to assess the efficacy and comprehensiveness of the design. These Security Levels are organized into four increasing tiers each requiring more stringent controls be in place.
As the security architecture matures and the logical and physical assets are grouped into zones, they need to be evaluated along with the connections and data flows between zones that are called conduits. Both the zones and conduits need appropriate security controls to insure plant operational safety. Cybersecurity Best Practices have principles (such as ‘defense in depth’) that can be evaluated through cybersecurity metrics that evaluate architectural components such as zones and conduits.
Furthermore, security is a process that requires continual risk management and risk reduction via the mitigation of identified threats. Cybersecurity metrics are generated and evaluated to determine if adequate risk management is being enabled. Through the usage of well defined, repeatable and accurate cybersecurity metrics, SL adequacy can be assessed.
This presentation goes through the IEC 62443 foundational requirements and describes appropriate and relevant security metrics for evaluating that architectural components such as zones and conduits have appropriate cybersecurity controls in place and that the SL target has been achieved.
Managing Cybersecurity Risks in Wireless Control Networks
The Industrial Internet of Things (IIoT) offers companies many potential benefits such as decreased operational costs and further optimized processes; however, the increased use of wireless control networks also introduces the potential for additional cybersecurity risks. This webinar will briefly review the trends in IIoT and discuss important factors to consider when mitigating the additional risk of wireless control networks.
Meeting IEC 62443 - OEM Cybersecurity Threat Analysis with ARCHx
Cybersecurity Threat Analysis is the process of creating an abstract model of an automation system in an assumed cybersecurity threat environment in order to identify security problems and mitigation measures. This webinar explains the Threat Analysis method, objectives, and output using the exida ARCHx tool. An example of how one threat might impact an automation component and possible mitigation techniques from the Cybersecurity Knowledge Base will be described.
New Year’s Resolution: Plan for OT Cybersecurity
The New Year is a great time to make resolutions and look to make changes from the previous year, but often as the weeks pass, these resolutions fall to the back burner. For 2023, let’s try to change that when it comes to OT Cybersecurity. In this webinar we will examine common pitfalls that prevent progress on goals in the new year, the specific need for improved OT cybersecurity in industrial control systems (ICS), how to develop and implement a roadmap-based approach, and lastly how to track progress. With these steps anyone can be successful at improving their cybersecurity knowledge this year, whether it is setting a personnel goal for better training, or an organization wide goal for better posture, this webinar can serve as the catalyst to get the New Year moving in the right direction.
Performing a Cybersecurity Risk Assessment as a Component of the PHA
This webinar focuses on a methodology to perform a cybersecurity risk assessment designed to identify potential hazards that can arise from a cybersecurity attack on process control and protection systems. This is done in the context of the functional safety and cybersecurity lifecycles, and the potential process safety, environmental, and financial consequences.
Pipelines – Are You Really Protected?
As we have read in the media recently, regarding the Colonial Pipeline cybersecurity incident, the vulnerability of critical infrastructure to cybersecurity incidents is very real. However, it is not just cybersecurity incidents that can adversely affect pipeline operators but also functional safety issues too. It is quite alarming the statics regarding pipeline incidents that have occurred over the past 10 years, as published by the Pipelines and Hazardous Materials Safety Administration (PHMSA). According to PHMSA, since 2010 there have been 906 incidents that have occurred in pipelines that were installed within the decade, up to 2020. This is compared to the same number of incidents occurring in the same period for pipes installed in the 40 years between 1970 and 2009. Clearly, there needs to be closer attention paid to pipeline safety and security.
From its studies, PHMSA established that the primary cause of these incidents was equipment failure, with leakage being the second highest cause. The American Petroleum Institute (API) issued API 1160 3rd edition in 2019 to cover overall pipeline safety with updates on pipeline mechanics, as well as API 1164 (2009) to cover SCADA cybersecurity. However, is this really, enough or should a more risk-based, performance approach based upon a 3-phase lifecycle, as proposed by International Standards, be adopted?
The webinar highlights some of the issues, concerns, standards involved with pipelines and proposes some further considerations for pipeline safety and security.
What you will learn?
- The current issues with pipeline safety
- What some of the common causes of pipeline incidents are
- What current standards are in place for pipeline safety and security
- How a risk-based, performance approach could help
Who should attend?
- Pipeline SCADA/SIS designers
- Pipeline Operations and maintenance personnel
- Plant Managers and Supervisors
- Pipeline insurance companies
White Papers
Cybersecurity Risk Assessment Strategies Based on Process Safety Risk Assessment Techniques
Accurately identifying and analyzing potential sources of risk for both process safety (e.g., equipment failure, human performance issues) and cybersecurity (e.g., targeted attack, unintentional mistake) scenarios are core parts of an effective loss prevention program. The recently published CCPS book Managing Cybersecurity in the Process Industries, A Risk-based Approach discusses strategies for managing cybersecurity risk by adapting RBPS elements to address the unique challenges of cybersecurity threats. This paper will present key concepts from the book including the alignment of cybersecurity and process safety risk management and strategies for adapting process safety risk assessment techniques including Hazard Identification and Risk Assessment (HIRA), Bow Tie, and LOPA for cybersecurity scenarios. Additionally, practical guidance on completing cybersecurity risk assessments will be shared from real-world case studies.
How is Cybersecurity Changing Process Safety?
Cybersecurity has become a credible threat to process safety, and the exposure has never been higher with 70% of Industrial Automation and Control Systems (IACS) now using remote access. The consequences of cyber-attacks are well understood for business networks (e.g., data theft, ransomware, denial of service), but for IACS there is the potential for even more severe consequences, because IACS control physical systems. Case studies will be used to demonstrate how cyber-attacks on IACS can cause damage to equipment, the environment, and safety. This paper will look at how cybersecurity is changing process safety, considering the impact of cybersecurity events on traditional strategies for safeguarding and risk assessment, and introduce key steps for managing cybersecurity risk. These concepts are at the core of the ongoing CCPS project Managing Cybersecurity – A Risk-based Approach Building on the Process Safety Framework.
Integrating Cybersecurity Risk Assessments Into the Process Safety Management Work Process
Cybersecurity is rapidly becoming something the process safety can no longer ignore. It is part of the Chemical Facility Anti-Terrorism Standards (CFATS). In addition, the President’s Executive Order 13636– “Improving Critical Infrastructure Cybersecurity,” has drawn attention to the need for addressing cybersecurity in our plants as it has been demonstrated that in our new world, they are now a source of potential process safety incident.
IEC 61508[2], “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)” now has a requirement to address cybersecurity in safety instrumented systems and ANSI/ISA 84.00.01, “Functional Safety: Safety Instrumented Systems for the Process Industry Sector” is looking to include this requirement in the next revision. Currently the industry is playing catch up as there tends to be a gap in understanding between information technologists, traditionally responsible for cybersecurity, and the process automation and process safety engineers responsible for keeping our plants safe with help from automated controls and safety instrumented systems. As a result, guidance is being developed, but much of it continues to be a work in progress.
The 7 Steps to ICS and SCADA System Security
The past two years have been a wakeup call for the industrial automation industry. It has been the target of sophisticated cyber attacks like Stuxnet, Night Dragon and Duqu. An unprecedented number of security vulnerabilities have been exposed in industrial control products and regulatory agencies are demanding compliance to complex and confusing regulations. Cyber security has quickly become a serious issue for professionals in the process and critical infrastructure industries.
If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organization can get moving on more robust cyber security practices. This white paper will give you the information you need to get started. It won’t make you a security expert, but it will put you on the right path in far less time than it would take if you were to begin on your own.
We began by condensing the material from numerous industry standards and best practice documents. Then we combined our experience in assessing the security of dozens of industrial control systems. The result is an easy-to-follow 7-step process:
Step 1 – Assess Existing Systems
Step 2 – Document Policies & Procedures
Step 3 – Train Personnel & Contractors
Step 4 – Segment the Control System Network Step 5 – Control Access to the System
Step 6 – Harden the Components of the System Step 7 – Monitor & Maintain System Security
The remainder of this white paper will walk through each of these steps, explaining the importance of each step and best practices for implementing it. We will also provide ample references for additional information
The ICS Cybersecurity Lifecycle
With the ever changing threats posed by cyber events of any nature, it has become critical to recognize these emerging threats, malicious or not, and identify the consequences these threats may have on the operation of an industrial control system (ICS). Cyber-attacks over time have the ability to take on many forms and threaten not only industrial but also national security.
Saudi Aramco, the world’s largest exporter of crude oil, serves as a perfect example depicting how devastating a cyber-attack can truly be on an industrial manufacturer. In August 2012, Saudi Aramco (SA) had 30,000 personal computers on its network infected by a malware attack better known as the “Shamoon” virus. According to InformationWeek Security this was roughly 75 percent of the company’s workstations and took 10 days to complete clean-up efforts.
The seriousness of cyber-attacks in regards to national security was addressed by former United States Secretary of Defense Leon W. Panetta in his speech on October 2012. Panetta issued a strong warning to business executives about cybersecurity as it relates to national security.” A cyber-attack perpetrated by nation states [and] violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation,” he stated. “For example, we know that foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country.”
In addition to Panetta’s address, the U.S. Department of Homeland Security has issued several alerts about coordinated attacks on gas pipeline operators, according to a May 2012 report by ABC News.
This whitepaper will focus on the significance of cyber-attacks on industrial control systems (ICS) and how these attacks can be prevented by proper practice of the ICS Cybersecurity lifecycle.