Industrial cybersecurity: is the IT department your friend?
Tuesday, 01 October, 2013
Managing cybersecurity risk is something the process industries are still coming to grips with. The information technology discipline has on average a greater level of maturity in understanding, but can your IT department help you?
In my former life (prior to being the editor of ProcessOnline) I worked in the IT industry. My most recent role in that industry was working in the area of IT security and compliance, and I am still involved in this area in a part-time way.
Recently I attended an industry event that included an open forum on industrial cybersecurity. Two vendor experts in cybersecurity were basically fielding questions from an audience made up mostly of process engineers from the mining and oil and gas industries. I was only a background audience member, but it was interesting to listen to the types of questions that were asked by the audience.
- How does the threat express itself? Where is it coming from? I feel I don’t understand …
- So who is doing this? Is it external or internal?
- The process industries are quite good at learning from past mistakes and events (such as safety issues), but for cybersecurity incidents, there doesn’t seem to be a lot of information around to learn from. Do we all have to repeat the same mistakes?
The implication, from these questions and others like them, is that (at least for those in the room), managing cybersecurity threats is still a ‘black art’ full of mystery and the ‘fear of things that go bump in the night’. People don’t really know where to begin.
Security maturity - where is it?
I think it is true to say that as a whole, the processing, mining and manufacturing industries lack the maturity of security awareness that the general business IT industry has acquired over the years, and so the whole issue can seem very daunting. The publicity around high-profile malware incidents, like Stuxnet and the others that have followed, has raised the profile of cybersecurity as a business need, but also skews the perceptions of the uninitiated into viewing malware and hacking as the main threats to focus on. Vendors across the board are now selling technology squarely aimed at these particular types of threats, further supporting the narrow, reactive view that ‘mysterious bad guys’ pushing viruses and malware are the main thing we need to be afraid of. This can also lead to the idea that once these technologies have been implemented, the cybersecurity issue is ‘covered’ - much like the idea that implementing a firewall will magically secure the process network from everything else.
Don’t get me wrong though - malware and hacking are real and present dangers, but they only represent a certain percentage of the things that need to be taken into account in a cybersecurity program.
In many organisations there is still reluctance among process people to follow what IT do, but I believe that the ‘silo mentality’ that decrees that IT people don’t understand the needs of process systems is only partially true. They may not have an understanding of the safety and process reliability implications, but with the present-day common use of the same networking technologies and operating systems, they do share the same general types of security issues and threats as the plant. Malware infection, for example, can bring a business IT system down, or it can cause a gas explosion - the results are very different, but the actual threat vector is the same. And with greater business visibility into the process becoming a business necessity, the lines between process and IT are beginning to blur more and more.
Is the IT department your friend?
Well, with all this being said, you might expect that with my IT security background I am going to say that “the IT department is your friend”, and that process engineers should leverage IT security experience. Well, maybe - but maybe not. It all depends on the real security maturity in your IT department.
It is true that the IT industry and business in general have gained a high level of maturity in understanding what is needed to implement best practice security in information systems. There is so much useful information available, so many training courses and certifications, as well as government recommended programs and mandates that can provide valuable guidelines about what to do. But there is so much of it - and it has a language all its own - that I guarantee will have you lost the minute you start looking. And, in all honesty, most IT people get lost as well. What I have found over the years is that while the recommended policies, frameworks and standards that are available are very useful, not a very large percentage of organisations get the benefit from them that they should. So here are some ‘big secrets’ about security in IT departments that you may not be aware of:
- True security compliance knowledge and awareness is a specialist knowledge that requires a person to be focused on it as their main job function - and therefore comes at the price of specialised professionals.
- IT departments that include security as part of IT and do not dedicate staff to the function will fail in achieving any real security benefits in the long run.
- Small organisations are vulnerable because they don’t have the financial resources to dedicate staff to security and compliance functions.
- Large organisations, while they have the financial resources, often have such large IT departments and infrastructures that the IT function is siloed into separate groups, introducing internal vested interests and politics that get in the way of implementing best practice security.
In my experience, it is very rare to find any IT department in an organisation that is doing security well - even notwithstanding the knowledge that is available. The best ones are the ones where there is an IT security manager/department that is independent of the day-to-day workings of IT and actually has a real mandate to enforce security policy decisions on the business. They not only need to have the knowledge (both security knowledge and business understanding), but they also need to have the budget and the authority to achieve their goals. This is rare, and even then the security people nearly always face an uphill battle to get their goals implemented for the better of the organisation.
Communicate - secrecy will not help
Good communication is always the key to a successful security program. By ‘communication’ I mean not only interpersonal and interdepartmental communication, but also reporting functions and technical visibility into the security posture of the organisation.
Both IT and process functions in the organisation need to be made aware of the benefits of investing in good security practices - that it is not an ‘imposition’ that will create more work, but a way of improving quality, reliability and safety outcomes while reducing workload in the long term. Business decision-makers also need to be made aware of the business benefits of investment in good security practices or they will not provide the funding or support the security professional in their endeavours.
I think it would be useful for any organisation in the process industries to take a holistic approach to security across both IT and process control systems - the cost and security benefits of reducing duplication are many. However, the differences in perception between IT and process engineers need to be addressed up front, with a clear understanding of the needs and challenges of process automation as they pertain to cybersecurity.
Systems also need to be implemented that provide a measure of automated audit or system checking and reporting, aligned with the goals and benchmarks that have been set as aims for the organisation. Relying on human beings for this process will never work - it is tedious and too prone to error. When security flaws are found or compliance slips, this needs to be seen as a positive and the problem approached in the spirit of working together to improve. After all, you can’t fix what you don’t know about, so it is better to know and to work on the problem without blame.
Last of all, security is not an end goal but an ongoing process - a process of monitoring and checking, reporting and communicating, acting and remediating. What to check, how to report it and how to act on it are where the knowledge comes in. If your organisation doesn’t have the knowledge in-house, then you may need to seek it from a third party. Vendors can help you but many will stop at selling you a product - make sure you can get access to real expertise.
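The automated checking and reporting recommended above, and the ongoing monitor-report-act cycle described in the last paragraph, can be sketched in code. The following is an added example and is not part of the original article: it applies a small set of benchmark rules to a constructed inventory of process-network hosts, produces a plain-text compliance report, and compares the current findings against a previous run so that newly failed and remediated items stand out. The host facts, the benchmark identifiers (PATCH-90, CREDS-DEFAULT and so on) and the thresholds are illustrative assumptions; in practice the facts would come from an asset inventory or configuration management database and the benchmarks from the goals the organisation has actually set.

```python
"""Automated compliance check and report for process-network hosts.

Added example, not from the article. The host inventory and the benchmark
targets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed sample of host facts, in the shape an asset inventory might export.
HOSTS = [
    {"name": "hmi-01", "zone": "control", "os_patch_age_days": 12,
     "default_creds": False, "remote_access": "vpn-only",
     "av_signature_age_days": 3, "backup_tested_days": 20},
    {"name": "eng-ws-02", "zone": "control", "os_patch_age_days": 210,
     "default_creds": False, "remote_access": "direct",
     "av_signature_age_days": 45, "backup_tested_days": 400},
    {"name": "historian-01", "zone": "dmz", "os_patch_age_days": 30,
     "default_creds": True, "remote_access": "vpn-only",
     "av_signature_age_days": 1, "backup_tested_days": 5},
]


@dataclass(frozen=True)
class Benchmark:
    id: str
    description: str
    check: Callable[[dict], bool]  # returns True when the host meets the benchmark


# Assumed benchmarks; thresholds are placeholders for the organisation's own targets.
BENCHMARKS = [
    Benchmark("PATCH-90", "OS patches applied within 90 days",
              lambda h: h["os_patch_age_days"] <= 90),
    Benchmark("CREDS-DEFAULT", "Vendor default credentials changed",
              lambda h: not h["default_creds"]),
    Benchmark("REMOTE-VPN", "Remote access only via the managed VPN",
              lambda h: h["remote_access"] == "vpn-only"),
    Benchmark("AV-SIG-7", "Anti-malware signatures updated within 7 days",
              lambda h: h["av_signature_age_days"] <= 7),
    Benchmark("BACKUP-90", "Backup restore tested within 90 days",
              lambda h: h["backup_tested_days"] <= 90),
]


def audit(hosts, benchmarks):
    """Return {host_name: [ids of failed benchmarks]} for every host."""
    findings = {}
    for host in hosts:
        findings[host["name"]] = [b.id for b in benchmarks if not b.check(host)]
    return findings


def compliance_rate(findings, n_benchmarks):
    """Fraction of (host, benchmark) pairs that pass, from 0.0 to 1.0."""
    total = len(findings) * n_benchmarks
    failed = sum(len(f) for f in findings.values())
    return 1.0 if total == 0 else (total - failed) / total


def report(findings, benchmarks):
    """Plain-text report: a summary line, then one line per failed check."""
    by_id = {b.id: b for b in benchmarks}
    failed = sum(len(f) for f in findings.values())
    lines = [f"Compliance: {compliance_rate(findings, len(benchmarks)):.0%} "
             f"({failed} failed checks across {len(findings)} hosts)"]
    for host, ids in sorted(findings.items()):
        for bid in ids:
            lines.append(f"  {host}: {bid} - {by_id[bid].description}")
    return lines


def drift(previous, current):
    """Compare two audit runs; hosts absent from a run count as having no failures."""
    hosts = set(previous) | set(current)
    new, remediated = [], []
    for host in hosts:
        before = set(previous.get(host, []))
        after = set(current.get(host, []))
        new.extend((host, bid) for bid in after - before)
        remediated.extend((host, bid) for bid in before - after)
    return {"new": sorted(new), "remediated": sorted(remediated)}


if __name__ == "__main__":
    current = audit(HOSTS, BENCHMARKS)
    print("\n".join(report(current, BENCHMARKS)))
    # Constructed result of a previous run, to show what changed since then.
    previous = {"eng-ws-02": ["PATCH-90"], "historian-01": []}
    print("Drift since last run:", drift(previous, current))
```

Run as a script it prints the summary, the failed items per host and the drift against the constructed previous run. The point of the drift output is the one the article makes: a newly failed check is information to act on, not something to hide, and a remediated one is evidence that the process is working.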