Infrastructure and Manufacturing Cyberattacks Continue

Infrastructure and Manufacturing Cyberattacks

Infrastructure and manufacturing sector concerns pose tempting targets for cyberattacks.  When these systems are compromised, the effects can be widespread and can harm vast sectors of society.

When considering cybersecurity, first thoughts usually go to computers and information technology, but industrial devices and processes can fall victim as well.  In May of 2021 the Colonial Pipeline Company was targeted by a ransomware attack.  The pipeline supplied nearly half of the gas, diesel, and jet fuel to the U.S. east coast.  The outage resulted in over 10,000 gas stations being without fuel.

In a similar incident in 2019, the Cybersecurity and Infrastructure Security Agency (CISA) reported on a cyberattack that affected the Operational Technology (OT) of a natural gas compression facility.  This event led to a controlled shutdown that lasted for about two days.  The attack involved ransomware delivered using a Spearphishing Link.

The event was finally rectified when replacement equipment was installed and configurations were reloaded.  Perhaps the biggest takeaway from this event is that the facility’s emergency response plan focused on physical emergency scenarios and that no plan was in place for cyber incidents.

A Large and Serious Problem Not Easily Solved

Most industrial sites were constructed before the age of cybersecurity.  Where information technology has been introduced, legacy systems are often in place with little or no IT support.

Many facility managers or maintenance personnel have insufficient expertise in IT and requisite cybersecurity protocols.  This has created systems with high vulnerabilities that are extremely difficult to secure.  These types of attacks have occurred at petrochemical facilities, and even nuclear power plants, making this a very real threat beyond the immediate sites.

Risk Management and Cyber Security

Successful integration of risk management to address cybersecurity involves founding a program that outlines processes.  These processes must include participation from external parties.

The management system should include functions that:

  • identify processes and assets that require protection
  • implement protections 
  • detect events and anomalies continuously
  • respond to events 
  • recover from events

Information Security Management Systems

An Information Security Management System (ISMS) is a collection of policies, procedures, and controls that systematically address information security in an organization.  It provides a framework to conduct risk assessment and risk management.  The most widely recognized and instituted ISMS in the business environment is ISO 27001.  It shares many of the features of a quality management system such as ISO 9001. 

Because an ISMS is a management system, it incorporates mitigation strategies beyond technical solutions such as firewalls and antivirus programs.  As such, an ISMS must be designed to the specific requirements and risk profile of an organization.  This would include setting objectives for the establishment of security controls and identifying all information assets within the organization (this includes electronic data, people, and paperwork).

Once these steps have been accomplished, a risk assessment can be undertaken to identify and rank vulnerabilities.  Involvement of all stakeholders is important in this process, including clients, customers, and supply chain participants.  Then the necessary policies and procedures can be developed, taking into account the specific regulatory requirements applicable to an organization’s industry.

These policies and procedures should not only involve mitigation strategies but should also include incident response procedures in the event that a data breach should occur.  As with many management systems, buy-in from all levels of an organization is required, starting at the top.  Once instituted, the program can be monitored, audited, and reviewed for effectiveness so that a continuous improvement cycle is in effect.

IoT Device Recommended Security 

IoT devices are widely used in industrial controls technology, agriculture, military, and critical infrastructure applications.  IoT devices are functional, inexpensive, and easy to implement.  As a result there has been an amazing growth in this market.  Presently the global market value is in the trillions of dollars.

NIST has provided a list of six recommended security features that should be built into IoT devices to prevent infrastructure and manufacturing cyberattacks.  These features should be considered when consumers are selecting a device.

  • Device Identification: The IoT device should have a unique identifier when connecting to networks. 
  • Device Configuration: An authorized user should be able to change the device’s configuration to manage security features.
  • Data Protection: Internally stored data should be protected by a device.  This can often be accomplished by using encryption.
  • Logical Access to Interfaces: The device should limit access to its local and network interfaces by using authentication of users attempting to access the device.
  • Software and Firmware Update: A device’s software and firmware should be updatable using secure protocols.
  • Cybersecurity Event Logging: IoT devices should log cybersecurity incidents and provide this information to the owner and manufacturer.

CVG Strategy

Infrastructure and manufacturing cyberattacks will continue to pose a threat to the international community.

CVG Strategy consultants provide training to make your entire team aware of cyberattacks and how to employ processes to prevent these threats.  We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.

Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS).  Our team of experts brings extensive experience and deep information security process control expertise (including certifications as Exemplar Global Lead Auditor ISO/IEC 27001:2013 Lead Auditor) to ensure that you achieve ISO 27001 certification, on time and on budget.

 

Kevin Gholston
