• How to protect industrial control systems from cyber attacks

Worker with tablet computer in front of oil rig, oil and gas, sustainability reporting, internet of things.
The Defense-in-Depth approach developed by the National Security Agency (NSA) and incorporated into the Schneider Electric strategy for cyber security

Federal agencies today recognize the heightened threat of cyber intrusion and are taking steps to guard their industrial control systems (ICS), which include building and energy management systems, SCADA, and PLC systems. However, improving cyber security remains a constant and evolving challenge.

Cyber attacks increasing each year

According to the Ponemon Institute’s 2013 Cost of Cyber Crime Study, the average annualized cost of cyber crime that year was $11.6 million; resolving an attack averaged 65 days. The U.S. Computer Emergency Readiness team (CERT) found that the number of cyber security incidents reported by federal agencies increased by 782% between 2006 and 2012. In addition to economics, federal agencies must account for cyber crime consequences in terms of how they impact their mission and the lives of citizens.

Frost & Sullivan, a global market research, analysis, and consulting firm, reports that cyber attack vectors include: physical intrusion, the human factor, a lack of security expertise, and network loopholes.

A cyber attack can result in significant loss through production or process downtime or disruption, as well as damage to equipment and infrastructure, and may risk penalties for noncompliance to regulations. Most end users have taken some steps to protect against cyber attacks, but eliminating vulnerabilities requires overcoming various obstacles.

Barriers to improving cyber security

According to Frost & Sullivan’s research, barriers that hinder federal agencies in improving cyber security include:

  • Open and collaborative nature of industrial control systems: Many federal agencies have adopted open systems for productivity advantages; however, open systems are more vulnerable to attack.
  • Inadequate end user awareness and action: Users may be unaware of the risk of cyber attacks or hesitant to implement security strategies for fear of an impact on system function.
  • Increased use of off-the-shelf IT solutions: Economics and ease of operation and integration have shifted agencies toward standard IT solutions, exposing them to threats that target similar systems used in the commercial sector.
  • Lack of expertise: An industrial workforce focused on automation and process systems does not necessarily have expertise in industrial IT networks.

A protect-and-prevent strategy

To help address these barriers, many agencies are partnering with solutions providers to help improve security in both new and existing systems. For example, the “Defense-in-Depth” approach, developed by the National Security Agency (NSA), underlies a multilayered strategy that provides holistic security throughout an industrial enterprise.

Schneider Electric, in partnership with software solutions provider Industrial Defender, offers a unified platform for security, compliance, and change management based on the Defense-in-Depth approach. One option of the solution is “whitelisting,” which blocks potential threats by allowing only approved applications to run on a network.

While the Defense-in-Depth approach encourages agencies to create and implement a comprehensive cyber security strategy, a common misconception is that this is an “all or nothing” approach. But it’s also possible to move forward with security improvements in measured steps.

Implementing a step-wise plan

According to the Pareto Principle, approximately 80% of impacts arise from 20% of causes. Recognizing that the reason for inaction can sometimes be the sheer enormity of the task, breaking down a cyber security strategy into steps is a workable approach:

Step 1: Identify the biggest impact upon an organization in terms of a security breach.

Step 2: Zone in on which specific area of plant operations links to that impact.

Step 3: Outline the biggest vulnerabilities in relation to that area of operation.

Step 4: Minimize or eliminate those vulnerabilities.

After following these steps, an organization can move on to the next impact area or vulnerability issue. Rather than revamping an entire system at once and falling victim to “analysis paralysis,” a focused step-by-step approach ensures that the significant changes with the highest impact occur immediately. It also keeps an organization from spreading itself too thin and helps to realize the best value for dollars invested.

To learn more about how to protect industrial control systems against cyber intrusion, download the white paper, “Cybersecurity for Industrial Automation & Control Environments.”

Learn more