Industrial Cybersecurity
INTRODUCTION
Our global economy is at a critical junction, compelled by the imperative to take advantage of the Industrial
Internet of Things (IIoT). But our increasingly digitalized world has also increased the risk of mega attacks
against critical infrastructure, which threaten to affect operations, create financial losses, and even put lives
at risk. As our physical and digital worlds converge, the reality of more frequent and sophisticated industrial
cyber attacks makes evident that the operational technology (OT) cyber threat has become greater than
that presented by information technology (IT).
The global oil and gas sector has become a primary target of this growing industrial cyber threat. Yet, while
the energy industry is indeed highly vulnerable, its transformation in the era of mega OT cyber attacks is not
inevitable. By innovating with purpose and collaborating closely, we can gain confidence and more readily
recognize best practices. But it will require leadership and strategic vision to protect not only individual
organizations, but also the broader energy industry.
That is why Siemens and the International Society of Automation have partnered on this guide: Lessons for
Operators in Industrial Cybersecurity. It is our shared belief that effective management of the growing cyber
threat is an imperative shared by all organizations, public and private, large and small. This joint effort is a
starting point for oil and gas professionals at every level to prepare for potential OT cyber threats while still
reaping the benefits of digitalization. It is a product of a continuous collaboration between Siemens and the
International Society of Automation.
Lessons for Operators in Industrial Cybersecurity includes the results of in-depth studies of cybersecurity
within the oil and gas industries of the United States and the Middle East by the Ponemon Institute, an
independent research organization focused on data protection and information security policy. Here
you’ll also find focused guides from ISA designed for oil and gas industry Corporate Executives and Small
Business leaders who must be empowered to take the necessary steps toward higher states of cyber
readiness. We present these tools and insights to help industrial leaders keep their organizations secure
and running strong.
TABLE OF CONTENTS
We are Signing for Cybersecurity: Charter of Trust | Page 3
The State of Cybersecurity in the Oil & Gas Industry: United States | Page 4
Sponsored by Siemens, independently conducted by Ponemon Institute LLC
Assessing the Cyber Readiness of the Middle East’s Oil and Gas Sector | Page 32
By: Siemens and the Ponemon Institute LLC
We are signing for Cybersecurity
The digital world is changing everything. It’s improving our lives and economies; at the same time, the risk of exposure to cyberattacks is growing dramatically. That’s why we are joining forces and have established the Charter of Trust.
Our principles
1 Ownership of cyber and IT security | Anchor the responsibility for cybersecurity at the highest governmental and business levels by designating specific ministries and CISOs. Establish clear measures and targets as well as the right mindset throughout organizations – “It is everyone’s task.”
… all IoT layers with clearly defined and mandatory requirements. Ensure confidentiality, authenticity, integrity, and availability by setting baseline standards, such as:
• Identity and access management: Connected devices must have secure identities and safeguarding measures that only allow authorized users and devices to use them.
• Encryption: Connected devices must ensure confidentiality for data storage and transmission purposes wherever appropriate.
Sponsored by Siemens, independently conducted by Ponemon Institute LLC | February 2017
Ponemon Institute is pleased to present the results of The State of Cybersecurity in the Oil & Gas Industry: United States, sponsored by Siemens. The purpose of this research is to understand how companies in the oil and gas industry are addressing cybersecurity risks in the operational technology (OT) environment.
According to the findings, the deployment of cybersecurity measures in the industry isn’t keeping pace with the growth of digitalization in oil and gas operations. In fact, just 35 percent of respondents rate their organization’s OT cyber readiness as high. With most respondents describing their organization as having low to medium cybersecurity readiness, 68 percent of respondents say their operations have had at least one security compromise in the past year, resulting in the loss of confidential information or OT disruption.
Read on to learn more about the findings of our research, including cybersecurity challenges in the oil and gas industry with examples of specific exploits and security breaches, as well as solutions for achieving cyber readiness.
1. Fifty-nine percent of respondents believe there is greater risk in the OT than the IT environment, and 67 percent of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats.
2. Oil and gas companies are benefiting from digitalization, but it has significantly increased cyber risks, according to 66 percent of respondents.
3. … cyber compromise, yet many organizations lack awareness of the OT cyber risk criticality or have a strategy to address it.
4. Sixty-one percent of respondents say their organization’s industrial control systems protection and security is not adequate.
5. Sixty-five percent of respondents say the top cybersecurity threat is the negligent or careless insider and 15 percent of respondents say it is the malicious or criminal insider—underscoring the need for advanced monitoring solutions to identify atypical behavior among personnel.
6. Only 41 percent of respondents say they continually monitor all infrastructure to prioritize threats and attacks. In fact, an average of 46 percent of all cyber attacks in the OT environment go undetected, suggesting the need for investments in technologies that detect cyber threats to oil and gas operations.
8. Security technologies deployed are not considered the most effective. Sixty-three percent of respondents say user behavior analytics and 62 percent of respondents say hardened endpoints are very effective in mitigating cybersecurity risks. In addition, 62 percent of respondents say encryption of data in motion is considered very effective. Yet, many companies do not have plans to deploy these technologies. Specifically, in the next 12 months less than half of organizations represented (48 percent of respondents) plan to use encryption of data in motion, only 39 percent plan to deploy hardened endpoints, and only 20 percent will adopt user behavior analytics (UBA).
We surveyed 377 individuals in the United States who are responsible for securing or overseeing cyber risk in the OT environment1. Most of these individuals report to the head of industrial control systems (19 percent), head of quality engineering (15 percent), OT security leader (14 percent), head of process engineering (14 percent), and IT security leader (11 percent).
Respondents work in the downstream (30 percent), upstream (24 percent), middle stream (17 percent), or all of these environments in the oil and gas industry (29 percent).
Sixty-one percent of respondents say their organization’s industrial control systems protection and security is not adequate. These perceptions are based on the following findings: 61 percent of respondents believe their organization has difficulty in mitigating cyber risks across the oil and gas value chain, and less than half (48 percent) of respondents believe their organization is effective in achieving compliance with security standards and guidelines in the oil and gas industry.
Organizational challenges affect cybersecurity readiness. Only 33 percent of respondents believe there is full alignment between OT and IT with respect to cybersecurity operations. Sixty percent say they do not have enough staff, and only 45 percent of respondents say they have the internal expertise to manage cyber threats in the OT environment.
Together, negligent and malicious or criminal insiders pose the most serious threat to critical operations. Sixty-five percent of respondents say the top cybersecurity threat is the negligent or careless insider, and 15 percent of respondents say it is the malicious or criminal insider.
Migration to the digital oil field has benefits and risks. Oil and gas companies are benefiting from digitization. However, 66 percent of respondents are concerned that it has made them more vulnerable to security compromises. These increases have made organizations more aware of the need to have security analytics. Sixty-eight percent of respondents say this technology is essential or very important.
The biggest vulnerability to organizations is outdated and aging control systems in facilities. Sixty-three percent of respondents say outdated and aging control systems in facilities put organizations at risk. Another vulnerability is the use of standard IT products with known vulnerabilities in the production environment (61 percent of respondents).
Most organizations are in the early to middle stages of OT cybersecurity maturity. Forty-one percent of respondents say their organizations are in the early to middle stage of maturity with respect to their cyber readiness. This means many OT cybersecurity program activities have not yet been planned or deployed, or they have been planned and defined but only partially deployed.
Many organizations are outsourcing OT security operations. To support their efforts in addressing the heightened risk created by digitization, 52 percent of respondents say their organization currently outsources (16 percent of respondents) or would consider outsourcing (36 percent of respondents) its OT security operations.
Security technologies deployed are not considered the most effective. Sixty-three percent of respondents say user behavior analytics and 62 percent of respondents say hardened endpoints are very effective in mitigating cybersecurity risks. In addition, 62 percent of respondents say encryption of data in motion is considered very effective. Yet, many companies do not have plans to deploy these technologies. Specifically, in the next 12 months less than half of organizations represented (48 percent of respondents) plan to use encryption of data in motion, only 39 percent plan to deploy hardened endpoints, and only 20 percent will adopt user behavior analytics (UBA).
Sharing of threat intelligence is considered valuable in reducing cyber threats. Critical to reducing cyber risks in the OT environment is the sharing of threat intelligence, according to 71 percent of respondents. However, only 43 percent of respondents say they participate in the Oil & Natural Gas Information Sharing and Analysis Center. The primary reasons for not sharing are concerns about the quality of threat information (56 percent of respondents) and insufficient resources (53 percent of respondents).
Operational solutions should focus on alignment between OT and IT and in-house expertise. As shown in this research, organizational challenges create difficulty in enhancing OT security. Only 33 percent of respondents say there is full alignment between OT and IT with respect to cybersecurity operations, and only 45 percent of respondents say their organization has the internal expertise to manage cyber threats. Cybersecurity training and awareness of employees is critical because 60 percent of respondents say their organizations do not have such initiatives in place.
There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from findings. The following items are specific limitations that are germane to
most web-based surveys.
• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of OT and IT security practitioners who are familiar with their organization’s use of security analytics. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.
• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate or truthful responses.
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible information
and privacy management practices within business and government. Our mission is to conduct high quality,
empirical studies on critical issues affecting the management and security of sensitive information about people
and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold
strict data confidentiality, privacy, and ethical research standards. We do not collect any personally identifiable
information from individuals (or company identifiable information in our business research). Furthermore, we have
strict quality standards to ensure that subjects are not asked extraneous, irrelevant, or improper questions.
Smaller companies may not be fully aware of the risks they face or that they can contract for cybersecurity-related services.
Effective cybersecurity management is essential for all organizations, regardless of size. There are many standards and guidance documents available to help organizations determine a way forward.
This document is intended to provide a starting point for small- and medium-businesses (SMBs), particularly those that manage industrial processes and employ some level of automation. Specific examples include SMBs in the chemical and water and wastewater treatment sectors.
While it is generally accepted that Operational Technology (OT) system security requires different or additional measures than general-purpose Information Technology (IT) system security, it is also true that smaller companies might have difficulty implementing much of the available guidance.
Standards and practices are often based on the assumption that engineering and operations resources are available to define, implement, and monitor the technology, business processes, and associated controls. Unfortunately, this is often not the case. Smaller operations are typically not staffed to include such roles. It is more common to have broadly defined staff roles, with support and operation of IT systems as only part of an individual’s responsibilities.
Smaller companies may not even be fully aware of the risks they face or that they can contract for cybersecurity-related services. This guide is intended to identify the essential controls that need to be established.
SMBs need to understand their cybersecurity risk and to take action to reduce this risk, just as they do with other business risks. The absence of previous incidents, or the belief that the organization is not a likely target, is not sufficient justification for ignoring this issue.
SMBs can be at risk from a wide variety of threats, including amateur and professional hackers, environmental activists, disgruntled employees or contractors, and even nation states or terrorists. In addition, many cybersecurity incidents are a result of accidents or unintentional actions. A company does not have to be a specific target to be affected.
The consequence to an SMB can vary tremendously based on the nature of operations and the vulnerabilities of each. It is essential that the underlying vulnerabilities are recognized and that these vulnerabilities be mitigated to minimize the likelihood of potentially dire events.
This document provides guidance based on well-established frameworks and standards. Further reference should be made to these frameworks and standards, focusing on the recommendations in this document.
Cybersecurity management is not a one-time activity. Like quality and safety management, cybersecurity management is an ongoing activity where continuous improvement must be made in order to manage the risks.
Very few, if any, businesses today operate without some dependence on systems and equipment that are vulnerable
to a cybersecurity incident. The impact to the business of such an incident will vary. However, this impact needs to
be understood and managed accordingly if businesses are to be able to operate as expected.
There are two broad categories of systems and equipment: Information Technology (IT) and Operational Technology
(OT), each with their own characteristics, as shown in the table below.
Definition
  IT: Used in a business or office environment to support day-to-day activities, such as accounting, ordering, human resources, and data analysis.
  OT: Used to monitor and control processes in industrial environments, such as factory floors, refineries, oil and gas platforms, and water treatment operations.
Cybersecurity concerns
  IT: Data confidentiality is the primary concern, followed by integrity of the data and system availability.
  OT: System availability is the primary concern, followed by integrity of the data, and finally, data confidentiality. In OT, data integrity and confidentiality are particularly important for device logic or configuration files used in control applications.
Management of Change
  IT: Change-control processes are largely self-contained within the IT function.
  OT: Technological changes are part of the overall Management of Change process. It can be difficult to take equipment out of service to update.
Other factors
  IT:
  • It is becoming more common for employees to use their own devices, especially mobile technology, to access business systems
  • New technologies are being adopted with insufficient concern for security
  OT:
  • Equipment and communications protocols tend to be proprietary, and it can be difficult to implement typical cybersecurity controls
  • Underlying technology can be antiquated and, therefore, more vulnerable to basic cybersecurity incidents
  • The equipment environment is almost always heterogeneous, with devices of various ages and sources
In simple terms, risk can be defined as a function of threat, vulnerability, and consequence. Each of these elements
must be assessed in order to gain a full understanding of the situation.
Common threats
When considering cybersecurity threats, many consider only deliberate, targeted attacks from professional hackers.
As a result, some dismiss the risk to their facilities.
The table below shows that SMBs are subject to numerous types of threats, both deliberate and otherwise.
Cybersecurity incidents can arise as a result of accidents or unintentional actions by authorized individuals (employees, vendors, or contractors). Many threats are non-targeted, and SMBs can be impacted as collateral damage.
In all of the examples below, SMBs could be impacted indirectly, simply because they have equipment similar to the
primary target.
Table 1: Threat Examples
Amateur hackers
  Description: With access to many online tools and resources, anyone can find systems connected to the Internet and interfere with their operation, often for the challenge or prestige.
  Example: The online community HackForums.net is a popular forum for amateur hackers, and is believed to be behind the PlayStation network attack on Christmas Day 2014, as well as the attack on the Internet Name Servers in the Eastern USA in October 2016.
Professional hackers
  Description: Hackers with more skills and resources target organizations with ransomware and other disruptive techniques and tools for profit.
  Example: In 2016, the Lansing Board of Water & Light was forced to pay a $25,000 ransom to unlock its internal communications systems, which were hit as part of a larger attack. The utility estimated the total cost of responding to the attack and strengthening its defenses against future attacks was $2.4M.
Environmental activists
  Description: Groups can work with hackers to disrupt the operations of organizations whose business practices they oppose or are contrary to their beliefs.
  Example: In 2011, the group Anonymous posted confidential information on 2,500 Monsanto employees and associates and shut down the company’s international websites for nearly three days.
Nation states or terrorists
  Description: Organizations with very large resources target critical infrastructure organizations to create instability or to influence their will.
  Example: In 2010, a virus known as Stuxnet compromised Iran’s nuclear enrichment facility. The virus targeted the control system for the centrifuges in the facility and, while providing pre-recorded data to operators, would cause the centrifuges to operate outside of their normal envelope. Analysts suggest the enrichment program was set back several years as a result of the attack.
A mitigation is an action or solution that is implemented to reduce the likelihood of a vulnerability being exploited or
offset the adverse effects of an incident should that vulnerability be exploited.
There are many cybersecurity vulnerabilities, and each organization possesses different ones depending on the
equipment they use and the policies and procedures they have in place. As noted previously in this white paper,
SMBs can be impacted by a non-targeted attack, simply because they utilize equipment similar to that used by the
primary target. The table on the following page provides a list of common vulnerabilities found in all organizations to
some degree, along with key mitigations that should be implemented to control these vulnerabilities.
These key mitigations are essential for all SMBs to provide a basic level of cybersecurity management. It is highly
recommended for SMBs to consider additional mitigations. Further guidance is available from several sources,
including:
• International Society of Automation (ISA). The ISA/IEC 62443 standards (Security for Industrial Automation and Control Systems) provide detailed guidance on how to create a cybersecurity management system for OT environments. These standards are also available internationally as IEC 62443.
• The US Chamber of Commerce [6], Department of Homeland Security (DHS) [7], US Small Business Administration (SBA) [9], National Institute of Standards and Technology (NIST) [10], as well as many business and technology websites [5], [8].
• The Center for Internet Security (CIS). CIS produces the Critical Security Controls [2], which identify the top 20 mitigations that reduce the likelihood and/or consequence of a cybersecurity incident. These controls are referenced in the Key Mitigations table below as CSCxx where “xx” is 1 to 20 (for example, CSC17).
Key Mitigations
Inadequately trained employees
  Vulnerability: Employees who have received little or no training in the risks of cyber incidents are more likely to:
  • Be victims of social engineering, such as phishing (the use of faked email messages to extract confidential information or to gain unauthorized access to equipment)
  • Use removable media without performing virus checks
  • Fail to observe the signs of a cyber incident
  Key mitigation: Provide (internally or using external parties) a variety of training resources for employees, including classroom-based, computer-based training courses/assessments, informational videos, posters, and email newsletters (CSC17)
Inadequately secured network
  Vulnerability: Networks that are inadequately secured can:
  • Allow external users unauthorized access to systems and equipment
  • Increase the chances of a cybersecurity incident extending throughout an organization
  Key mitigation: Use standards to define and implement effective network security. In particular, avoid direct connection with external networks, control traffic in and out of the internal network, and between different areas of the internal network (CSC1,2,6,12,13,15,20)
Inadequately secured equipment
  Vulnerability: Equipment that is inadequately secured can:
  • Lack appropriate physical security, allowing ease of access to unauthorized users and increasing the likelihood of accidental actions
  • Lack appropriate protection on physical inputs, such as USB ports and DVD drives, making it easier for malware to be transferred
  • Contain unnecessary applications or run unnecessary services, increasing the possibilities of a cyber incident
  Key mitigations:
  • Where possible, keep equipment in locked cabinets or rooms to avoid unnecessary contact
  • Where not possible, use locks (physical and electronic) to secure access to physical inputs
  • Remove unnecessary applications and disable unnecessary services on equipment (CSC1,2,3,6,7,11,13,18)
Inadequate anti-virus management
  Vulnerability: Equipment running without anti-virus protection is vulnerable to malware attack. With some malware, the infection may not be obvious and this can lead to a spread of the malware throughout the organization. A failure to maintain anti-virus protection (with the latest security patches or with the latest malware signatures) makes equipment much more vulnerable to newer malware threats.
  Key mitigations:
  • Ensure anti-virus is operational and maintained on all equipment, where possible
  • Where not possible, ensure equipment is adequately secured to remove opportunity for introduction of viruses
  • Use a standalone machine to perform virus checking on incoming machines and media (CSC8)
Inadequate change management
  Vulnerability: There are two important considerations for change management:
  • Making changes to system software or hardware can introduce new vulnerabilities that, if not considered, could be exploited
  • Inadequate change procedures can create cybersecurity incidents. For example, a failure to implement a backup before updating software could result in system unavailability if the update fails
  Key mitigations:
  • All changes must be reviewed before implementation. The review must assess the potential impact on system operation (reliability, performance, etc.) as well as any changes to cybersecurity risks
  • A change procedure must be in place that ensures that all changes are implemented with a step-by-step plan and a means to restore any equipment to its previous state, if required (CSC4,20)
Inadequate security patch management
  Vulnerability: Equipment running without the latest security patches is much more vulnerable to newer malware threats. The more security patches that are missed, the more vulnerable the equipment becomes.
  Key mitigation: Ensure equipment is kept up to date with the latest security patches from vendor(s) (CSC3,11,18)
Inadequate backup management
  Vulnerability: Backups are essential to the restoration of failed hardware or equipment infected with malware. In order to be effective, backups must occur frequently to avoid the loss of significant amounts of data. In addition, unless backups are periodically tested, they can prove to be useless when required.
  Key mitigations:
  • Determine what needs to be backed up and how often
  • Maintain backups to a defined regime
  • Periodically test backups using a test environment (CSC10,13)
Inadequate password management
  Vulnerability: There are two key issues:
  • Weak passwords are easy to guess (e.g. ‘password’) or use only letters or numbers. A weak password can be determined using ‘brute force’ techniques within 1-2 minutes
  • Passwords that are never changed, or changed infrequently, are much more vulnerable to exploitation
  Key mitigations:
  • Avoid use of shared accounts, where possible
  • If not possible, ensure shared accounts have limited privileges
  • Enforce a policy to change account details when someone leaves or moves to a new role in the organization (CSC5,14,15,16)
Use of default accounts
  Vulnerability: Many devices or systems have manufacturers’ default accounts. If these accounts are not changed, anyone with knowledge of the default details can gain unauthorized access much more easily. In some cases, default account information is freely published on the Internet.
  Key mitigations:
  • Remove or change default account details (username and/or password), where possible
  • If not possible (e.g. hard-coded by vendor), enforce strict physical access control on equipment (CSC5,14,15,16)
Inadequate incident response
  Vulnerability: Many organizations have no plans in place to deal with a cybersecurity incident. Organizations that have plans in place may not exercise those plans sufficiently to validate that they are effective. Without an effective incident response plan in place, organizations can be exposed to major consequences should a cybersecurity incident occur.
  Key mitigations:
  • Create an incident response plan that identifies the possible incidents and the appropriate response to each, as well as the key internal and external contacts
  • Exercise the incident response plan periodically to verify that it is effective (CSC20)
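As an added example that is not part of the ISA guide, the following Python script applies the password-management and default-account mitigations above (CSC5,14,15,16) to a constructed account export from a small plant. The CSV column names, the 90-day password age, the device names, usernames and dates are all assumptions made for this example.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Policy threshold assumed for this example; the guide gives no figure.
MAX_PASSWORD_AGE_DAYS = 90
# Constructed audit date so the run is reproducible offline.
AUDIT_DATE = date(2017, 6, 1)


@dataclass(frozen=True)
class Account:
    device: str
    username: str
    vendor_default: bool      # account shipped by the manufacturer
    default_changed: bool     # default username/password has been changed
    hard_coded: bool          # vendor account that cannot be removed or changed
    shared: bool              # used by more than one person
    privileged: bool          # can alter device logic or configuration
    last_password_change: Optional[date]
    owner_active: bool        # False once the named owner has left or moved role


def _flag(value: str) -> bool:
    return value.strip().lower() in {"yes", "y", "true", "1"}


def parse_inventory(text: str) -> list:
    """Parse a CSV account export (column names are assumptions for this example)."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        changed = row["last_password_change"].strip()
        accounts.append(Account(
            device=row["device"].strip(),
            username=row["username"].strip(),
            vendor_default=_flag(row["vendor_default"]),
            default_changed=_flag(row["default_changed"]),
            hard_coded=_flag(row["hard_coded"]),
            shared=_flag(row["shared"]),
            privileged=_flag(row["privileged"]),
            last_password_change=(datetime.strptime(changed, "%Y-%m-%d").date()
                                  if changed else None),
            owner_active=_flag(row["owner_active"]),
        ))
    return accounts


def audit_account(acct: Account, today: date = AUDIT_DATE,
                  max_age: int = MAX_PASSWORD_AGE_DAYS) -> list:
    """Return the mitigation gaps from the guide's two account rows that apply."""
    findings = []
    if acct.vendor_default and acct.hard_coded:
        # Cannot be changed: the guide's fallback is strict physical access control.
        return ["hard-coded vendor account: enforce strict physical access control"]
    if acct.vendor_default and not acct.default_changed:
        findings.append("default account details not changed")
    if acct.shared and acct.privileged:
        findings.append("shared account is not limited to minimal privileges")
    if acct.last_password_change is None:
        findings.append("password has never been changed")
    elif (today - acct.last_password_change).days > max_age:
        findings.append(f"password older than {max_age} days")
    if not acct.owner_active:
        findings.append("owner left or changed role; account details not updated")
    return findings


def audit_inventory(accounts, today: date = AUDIT_DATE) -> dict:
    """Map 'device/username' to its findings; accounts with no findings are omitted."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[f"{acct.device}/{acct.username}"] = findings
    return report


# Constructed sample export: devices, users and dates are invented for this example.
SAMPLE_EXPORT = """device,username,vendor_default,default_changed,hard_coded,shared,privileged,last_password_change,owner_active
PLC-01,admin,yes,no,no,no,yes,,yes
PLC-01,operator,no,no,no,yes,yes,2017-01-10,yes
HMI-02,service,yes,no,yes,no,yes,,yes
HIST-01,jsmith,no,no,no,no,no,2016-11-05,no
ENG-WS-01,engineer,no,no,no,no,yes,2017-04-01,yes
"""

REPORT = audit_inventory(parse_inventory(SAMPLE_EXPORT))

if __name__ == "__main__":
    for account, findings in REPORT.items():
        print(account)
        for finding in findings:
            print("  -", finding)
```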
Theft of confidential information (IT/OT)
  Description: Hackers use social engineering techniques to obtain confidential information, such as usernames and passwords, that can be used to gain unauthorized access to systems. Hackers with unauthorized access to systems can extract confidential information, such as customer names, credit card numbers, trade secrets, drawings, or plans.
  Example: In 2014, payment card data for 70 million customers was stolen from Target, after hackers gained access using the credentials of a supplier, stolen in a separate phishing attack.
System unavailability (IT)
  Description: Computer viruses can be downloaded onto IT workstations, laptops, and servers remotely (using unauthorized access or through the use of social engineering), or using removable media, such as USB drives, CDs, and DVDs. Viruses can propagate across a network to infect other machines. Viruses may be used to:
  • Obtain confidential information (such as usernames and passwords)
  • Cause excessive network traffic that disrupts normal operation
  • Wipe an entire hard disk clean
  • Lock a disk until a ransom is paid
  Example: In 2012, a virus called Shamoon infected more than 30,000 office workstations belonging to Saudi Aramco. Business operations were slowed and, in some cases, paused as employees were forced to resort to manual/offline activities and the use of personal emails for several weeks.
Operations or production shutdown (OT)
  Description: Since operations or production are heavily dependent on the OT systems that monitor and control them, a failure of these systems can result in a shutdown of the plant or process. Typical cybersecurity causes are:
  • Viruses
  • Unauthorized access
  • Lack of backup of system data, program, or settings
  Example: In 2013, a virus infected the operational network of the Cook County Department of Transportation and Highways in Chicago, affecting 200 computers. The department was shut down for nine days until normal service could be restored.
Equipment damage (OT)
  Description: Production or operational plants are connected to the monitoring and control systems that can be impacted by a cybersecurity incident. Without adequate mechanical or independent shutdown systems, physical damage is possible.
  Example: In 2014, hackers gained access to a steel mill in Germany and disrupted the operation of the safety system, causing massive damage to the blast furnace.
Injury or death (OT)
  Description: Many OT control systems monitor or control processes that, in the event of failure or incorrect operation, can cause harm to personnel or members of the public. Examples include oil and gas production, transportation, and wastewater treatment.
  Example: In 2008, a 14-year-old boy modified a TV remote to change the points on a train network in Lodz, Poland. Twelve people were injured and four trains derailed.
The US Cybersecurity Framework, produced by the National Institute of Standards and Technology (NIST) [1], is an
excellent starting point for SMBs. The Framework identifies five core functions that encapsulate cybersecurity
management. The Framework then further defines all the activities that may need to be undertaken for each function
and identifies relevant standards to help identify how to implement these activities.
The table below identifies the essential cybersecurity activities that should be undertaken by all SMBs. These are
described in more detail below the table.
Table 4: Essential Cybersecurity Activities
Framework Functions | Activities
Identify
The identify function focuses on understanding the nature of the systems inventory owned by the SMB and what
risks are associated with this inventory.
Additionally, some organizations identify equipment location, owner, and other useful information.
Risk assessments require the involvement of all key stakeholders (to ensure accuracy) and
should identify the likely threats and the vulnerabilities in the asset base. From this, the
organization should identify the potential consequences, e.g. loss of confidential information,
loss of revenue, environmental impact, injury or death, and so on.
SMBs should rank their risks using a common methodology to allow the identification of risks in
priority order.
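As an added example (not from the Siemens/ISA guide), the following Python script applies one "common methodology" to the risks in the guide's risk table: each risk gets a 1-5 likelihood estimate from the stakeholders and a consequence severity taken from the Identify section's list of consequences, and the register is sorted into priority order. The severity values and the likelihood estimates are this example's assumptions.

```python
"""Risk ranking with a common methodology (added example, not the guide's
own tooling). Each risk is scored as likelihood x consequence severity and
the register is returned in priority order."""
from dataclasses import dataclass

# Consequence categories in the order the guide lists them, mapped to a
# 1-5 severity scale. The numeric values are this example's assumption.
CONSEQUENCE_SEVERITY = {
    "loss of confidential information": 2,
    "loss of revenue": 3,
    "environmental impact": 4,
    "injury or death": 5,
}


@dataclass(frozen=True)
class Risk:
    name: str
    domain: str          # "IT", "OT" or "IT/OT", as in the guide's risk table
    threat: str
    vulnerability: str
    consequence: str     # one of the CONSEQUENCE_SEVERITY keys
    likelihood: int      # 1 (rare) .. 5 (almost certain), stakeholder estimate

    def score(self) -> int:
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"likelihood out of range for {self.name}")
        return self.likelihood * CONSEQUENCE_SEVERITY[self.consequence]


def rank_risks(risks):
    """Highest score first; ties broken by consequence severity so that a
    safety consequence outranks a data-loss consequence with the same score."""
    return sorted(
        risks,
        key=lambda r: (r.score(), CONSEQUENCE_SEVERITY[r.consequence]),
        reverse=True,
    )


# Constructed register built from the rows of the guide's risk table; the
# likelihood values are illustrative estimates, not figures from the guide.
SAMPLE_REGISTER = [
    Risk("Theft of confidential information", "IT/OT", "phishing for credentials",
         "users share or reuse passwords", "loss of confidential information", 4),
    Risk("System unavailability", "IT", "malware via removable media",
         "unscanned USB drives allowed", "loss of revenue", 3),
    Risk("Operations or production shutdown", "OT", "virus on operational network",
         "no backup of controller settings", "loss of revenue", 2),
    Risk("Equipment damage", "OT", "unauthorized access to safety system",
         "no independent shutdown system", "environmental impact", 2),
    Risk("Injury or death", "OT", "incorrect operation of process control",
         "control network reachable without authorization", "injury or death", 2),
]


def priority_table(risks):
    """Render the ranked register as (rank, name, score) rows."""
    return [(i + 1, r.name, r.score()) for i, r in enumerate(rank_risks(risks))]


if __name__ == "__main__":
    for rank, name, score in priority_table(SAMPLE_REGISTER):
        print(f"{rank}. {name} (score {score})")
```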
Protect
The protect function is a core cybersecurity management activity that an organization must
undertake on an ongoing basis.
• Physically locking or disabling all equipment inputs to prevent unauthorized use, including
smart device charging
• Using only dedicated devices that are kept secure, with anti-virus software scanning before
and after use
• Using a quarantine area to check incoming removable devices of unknown provenance and
transfer files to dedicated, known devices
• Only allowing a transfer of files from removable devices under strict supervision and in
compliance with anti-virus checks
• Applying recommended patches to operating system and application software in a timely
manner
• Testing patches before applying to live equipment
• Keeping anti-virus software up to date
• Performing an anti-virus scan regularly and frequently (e.g. monthly)
• Maintaining a record of all updates applied to allow for identification of issues
• Limiting external access to equipment and networks to only those authorized to access
them
• Keeping confidential information secure (e.g. in locked cabinet or safe) and disposing
confidential information in a secure manner (e.g. shredding)
• Being aware of who is around you and taking care to avoid disclosing sensitive information
• Being suspicious of emails if you do not recognize the sender
• Making sure you don’t click on links or open attachments unless you are certain the sender
is trustworthy
• Making sure you do not download or install anything after following a link in a suspicious
email
• Making sure you do not provide confidential information via email unless you are certain the
recipient is appropriate/authorized
• Making sure a supervisor or trained expert is available for advice before individuals take
any action
• Maintaining physical and electronic security to ensure that only authorized persons have
access to the equipment they require in performing their role
• Securing equipment in locked rooms or cabinets and monitoring access
• Performing background checks on all users before approving access
• Maintaining a register of approved users
• Preventing sharing of login credentials between users
• Removing or changing credentials when a user moves to a new role or leaves
• Removing or changing default accounts
• Enforcing strong passwords and changing regularly
• Providing temporary external access as required, supervising it during use, and removing it once
complete
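The user-access activities above (register of approved users, no shared credentials, credentials removed on role change or departure, default accounts removed) can be checked mechanically. The following Python script is an added example, not the guide's own tooling: it reconciles a constructed register of approved users against a constructed export of the accounts present on a workstation and reports each violation. The register format, the export format and the list of default account names are assumptions of the example.

```python
"""User-access audit for the Protect activities (added example, not from the
guide): reconcile a register of approved users against the accounts actually
present on a system and flag default accounts, accounts with no approved
owner, leavers, role changes and shared credentials."""
import csv
import io

# Default account names to look for; this set is the example's assumption.
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "operator"}

# Constructed register of approved users: name, account, role, status.
APPROVED_REGISTER_CSV = """name,account,role,status
Alice Example,aexample,control engineer,active
Bob Example,bexample,maintenance,left
Carol Example,cexample,shift supervisor,role changed
Dan Example,dexample,control engineer,active
"""

# Constructed export of accounts present on an HMI workstation, with the
# number of people known to log in with each account.
SYSTEM_ACCOUNTS = [
    {"account": "aexample", "users_sharing": 1},
    {"account": "bexample", "users_sharing": 1},
    {"account": "cexample", "users_sharing": 1},
    {"account": "shiftops", "users_sharing": 4},
    {"account": "administrator", "users_sharing": 2},
]


def load_register(csv_text):
    """Index the approved-user register by account name."""
    return {row["account"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def audit_accounts(register, system_accounts):
    """Return (account, finding) pairs, one per control violation found."""
    findings = []
    present = {a["account"] for a in system_accounts}
    for acct in system_accounts:
        name = acct["account"]
        if name in DEFAULT_ACCOUNTS:
            findings.append((name, "default account still present"))
        entry = register.get(name)
        if entry is None:
            if name not in DEFAULT_ACCOUNTS:
                findings.append((name, "no approved user in register"))
        elif entry["status"] == "left":
            findings.append((name, "user has left; remove credentials"))
        elif entry["status"] == "role changed":
            findings.append((name, "role changed; re-approve or change credentials"))
        if acct["users_sharing"] > 1:
            findings.append((name, "credentials shared between users"))
    # An approved, active user with no account is not a violation, but it
    # suggests the register itself is stale and should be reviewed.
    for name, entry in register.items():
        if entry["status"] == "active" and name not in present:
            findings.append((name, "approved user has no account; register may be stale"))
    return findings


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit_accounts(load_register(APPROVED_REGISTER_CSV), SYSTEM_ACCOUNTS)


if __name__ == "__main__":
    for account, finding in run_audit():
        print(f"{account}: {finding}")
```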
Detect
Having established an understanding of its asset base and the risks to it, the SMB must then
have methods to monitor for incidents, so that it is able to respond promptly and effectively to
minimize the impact.
Identify improvements
Cybersecurity is an ever-changing situation. Threats, vulnerabilities, and risks change and
SMBs need to be able to adapt. In the detect function, SMBs must regularly review their
monitoring methods and adjust them to suit changing circumstances and according to incident
experiences.
Identify improvements
SMBs will need to update their incident management plans in response to changes in the
cybersecurity landscape, and also as a result of their incident response tests.
Recover
While the respond function comes into effect when an incident occurs, the recover function
comes into effect once the respond function is completed. As with the respond function,
preparation is essential to a successful recovery, and so an SMB must take actions well in
advance of any incident.
Identify improvements
SMBs will need to update their recovery processes in response to changes in the cybersecurity
landscape, and also as a result of their incident recovery tests.
External classroom and online training courses are recommended for SMBs to give their employees a clear
understanding. Internal resources, such as assessment (surveys, tests) and awareness (videos, posters, emails)
tools, should be used to complement external courses and provide a constant reminder to employees.
Effective cybersecurity management should be a high-profile business objective that is reported on by management
so that employees are constantly reminded of its importance.
The International Society of Automation (ISA) provides training courses and certificate programs based on the ISA/
IEC 62443 (Security of Industrial Automation and Control Systems) standard [4].
Third-party assessment
For a nominal fee, ISA can review an SMB’s survey responses. ISA utilizes a pool of international cybersecurity
Subject Matter Experts (SMEs) to provide this service. This third-party assessment will provide a more
comprehensive and independent review of the SMB’s cybersecurity posture with advice on how to proceed.
Continuous improvement
Effective cybersecurity management requires continuous improvement. The essential activities outlined above are
only the beginning.
For each of the five core functions of the Cybersecurity Framework, there are many degrees to which SMBs can go.
For example:
• Network and equipment monitoring can be a manual activity in its simplest form, but SMBs can purchase
speciality software to assist
• Third-party organizations can provide assessment services, including penetration testing, to validate the
effectiveness of cybersecurity mitigations
The degree to which SMBs should go will depend on the level of risk they perceive, and this may vary with time.
In addition, cybersecurity is continuously evolving, with new vulnerabilities, exploits, and threats arising all the time.
SMBs must continuously review their risk and adapt their mitigations to suit this changing landscape.
[3] ISA-62443 Series, Security for Industrial Automation and Control Systems, International Society of Automation
(ISA), https://www.isa.org/isa99/#diagram
[4] ISA/IEC 62443 Training Courses and Certificates, International Society of Automation (ISA),
https://www.isa.org/templates/two-column.aspx?pageid=124579
[7] Cybersecurity Resources for Small Businesses, Department of Homeland Security (DHS),
https://www.dhs.gov/publication/stopthinkconnect-small-business-resources
[9] Cybersecurity For Small Businesses course, US Small Business Administration (SBA),
https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses
[10] Small Business Information Security: The Fundamentals, National Institute of Standards and Technology (NIST),
http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
Ask yourself the following questions about your company’s exposure to Industrial Control Systems
Cybersecurity vulnerabilities:
It’s important to recognize and understand the differences between IT cybersecurity and ICS cybersecurity, and the table below highlights some of the most significant factors to consider. However, because IT is so prevalent in the cybersecurity field, cybersecurity is effectively being viewed as a malicious attack via the Internet against a Windows-based system with the intent of stealing information. Unfortunately, this paradigm does not apply to ICSs and does not address the most important aspect of ICSs—safety.
It is the consequences that are of the most interest when considering the
security of critical control systems. Many of these are installed in facilities
with an expected lifespan of 10–25 years. The nature of their design
and the close connection to the underlying process means that they often
cannot be upgraded to the latest cyber technologies easily, or even patched
on an expedited basis.
Why aren’t we paying closer attention and working to solve this imminent
challenge facing our infrastructure? One of the biggest reasons given for this
lack of attention on arguably the most critical system in a modern economy
is that there have been few reported control system cyber incidents affecting
these systems.
• Loss of control—as I’m driving, do I have control of the gas pedal, the
brake pedal, and the steering wheel?
Some attackers view exploits where you can damage physical processes as
the holy grail of cyber attacks—imagine the devastation, and the resulting
terror, that would be caused by the damage or compromise of the power
grid, or the water supply.
Industrial Control Systems cybersecurity is an issue with multiple facets, spanning technology, processes,
equipment, and people—and it crosses traditional barriers of geography, industry, and application. Vulnerabilities
and associated attacks, whether malicious or unintentional, can bring devastating financial, safety, and brand
reputation consequences—and executive management should be carefully considering their exposure to these
risks.
Culture, knowledge, and experience gaps exist between IT and Operations personnel in most companies, and the
coordination of these functions with guidance from a team of Industrial Control Systems Cybersecurity Experts
is critical to the success of a comprehensive cybersecurity program. Global consensus standards focused on
Industrial Control Systems cybersecurity can help to bridge the gaps between IT and Operations and between
safety and cybersecurity. These standards can be applied to processes, the associated training and certificate
programs can be leveraged to train people, and the associated compliance programs can be utilized to test and
certify equipment.
By using data from known incidents and vulnerabilities, and leveraging standards, training, and compliance
programs, systems engineers and Industrial Control Systems Cybersecurity Experts can reduce the risks to critical
infrastructure from hostile actors, human mistakes, and design flaws. We can make our systems more reliable,
less sensitive to malicious or unintentional breaches, and secure the safety of our people and processes in industry
and critical infrastructure.
Additional Resources
Download a brochure detailing ISA’s resources for Control Systems Cybersecurity, including the ISA/IEC
62443 standards and associated training, certificate programs, books, technical papers, and more:
www.isa.org/cybersecurityresources
Visit Applied Control Solutions at http://realtimeacs.com/ to learn more about Joe Weiss, the author of this
white paper.
By Siemens and the Ponemon Institute LLC
Foreword
Until recently, most cyber attacks have targeted the Information Technology (IT) environments, comprised of PCs, work stations, and mobile devices. As the process of digitalization has accelerated, so too has the convergence of IT and operational technology (OT) connectivity. This provides a wide range of benefits that enable organizations to optimize processes, capture cost savings, and turn data into value. At the same time, connectivity has also created a larger cyber “attack surface” that is harder than ever to secure.
Attackers have identified this convergence of IT and OT as a key opportunity to penetrate an organization. As a result, an emerging trend of cyber attacks is designed to disrupt physical devices or processes used in operations.
…led Siemens, in conjunction with the Ponemon Institute, to delve more deeply into the cyber readiness of the oil and gas industry in the Middle East.
The impact of these cyber intrusions against OT assets in the Middle East, especially in the oil and gas sector, the target of 50 percent of all cyber attacks in the region, is more significant than in other parts of the world: greater frequency relative to return on investment (ROI), more expensive relative to ROI, and with greater downtime.
To their credit, organizations in the region have been early enthusiasts for digitalization, ahead of many others in the world in recognizing the unprecedented business value. They have also recognized the greater cyber risk associated with greater connectivity. Oil and gas companies in the region are beginning to invest in protecting their assets from cyber intrusions, while lagging behind in terms of awareness and the rate of deploying technology that can protect their operating environment. In the government sphere, regulations intended to address the OT cyber threat are being rolled out, though, admittedly, these are mostly at an early stage.
The operating model of some oil and gas organizations in the region often serves to introduce additional OT cyber risk. We have seen joint ventures between national and international oil companies with an absence of clear ownership of OT cyber risk. This disconnect – between operations and OT cyber – can expose dangerous gaps in cyber asset management and detection, and severely hamper cyber teams attempting to secure the environment.
Sixty percent of respondents believe they face a greater risk in the OT than in the IT environment. Sixty-seven percent of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats.
These perceptions are, in fact, borne out in reality. A heightened risk environment is being driven by:
This survey highlights the close linkage between digitalization and cybersecurity for the oil and gas sector. In order
for organizations to capture the full benefits of digitalization, it is essential that they rigorously address the OT cyber
risk.
…address the OT cyber challenge
OT cyber services and solutions have not kept up with the threat. Oil and gas organizations in the Middle East are today dedicating only a third, on average, of their total cybersecurity budget to securing the OT environment. Given the risk shift we are witnessing in oil and gas – from the IT to the OT – this suggests that Middle Eastern organizations are not aligning their cyber investments with where they are most vulnerable. This OT investment shortfall is all the more alarming as Middle Eastern oil and gas organizations reported smaller average total (IT + OT) cyber budgets than their global peers.
Best Practice in Cybersecurity
Our study finds that oil and gas organizations in the Middle East recognize the growing OT cyber threat as well as the imperative to strengthen their cyber readiness. In fact, Middle Eastern organizations have already begun to take critical steps to improve their OT cybersecurity preparedness. Specifically, oil and gas companies in the Middle East have undertaken crucial steps such as:
CYBERSECURITY JOURNEY
Most organizations are only at the early stage of their OT cybersecurity journey. Just under two-thirds of respondents considered their OT cybersecurity programs at an early or middle maturity, with nearly a quarter saying they had the lowest level of OT cybersecurity maturity. In these lower maturity organizations, we see recurring traits that undermine effective OT security:
Only 39 percent plan to ensure hardened endpoints in the next 12 months, and only 20 percent will adopt analytics. The disconnect between establishing priorities and placing investments against those priorities highlights the importance of having a rigorous, long-term OT cybersecurity strategy.
The survey data shows the importance of addressing the fundamentals (e.g., hardening endpoints), as well as leveraging advanced technologies (e.g., analytics) to secure the OT environment. Oil and gas companies can also build on security analytics data to safeguard and optimize operational processes. By combining data from the network, controls, and asset layer, organizations are enabled to reap important benefits around, for example, process safety in refining.
MOST EFFECTIVE SECURITY TECHNOLOGIES
Respondents recognize and call for solutions to address insider threat, aging control systems, and secure connectivity.
(Chart: most effective security technologies; very effective and effective responses combined)
Organizations need to develop integrated OT cyber strategies that are adopted across the organization.
As shown in this research, organizational challenges create difficulty in strengthening OT security. Only 9 percent of respondents say there is full alignment between OT and IT with respect to cybersecurity. Though employee training and awareness is critical to developing a robust internal cyber culture, 65 percent of respondents say their organizations do not have initiatives in place that would build such a “cyber-safety” culture.
Methodology
In creating this report, we surveyed