Integrating Safety and Security Strengthens Cybersecurity

Summary

Most conversations about the Industrial Internet of Things (IIoT), safety, and security revolve around two separate topics: “smart” machinery or process safety to protect people and equipment, or industrial control system (ICS) security.

These conversations are important and valid. However, too many industrial companies are not focused on the inherent safety implications of common security risks. For example:

• When an oil pipeline was hacked in Turkey causing an explosion and 30,000 barrels of spilled oil, the cyber attackers negated the existing safety system to shut down alarms, cut off communications and super-pressurize crude oil in the line.
• A regional water supplier experienced a cybersecurity breach that not only compromised customer data but caused unexplained valve and duct movements, including manipulation of programmable logic controllers (PLCs) that managed water treatment and public safety.

These attacks highlight how safety and security programs are inextricably linked in industrial production.

Many manufacturers are tapping into IIoT technology to remotely access production machinery, allow wireless access to pumping stations, or connect plant-floor equipment to the information technology (IT) infrastructure. This is the future. This is how manufacturers can realize improved asset utilization, faster time to market and lower total cost of ownership. However, greater connectivity can increase security risks that will impact safety. This is where better enterprise risk management is important.

Integrating safety and security efforts Safety and security have traditionally been viewed as separate entities, but there is a commonality between them in the approaches used to analyze and mitigate risks. For example, the concept of “access control” is common between safety and security. In both cases, policies and procedures are built based on business practices, risk management approaches, application requirements and industry standards.

Manufacturers and industrial operators who want to reduce the likelihood of security-based safety incidents must rethink safety. Specifically, start thinking of safety and security in relation to each other. This relationship can have the biggest impact in three key areas:

1. Behavior: In addition to helping protect intellectual property, processes and physical assets, security personnel must make protecting safety systems a core value in everything they do. Greater collaboration between environmental, health and safety (EHS); operations; and IT teams is more important than ever. All three teams should work together to develop co-managed objectives for safety and security and identify critical safety-data requirements from plant-floor systems. Because a strong safety culture involves every employee, a companywide understanding of the relationship between security and safety is needed.

2. Procedure: Compliance efforts should meet the security requirements in safety standards, such as IEC 61508 and IEC 61511. Conversely, security efforts should follow an in-depth defense approach and address safety-related security risks at all levels of an organization. Defense in depth is recommended in the IEC 62443 (“Security for Industrial Automation and Control Systems”) standard series (formerly ISA99) and elsewhere.

3. Technology: All safety technologies should have built-in security features. They should also use security technologies that help protect against safety-system breaches and enable speedy recoveries should a breach occur.

Risk mitigation

The list of potential security threats that could have safety implications is quite vast. So, any mitigation of a company’s security-based safety risk must start with understanding where it is most vulnerable. This should be done by conducting separate safety and security risk assessments, then comparing reports to examine where security most impacts safety. This will allow users to best address their unique set of risks.

The concept of digital transformation is bringing production intelligence to manufacturers for measuring and improving nearly every aspect of their operations. It’s also providing instantaneous information sharing and seamless collaboration across organizations.

For these opportunities, more connection points can create more entrance points for security threats. Users must account for and address how these threats impact the safety of their people, their infrastructure, and the environment around their operations. The IIoT is bringing opportunity, risk and the ability to holistically integrate safety and security programs to optimize operations.

A proactive approach to ICS security

Industrial organizations must prioritize safety and reliability to protect against cyberattacks—and quickly. With risks and reporting mandates growing, a paradigm shift must occur. Five key focus areas, or steps, can help assess and improve cybersecurity hygiene and a converged IT and operational technology (OT) security strategy. These factors are based on guidance from the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

Step No. 1: Identify. One of the biggest roadblocks to building a great cybersecurity program is that many production environments are poorly inventoried. If users don’t know what’s connected to their network, whether it’s part of the ICS or a new type of productivity software used by an employee, they can’t secure that environment properly.

First, identify, map and verify everything that’s connected to the network. Users can do this themselves or work with a partner that offers installed base asset identification tools and services. Determining vulnerabilities and initial risk posture is the first step.

Another helpful technique in understanding exactly what to protect is reviewing operations through a zero-trust lens, using a protect surface approach that prioritizes business-critical data, assets, applications and services (DAAS) in priority order. Apply the best protect controls available as close as possible to what’s being protected.

Step No. 2: Protect. Once users have taken inventory of their assets and understand what must be protected, it’s time to apply the right safeguards against the ever-changing landscape of cyber threats.

There are many protective measures that can be implement. Choose the types of controls that are in alignment with any compliance standards or security frameworks, such as the NIST CSF. That includes multi-factor authentication, access control, data security, perimeter network deployment, and micro segmentation. Protective measures also include the common industrial protocol (CIP) product security, perimeter hardening, firewall deployment and patch management. These countermeasure controls help manage risk proactively and protect the data that’s essential to your operations.

Step No. 3: Detect. Protecting industrial networks against cyber threats requires constant vigilance. Knowledge of all endpoints on the organization’s network from plant-floor assets to laptops, mobile devices, even security cameras, or USB ports, is critical. Users also need real-time visibility into how, when and where others are accessing or manipulating assets.

Threat detection services can help users monitor and detect these increasingly complex threats. These services provide visibility across all levels of IT and OT environments, meaning they not only look for malicious activities, but offer real-time monitoring and deep network inspection across all assets.

Managed threat detection is a powerful cybersecurity defense, especially in critical infrastructure, industrial manufacturing, and other OT environments. An OT security operations center (SOC) staffed with experienced security veterans provides a unique pooling of talent, technology and first-hand experience. This cybersecurity protection expertise is difficult to duplicate for the same cost by individual organizations. With the convergence of security operation tools in IT—such as security information and event management (SIEM) and security orchestration, automation and response (SOAR)—these security tools will soon hit production environments, driving the need for automated response and triage, disaster recovery and response planning.

Step No. 4: Respond. If a security incident occurs, it’s critical to respond immediately and address the threat before it spreads and causes greater damage. That’s why having threat detection services in place beforehand is essential to effective risk management. Similarly, having a mature incident response plan or disaster recovery plan will achieve minimized downtime to restore production operations.

Step No. 5: Recover. The top priority after a security-related downtime event is to get production up and running as quickly as possible. For this step, it’s important to use backup and recovery services to keep near real-time records of production and application data. Having these resources in place will allow users to resume normal operations after an incident, shortening the recovery cycle.

Once operations are running smoothly again, investigate and analyze the incident and fully identify the root cause. This analysis will illuminate ways to close security gaps and improve security posture. It will also make the organization more resilient to related threats down the line.

_{This feature originally appeared in AUTOMATION 2023 Volume 2: Connectivity & Cybersecurity.}