Some of the most crucial processes in your organization likely depend on Industrial Control Systems (ICS) to function properly. Because many industrial organizations, such as power plants, provide important daily services to society, the people your organization or industry serves also depend on the proper function of ICS.
When a cybersecurity threat is present, ICS are at risk of failing; something that would have significant impacts on your plant and possibly also on society and the environment.
Unfortunately, the threat to ICS from cyber attacks is only growing, with recent reports of more malware that specifically targets industrial organizations:
In addition to those attacks pictured in the graphic above, a more recent malware, called Triton, has also been discovered to specifically attack industrial control systems. Because of this, it has become more important than ever that organization implement an effective ICS cybersecurity program.
Whether your organization is implementing cybersecurity for compliance reasons, or installing a system because the growing cyber threat to ICS has become a serious concern, or looking to update and improve your anti-malware defenses with the most modern technology, you're likely to run into some organizational challenges.
At Verve, we’ve worked with many industrial organizations in the implementation of our cybersecurity platform, the Verve Security Centre. In doing so, we’ve learned a lot about the organizational challenges that companies face when implementing a cybersecurity system or program for their ICS cybersecurity challenges.
Top three organizational challenges of implementing ICS cybersecurity:
ICS vs. IT
One of the most common challenges we see organization’s facing when it comes to their ICS security is how to integrate their ICS and IT departments. ICS and IT are, historically, not unified but as industrial automation technology evolves, the importance of this integration happening increases greatly.
Why do they need to be integrated?
The actual functioning of industrial equipment is typically monitored and controlled by operators who are part of a non-IT department. They are used to turning, pushing, or otherwise using controls to make changes to the operation of equipment like motors and valves without much thought about what happens in between.
However, because ICS are now present between the controls and the actual equipment, there is now a cybersecurity risk present there as well. This means there is a need for some IT services to be part of the functioning of equipment and industrial assets.
Why can integration be difficult?
In most organizations, the IT team doesn’t do much talking to the process/operations department because they see this as all "machines and gears" which they don't have anything to do with. On the other hand, the operators in the process department probably don’t consider their job to have anything to do with IT. So where does this leave the security of ICS? Well, because more organizations don't have a lot of personnel who can bridge the gap between operations and IT, usually somewhere trapped in the middle.
Another challenge we see a lot of organization's facing when obtaining cybersecurity for their ICS comes from dealing with the aging hardware or software their ICS are built up from. While most organizations still use legacy ICS because they are critical to the functioning of the plant, their age means they can create "open doors" and opportunities for cyber attacks.
The only way to update these legacy systems is to slowly replace the aging components. But, replacing a legacy ICS with a new one without adding cybersecurity functionality is a major misstep as it may create serious risks for the organization in the future.
The final challenge we often see organization's facing when it comes to ICS security services is the justification of cost of a security system or platform. This happens for a variety of reasons.
First, making a case for investing money into ICS security can be a tough one because there are no direct profits to be gained from doing so. Instead, cybersecurity investments can only be measured in terms of the loss prevention, and who can say exactly what losses would have been incurred due to security threats had the money not been spent on the system?
Second, another cost-related challenge arises when those who are in charge of allocating funds are far removed from those who are actually operating and maintaining ICS. It can be even more difficult to make a case for spending money on a platform that does not bring direct profit to someone who has minimal contact with the actual systems that need it, and perhaps also minimal knowledge of the actual security threat to ICS.
How Can These Challenges be Mitigated?
While the organizational challenges presented above are common and can be significant, at Verve, our extensive experience in dealing with industrial organizations has shown us the best ways these issues can be mitigated or dealt with effectively.
Bringing together people from both the operations department and IT is essential for any organization that wants to successfully implement or run ICS cyberseurity. While this can be difficult, selecting the right cybersecurity platform can make the integration easier.
The Verve platform was designed from the minds of both controls engineers and IT experts. ICS is the backbone of what our company was founded on, so when creating the Verve Security Centre we were able to truly understand what your clients needed and wanted from a cybersecurity system.
The key to dealing with the challenges associated with implementing cybersecurity on legacy ICS is effective asset management. We suggest keeping an updated, comprehensive inventory of all assets, including hardware and software. This way you can know exactly what you are dealing with and will be able to make smart choices about the implementation of cybersecurity when migration opportunities from legacy to new ICS arrive.
And, speaking of migration opportunities, we also recommend creating a migration strategy and roadmap for your legacy systems. This will allow you to create a timely, phased approach to changes and updates.
Finding a solution to justifying costs associated with cybersecurity platforms can be a struggle. But there are resources out there that can explain or predict the potential losses associated with not having secured ICS.
One such resource is Gordon and Loeb's Return on Security Investment (ROSI) model. This model attempts to quantify the benefits of investing in a security system by relating the expected loss resulting from security incidents to the costs associated with mitigating security controls.
At Verve, we strive to offer our clients the best possible value for their investment. That's why we say one of our biggest advantages is that we help you "do more with what you already have." The Verve Security Centre is specifically designed to take what you already have and make it bigger, better, and faster. We do this by automating the extension of the tools you’ve invested in to give you full coverage of the facility.
With deep ICS expertise in Network Hardening, Asset Management, Change Management, Whitelisting, Security Event Monitoring, and Patching, Verve Industrial Protection is the leader in helping utilities manage complex OT security and compliance challenges.
We can help you not only protect your plant from threats, but meet cybersecurity compliance requirements, and overcome organizational challenges, all because of our unique, innovative platform. With the Verve Security Centre, you are able to perform a wide variety of cybersecurity actions and procedures all from a single, unified console.
If you are interested in obtaining the Verve Advantage, request a demo today to see how we can work in your organization.