Some of the most crucial processes in your organization likely depend on Industrial Control Systems (ICS) to function properly. Because many industrial organizations, such as power plants, provide important daily services to society, the people your organization or industry serves also depend on the proper function of ICS.
When a cyber security threat is present, ICS are at risk of failing which has significant impacts on your plant, society and the environment.
Unfortunately, the threat to ICS from cyber attacks is growing, with recent reports of more malware that specifically targets industrial organizations:
In addition to those attacks pictured in the graphic above, a more recent malware, called Triton, was discovered to specifically attack industrial control systems. Because of this, it is important than ever for organizations to implement an effective ICS cybersecurity program.
Whether your organization is implementing cyber security for compliance reasons, installing a security system because the growing cyber threat to ICS has become a serious concern, or looking to update and improve your anti-malware defenses with the most modern technology, you're likely to run into some common organizational challenges.
In working with many industrial organizations to implement the Verve Security Center (VSC), we’ve learned a lot about the organizational challenges that companies face when implementing a cyber security system or program for their ICS cyber security challenges.
Top Three Organizational Challenges When Implementing ICS Cyber Security:
ICS vs. IT
One of the most common challenges we see organizations facing when it comes to their ICS security is how to integrate their ICS and IT departments. ICS and IT are, historically, not unified but as industrial automation technology evolves, the importance of this integration happening increases greatly.
Why do ICS and IT need to be integrated?
The functioning of industrial equipment is typically monitored and controlled by operators who are part of a non-IT department. They are used to turning, pushing, or otherwise using controls to make changes to the operation of equipment like motors and valves without much thought about what happens in between.
However, because ICS are now present between the controls and the equipment itself, a cyber security risk develops there as well. This means there is a need for some IT services to be part of the functioning of equipment and industrial assets.
Why is the integration of ICS and IT seen as difficult?
In most organizations, IT teams and process or operations departments lack collaboration because they see this as all "machines and gears" which IT is not concerned with, and vis versa, operators in the process department don’t consider their job function to be related to IT. So where does this leave the security of ICS? Organizations that don't have a lot of personnel who can bridge the gap between operations and IT find themselves somewhere trapped in the middle.
Legacy Systems in ICS
Another challenge we see a lot of organizations facing when obtaining cyber security for their ICS comes from dealing with the aging hardware or software their ICS are built up from. While most organizations still use legacy ICS because they are critical to the functioning of the plant, their age means they can create "open doors" and opportunities for cyber attacks.
The only way to update these legacy systems is to slowly replace the aging components. But, replacing a legacy ICS with a new one without adding cyber security functionality is a major misstep as it may create serious risks for the organization in the future.
Cost of ICS Security Services
The final challenge we see organizations facing when it comes to ICS security services is the justification of cost of a security system or platform. This happens for a variety of reasons:
First, making a case for investing money into ICS security can be tough because there are no direct profits to be gained from doing so. Instead, cyber security investments can only be measured in terms of the loss prevention, and who can say exactly what losses would have been incurred due to security threats had the money not been spent on the system?
Second, another cost-related challenge arises when those who are in charge of allocating funds are far removed from those who are actually operating and maintaining ICS. It can be even more difficult to make a case for spending money on a platform that does not bring direct profit to someone who has minimal contact with the actual systems that need it, and perhaps also minimal knowledge of the actual security threat to ICS.
How Can Challenges Implementing ICS Cyber Security be Mitigated?
While the organizational challenges presented above are common and can be significant, at Verve, our extensive experience in dealing with industrial organizations has shown us the best ways these issues can be mitigated or dealt with effectively.
IT vs. ICS: IT OT Cooperation
Bringing people together from both the operations department and IT is essential for any organization that wants to successfully implement or run ICS cyber security. While this can be difficult, selecting the right cyber security platform and obtaining buy-in from both parties can make integration easier.
The VSC was designed from the minds of both controls engineers and IT experts. ICS is the backbone of what our company was founded on, and the Verve Security Center was built with a true understanding of what clients needed and wanted from a cyber security system.
Legacy Systems: Updated Asset Inventory
The key to handling the challenges associated with implementing cyber security on legacy ICS is effective asset management. We suggest keeping an updated, comprehensive inventory of all assets, including hardware and software. This way you can know exactly what you are dealing with and will be able to make smart choices about the implementation of cyber security when migration opportunities from legacy to new ICS arrive.
And, speaking of migration opportunities, we also recommend creating a migration strategy and roadmap for your legacy systems. This will allow you to create a timely, phased approach to changes and updates.
Cost: Quantifying Risk
Finding a solution to justify the costs associated with cyber security platforms can be difficult, but there are resources explaining or predicting the potential losses associated with not having secured ICS.
One such resource is Gordon and Loeb's Return on Security Investment (ROSI) model. This model attempts to quantify the benefits of investing in a security system by relating the expected loss resulting from security incidents to the costs associated with mitigating security controls.
Verve strives to offer our clients the best possible value for their investment. That's why we say one of our biggest advantages is that we help you "do more with what you already have." The Verve Security Center is specifically designed to take what you already have and make it bigger, better, and faster. We do this by automating the extension of the tools you’ve invested in to give you full coverage of the facility.
Realize the Verve Advantage
With deep ICS expertise in Network Hardening, Asset Management, Change Management, Whitelisting, Security Event Monitoring, and Patching, Verve Industrial Protection is the leader in helping utilities manage complex OT security and compliance challenges.
We can help you not only protect your plant from threats, but meet cyber security compliance requirements, and overcome organizational challenges, all because of our unique, innovative platform. With the Verve Security Center, you can perform a wide variety of cyber security actions and procedures all from a single, unified console.
If you are interested in obtaining the Verve Advantage, check out the VSC brochure or request a demo to see how your organization can become more secure tomorrow than you are today.