Rising cybersecurity concerns relating to industrial control systems today
Cybersecurity for Integrated Control and Safety Systems (ICSS) has never been as prominent as it is today, as the complexity of these systems and their distinctive role in critical infrastructure become increasingly known through incidents.
There have been 700 documented Industrial Control Systems (ICS) cybersecurity cases, unintended and malicious, affecting power stations, utilities, refineries, oil rigs, factories and building control systems. These have caused 30 billion USD of financial impact and 1000 deaths and injuries globally. This number is set to grow as ICS devices are increasingly being connected to networks.
ICS security is normally applied to critical infrastructure via SCADA (supervisory control and data acquisition), PLCs (programmable logic controllers), etc. These electronics are linked to networks that may also be linked to the internet, and are thus a concern if compromised by malicious hackers.
TÜV Rheinland organises the first-ever ICSS Cybersecurity Summit to raise awareness in Asia Pacific
To address rising concerns, TÜV Rheinland co-organized, with REDCON Security Advisors and local partners, the inaugural ICSS Cybersecurity Summit 2016 in Singapore on April 8. The aim was to raise awareness amongst ICS stakeholders in power distribution, refineries, chemical plants, power plants, utilities, manufacturers, oil rig manufacturers and government in the Asia Pacific region. The event was supported by the Cybersecurity Agency (CSA) of the Singapore government, which reports directly to the Prime Minister’s Office, with the keynote opening address given by Mr Martin Lui, Deputy Director of CSA. The event was oversubscribed due to the overwhelming response from participants.
(from left) Mr. Joseph Weiss, Managing Director, ISA99 Standards Body, Applied Control Solutions, Mr. Timothy Toh, General Manager, Electrical Engineering - Asia Pacific, Mr. Manuel Diez, Global Business Field Manager (Elevators, Lifting Equipment and Machinery, and Electrical Engineering).
Mr Manuel Diez represented TÜV Rheinland with the opening presentation on “The Convergence of Industrial Safety and Security”. Amongst other topics presented were case studies on the Ukrainian Power Utility Cyber Attack and Aurora (USA) on Dec 23, 2015.
Mr. Manuel Diez spoke about the once-shunned topic of safety culture and how to maintain the robustness and reliability of today's safety systems to keep up with the ever-evolving technological trends and threats.
Mr Joseph Weiss, a foremost industry authority on ICS cybersecurity, Managing Director of ISA99 and advisor to the Obama administration, provided insights into unidentified threats, among them the security implications for safety applications in the case of a security breach.
Mr Joseph Weiss took the audience through interesting observations from the Ukrainian hacks and what they may mean to the national electric grid.
Amongst the speakers were four TÜV Rheinland Certified SIS Engineers and Experts, such as Mr Rahul Gupta from Wood Group Mustang, who presented an oil and gas industry insight into cybersecurity risk management as per ISA-99/IEC 62443. Mr Gupta will be a guest speaker at the Functional Safety Symposium in Cologne on May 11-12, 2016.
Mr Rahul Gupta discusses possible ways to integrate ICSS safety and security based on best practices and lessons learnt from the oil and gas industry.
The day following the event, the Singapore Government also announced in parliament that a cybersecurity bill will be tabled in 2017 to secure Singapore's critical information infrastructure and to educate senior ‘C’ level executives on cybersecurity.
How organisations can start safeguarding their industrial infrastructure against cyber-attacks
Organizations should first realize that these are not only IT issues but also OT (operations technology) issues, and cannot be addressed by IT personnel alone. The problems that arise should be treated as such and taken seriously by top management, such as CIOs and COOs who report to the CEO.
In short, there is no ‘silver bullet’ solution. Audits under the scope of ISA/IEC 62443 are the first steps for organizations to locate gaps and work out how to fix them. Many boxes are out in the market, but it remains to be seen which ones are the most effective. Isolation is the best solution, but it is not feasible in this day and age where ‘real time’ and ‘dashboards’ are the norm.
Penetration testing may also reveal flaws in the security of the system, but it must be done carefully in ICS or the assets can be damaged. A good understanding and inventory of the ICS and its endpoints should be among the first documents to have available.
The key takeaway
In conclusion, ICS cybersecurity is not an IT problem. It is one involving operations and process engineers. Timely reporting of incidents is key to discovering threats early, and this is only achieved through teamwork. This is the line all our speakers reiterated at the summit.
“In the world of ICS cybersecurity, there is no ‘safety’ without ‘security’,” says Mr. Manuel Diez.
If you have more questions about ICS cybersecurity or our testing services, please contact us below and one of our experts will speak to you shortly.
The Singapore ICSS Summit was sponsored by Palo Alto Networks, Beckhoff Automation, PAS, SANS.