With the newest rounds of cyber attacks making it clearer and clearer that industrial control systems (ICSs) and critical infrastructure are not just a side dish on the menu but indeed a main course, it might be natural to assume that the best course of action is to disconnect altogether. But digitalization offers too much promise, and is too central to a competitive stance in the marketplace, to consider ditching for even a moment.
If manufacturers are going to willingly embrace an increasingly digital future, there needs to be a substantial foundation of trust.
"At the core of digitalization is indiscriminate trust. But the latest wave of cyber attacks has eroded that trust," said Leo Simonovich, vice president for global cybersecurity at Siemens. "This is especially true in infrastructure, where the benefits and risks are so great."
Several experts gathered this week in Chicago to discuss the best way to gain the level of trust needed and to get a better understanding about how industry should be approaching cybersecurity. Digitalization and cybersecurity are two sides of the same coin, the panel of experts argued during Siemens Innovation Day, held at the Digital Manufacturing and Design Innovation Institute (DMDII).
Siemens' goal is to bring the two sides of that coin together, noted Roland Busch, chief technology officer at Siemens and a member of its managing board. "We must not allow any attacks or weaknesses in cybersecurity to slow down the process of getting digitalization into the market," he said.
Plenty of pressure is on the automation suppliers to make their products secure by design, but there was a certain level of admonishment directed toward customers as well. Though 2017 could be considered the year of mega attacks, most of those attacks could have been prevented, Simonovich noted as moderator of the panel.
Amit Yoran, chairman and CEO of Tenable, agreed. "If you look at pretty much all of the high-profile attacks," he said, "so many of them were very preventable."
Yoran, who was founding director of the US-CERT program in the U.S. Department of Homeland Security, referenced Equifax CEO Richard Smith, who stepped down following the backlash over the massive breach of his company's data. Yoran scoffed at Smith's contention about how difficult it is to defend against nation-state organizations. "Many organizations are not doing the basics very well," Yoran said. "There's a tremendous difference between the ability to succeed and the high probability of failure."
During continued discussion after the panel presentation, Yoran was very clear: "The people who are getting compromised are the people who are negligent."
About those people
In fact, much of the vulnerability comes from the human side of the equation rather than the cybersecurity tools themselves.
Good cybersecurity requires a wholesale change in attitude, Busch indicated. "First and foremost, we have to have the right spirit," he said. "We have to start with the people and processes because the mindset makes a difference."
But even with the right attitude, there is a basic shortage of some 3.5 million cyber professionals, according to Cybersecurity Ventures. The problem is likely even more acute on the operational technology (OT) side, Simonovich added.
This issue is "incredibly critical," said Sid Snitkin, vice president and general manager of enterprise services for ARC Advisory Group. Industry has moved beyond the cybersecurity awareness problem that it used to have, and most companies have invested in protective technologies. "But they can't maintain it because they don't have the people, and the people they have don't have the knowledge," Snitkin said. "It gives them a false sense of security. They think, 'I've bought all this technology, so I must be secure.' But they're not."
Though suppliers are building secure systems, that's just one step along the way, Snitkin noted. "That's where these small companies in particular are hurting," he added. "There's no way those small companies can get the expertise to maintain these things."
To be as secure as big companies, the small guys need to accept a different strategy in which they rely more heavily on outside services, he argued. "Vulnerability could be completely outside the scope of what these companies are doing," added Sami Nassar, vice president of cybersecurity at NXP Semiconductors.
"Small companies don't have a chance at all to get the internal competence to a level they need," Busch said, adding that the same is true to some extent for larger organizations.
Part of the effort to improve security comes through collaboration among vendors, customers and more. It requires an ecosystem rather than a one-vendor solution, commented Nassar. "A multitude of companies need to work together for something built for reliability," he said, noting that that was a key reason that NXP signed on as a founding member of the Charter of Trust, a collaborative cybersecurity effort initiated by Siemens. "It's an aggregation of capability for a platform. We will be able to collaborate around verticals and can set at least a minimum level of security."
Security built in
Rather than model industrial networks on the Internet, it's important to look into what went wrong with the Internet, Nassar said. "There are more and more hacks going into it every day," he said. "It was not meant for cybersecurity. The architecture itself was not built with cybersecurity in mind."
Nassar contrasted that with the cell phone infrastructure, where security was built in. "They thought about how to secure the platform before they built it," he said.
In the same way, industrial networks need to be secured from the start. "At the get-go, it's much more cost-effective, much more efficient," Nassar said. "One common denominator of the high-security network is they start the security from the lowest level possible. Security is built from the bottom up, not added on the top."
This basic blueprint of trust is what is needed. "Vulnerability comes typically from the higher levels," Nassar said. "If you don't have a good anchor at the bottom, it will be very expensive to secure later on."
"People need to think about cybersecurity as a core feature rather than just something you have to have," Busch emphasized. "The whole thing starts with a proper, trusted system."
Security by design or security by default is a good starting place to build the trust with customers, but it's not enough, Yoran contends. "The unfortunate reality is that nothing works. You can't have cybersecurity, period, without a strong root of trust. But even these hardware roots of trust have challenges sometimes," he said. "If you have secure componentry, that's a good start. The challenge is when you're connecting them in ways that weren't expected; adding software that wasn't expected. It starts behaving in ways they weren't designed for."
Responsiveness
The reality is that the probability of your organization being attacked is pretty close to 100 percent, and there's a high probability that there's already some form of adversary in the system. So how should industry be building resiliency?
"You can't protect everything equally. We know that's a failed strategy," Yoran said. "I believe the key here is all about risk management and prioritization. What is the core business? What are the mission-critical applications? How do we provide the appropriate level of determinism?"
Resiliency has more to do with being able to live through an attack, Snitkin argued. "Most of the cybersecurity technologies are defensive technologies. They're reducing the likelihood that an attacker is going to get in," he said. "That's important. But what's more important is how you're going to react to an attacker."
Two sides of a coin
Circling back to the idea of cybersecurity and digitalization as two sides of the same coin, panelists emphasized the good that can come from a reasonable level of care taken on security. "Security is the enabler for the Industrial Internet of Things," Snitkin said. "Don't ignore the problem. You have that risk, but accept it and move on."
"Security is just something that needs to be thought through," Nassar said. "It's not something to be scared of."
There's no escaping the need for connected assets. "Digitalization is a requirement," Yoran said. "If you want to be in business next year, you have to go through digitalization. But you have to recognize that that doesn't come risk-free. You have to keep systems at a level of hygiene and preparedness that we haven't done in the past because we were in a disconnected world. That has to be the mindset."