Before you can dive in and look at the core concept of automation cybersecurity, it's helpful to first define it. Automation cybersecurity is the prevention of intentional or unintentional interference with proper operation of automation systems including industrial controls, smart manufacturing, and IIOT systems through the use of computers, networks, operating systems, applications and other programmable configurable components of the system.
Automation cybersecurity goes by many different names. Everything from SCADA security to process control network security, industrial automation and control system security, or just industrial control system security. There are many different terms that that may be used. What exida standardized and uses primarily, is aligned with the IEC 62443 standard which is industrial automated control systems (IACS).
Differing Priorities
IACS falls under the category of Operations Technology (OT). Operations Technology (OT) has different priorities than a typical IT system. For corporate or business networks, ensuring that no unauthorized users gain access and steal data is their primary goal. Integrity and system availability are less critical.
A good example of availability being less critical on the IT side would be to think about a system update for a laptop connected to the business network. If a user doesn't have access to that laptop for five minutes when an update is being installed, that's really going to have a negligible consequence. On the other hand, though, when we talk about OT, availability is paramount and is the number one priority that must be maintained. If a programmable logic controller is unavailable for five minutes, that could have a major impact on the system and would most likely result in a process shutdown or another undesirable event. The priorities on the IACS side are actually the opposite of what we would look at on the traditional security side.
In addition to having different priorities, there's also different experiences between the IT and the OT groups. The IT lifecycle is very quick to turn around and may change roughly every 3 to 5 years, whereas for OT equipment is much longer, maybe 15 to 20 plus years. As a result, we often have a more difficult time securing and updating legacy equipment on the OT side because it's not as practical to update as frequently.
We are somewhat limited in the ability to update that system and make more frequent changes. From a staffing perspective, outsourcing for IT support is relatively common. For OT, we typically havededicated plant resources. Or in some cases we may have a dedicated system integrator who provides support, but it tends to be much more localized.
From a patching perspective, this also tends to be much more frequently completed on the IT side. For example, Windows devices might be updated every Tuesday. They tend to be applied as soon as possible for the OT side because patching and downloading updates to the firmware for PLCs and other network equipment has the potential to trigger an availability concern. This tends to be done much less frequently on the environment and more as an as needed basis. If there is a specific security vulnerability that needs to be updated or a specific feature that's needed, patching has to be planned more in advance and there will be some additional steps that go into that.
Antivirus and endpoint protection is very common on IT systems and tends to be pretty well implemented. On the OT side, older legacy systems may not support the use of antivirus, which may make it more difficult use that on the system. That’s mostly because on those older systems it could have a negative impact on the real time process control software and could be an availability concern.
This is an area that that has been changing over time. Today, all of the major equipment suppliers are supporting antivirus on their DCS control system platforms. This is something that is starting to improve for the OT networks.
Generally speaking, the IT community has been more aware of cybersecurity for a longer period of time and tends to have very good cybersecurity awareness. However, IT is not as familiar with the process safety implications and may not be aware of the physical impacts that a compromise of a control system could have. Alternatively for OT systems, cybersecurity awareness has in the past been relatively poor, where there's really just been a focus on making sure that the system is running and maintaining and keeping that uptime.
In conclusion, cybersecurity awareness in the OT community is improving. More focus has been put on it in recent years. It’s something that sites are continuing to look at and improve on. While that is improving in general, the awareness for process safety risks is much more mature than on the IT side because they're physically working with the sites and are familiar with those areas. If you would like to learn more about the current state of the IACS cybersecurity environment, cybersecurity hygiene, and the ISA/IEC 62443 series of standards including the cybersecurity lifecycle, check out our CS 002 self paced training course.
Related Items
CS 002 self paced training course
Tagged as: SCADA Patrick O'Brien OT IACS Cybersecurity