exida performed a cybersecurity review and assessment. The major deliverables were to evaluate the asset inventory process and methodology and to propose changes to the Process Control Network (PCN) infrastructure with mitigation steps to improve security.
A company initially requested that we perform two specific reviews and assessments. The major deliverables were to 1) evaluate the asset inventory process and methodology and comment on it, and 2) propose changes to the Process Control Network (PCN) infrastructure with mitigation steps to improve security. These are both important and relevant steps, but they were requested essentially as standalone processes, with no real glue steps to hold them together.
Take the request to review and comment on the inventory, for example. The real questions that had to be asked were: how is this process initiated, and how will this information be used? What fed this process, and what did this process feed?
Reviewing the architecture and suggesting improvements was also requested. However, how are pertinent items such as these known: a) the criticality of the devices being reviewed, b) what Security Level (SL) we are trying to accomplish, c) the vulnerabilities inherent in the devices, d) the current mitigation steps in place, and e) what the company has already done?
After a number of conversations, it became apparent that the company simply wanted an answer, but that answer would be devoid of context and supporting data. There was more to be done; now the question was whether the customer would be open to expanding their view: a potential slippery slope.
The initial meeting with the customer was the usual mix of listening to what they had already accomplished, what they were trying to accomplish, what they needed, and what they did not need. exida learned a lesson a number of years ago: while the customer may not always like, accept, or appreciate a "tough love" approach, in the long run it is almost always for the best. exida therefore responded with a modified plan. The first thing presented was the Cybersecurity Lifecycle from ISA/IEC 62443 and the integrated Cybersecurity/PSM lifecycle from the new TR-84.09.01 working group, and how those would apply directly to what the customer is trying to accomplish. They are actually starting in Brownfield mode, but with so many information gaps that it almost resembles Greenfield. Using the lifecycle as a reference, it was determined that the best course of action would be to give the customer the deliverables they wanted, but also to perform the necessary Risk and Vulnerability assessments, provide guidance on the inventory collection, and provide samples of data flow and Zone and Conduit documents, etc. This information would be used in a linear fashion, each step feeding the next until a complete picture was finally revealed. Asset inventories would identify the devices, where in the process they are used, their criticality, and other information about the devices. That would feed a High Level Cybersecurity Risk Assessment, which would identify the assets by critical process area.
A Cybersecurity Vulnerability Assessment would then identify the potential exposure to exploitation across the PCN system. Finally, all of these would feed the Detailed Cybersecurity Risk Assessment, which would identify the devices, their criticality, the vulnerabilities which could be exploited, the consequence and therefore the risk, the current mitigation steps and the resultant Security Level, the Security Level Target, the additional steps recommended, and finally the Security Level to be achieved. The initial assessments and investigations would yield the foundation material; further assessments would refine and categorize it. When the information originally asked for was reviewed, the customer would also be able to see the path taken to gain that information and how important it was to the operation of the process under scrutiny. Critical components and the vulnerabilities they exhibited could be identified, along with how they could be exploited, what the consequence would be, and therefore the risk. Additionally, there was discussion as to what countermeasures could be employed to mitigate that risk to an ISA/IEC 62443 Security Level they deemed acceptable.
The company was very open to the expanded discussion and very easy to work with: listening to the proposal, countering with some additions they felt they needed, deciding not to pursue some in which they did not see the value, and ultimately being provided with multiple reference documents that gave them a complete picture, not just an answer.
The Cybersecurity lifecycles from both ISA/IEC 62443 and TR-84.09.01 gave a template and foundation from which to plot a path. The goal of this exercise was to develop a cybersecurity model at one facility which can then be duplicated at other facilities. exida not only came on site to perform the assessments but also provided the training necessary to allow the processes to move forward.
This approach is not always the best way, and it is not always accepted by the customer. However, this customer saw the benefit of the expanded engagement, was very knowledgeable on the standards and expectations, and was very open to the possibility of getting as much from this exercise as possible. They saw the value in letting a company that was an expert in cybersecurity evaluate their systems. They provided invaluable insight and guidance on their specific installation, as no one knew it better than they did. In the end, the collaborative effort yielded a valuable and substantiated set of reports.