You wouldn’t begin a journey without knowing where you are starting from, where you want to go and how you are going to get there.
Planning the journey to secure your control systems is no different. It starts with understanding the risks that control system security (or insecurity) poses to your business. This is known as a risk assessment, and it is used to quantify the threats that pose a danger to your business. Then you rank these risks so you know how to prioritize your security dollars and efforts.
Only when these two tasks have been completed should you start planning how to apply countermeasures to reduce the risk to tolerable levels. Far too often, we see the assessment step skipped. We have seen companies throw money into a solution for what might be a minor risk, leaving far more serious risks unaddressed. As a responsible professional in your organization, you should be advocating for taking a step back and doing the risk assessment first.
We recommend starting by performing a high-level risk assessment on each of the major control systems in your plant, company or corporation. While this may seem like a daunting task, it can be very manageable if you adopt a simple, lightweight risk assessment methodology. The purpose of such an exercise is to identify the risk of a cyber incident, as a function of likelihood and consequence, and produce a list of control systems ranked by their relative risk.
If you are responsible for more than one facility, we also recommend selecting one of your “typical” manufacturing facilities and conducting a third-party security assessment on the control systems and security practices in that facility. The purpose of such an assessment is to identify the gaps between the current control system designs, architecture, policies, and procedures on one side and industry best practices on the other. The assessment should also provide recommendations to address the gaps.
The results of this assessment will provide management with a solid understanding of the current situation and a path forward. Most important, it will offer a framework for prioritizing investments in control system security.
While assessments like these can be performed with internal resources, we highly recommend using an experienced third party with expertise in control system security, for at least the first assessment. A third party can provide an unbiased review, a recommendation based on their experience, and feedback on how your organization compares with other companies in your industry.
Detailed vulnerability assessments and penetration testing are an important part of the security lifecycle, but these only make sense after your organization has first performed high-level risk assessments and gap analysis. The results of these earlier steps will help identify high-risk systems or sub-systems that require detailed analysis and testing.
Finally, it is important to understand that penetration testing of your online control system can be extremely risky. We recommend reserving this type of testing for Factory Acceptance Testing (FAT), Site Acceptance Testing (SAT) or a scheduled shutdown.