CISOs Must Address Their Blind Spot for Effective Oversight of ICS Security

Author: Asaf Weisberg, CISM, CRISC, CISA, CGEIT, ISACA board director and immediate past president of the ISACA Israel Chapter
Date Published: 10 September 2019

Cybersecurity resilience of Industrial Control Systems (ICS), Building Management Systems (BMS) and other Operational Technology (OT) systems is falling behind. This is a critical challenge, considering that a cyberattack on ICS and OT could result in loss of life and/or major environmental damage. These grave threats, of course, come in addition to the financial, reputational and compliance impacts of cyber incidents that affect all industries. Given the high stakes, it is time for the CISO to step up, learn about the unique characteristics of ICS and OT, and collaborate with industrial control engineers in order to take proper responsibility for ICS and OT cybersecurity.

I have gained experience in this area through my work on a project I conducted for the Israel National Cyber Directorate (INCD), in which we worked to provide the Israeli ICS sector with a practical tool allowing enterprises to conduct a cyber risk assessment of their ICS network. In working to develop the tool, we met with a range of OT engineers and cybersecurity professionals to draw upon their expertise and insights. Through those interactions, a concerning pain point was identified – ineffective working relations and processes between the two groups, leading to poor cyber resilience for ICS networks.

Clearly, there is a leadership vacuum that needs to be filled. Among many in the industry, there is a debate about who should assume ultimate responsibility for ICS security – the CISO or the OT engineers. I believe that the CISO is best suited to do so, given the CISO’s grounding in risk management practices and controls for cyber risk mitigation. But to properly oversee this area, CISOs must address their blind spot regarding risks in the OT environment. Since CISOs generally possess little knowledge of OT processes and systems, or of how sensitive those systems are to change, they tend to overlook the potential consequences if something goes wrong. Conversely, business executives may be familiar with OT processes, but they tend to have less understanding of cyber risk, focusing instead on productivity and process reliability.

ICS and OT systems, such as Building Management Systems (BMS) and surveillance cameras, can be found in most modern organizations. ICS is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. ICS are used in critical infrastructure – areas such as the manufacturing, transportation, energy, and water treatment industries, which are essential to the health, safety, security and economic well-being of governments and society as a whole. OT systems, meanwhile, include the hardware and software systems that monitor and control physical devices in the field, such as devices that monitor temperature in industrial environments.

The convergence of IT and OT gives enterprises greater integration and visibility across the supply chain, including critical assets, logistics, plans and operational processes. Having a thorough view of the supply chain can help organizations improve strategic planning and remain competitive. However, the same convergence expands the attack vectors available to cybercriminals, allowing them to take advantage of poorly protected OT infrastructure.

This is part of the challenge for CISOs, who nonetheless have several places to turn for guidance in shoring up this common blind spot. CISOs and others interested in learning more about reducing ICS security risk would be well served to explore NIST’s Cybersecurity Framework Manufacturing Profile. Additionally, the ISA/IEC 62443 series of standards provides a flexible framework for addressing and mitigating current and future security vulnerabilities in industrial automation and control systems. And on the certification front, ISACA’s CISM credential can help CISOs develop a risk-based approach to managing the security challenges that may arise across the ICS and OT landscape.

Editor’s note: Weisberg will present additional insights on “Illuminating the CISO’s ICS Blind Spot” at Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City, USA.