Welcome to the latest edition of the Cybersecurity Advocate, the official newsletter of the ISA Global Cybersecurity Alliance (ISAGCA). This issue includes information about the recent Virtual Cybersecurity Standards Implementation Conference, where ISAGCA member companies saw a significant turnout, as well as exciting developments from our four work groups.
The Virtual Cybersecurity Standards Implementation Conference (VCSIC) took place online on 16 July 2020, and ISAGCA had a strong presence there. ISAGCA staffed a virtual booth—conference attendees could visit us between presentations, chat with ISAGCA members, and learn more about the benefits of membership. The International Society of Automation (ISA), ISAGCA’s parent organization, hosted the conference. Representatives from several ISAGCA founding member companies (aeSolutions, exida, PAS Global, Schneider Electric, and Xage Security) also presented talks.
The day kicked off with a keynote speech from Andrew Kling, an industry-recognized authority on cybersecurity. He addressed the unique cyber risks we are encountering due to COVID-19, as well as how to mitigate them and find our way to “the next normal.”
Patrick O’Brien, a safety and cybersecurity engineer at exida (an ISAGCA founding member company), followed the keynote with a discussion on high-level cybersecurity risk assessments (HLRA) and control hazard and operability studies (CHAZOP). He said that organizations can significantly improve cybersecurity awareness of their systems with a minimal time commitment by pairing a cybersecurity HLRA with a CHAZOP, demonstrating that OT cybersecurity and safety are interrelated.
Garrett Myler, a digital network intelligence analyst for STAG, offered a critical review of the concepts and methodology behind ISA/IEC 62443-3-2, which introduces unmitigated likelihood, unmitigated risk, and the cyber risk reduction factor.
John Cusimano, head of the industrial cybersecurity division at aeSolutions (an ISAGCA founding member company), also discussed ISA/IEC 62443-3-2, providing an overview of the standard as well as best practices for ICS risk assessments.
Matt Selheimer, CMO at PAS Global (another ISAGCA founding member company), spoke about the shift to remote work for industrial organizations, underway long before the onset of COVID-19. COVID-19 has significantly accelerated the transformation, however, and Matt recommended ways to enable effective, secure, and safe remote operations.
Bar Katz, director of product management at Xage Security (another ISAGCA founding member company), highlighted key differences between IT and OT/IoT networks and presented an overview of cybersecurity design principles and trends across the different types of networks.
Chad Lloyd, a security and software architect for Schneider Electric (yet another ISAGCA founding member company!), dove into social engineering attack methods and prevention techniques. “The human factor” is a common vector for cyberattacks, but there are ways to prepare and educate your workforce—and yourself.
Johan Nye, author of the ISA/IEC 62443 Series of Standards Quick Start Guide, wrapped up the sessions with a preview of ISA’s new on-demand course, “Overview of ISA/IEC 62443 for Product Suppliers” (IC46M). By understanding the series of standards, product suppliers will be able to communicate its value to stakeholders.
Thank you to each of the many ISAGCA affiliates who staffed the booth, attended the conference, or presented a talk. The event was a success thanks to you!
Stay tuned for Virtual CSIC+, another online event that dives deeper into automation cybersecurity. Hosted by ISA, you are invited to join us on 25 August 2020 to attend talks on adversary cybersecurity attacks, purple teaming, and hunting ransomware. You can view the schedule and sign up to attend here.
To learn more about the robust suite of ISA virtual events on the books for the rest of the year, visit www.isa.org/virtualevents.
ISAGCA booth at VCSIC
Word of mouth is spreading about ISAGCA. Thank you for your continued support in this area!
The Cyber Threats Are Real – We’ve Got to Be Ready, 4 March 2020
Top 20 PLC Secure Coding Practices (Dale Peterson, LinkedIn), 16 July 2020
Learning OT Cybersecurity from the TV Show ‘Mr. Robot’, 23 July 2020
The Top 20 PLC Secure Coding Practices Project (Sarah Fluchs, Medium), 29 July 2020
We’ve collected a sampling of recent and upcoming events related to ICS/OT/automation cybersecurity. At the time of writing this newsletter, all events are taking place online, but please check the event websites for the most up-to-date information.
American Institute of Chemical Engineers’ (AIChE) 2020 Spring Meeting & 16th Global Congress on Process Safety, 17-21 August 2020 (ISAGCA and ISA will have a presence)
ISA Virtual CSIC+, 25 August 2020 (hosted by ISA)
Cyber Security for Critical Assets Summit USA, 2-3 September 2020
ISAGCA work groups have been intensely active this summer. We have a lot of exciting developments and upcoming projects planned in each of the four work groups. Read on for the latest news.
Advocacy & Adoption Work Group
The Advocacy & Adoption Work Group is involved in global legislation and regulatory affairs advocacy. Member companies have contributed intelligence and insights about legislation and pending regulations around the world involving OT cybersecurity. Plans include reaching out to governments and agencies to identify references to ISA/IEC 62443 and identify any implementation help needed. The goal is to increase awareness and understanding of the ISA/IEC 62443 series within global governments—and to increase the likelihood of standards being included in regulations.
A cross-reference or matrix of standards is also planned. This effort maps the parts of the ISA/IEC 62443 Series to the relevant parts of other known standards and regulations so that asset owners can recognize where the series intersects and overlaps with other documents. In its final form, this document will reduce the complexity, or the perceived complexity, of blending multiple standards into a facility’s approach to cybersecurity, and it will enable CISOs, suppliers, and integrators to receive credit for compliance with multiple standards.
Two whitepapers are being created—one discussing how to evaluate the health of product security programs, and one addressing similarities and differences between the Singapore Cybersecurity Code of Practice (CCOP) and the ISA/IEC 62443 Series. The product security whitepaper will present an organized, cohesive approach to evaluating product security practices and advocate for a healthy approach to conformance and compliance testing. The CCOP whitepaper, co-authored by TUV SUD and Nova Systems, will provide an additional level of detail mapping the standards to specific country guidelines and encourage engagement with the 62443 series of standards in the Asia Pacific region.
Finally, several ISA99 standards committee members have created a framework for an online tool bench that offers important reference documents, implementation examples, and other materials helpful for those using the ISA/IEC 62443 series of standards. Although specific plans are to be determined, ISAGCA seeks to leverage this work to develop a one-stop online presence for reference information about the series of standards.
Awareness & Outreach Work Group
The Awareness & Outreach Work Group is creating a crowd-sourced guide to secure coding practices for PLCs. Security experts created a starting draft of a top 20 list, and the wider community is invited to join a Discourse site to comment on and add to the initial list. The project kicked off with a webinar co-produced with IEEE in late July, followed by a marketing effort to engage people with the Discourse site. The result will be a community-sourced top 20 list to be published as a free downloadable resource and/or kept current on the Discourse site. The project highlights the inclusive nature of our work and underscores the value of ISAGCA as a home for automation cybersecurity topics. To contribute your insights (or to view the progress made so far), please sign up for a free account at top20.isa.org.
Training & Education Work Group
The Training & Education Work Group is planning two whitepapers. One deals with the automation cybersecurity lifecycle and stakeholder viewpoints; the other addresses the importance of product certification to asset owner cybersecurity programs. Many companies are confused and unsure about the division of responsibilities in a standards implementation project, and about cybersecurity management in general; the first whitepaper will provide a starting point that individual organizations can adjust to their specific relationships and environments. The second whitepaper will make the case that requiring or encouraging commercial off-the-shelf product security certification can increase compliance with standards across the marketplace and encourage the use of the standards in a broad cybersecurity management program.
Compliance & Prevention Work Group
The Compliance & Prevention Work Group plans to establish an insurance underwriters’ work group to explore ISA/IEC 62443’s impact on insuring automation-related facilities and processes. Willis Towers Watson’s Tom Finan (previously with the DHS) is leading this group to explore how the series of standards might help inform underwriting models for insuring cybersecurity risk in the OT space. The first work group of its kind, this is a powerful interaction opportunity between industry and insurance firms in the context of a standards-based approach to pricing risk. It is also an opportunity for significant thought leadership from the involved insurance firms, as well as from ISAGCA as an organization, in a market that is very unsettled and undefined.
In connection with this work group, ISAGCA is officially endorsing and participating in a DHS CISA-led collaboration called ICS4ICS to establish an ICS incident response protocol that facilities may leverage in their own crisis planning efforts. Megan Samford is a leader of this group and a leader within ISAGCA, coordinating our participation. DHS and CISA will be leveraging DHS/FEMA templates to model disaster response plans based on lessons learned from other crisis plan development work at the federal level. ISAGCA will participate in the development of these resources and recommendations as well as look at ways to share the information broadly and promote its existence and use.
An IIoT reference architecture project seeks to define the top two or three IIoT reference architectures, beginning with the work done within the ISA/IEC 62443 committee, and to analyze how each architecture could be secured and certified using the series of standards. Bringing an IIoT architecture layer to the implementation of the standards will be important for relevance and for getting the attention of higher-level positions within companies. IIoT cybersecurity is one of ISAGCA’s core principles, so it makes sense to address these questions and challenges within our work scope. Relationships with IIoT infrastructure providers may also prove key to this effort, and likewise bring these voices deeper into the organization.
ISAGCA’s blog features a wealth of insights from industry thought leaders, many who work for our member companies. To receive updates in your inbox each week, subscribe to the ISAGCA blog today.
What IT Pros Should Know About OT Cybersecurity
Joshua Carlson, Dragos
As industrial organizations strive to reduce cyber risks in their operational technology (OT) environments, cybersecurity leaders who look after the enterprise/IT environments are requested to assist in leading the charge.
Many IT cybersecurity veterans have been through their paces over many years, building security controls and experience for IT environments. They have already made some common mistakes and have learned from them. This experience allows them to bring a proper perspective on what it takes to mature a set of security processes to fend off modern threats.
If you are one of the IT leaders who are helping to transfer their knowledge to the OT side of the house, the trick is not to let all that IT security experience go to your head. As a guiding principle, my encouragement is not to make the mistake of assuming that the expertise gained in the enterprise/IT security domain will automatically establish your credibility to know the right path for reducing risk in OT environments.
3 Ways to Reduce Insider Cyberattacks on Industrial Control Systems
Michael Pyle, Schneider Electric
When power grids, water networks, and gas utility systems are targeted by cyberattacks, systems that are essential to our everyday lives are affected. While the damage potential due to external attack sources is alarming, insider threats also exist and constitute an attack vector that is difficult to monitor and control.
Sources of insider threats can include current and former employees, partners, vendors, or anyone else who at one time was granted access to proprietary or confidential information from within the organization. Although not all of these insider attacks are intentional, any such attack on an OT (operational technology) system can result in loss of data/trade secrets, equipment damage, lost revenues, and even personal injury.
The number of insider-related cyberattacks increases every year. The Verizon 2019 Data Breach Investigations Report states that 34% of all breaches in 2018 were caused by insiders (as compared to 24% in 2016). As the incidents increase, so do the costs. A 2018 Ponemon Institute Cost of Insider Threats study shows that the average cost of an insider-related incident is around $513,000.
Motivation for such attacks includes financial gain, political ideology, a desire for recognition or public attention, fanatical loyalty to country, or a simple act of revenge. Unfortunately, many infrastructure organizations today have yet to implement proactive security controls to monitor areas that govern unauthorized access.
1898 & Co.
We’re building a roster of cybersecurity experts who are interested in sharing their knowledge at vendor-agnostic conferences and events around the world. We invite ISAGCA member companies to submit their experts to work with us as we deliver the latest, standards-based, unbiased information about cybersecurity.
Are you known for your thought leadership in the industry—or would you like to be? We hope you’ll consider the personal benefits of joining the ISAGCA Speakers’ Bureau in alignment with your own cybersecurity expertise.
To indicate your interest in the ISAGCA Speakers’ Bureau, click here to fill out our form.