Impressions from the 1st Ibero-American Industrial Security Congress

November 6, 2013

Talking to colleagues and potential clients during major cybersecurity events always pays back, especially if your field of expertise is Critical Infrastructure Protection. This particular part of the global cybersecurity effort is still in its infancy, and that’s why communication about the topic is so more important. Luckily, this September I had a chance to discuss industrial security with a number of devoted professionals during the 1st Ibero-American Industrial Cybersecurity congress.

Set in Madrid, a handful of presentations showed the wide range of views on how critically important it is for the infrastructure to be secured. Some spoke directly on the topic, but a number of talks were on other, unrelated topics. The general impression was that people working on Industrial Cybersecurity are very smart and courageous, but the problem is that we need even additional people from different sides of the scope to take it further.

According to Gartner, the number of “potential hackers” will increase tenfold in the next couple of years. Investment in cybersecurity educational efforts are solid, which is good, but there remains the potential for some people to join forces with “the dark side,” meaning today’s limited scope of attacks on industrial objects could increase as well.

Investment in cybersecurity educational efforts are solid, which is good, but there remains the potential for some people to join forces with “the dark side,” meaning today’s limited scope of attacks on industrial objects could increase as well.

This is our challenge, but what is the solution? Well, as I said before, action is required from cybersecurity vendors. It’s important to develop new protection solutions tailored for critical infrastructure, and Kaspersky Lab does exactly that, along with owners of industrial systems and even the government.

Congress has set a good example by acting as a visionary customer. And SABIC is heading in the right direction as well, not only securing their ICS, but also developing security-in-mind requirements for suppliers, which is great. These “individual” requirements need to be converted into typical requirements, and eventually end up as the industrial security standard. Such scenarios would really benefit the entire industry.

To get closer to a new standard, industrial automation and security organizations need to come to common definitions for security terms ASAP.

The future is bright, but it’s not without problems. Almost all current standards (industrial like NERC CIP, international like ISA99/62443, or internal company standards) are focused on having procedures and set of controls onboard that represent the compliance-based approach. But frankly speaking, compliance is not security. It would be much better to embrace the strategy based on real threats, like asking if a certain infrastructure with this and that protection system could withstand a common list of known and potential attacks. In this kind of realistic testing, customers would have a real understanding of how efficient their protection is, which is not the case with simple compliance checklists.

Pitching this idea to customers and government bodies alike is still a challenge. Unfortunately, the inclination to “comply” rather that “protect” brings to life very bad, but typical scenarios, such as this:

An IT department purchases an antivirus for the company, either because it was required by compliance, or because IT strongly wished to secure ICS, and because malware outbreaks had to be dealt with in the past. However, the IT department has no control over the actual tools used in the company, as this domain is owned by engineers, and as a result, engineers grudgingly install the anti-virus, but all options are switched off. It’s just an icon in the tray, and it is never updated for the next 2.5 years.

As you can see, on the customer side, there are three key groups of people involved in industrial cyber security.

  • The CEO. The main problem on this level is to understand how Cybersecurity spending relates to revenues.
  • General IT or IT security managers. They are involved in purchasing decisions, but frequently have no power over the critical infrastructure.
  • Engineers. For this group, the seamless operation of the infrastructure is the top priority. Hence, they might be more afraid of the possible consequences of deploying a new security solution than cyber attacks.

The key to industrial security success is to address all of the issues for each these three groups to provide them with a common “business continuity” language, instead of IT security jargon that we have now. All involved parties need to understand each other’s needs and the security (not compliance!) requirements.

I hope future events will be more interactive. Communication between customers, vendors and government officials is always a benefit. It is essential for people to talk, argue and think together, not just listen to each other.

And many thanks for Samuel Linares @The Industrial Cybersecurity Center (CCI) for putting his event all together.