Lessons for Operators in Industrial Cybersecurity

INTRODUCTION
Our global economy is at a critical junction, compelled by the imperative to take advantage of the Industrial
Internet of Things (IIoT). But our increasingly digitalized world has also increased the risk of mega attacks
against critical infrastructure, which threaten to affect operations, create financial losses, and even put lives
at risk. As our physical and digital worlds converge, the reality of more frequent and sophisticated industrial
cyber attacks makes evident that the operational technology (OT) cyber threat has become greater than
that presented by information technology (IT).

The global oil and gas sector has become a primary target of this growing industrial cyber threat. Yet, while
the energy industry is indeed highly vulnerable, its transformation in the era of mega OT cyber attacks is not
inevitable. By innovating with purpose and collaborating closely, we can gain confidence and more readily
recognize best practices. But it will require leadership and strategic vision to protect not only individual
organizations, but also the broader energy industry.

That is why Siemens and the International Society of Automation have partnered on this guide: Lessons for
Operators in Industrial Cybersecurity. It is our shared belief that effective management of the growing cyber
threat is an imperative shared by all organizations, public and private, large and small. This joint effort is a
starting point for oil and gas professionals at every level to prepare for potential OT cyber threats while still
reaping the benefits of digitalization. It is a product of a continuous collaboration between Siemens and the
International Society of Automation.

Lessons for Operators in Industrial Cybersecurity includes the results of in-depth studies of cybersecurity
within the oil and gas industries of the United States and the Middle East by the Ponemon Institute, an
independent research organization focused on data protection and information security policy. Here
you’ll also find focused guides from ISA designed for oil and gas industry Corporate Executives and Small
Business leaders who must be empowered to take the necessary steps toward higher states of cyber
readiness. We present these tools and insights to help industrial leaders keep their organizations secure
and running strong.

TABLE OF CONTENTS

We are Signing for Cybersecurity: Charter of Trust Page 3

The State of Cybersecurity in the Oil & Gas Industry: United States Page 4
Sponsored by Siemens, independently conducted by Ponemon Institute LLC

Industrial Cybersecurity for Small- and Medium-Sized Businesses Page 10
By: ISA

What Executives Need to Know About Industrial Control Systems Page 24
By: Joseph Weiss, Managing Director ISA99, Applied Control Solutions, LLC

Assessing the Cyber Readiness of the Middle East’s Oil and Gas Sector Page 32
By: Siemens and the Ponemon Institute LLC
We are signing for Cybersecurity

The digital world is changing everything. It’s improving our lives and economies; at the same time, the risk of exposure to cyberattacks is growing dramatically. That’s why we are joining forces and have established the Charter of Trust.

Our principles

1 Ownership of cyber and IT security | Anchor the responsibility for cybersecurity at the highest governmental and business levels by designating specific ministries and CISOs. Establish clear measures and targets as well as the right mindset throughout organizations – “It is everyone’s task.”

2 Responsibility throughout the digital supply chain | Companies – and if necessary – governments must establish risk-based rules that ensure adequate protection across all IoT layers with clearly defined and mandatory requirements. Ensure confidentiality, authenticity, integrity, and availability by setting baseline standards, such as
· Identity and access management: Connected devices must have secure identities and safeguarding measures that only allow authorized users and devices to use them.
· Encryption: Connected devices must ensure confidentiality for data storage and transmission purposes wherever appropriate.
· Continuous protection: Companies must offer updates, upgrades, and patches throughout a reasonable lifecycle for their products, systems, and services via a secure update mechanism.

3 Security by default | Adopt the highest appropriate level of security and data protection and ensure that it is preconfigured into the design of products, functionalities, processes, technologies, operations, architectures, and business models.

4 User-centricity | Serve as a trusted partner throughout a reasonable lifecycle, providing products, systems, and services as well as guidance based on the customer’s cybersecurity needs, impacts, and risks.

5 Innovation and co-creation | Combine domain know-how and deepen a joint understanding between firms and policymakers of cybersecurity requirements and rules in order to continuously innovate and adapt cybersecurity measures to new threats; drive and encourage i.a. contractual Public Private Partnerships.

6 Education | Include dedicated cybersecurity courses in school curricula – as degree courses in universities, professional education, and trainings – in order to lead the transformation of skills and job profiles needed for the future.

7 Certification for critical infrastructure and solutions | Companies – and if necessary – governments establish mandatory independent third-party certifications (based on futureproof definitions, where life and limb is at risk in particular) for critical infrastructure as well as critical IoT solutions.

8 Transparency and response | Participate in an industrial cybersecurity network in order to share new insights, information on incidents et al.; report incidents beyond today’s practice which is focusing on critical infrastructure.

9 Regulatory framework | Promote multilateral collaborations in regulation and standardization to set a level playing field matching the global reach of the WTO; inclusion of rules for cybersecurity into Free Trade Agreements (FTAs).

10 Joint initiatives | Drive joint initiatives, including all relevant stakeholders, in order to implement the above principles in the various parts of the digital world without undue delay.

www.charter-of-trust.com

Industrial Cybersecurity eBook 2019 PAGE 3
The State of Cybersecurity in the Oil & Gas Industry: United States

Sponsored by Siemens, independently conducted by Ponemon Institute LLC | February 2017

Ponemon Institute is pleased to present the results of The State of Cybersecurity in the Oil & Gas Industry: United States sponsored by Siemens. The purpose of this research is to understand how companies in the oil and gas industry are addressing cybersecurity risks in the operational technology (OT) environment.

According to the findings, the deployment of cybersecurity measures in the industry isn’t keeping pace with the growth of digitalization in oil and gas operations.

In fact, just 35 percent of respondents rate their organization’s OT cyber readiness as high. With most respondents describing their organization as having low to medium cybersecurity readiness, 68 percent of respondents say their operations have had at least one security compromise in the past year, resulting in the loss of confidential information or OT disruption.

Read on to learn more about the findings of our research, including cybersecurity challenges in the oil and gas industry with examples of specific exploits and security breaches, as well as solutions for achieving cyber readiness.

Industrial Cybersecurity eBook 2019 PAGE 4


U.S. Oil & Gas Industry Research: 8 Key Findings

1. Fifty-nine percent of respondents believe there is greater risk in the OT than the IT environment, and 67 percent of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats.

2. Oil and gas companies are benefiting from digitalization, but it has significantly increased cyber risks, according to 66 percent of respondents.

3. Sixty-eight percent of respondents say their organization experienced at least one cyber compromise, yet many organizations lack awareness of the OT cyber risk criticality or a strategy to address it.

4. Sixty-one percent of respondents say their organization’s industrial control systems protection and security is not adequate.

5. Sixty-five percent of respondents say the top cybersecurity threat is the negligent or careless insider and 15 percent of respondents say it is the malicious or criminal insider—underscoring the need for advanced monitoring solutions to identify atypical behavior among personnel.

6. Only 41 percent of respondents say they continually monitor all infrastructure to prioritize threats and attacks. In fact, an average of 46 percent of all cyber attacks in the OT environment go undetected, suggesting the need for investments in technologies that detect cyber threats to oil and gas operations.

7. Sixty-eight percent of respondents say security analytics is essential or very important to achieving a strong security posture.

8. Security technologies deployed are not considered the most effective. Sixty-three percent of respondents say user behavior analytics and 62 percent of respondents say hardened endpoints are very effective in mitigating cybersecurity risks. In addition, 62 percent of respondents say encryption of data in motion is considered very effective. Yet, many companies do not have plans to deploy these technologies. Specifically, in the next 12 months less than half of organizations represented (48 percent of respondents) plan to use encryption of data in motion, only 39 percent plan to deploy hardened endpoints, and only 20 percent will adopt user behavior analytics (UBA).

Industrial Cybersecurity eBook 2019 PAGE 5


Profile of participants in this research

19% Report to the head of industrial control systems
15% Report to the head of quality engineering
14% Report to the OT security leader
14% Report to the head of process engineering
11% Report to the IT security leader

We surveyed 377 individuals in the United States who are responsible for securing or overseeing cyber risk in the OT environment1. Most of these individuals report to the head of industrial control systems (19 percent), head of quality engineering (15 percent), OT security leader (14 percent), head of process engineering (14 percent), and IT security leader (11 percent).

Respondents work in the downstream (30 percent), upstream (24 percent), middle stream (17 percent), or all of these environments in the oil and gas industry (29 percent).

Challenges to cyber readiness

OT is at greater risk than the IT environment. Fifty-nine percent of respondents believe there is a greater risk in the OT than the IT environment. Sixty-seven percent of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats.

Cyber risks, especially across the supply chain, are difficult to address. Sixty-nine percent of respondents believe their organization is at risk because of uncertainty about the cybersecurity practices of third parties in the supply chain and 61 percent say their organization has difficulty in mitigating cyber risks across the oil and gas value chain.

Many companies are not prepared for cyber exploits and security breaches. Only 35 percent of respondents rate their organization’s cyber readiness in the OT environment as high and 61 percent of respondents say their organization’s industrial control systems protection and security is not adequate. These perceptions are based on the following findings: 61 percent of respondents believe their organization has difficulty in mitigating cyber risks across the oil and gas value chain and less than half (48 percent) of respondents believe their organization is effective in achieving compliance with security standards and guidelines in the oil and gas industry.

Organizational challenges affect cybersecurity readiness. Only 33 percent of respondents believe there is full alignment between OT and IT with respect to cybersecurity operations. Sixty percent say they do not have enough staff and only 45 percent of respondents say they have the internal expertise to manage cyber threats in the OT environment.

Together, negligent and malicious or criminal insiders pose the most serious threat to critical operations. Sixty-five percent of respondents say the top cybersecurity threat is the negligent or careless insider and 15 percent of respondents say it is the malicious or criminal insider.

1 This US sample is part of a larger global study involving 1,092 qualified respondents in Europe, Middle East, Asia-Pacific, and the Americas.

Industrial Cybersecurity eBook 2019 PAGE 6


Exploits & security breaches

Cyber attacks in the OT environment go undetected. Sixty-eight percent of organizations have suffered a security compromise that resulted in the loss of confidential information or disruption to operations in the OT environment over the past 12 months. However, on average, 46 percent of cyber attacks are believed by respondents to go undetected.

Many organizations seem to lack awareness about the cyber risks to their organization. While 68 percent of respondents say their organization experienced a cyber compromise, only 20 percent of respondents say it is very likely or likely their organization will experience a successful cyber exploit over the next 12 months. Only 20 percent of respondents say their organization experienced the Duqu, Duqu 2.0, or Flame virus/worm over the past 12 months.

Tasks intended to secure OT infrastructure are not completed. Only 41 percent of respondents say they continually monitor the OT infrastructure to prioritize threats and attacks. Fewer respondents say their organization is able to assess risks to determine resources necessary to address the risks or pinpoint sources of attacks and mobilize the right set of technologies and resources to remediate the attack, according to 38 percent and 37 percent of respondents, respectively.

Exploratory information is the area most vulnerable in the oil and gas value chain to a cyber attack. When asked to identify the top seven areas of greatest risk, 72 percent of respondents say it is exploratory information and 60 percent of respondents say it is production information. Also vulnerable are: potential partners and acquisition targets (56 percent of respondents), financial and organizational reports (53 percent of respondents), operational information (50 percent of respondents), details on drilling sites (47 percent of respondents), and field production information from sensors (46 percent of respondents). Only 18 percent of respondents say their organization conducts comprehensive audits every month (7 percent of respondents) or every six months (11 percent of respondents).

Industrial Cybersecurity eBook 2019 PAGE 7


Digitization in the oil & gas industry

Migration to the digital oil field has benefits and risks. Oil and gas companies are benefiting from digitization. However, 66 percent of respondents are concerned that it has made them more vulnerable to security compromises. These increases have made organizations more aware of the need to have security analytics. Sixty-eight percent of respondents say this technology is essential or very important.

The biggest vulnerability to organizations is outdated and aging control systems in facilities. Sixty-three percent of respondents say outdated and aging control systems in facilities put organizations at risk. Another vulnerability is the use of standard IT products with known vulnerabilities in the production environment (61 percent of respondents).

Most organizations are in the early to middle stages of OT cybersecurity maturity. Forty-one percent of respondents say their organizations are in the early to middle stage of maturity with respect to their cyber readiness. This means many OT cybersecurity program activities have not as yet been planned or deployed, or they have been planned and defined but only partially deployed.

Many organizations are outsourcing OT security operations. To support their efforts in addressing the heightened risk created by digitization, 52 percent of respondents say their organization currently outsources (16 percent of respondents) or would consider outsourcing its OT security operations (36 percent of respondents).

Solutions to achieve cyber readiness

Security technologies deployed are not considered the most effective. Sixty-three percent of respondents say user behavior analytics and 62 percent of respondents say hardened endpoints are very effective in mitigating cybersecurity risks. In addition, 62 percent of respondents say encryption of data in motion is considered very effective. Yet, many companies do not have plans to deploy these technologies. Specifically, in the next 12 months less than half of organizations represented (48 percent of respondents) plan to use encryption of data in motion, only 39 percent plan to deploy hardened endpoints, and only 20 percent will adopt user behavior analytics (UBA).

Sharing of threat intelligence is considered valuable in reducing cyber threats. Critical to reducing cyber risks in the OT environment is the sharing of threat intelligence, according to 71 percent of respondents. However, only 43 percent of respondents say they participate in the Oil & Natural Gas Information Sharing and Analysis Center. The primary reasons for not sharing are concerns about the quality of threat information (56 percent of respondents) and insufficient resources (53 percent of respondents).

Operational solutions should focus on alignment between OT and IT and in-house expertise. As shown in this research, organizational challenges create difficulty in enhancing OT security. Only 33 percent of respondents say there is full alignment between OT and IT with respect to cybersecurity operations and only 45 percent of respondents say their organization has the internal expertise to manage cyber threats. Cybersecurity training and awareness of employees is critical because 60 percent of respondents say their organizations do not have such initiatives in place.

Industrial Cybersecurity eBook 2019 PAGE 8


Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of OT and IT security practitioners who are familiar with their organization’s use of security analytics. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate or truthful responses.

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information
and privacy management practices within business and government. Our mission is to conduct high quality,
empirical studies on critical issues affecting the management and security of sensitive information about people
and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold
strict data confidentiality, privacy, and ethical research standards. We do not collect any personally identifiable
information from individuals (or company identifiable information in our business research). Furthermore, we have
strict quality standards to ensure that subjects are not asked extraneous, irrelevant, or improper questions.

Please contact research@ponemon.org or call us at 800.877.3118 if you have any questions.

Industrial Cybersecurity eBook 2019 PAGE 9


Industrial Cybersecurity for Small- and Medium-Sized Businesses
A Practical Guide

Smaller companies may not be fully aware of the risks they face or that they can contract for cybersecurity-related services.

Effective cybersecurity management is essential for all organizations, regardless of size. There are many standards and guidance documents available to help organizations determine a way forward.

This document is intended to provide a starting point for small- and medium-businesses (SMBs), particularly those that manage industrial processes and employ some level of automation. Specific examples include SMBs in the chemical and water and wastewater treatment sectors.

While it is generally accepted that Operational Technology (OT) system security requires different or additional measures than general-purpose Information Technology (IT) system security, it is also true that smaller companies might have difficulty implementing much of the available guidance.

Standards and practices are often based on the assumption that engineering and operations resources are available to define, implement, and monitor the technology, business processes, and associated controls. Unfortunately, this is often not the case. Smaller operations are typically not staffed to include such roles. It is more common to have broadly defined staff roles, with support and operation of IT systems as only part of an individual’s responsibilities.

Smaller companies may not even be fully aware of the risks they face or that they can contract for cybersecurity-related services. This guide is intended to identify the essential controls that need to be established.

SMBs need to understand their cybersecurity risk and to take action to reduce this risk, just as they do with other business risks. The absence of previous incidents, or the belief that the organization is not a likely target, is not sufficient justification for ignoring this issue.

SMBs can be at risk from a wide variety of threats, including amateur and professional hackers, environmental activists, disgruntled employees or contractors, and even nation states or terrorists. In addition, many cybersecurity incidents are a result of accidents or unintentional actions. A company does not have to be a specific target to be affected.

The consequence to an SMB can vary tremendously based on the nature of operations and the vulnerabilities of each. It is essential that the underlying vulnerabilities are recognized and that these vulnerabilities be mitigated to minimize the likelihood of potentially dire events.

This document provides guidance based on well-established frameworks and standards. Further reference should be made to these frameworks and standards, focusing on the recommendations in this document.

Cybersecurity management is not a one-time activity. Like quality and safety management, cybersecurity management is an ongoing activity where continuous improvement must be made in order to manage the risks.

Why Cybersecurity Management is Important
Protecting businesses from the impact of a cybersecurity incident

Very few, if any, businesses today operate without some dependence on systems and equipment that are vulnerable
to a cybersecurity incident. The impact to the business of such an incident will vary. However, this impact needs to
be understood and managed accordingly if businesses are to be able to operate as expected.

There are two broad categories of systems and equipment: Information Technology (IT) and Operational Technology
(OT), each with their own characteristics, as shown in the table below.

Definition
  IT: Used in a business or office environment to support day-to-day activities, such as accounting, ordering,
  human resources, and data analysis.
  OT: Used to monitor and control processes in industrial environments, such as factory floors, refineries, oil and
  gas platforms, and water treatment operations.

Examples of systems or equipment
  IT:
  • User workstations or laptops
  • File-, email-, or web-servers
  • Databases
  • Network devices (routers, firewalls, switches)
  OT:
  • Programmable Logic Controllers (PLCs)
  • Distributed Control Systems (DCSs)
  • Supervisory Control And Data Acquisition (SCADA) systems
  • Historian databases
  • Protocol and media converters

Cybersecurity concerns
  IT: Data confidentiality is the primary concern, followed by integrity of the data and system availability.
  OT: System availability is the primary concern, followed by integrity of the data, and finally, data
  confidentiality. In OT, data integrity and confidentiality are particularly important for device logic or
  configuration files used in control applications.

Management of Change
  IT: Change-control processes are largely self-contained within the IT function.
  OT: Technological changes are part of the overall Management of Change process. It can be difficult to take
  equipment out of service to update.

Other factors
  IT:
  • It is becoming more common for employees to use their own devices, especially mobile technology, to access
    business systems
  • New technologies are being adopted with insufficient concern for security
  OT:
  • Equipment and communications protocols tend to be proprietary, and it can be difficult to implement typical
    cybersecurity controls
  • Underlying technology can be antiquated and, therefore, more vulnerable to basic cybersecurity incidents
  • The equipment environment is almost always heterogeneous, with devices of various ages and sources

Risk Assessment
Cybersecurity-related risks are evaluated using a process that: systematically identifies potential vulnerabilities to
valuable system resources and threats to those resources; quantifies loss exposures and consequences based on
probability of occurrence; and (optionally) recommends how to allocate resources to countermeasures to minimize
total exposure.

In simple terms, risk can be defined as a function of threat, vulnerability, and consequence. Each of these elements
must be assessed in order to gain a full understanding of the situation.

Common threats
When considering cybersecurity threats, many consider only deliberate, targeted attacks from professional hackers.
As a result, some dismiss the risk to their facilities.

The table below shows that SMBs are subject to numerous types of threats, both deliberate and otherwise.
Cybersecurity incidents can arise as a result of accidents or unintentional actions by authorized individuals
(employees, vendors, or contractors). Many threats are often non-targeted and SMBs can be impacted as collateral
damage.

In all of the examples below, SMBs could be impacted indirectly, simply because they have equipment similar to the
primary target.
Table 1: Threat Examples

Threat: Amateur hackers
Description: With access to many online tools and resources, anyone can find systems connected to the Internet
and interfere with their operation, often for the challenge or prestige.
Example: The online community HackForums.net is a popular forum for amateur hackers, and is believed to be
behind the PlayStation network attack on Christmas Day 2014, as well as the attack on the Internet Name Servers
in the Eastern USA in October 2016.

Threat: Professional hackers
Description: Hackers with more skills and resources target organizations with ransomware and other disruptive
techniques and tools for profit.
Example: In 2016, the Lansing Board of Water & Light was forced to pay a $25,000 ransom to unlock its internal
communications systems, which were hit as part of a larger attack. The utility estimated the total cost of
responding to the attack and strengthening its defenses against future attacks was $2.4M.

Threat: Environmental activists
Description: Groups can work with hackers to disrupt the operations of organizations whose business practices
they oppose or are contrary to their beliefs.
Example: In 2011, the group Anonymous posted confidential information on 2,500 Monsanto employees and
associates and shut down the company’s international websites for nearly three days.

Threat: Disgruntled employees or contractors
Description: Using inside knowledge or privileged access, to gain revenge by disrupting operations or to steal
confidential information to be sold to competitors.
Example: In 2012, a male programmer, passed over for promotions at a Long Island power supply manufacturer,
created an unauthorized program to harvest employees’ logins and passwords. After leaving the company, the
person used his credentials to get into the network and disrupt business and inflict damage on the company’s
operations.

Threat: Nation states or terrorists
Description: Organizations with very large resources target critical infrastructure organizations to create
instability or to influence their will.
Example: In 2010, a virus known as Stuxnet compromised Iran’s nuclear enrichment facility. The virus targeted the
control system for the centrifuges in the facility and, while providing pre-recorded data to operators, would cause
the centrifuges to operate outside of their normal envelope. Analysts suggest the enrichment program was set back
several years as a result of the attack.

Threat: Accidents or unintentional actions
Description: The actions of employees or contractors can inadvertently result in a cybersecurity incident.
Example: In 1999, an explosion in a gasoline pipeline in Bellingham, WA, USA, killed three people, injured eight,
and caused $45M in property damage. The company was fined $112M. One of the two primary causes of the
incident was found to be developers making changes to a live control system.

Common vulnerabilities and key mitigations
A vulnerability is a deficiency that can be exploited by a threat to create an incident. The deficiency can arise from
technical (such as a software error), procedural (a lack of policy or standard), or people (lack of training) issues.

A mitigation is an action or solution that is implemented to reduce the likelihood of a vulnerability being exploited or
offset the adverse effects of an incident should that vulnerability be exploited.

There are many cybersecurity vulnerabilities, and each organization possesses different ones depending on the
equipment they use and the policies and procedures they have in place. As noted previously in this white paper,
SMBs can be impacted by a non-targeted attack, simply because they utilize equipment similar to that used by the
primary target. The table on the following page provides a list of common vulnerabilities found in all organizations to
some degree, along with key mitigations that should be implemented to control these vulnerabilities.

These key mitigations are essential for all SMBs to provide a basic level of cybersecurity management. It is highly
recommended for SMBs to consider additional mitigations. Further guidance is available from several sources,
including:
• International Society of Automation (ISA). The ISA/IEC 62443 standards (Security for Industrial Automation
and Control Systems) provide detailed guidance on how to create a cybersecurity management system for OT
environments. These standards are also available internationally as IEC 62443
• The US Chamber of Commerce [6], Department of Homeland Security (DHS) [7], US Small Business
Administration (SBA) [9], National Institute of Standards and Technology (NIST) [10], as well as many business
and technology websites [5], [8]
• The Center for Internet Security (CIS). CIS produces the Critical Security Controls [2], which identify the top
20 mitigations that reduce the likelihood and/or consequence of a cybersecurity incident. These controls are
referenced in the Key Mitigations table below as CSCxx where “xx” is 1 to 20 (for example, CSC17)

Table 2: Vulnerabilities and Mitigations

Vulnerability: Inadequately trained employees
Description: Employees who have received little or no training in the risks of cyber incidents are more likely to:
• Be victims of social engineering, such as phishing (the use of faked email messages to extract confidential
  information or to gain unauthorized access to equipment)
• Use removable media without performing virus checks
• Fail to observe the signs of a cyber incident
This is common in SMBs, where resources for training are limited.
Key Mitigations: Provide (internally or using external parties) a variety of training resources for employees,
including classroom-based, computer-based training courses/assessments, informational videos, posters, and
email newsletters (CSC17)

Vulnerability: Inadequately secured network
Description: Networks that are inadequately secured can:
• Allow external users unauthorized access to systems and equipment
• Increase the chances of a cybersecurity incident extending throughout an organization
SMBs may not have the expertise to adequately secure their network.
Key Mitigations: Use standards to define and implement effective network security. In particular, avoid direct
connection with external networks, control traffic in and out of the internal network, and between different areas
of the internal network (CSC1,2,6,12,13,15,20)

Vulnerability: Inadequately secured equipment
Description: Equipment that is inadequately secured can:
• Lack appropriate physical security, allowing ease of access to unauthorized users and increase the likelihood of
  accidental actions
• Lack appropriate protection on physical inputs, such as USB ports and DVD drives, making it easier for malware
  to be transferred
• Contain unnecessary applications or run unnecessary services, increasing the possibilities of a cyber incident
Key Mitigations:
• Where possible, keep equipment in locked cabinets or rooms to avoid unnecessary contact
• Where not possible, use locks (physical and electronic) to secure access to physical inputs
• Remove unnecessary applications and disable unnecessary services on equipment (CSC1,2,3,6,7,11,13,18)

Vulnerability: Inadequate anti-virus management
Description: Equipment running without anti-virus protection is vulnerable to malware attack. With some malware,
the infection may not be obvious and this can lead to a spread of the malware throughout the organization.
A failure to maintain anti-virus protection (with the latest security patches or with the latest malware signatures)
makes equipment much more vulnerable to newer malware threats.
Key Mitigations:
• Ensure anti-virus is operational and maintained on all equipment, where possible
• Where not possible, ensure equipment is adequately secured to remove opportunity for introduction of viruses
• Use a standalone machine to perform virus checking on incoming machines and media (CSC8)

Vulnerability: Inadequate change management
Description: There are two important considerations for change management:
• Making changes to system software or hardware can introduce new vulnerabilities that, if not considered, could
  be exploited
• Inadequate change procedures can create cybersecurity incidents. For example, a failure to implement a backup
  before updating software could result in system unavailability if the update fails
Key Mitigations:
• All changes must be reviewed before implementation. The review must assess the potential impact on system
  operation (reliability, performance, etc.) as well as any changes to cybersecurity risks
• A change procedure must be in place that ensures that all changes are implemented with a step-by-step plan and
  a means to restore any equipment to its previous state, if required (CSC4,20)

Vulnerability: Inadequate security patch management
Description: Equipment running without the latest security patches is much more vulnerable to newer malware
threats. The more security patches that are missed, the more vulnerable the equipment becomes.
Key Mitigations: Ensure equipment is kept up to date with the latest security patches from vendor(s) (CSC3,11,18)

Vulnerability: Inadequate backup management
Description: Backups are essential to the restoration of failed hardware or equipment infected with malware.
In order to be effective, backups must occur frequently to avoid the loss of significant amounts of data. In
addition, unless backups are periodically tested, they can prove to be useless when required.
Key Mitigations:
• Determine what needs to be backed up and how often
• Maintain backups to the defined regime
• Periodically test backups using a test environment (CSC10,13)

Vulnerability: Inadequate password management
Description: There are two key issues:
• Weak passwords are easy to guess (e.g. ‘password’) or use only letters or numbers. A weak password can be
  determined using ‘brute force’ techniques, within 1-2 minutes
• Passwords that are never changed, or changed infrequently, are much more vulnerable to exploitation
Key Mitigations:
• Avoid use of shared accounts, where possible
• If not possible, ensure shared accounts have limited privileges
• Enforce a policy to change account details when someone leaves or moves to a new role in the organization
  (CSC5,14,15,16)

Vulnerability: Use of default accounts
Description: Many devices or systems have manufacturers’ default accounts. If these accounts are not changed,
anyone with knowledge of the default details can gain unauthorized access much more easily. In some cases,
default account information is freely published on the Internet.
Key Mitigations:
• Remove or change default account details (username and/or password), where possible
• If not possible (e.g. hard-coded by vendor), enforce strict physical access control on equipment
  (CSC5,14,15,16)

Vulnerability: Inadequate incident response
Description: Many organizations have no plans in place to deal with a cybersecurity incident.
Organizations that have plans in place may not exercise those plans sufficiently, to validate that they are
effective.
Without an effective incident response plan in place, organizations can be exposed to major consequences should
a cybersecurity incident occur.
Key Mitigations:
• Create an incident response plan that identifies the possible incidents and the appropriate response to each, as
  well as the key internal and external contacts
• Exercise the incident response plan periodically to verify that it is effective (CSC20)

Potential consequences of inadequate cybersecurity management
The potential consequences of a cyber incident will depend on the organization, but the following table outlines the
most common consequences for IT and OT equipment and systems.
Table 3: Potential Consequences

Consequence: Theft of confidential information (IT/OT)
Description: Hackers use social engineering techniques to obtain confidential information, such as usernames and
passwords that can be used to gain unauthorized access to systems.
Hackers with unauthorized access to systems can extract confidential information, such as customer names, credit
card numbers, trade secrets, drawings, or plans.
In OT environments, the theft of control logic, recipes, production records, and other such information can yield
valuable intellectual property.
Example: In 2014, payment card data for 70 million customers was stolen from Target, after hackers gained
access using the credentials of a supplier, stolen in a separate phishing attack.

Consequence: System unavailability (IT)
Description: Computer viruses can be downloaded onto IT workstations, laptops, and servers remotely (using
unauthorized access or through the use of social engineering), or using removable media, such as USB drives,
CDs, and DVDs.
Viruses can propagate across a network to infect other machines. Viruses may be used to:
• Obtain confidential information (such as usernames and passwords)
• Cause excessive network traffic that disrupts normal operation
• Wipe an entire hard disk clean
• Lock a disk until a ransom is paid
Example: In 2012, a virus called Shamoon infected more than 30,000 office workstations belonging to Saudi
Aramco. Business operations were slowed and, in some cases, paused as employees were forced to resort to
manual/offline activities and the use of personal emails for several weeks.

Consequence: Operations or production shutdown (OT)
Description: Since operations or production are heavily dependent on the OT systems that monitor and control
them, a failure of these systems can result in a shutdown of the plant or process.
Typical cybersecurity causes are:
• Viruses
• Unauthorized access
• Lack of backup of system data, program, or settings
Example: In 2013, a virus infected the operational network of the Cook County Department of Transportation and
Highways in Chicago, affecting 200 computers. The department was shut down for nine days until normal service
could be restored.

Consequence: Service outage (OT)
Description: In a specific instance of operations or production shutdown, the result can have serious ramifications
for others. For example, the loss of water or wastewater services, the loss of communications, etc.
Typical cybersecurity causes are:
• Viruses
• Unauthorized access
• Lack of backup of system data, program, or settings
Example: In 2015, hackers infiltrated the control system of a Ukrainian power company and took control of the
electricity distribution network. Approximately 80,000 homes were left without electricity for up to six hours.

Consequence: Equipment damage (OT)
Description: Production or operational plants are connected to the monitoring and control systems that can be
impacted by a cybersecurity incident. Without adequate mechanical or independent shutdown systems, physical
damage is possible.
Typical cybersecurity causes are:
• Viruses
• Unauthorized access
Example: In 2014, hackers gained access to a steel mill in Germany and disrupted the operation of the safety
system, causing massive damage to the blast furnace.

Consequence: Environmental damage (OT)
Description: Many OT control systems monitor or control processes that, in the event of failure or incorrect
operation, can cause harm to the environment. Examples include oil and gas production and wastewater
treatment.
Typical cybersecurity causes are:
• Viruses
• Unauthorized access
Example: In 2000, a disgruntled former contractor used stolen equipment to deliberately manipulate a wastewater
control system, causing a release of 750,000 gallons of raw sewage into the environment in Queensland, Australia.

Consequence: Injury or death (OT)
Description: Many OT control systems monitor or control processes that, in the event of failure or incorrect
operation, can cause harm to personnel or members of the public. Examples include oil and gas production,
transportation, and wastewater treatment.
Typical cybersecurity causes are:
• Viruses
• Unauthorized access
Example: In 2008, a 14-year-old boy modified a TV remote to change the points on a train network in Lodz,
Poland. Twelve people were injured and four trains derailed.

Essential cybersecurity activities
Numerous standards and guidance documents are available to help SMBs implement proper cybersecurity
management.

The US Cybersecurity Framework, produced by the National Institute of Standards and Technology (NIST) [1], is an
excellent starting point for SMBs. The Framework identifies five core functions that encapsulate cybersecurity
management. The Framework then further defines all the activities that may need to be undertaken for each function
and identifies relevant standards to help identify how to implement these activities.

The table below identifies the essential cybersecurity activities that should be undertaken by all SMBs. These are
described in more detail below the table.
Table 4: Essential Cybersecurity Activities

Framework Function: Activities

Identify: Create an inventory of all IT and OT assets; Assess the risk of cyber incident; Define a cybersecurity
management policy

Protect: Secure network and equipment; Protect sensitive information; Manage access to systems and equipment

Detect: Define methods for monitoring; Define responsibilities for monitoring; Identify improvements; Awareness
and Training

Respond: Maintain an incident-response plan; Practice response processes; Identify improvements

Recover: Maintain backups of all systems and equipment; Practice recovery processes; Identify improvements

Identify
The identify function focuses on understanding the nature of the systems inventory owned by the SMB and what
risks are associated with this inventory.

Create an inventory of all IT and OT assets
This step is essential for all SMBs. Proper cybersecurity management is impossible without a definitive
understanding of the assets involved. Organizations that fail to identify equipment or systems leave themselves
vulnerable to cyber incidents due to a lack of protection or monitoring.

The inventory of assets should include, as a minimum:
• Make and model of hardware
• Version number of all operating system and application software

Additionally, some organizations identify equipment location, owner, and other useful information.

Assess the risk of a cyber incident
Once an SMB understands what it is protecting from a cyber incident, it must conduct a risk
assessment to identify what risks exist.

Risk assessments require the involvement of all key stakeholders (to ensure accuracy) and
should identify the likely threats and the vulnerabilities in the asset base. From this, the
organization should identify the potential consequences, e.g. loss of confidential information,
loss of revenue, environmental impact, injury or death, and so on.

SMBs should rank their risks using a common methodology to allow the identification of risks in
priority order.
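The inventory fields listed under "Create an inventory" and the threat, vulnerability, consequence view of risk, carried through as an added example (this is not code from the ISA/Siemens guide): a small constructed inventory and risk register are ranked with one common methodology. The 1-5 scale for each factor, the product of the three scores as the risk value, and the High/Medium/Low bands are assumptions made for this example; the guide prescribes no particular scale.

```python
"""Risk ranking over an asset inventory.

Added example; it is not code from the ISA/Siemens guide. It follows the guide's
statement that risk is a function of threat, vulnerability and consequence and
ranks risks with one common methodology. The 1-5 scoring scale, the product as
the risk score and the High/Medium/Low thresholds are assumptions made here.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One inventory row: the minimum fields the guide asks for plus the optional ones."""
    name: str
    kind: str                                   # "IT" or "OT"
    make_model: str
    os_version: str
    apps: dict = field(default_factory=dict)    # application -> version
    location: str = ""
    owner: str = ""


@dataclass
class RiskEntry:
    """One risk-register line: a threat exploiting a vulnerability of an asset."""
    asset: str
    threat: str
    vulnerability: str
    consequence: str
    threat_score: int         # 1 (unlikely) .. 5 (very likely)
    vuln_score: int           # 1 (well mitigated) .. 5 (unmitigated)
    consequence_score: int    # 1 (negligible) .. 5 (injury, death, major loss)

    def __post_init__(self):
        for s in (self.threat_score, self.vuln_score, self.consequence_score):
            if not 1 <= s <= 5:
                raise ValueError(f"score {s} is outside the assumed 1-5 scale")

    @property
    def risk(self) -> int:
        # Assumed methodology: risk = threat x vulnerability x consequence (1..125).
        return self.threat_score * self.vuln_score * self.consequence_score


def risk_level(score: int) -> str:
    """Assumed banding of the 1..125 product into three levels."""
    if score >= 50:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def rank_risks(entries):
    """Entries in priority order: highest risk first, then worst consequence, then name."""
    return sorted(entries, key=lambda e: (-e.risk, -e.consequence_score, e.asset))


def incomplete_inventory_records(assets):
    """Names of assets missing a minimum field the guide requires (make/model, OS version)."""
    return [a.name for a in assets if not a.make_model.strip() or not a.os_version.strip()]


# Constructed inventory for a small water-treatment site; model names are placeholders.
INVENTORY = [
    Asset("PLC-01", "OT", "PLC (placeholder model)", "firmware 2.1",
          location="Pump house", owner="Operations"),
    Asset("HMI-01", "OT", "Industrial PC (placeholder model)", "Windows 7 SP1",
          {"HMI runtime": "8.0"}, "Control room", "Operations"),
    Asset("ENG-LAPTOP", "IT", "Laptop (placeholder model)", "Windows 10 1809",
          {"Engineering tool": "15.1", "Office": "2016"}, "", "Engineering"),
    Asset("FILE-SRV", "IT", "Rack server (placeholder model)", "",      # OS version never recorded
          {"Backup agent": "4.2"}, "Server closet", "IT"),
]

# Constructed risk register drawn from the threats and vulnerabilities in the guide's tables.
RISK_REGISTER = [
    RiskEntry("PLC-01", "Non-targeted malware carried on the engineering laptop",
              "Unprotected USB ports, no vendor patches available",
              "Production shutdown", 3, 5, 5),
    RiskEntry("HMI-01", "Unauthorized access using a vendor default account",
              "Default account never changed",
              "Operations shutdown or equipment damage", 4, 4, 4),
    RiskEntry("FILE-SRV", "Ransomware from professional hackers",
              "Backups never tested", "Loss of business data", 4, 3, 3),
    RiskEntry("ENG-LAPTOP", "Phishing email",
              "Employee not trained to recognise social engineering",
              "Theft of credentials", 5, 3, 2),
]


if __name__ == "__main__":
    for name in incomplete_inventory_records(INVENTORY):
        print(f"inventory gap: {name} is missing make/model or OS version")
    for e in rank_risks(RISK_REGISTER):
        print(f"{e.risk:3d} {risk_level(e.risk):6s} {e.asset:10s} {e.threat} / {e.vulnerability}")
```

The inventory gap check runs before ranking because a risk entry cannot be scored sensibly for an asset whose software versions are unknown.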

Define a cybersecurity management policy
Every SMB should have a cybersecurity management policy to define:

• Those responsible for cybersecurity management activities
• The processes and procedures required for operational activities and to reduce
cybersecurity risks
• The expectations of employees (e.g. appropriate use of IT equipment, use of personal
devices, etc.)

Protect
The protect function is a core cybersecurity management activity that an organization must
undertake on an ongoing basis.

Secure network and equipment
Securing a network and equipment involves such actions as:

• Physically locking or disabling all equipment inputs to prevent unauthorized use, including
smart device charging
• Using only dedicated devices that are kept secure, with anti-virus software scanning before
and after use
• Using a quarantine area to check incoming removable devices of unknown provenance and
transfer files to dedicated, known devices
• Only allowing a transfer of files from removable devices under strict supervision and in
compliance with anti-virus checks
• Applying recommended patches to operating system and application software in a timely
manner
• Testing patches before applying to live equipment
• Keeping anti-virus software up to date
• Performing an anti-virus scan regularly and frequently (e.g. monthly)
• Maintaining a record of all updates applied to allow for identification of issues
• Limiting external access to equipment and networks to only those authorized to access
them

Protect sensitive information
Protecting sensitive information involves such actions as:

• Keeping confidential information secure (e.g. in locked cabinet or safe) and disposing
confidential information in a secure manner (e.g. shredding)
• Being aware of who is around you and taking care to avoid disclosing sensitive information
• Being suspicious of emails if you do not recognize the sender
• Making sure you don’t click on links or open attachments unless you are certain the sender
is trustworthy
• Making sure you do not download or install anything after following a link in a suspicious
email
• Making sure you do not provide confidential information via email unless you are certain the
recipient is appropriate/authorized
• Making sure a supervisor or trained expert is available for advice before individuals take
any action

Manage access to systems and equipment
Managing access to systems and equipment involves such actions as:

• Maintaining physical and electronic security to ensure that only authorized persons have
access to the equipment they require in performing their role
• Securing equipment in locked rooms or cabinets and monitoring access
• Performing background checks on all users before approving access
• Maintaining a register of approved users
• Preventing sharing of login credentials between users
• Removing or changing credentials when a user moves to a new role or leaves
• Removing or changing default accounts
• Enforcing strong passwords and changing regularly
• Providing temporary external access as required, supervise during use, and remove once
complete

Detect
Having established an understanding of its asset base and the risks to it, the SMB must then
have methods to monitor for incidents, so that it is able to respond promptly and effectively to
minimize the impact.

Define methods for monitoring
Monitoring methods will vary from organization to organization, based on the particular asset
base and risk assessment. In some cases, manual methods, such as checking log and system
files, will suffice. For larger organizations with more electronic activity, this may be impractical
and automated tools may be needed.
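A manual check of log files of the kind described above, as an added example that is not part of the guide: it scans constructed syslog-style lines for signs that correspond to vulnerabilities in Table 2 (logins with vendor default accounts, repeated failed logins and a login that follows them, removable media attached to a host). The line layout, the default-account list and the failure threshold are assumptions made for this example.

```python
"""Manual log review for an SMB.

Added example, not code from the ISA/Siemens guide. It reads syslog-style lines
and flags signs of a possible incident that correspond to vulnerabilities in the
guide's Table 2: use of vendor default accounts, repeated failed logins, and
removable media being attached. The line layout, the default-account list and
the failure threshold are assumptions made for this example.
"""
import re
from collections import Counter, defaultdict

# Assumed line layout: "<timestamp> <host> <process>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(r"Failed (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")
USB_RE = re.compile(r"usb (?P<dev>\S+): New USB device found")

# Assumed for this example; in practice the list comes from the vendors' documentation
# for the equipment recorded in the asset inventory.
DEFAULT_ACCOUNTS = {"admin", "operator", "root", "guest"}


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_log(lines, failed_threshold=3):
    """Walk the lines once and return a list of findings (dicts with a 'type' key)."""
    findings = []
    failed = defaultdict(int)  # (host, user) -> number of failed logins seen so far

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # Unparsed lines are reported rather than dropped, so the reviewer still sees them.
            findings.append({"type": "unparsed", "line": line.strip()})
            continue
        msg = rec["msg"]

        m = FAILED_RE.search(msg)
        if m:
            key = (rec["host"], m.group("user"))
            failed[key] += 1
            if failed[key] == failed_threshold:   # report once, when the threshold is reached
                findings.append({"type": "repeated-failed-login", "ts": rec["ts"],
                                 "host": rec["host"], "user": m.group("user"),
                                 "src": m.group("src"), "count": failed_threshold})
            continue

        m = ACCEPTED_RE.search(msg)
        if m:
            user = m.group("user")
            if user in DEFAULT_ACCOUNTS:
                findings.append({"type": "default-account-login", "ts": rec["ts"],
                                 "host": rec["host"], "user": user, "src": m.group("src")})
            if failed[(rec["host"], user)] >= failed_threshold:
                # A success after a run of failures deserves a second look by the reviewer.
                findings.append({"type": "login-after-repeated-failures", "ts": rec["ts"],
                                 "host": rec["host"], "user": user, "src": m.group("src")})
            continue

        m = USB_RE.search(msg)
        if m:
            findings.append({"type": "removable-media", "ts": rec["ts"],
                             "host": rec["host"], "device": m.group("dev")})

    return findings


def summarize(findings):
    """Count findings by type, for the summary a reviewer records after each check."""
    return Counter(f["type"] for f in findings)


# Constructed sample log; hosts, users and addresses are made up for this example.
SAMPLE_LOG = """\
2019-03-04T08:01:12 hmi-01 sshd[412]: Accepted password for operator from 10.0.5.20 port 51000 ssh2
2019-03-04T08:02:40 hmi-01 sshd[415]: Failed password for eng1 from 10.0.5.31 port 51002 ssh2
2019-03-04T08:02:43 hmi-01 sshd[415]: Failed password for eng1 from 10.0.5.31 port 51002 ssh2
2019-03-04T08:02:47 hmi-01 sshd[415]: Failed password for eng1 from 10.0.5.31 port 51002 ssh2
2019-03-04T08:02:51 hmi-01 sshd[415]: Failed password for eng1 from 10.0.5.31 port 51002 ssh2
2019-03-04T08:10:05 eng-laptop kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583
2019-03-04T08:15:00 hmi-01 sshd[420]: Accepted password for eng1 from 10.0.5.31 port 51010 ssh2
this line is not in the expected layout
"""


if __name__ == "__main__":
    results = review_log(SAMPLE_LOG.splitlines())
    for finding in results:
        print(finding)
    print(dict(summarize(results)))
```

Each finding carries the host, account and timestamp so that it can be recorded against the asset inventory and followed up under the incident response plan.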

Define responsibilities for monitoring
Having defined the methods for monitoring, the SMB must assign responsibilities for these
activities. In addition, all employees should receive awareness training, be instructed to be
vigilant for signs of a cyber incident, and be trained to report any type of cyber incident.

Identify improvements
Cybersecurity is an ever-changing situation. Threats, vulnerabilities, and risks change and
SMBs need to be able to adapt. In the detect function, SMBs must regularly review their
monitoring methods and adjust them to suit changing circumstances and according to incident
experiences.

Respond
The respond function comes into effect when an incident occurs. However, preparation is
essential to a successful response, and so an organization must take actions well in advance of
any incident.

Maintain incident response plan
Key to a successful response, with minimal impact, is an effective cybersecurity incident
management plan. The plan needs to identify the possible cybersecurity incidents that may
occur within the organization and document the step-by-step procedures that should be
followed in the event of each one. All employees should be aware of the risks of cybersecurity
incidents and their role in avoiding them.

Practice response processes
SMBs must test their cybersecurity incident management plan on a periodic basis. The test
must be realistic and exercise as many of the elements as possible, so as to be certain that
established procedures will work when required.

Identify improvements
SMBs will need to update their incident management plans in response to changes in the
cybersecurity landscape, and also as a result of their incident response tests.

Recover
While the respond function comes into effect when an incident occurs, the recover function
comes into effect once the respond function is completed. As with the respond function,
preparation is essential to a successful recovery, and so an SMB must take actions well in
advance of any incident.

Maintain backups of all systems and equipment
Key to a successful recovery from a cybersecurity incident is having the right backups in place.
Having the right backups in place requires an SMB to:

• Identify what needs to be backed up
• Determine backup frequency based on operational requirements (e.g. How long can you
operate without a working system? How much data can you afford to lose?)
• Store clearly labeled backups securely on-site and off-site, preferably in a fireproof safe

Practice recovery processes
SMBs must test their cybersecurity incident recovery processes on a periodic basis. The test
must be realistic and exercise as many of the elements as possible, so as to be certain that
established procedures will work when required.

Identify improvements
SMBs will need to update their recovery processes in response to changes in the cybersecurity
landscape, and also as a result of their incident recovery tests.

Awareness and training
The importance of awareness and training for employees cannot be overstated. No amount of technical and
procedural mitigations will help if an employee takes an insecure action (e.g., inserting a removable drive without
performing an anti-virus scan) due to lack of training or awareness.

External classroom and online training courses are recommended for SMBs to give their employees a clear
understanding. Internal resources, such as assessment (surveys, tests) and awareness (videos, posters, emails)
tools, should be used to complement external courses and provide a constant reminder to employees.

Effective cybersecurity management should be a high-profile business objective that is reported on by management
so that employees are constantly reminded of its importance.

The International Society of Automation (ISA) provides training courses and certificate programs based on the ISA/
IEC 62443 (Security of Industrial Automation and Control Systems) standard [4].

Assessment and continuous improvement

Self-assessment
The International Society of Automation (ISA) has produced a survey that SMBs can take to self-assess their current
cybersecurity posture (as well as re-assess it after making changes).

To obtain a copy of the survey, contact ISA at info@isa.org.

Third-party assessment
For a nominal fee, ISA can review an SMB’s survey responses. ISA utilizes a pool of international cybersecurity
Subject Matter Experts (SMEs) to provide this service. This third-party assessment will provide a more
comprehensive and independent review of the SMB’s cybersecurity posture with advice on how to proceed.

Continuous improvement
Effective cybersecurity management requires continuous improvement. The essential activities outlined above are
only the beginning.

For each of the five core functions of the Cybersecurity Framework, there are many degrees to which SMBs can go.
For example:
• Network and equipment monitoring can be a manual activity in its simplest form, but SMBs can purchase
speciality software to assist
• Third-party organizations can provide assessment services, including penetration testing, to validate the
effectiveness of cybersecurity mitigations

The degree to which SMBs should go will depend on the level of risk they perceive, and this may vary with time.

In addition, cybersecurity is continuously evolving, with new vulnerabilities, exploits, and threats arising all the time.
SMBs must continuously review their risk and adapt their mitigations to suit this changing landscape.
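The monitoring bullet above says that network and equipment monitoring can start as a manual activity. The following added example (not from the eBook, and not an ISA tool) shows what that simplest form looks like when written down: an engineering-owned baseline of the devices that should be on a control network segment is compared with what was actually observed (for instance an ARP or MAC table copied from the segment's switch), and anything new, missing, or with a changed hardware address is reported. All addresses, roles and the observed table are constructed for illustration.

```python
"""Minimal OT asset-inventory check: compare a known-good baseline of
devices on a control network segment with what was observed, and report
new, missing and changed devices.

Added example, not part of the eBook. All device data is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    role: str  # what the asset owner believes the device is


# Constructed baseline (hypothetical addresses): the devices engineering
# says belong on this segment.
BASELINE = {
    "10.10.1.10": Device("10.10.1.10", "00:1b:1b:aa:00:01", "PLC, pump skid"),
    "10.10.1.11": Device("10.10.1.11", "00:1b:1b:aa:00:02", "PLC, compressor"),
    "10.10.1.20": Device("10.10.1.20", "00:0c:29:11:22:33", "HMI workstation"),
    "10.10.1.30": Device("10.10.1.30", "00:50:56:44:55:66", "Historian"),
}

# Constructed observation, e.g. pasted from a switch ARP/MAC table or a
# passive capture, one "ip mac" pair per line.
OBSERVED_ARP = """\
# ip            mac
10.10.1.10 00:1b:1b:aa:00:01
10.10.1.11 00:1b:1b:aa:00:99
10.10.1.20 00:0c:29:11:22:33
10.10.1.77 b8:27:eb:12:34:56
"""


def parse_arp(text):
    """Parse 'ip mac' lines into {ip: mac}; blank and '#' lines are skipped."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac = line.split()[:2]
        seen[ip] = mac.lower()
    return seen


def compare(baseline, observed):
    """Return findings: devices not in the baseline, baseline devices not
    seen, and baseline IPs now answering with a different MAC."""
    findings = {"new": [], "missing": [], "changed": []}
    for ip, mac in observed.items():
        if ip not in baseline:
            findings["new"].append((ip, mac))
        elif baseline[ip].mac.lower() != mac:
            findings["changed"].append((ip, baseline[ip].mac, mac, baseline[ip].role))
    for ip, dev in baseline.items():
        if ip not in observed:
            findings["missing"].append((ip, dev.role))
    return findings


def run_check(baseline=BASELINE, arp_text=OBSERVED_ARP):
    """Run the comparison on the constructed data (or on real inputs)."""
    return compare(baseline, parse_arp(arp_text))


if __name__ == "__main__":
    for kind, items in run_check().items():
        for item in items:
            print(kind.upper(), item)
```

Each finding is a question for the operator rather than a verdict: a missing historian may be an outage, a new device may be a contractor's laptop, and a known PLC address answering from a different MAC may be a replacement unit or something impersonating the controller. Running the check on a schedule and keeping the baseline under change control is the step that turns a one-off comparison into monitoring.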



References and further reading
[1] The Cybersecurity Framework, National Institute of Standards and Technology (NIST),
https://www.nist.gov/cyberframework

[2] Critical Security Controls, Center for Internet Security (CIS),
https://www.cisecurity.org/critical-controls.cfm

[3] ISA-62443 Series, Security for Industrial Automation and Control Systems, International Society of Automation
(ISA), https://www.isa.org/isa99/#diagram

[4] ISA/IEC 62443 Training Courses and Certificates, International Society of Automation (ISA),
https://www.isa.org/templates/two-column.aspx?pageid=124579

[5] 5 Reasons Why Small Businesses Need Cybersecurity, Tech.Co,
http://tech.co/should-small-businesses-be-paying-more-attention-to-cyber-security-2016-10

[6] Ten Cybersecurity Strategies for Small Businesses, US Chamber of Commerce,
https://www.uschamber.com/sites/default/files/legacy/issues/defense/files/10_CYBER_Strategies_for_Small_Biz.pdf

[7] Cybersecurity Resources for Small Businesses, Department of Homeland Security (DHS),
https://www.dhs.gov/publication/stopthinkconnect-small-business-resources

[8] Cybersecurity: A Small Business Guide, Business News Daily,
http://www.businessnewsdaily.com/8231-small-business-cybersecurity-guide.html

[9] Cybersecurity For Small Businesses course, US Small Business Administration (SBA),
https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses

[10] Small Business Information Security: The Fundamentals, National Institute of Standards and Technology (NIST),
http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

[11] Top Ten Cybersecurity Tips, US Small Business Administration (SBA),
https://www.sba.gov/managing-business/cybersecurity/top-ten-cybersecurity-tips

[12] Cybersecurity for Small Business, Federal Communications Commission (FCC),
https://www.fcc.gov/general/cybersecurity-small-business



What Executives Need to Know About Industrial Control Systems
By Joseph Weiss, Managing Director ISA99, Applied Control Solutions, LLC

As more and more significant security breaches are discovered, the protection of information and control
systems is becoming an important executive management and insurance issue. A company’s Board of Directors
and executive management must continuously and meticulously identify, categorize, and mitigate risks to the
organization’s success resulting from cyber attacks. In many cases the largest risk to the well-being of your
company, your people, your processes, and your profits may be the compromise of your Industrial Control
System—not a data breach.

This white paper addresses questions in the context of the following objectives:
• Introduce the unique characteristics and vulnerabilities of Industrial Control Systems
• Explore the key differences between an IT and an operations perspective on cybersecurity
• Detail potential impacts of attack on critical infrastructure and manufacturing processes
• Identify standards, training, and compliance programs to aid companies in their approach to these challenges
• Offer some additional information on incidents that have already taken place

In order to create and maintain secure systems, we have to first ensure that our processes and the
communication between them are secure; Industrial Control Systems need to be targeted for more detailed
review on a consistent basis. Second, we need to make sure that our operations staff have expertise in Industrial
Control Systems Cybersecurity and are closely coordinating with our IT staff to protect our systems and
processes. Third, we need to make sure our equipment is inherently secure and addresses known vulnerabilities
by leveraging industry standards and conformance programs.

Ask yourself the following questions about your company’s exposure to Industrial Control Systems
Cybersecurity vulnerabilities:
• What opportunities exist for breach?
• What risk exposure does my company have and what are the consequences of that exposure?
• What is the maximum damage that might be done if one of these breaches occurs?
• What specific security deployments protect each of our assets?
• If our systems have cybersecurity vulnerabilities, how do those vulnerabilities impact our safety-related
goals and initiatives?
• Who in our organization is responsible for these security measures? Are our IT and Operations teams
coordinated and working together to secure our systems?
• Have we allocated the right resources, implemented the right standards, and sourced the right equipment
to give us the best possible outcome?

Introduction
Industrial control system (ICS) is a general term that encompasses several types of control systems used in
industrial production. Several of these terms are often used interchangeably, or generalized as SCADA:
• Distributed Control Systems (DCS) that monitor and control large centralized facilities such as power
plants and refineries
• Supervisory Control and Data Acquisition (SCADA) systems that monitor and control dispersed assets
such as electric grids, pipelines, and water systems



• Programmable Logic Controllers (PLCs) that control individual processes
• Remote Terminal Units (RTUs) that act as data concentrators
• Field devices—such as sensors that measure the process (pressure, temperature, flow, etc.); analyzers that
monitor chemical constituents; drives that open and close valves; etc.

Essentially, an Industrial Control System is a system made up of other systems, designed to monitor and
control physical processes and ensure safe operations within specific known engineered states. It carefully
manages transitions between operational states to control risk. These controlled states and transitions are
defined to protect against randomly occurring failures of a component or a few components. However, focused
logical attacks that push a system into known dangerous states are not commonly expected or compensated
for in the normal operational parameters of Industrial Control Systems.

Differentiating between IT Cybersecurity and ICS Cybersecurity

Malicious cyber-related incidents are occurring, or being identified, on what seems like a weekly basis.
Almost all of these are data breaches, compromising the confidentiality of supposedly private information.
However, the consequences are not confined to data breaches and compromises of personal data.

Industrial Control Systems that are used in the critical infrastructures of electric power, nuclear plants,
chemical plants, oil/gas, manufacturing, pipelines, transportation, and building controls also use computer
controls. Often referred to as the “SCADA” systems, many are attached to very critical processes that
modern society depends on and cannot continue to function without. They typically don’t look or act like
those used in the conventional business IT environment and are not being monitored for cyber threats like those
in the business IT environment.

It’s important to recognize and understand the differences between IT cybersecurity and ICS cybersecurity,
and the table below highlights some of the most significant factors to consider.

Attribute                                                    | IT                               | ICS
-------------------------------------------------------------|----------------------------------|-----------------------------------
Confidentiality (Privacy)                                    | High                             | Low
Message Integrity                                            | Low-Medium                       | Very High
System Availability                                          | Low-Medium                       | Very High
Authentication                                               | Medium-High                      | High
Non-Repudiation (Proof of the integrity and origin of data)  | High                             | Low-Medium
Time Criticality                                             | Days Tolerated                   | Critical
System Downtime                                              | Tolerated                        | Not Acceptable
Security Skills/Awareness                                    | Usually Good                     | Usually Poor
System Life Cycle                                            | 3–5 Years                        | 15–25 Years
Interoperability                                             | Not Critical                     | Critical
Computing Resources                                          | “Unlimited”                      | Very Limited with Older Processors
Software Changes                                             | Frequent                         | Rare
Worst Case Impacts                                           | Frequent Loss of Data, Inquiries | Equipment Destruction,

Focusing on the Challenge
Cyber incidents have been defined by the US National Institute of Standards and Technology (NIST) as
occurrences that jeopardize the confidentiality, integrity, or availability (CIA) of an information system.
The NIST definition is a conservative approach to judging cybersecurity effectiveness. According to NIST,
an incident doesn’t need to be malicious to be significant and to carry risk to the process and the
people involved in the process.

However, because IT is so prevalent in the cybersecurity field, cybersecurity is effectively being
viewed as a malicious attack via the Internet against a Windows-based system with the intent of stealing
information. Unfortunately, this paradigm does not apply to ICSs and does not address the most important
aspect of ICSs—safety.




Generally, IT approaches cybersecurity as an end in itself—IT works to identify cyber vulnerabilities
without evaluating the consequences.

It is the consequences that are of the most interest when considering the security of critical control
systems. Many of these are installed in facilities with a life expectancy of 10–25 years. The nature of their
design and the close connection to the underlying process means that they often cannot be upgraded to the
latest cyber technologies easily, or even patched on an expedited basis.

Many professionals working in industry report a lack of senior management attention and consequent funding
to address control system cybersecurity.

Why aren’t we paying closer attention and working to solve this imminent challenge facing our
infrastructure? One of the biggest reasons given for this lack of attention on arguably the most critical
system in a modern economy is that there have been few reported control system cyber incidents affecting
these systems.

One exception to this was the Stuxnet incident in Iran. Unfortunately, a common response to this incident
has been “Stuxnet doesn’t affect us—we don’t have uranium centrifuges.” Nothing could be further from the
truth—if malicious code can affect a Programmable Logic Controller the way that it did in the Stuxnet
incident, that same process can be used to attack a PLC that operates a pipeline, a power plant, a water or
wastewater treatment facility, a building’s security system, and more.

The most important aspects of Industrial Control Systems are reliability and safety. Consequently, ICS
personnel have different concerns; they are focused on cyber threats (malicious or unintentional) only if they
affect reliability or safety. This means that the issues involved with ICS cybersecurity are not denial of
service issues, but rather:

• Loss of process visibility—if I’m driving a car, are all of my displays working, and can I trust the
information they’re conveying?
• Loss of control—as I’m driving, do I have control of the gas pedal, the brake pedal, and the
steering wheel?

Both of these issues were key factors in Stuxnet—the centrifuges were spinning out of control, and the
displays told the operator there were no problems.
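The two failure modes just described, loss of process visibility and loss of control, are what a defender has to detect, and the Stuxnet pattern (displays reading normal while the process runs away) is exactly what a display-only view cannot catch. The following added example, not from the white paper, shows one defensive plausibility check: it compares the value the HMI shows with the same quantity from an independent measurement path, checks that measurement against the engineered operating envelope described earlier ("specific known engineered states"), and recognizes a frozen display. The asset, sample values, envelope and tolerance are all constructed for illustration.

```python
"""Plausibility check for operator-facing process data.

Added example, not from the white paper. Constructed data: a rotating
asset's speed as reported to the HMI by the controller, alongside the
same quantity from an independent sensor on a separate path (for
instance a motor-current or vibration monitor). Names, values and
thresholds are hypothetical."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Envelope:
    """An engineered operating state: the band the process should stay in."""
    low: float
    high: float


# Constructed samples: (timestamp_s, hmi_reported_rpm, independent_rpm).
# From t=20 the independent path climbs while the HMI value stays flat.
SAMPLES = [
    (0, 1000, 1002),
    (10, 1000, 1001),
    (20, 1000, 1180),
    (30, 1000, 1350),
    (40, 1000, 1420),
    (50, 1000, 1415),
]


def check_visibility(samples, tolerance=0.05):
    """Loss of visibility: samples where the HMI value and the independent
    measurement disagree by more than `tolerance` (relative)."""
    alerts = []
    for t, hmi, ind in samples:
        if ind == 0:
            continue  # avoid division by zero on a stopped asset
        if abs(hmi - ind) / abs(ind) > tolerance:
            alerts.append((t, hmi, ind))
    return alerts


def check_envelope(samples, env):
    """Process outside its engineered state, judged on the independent
    measurement regardless of what the HMI shows."""
    return [(t, ind) for t, _, ind in samples if not env.low <= ind <= env.high]


def stale_display(samples, window=3):
    """Frozen-display signature: over the last `window` samples the HMI
    value never changes while the independent value does."""
    tail = samples[-window:]
    if len(tail) < window:
        return False
    hmi_values = {s[1] for s in tail}
    ind_values = {s[2] for s in tail}
    return len(hmi_values) == 1 and len(ind_values) > 1


def assess(samples=SAMPLES, env=Envelope(900, 1100)):
    """Run all three checks and return the findings for an operator."""
    return {
        "visibility_alerts": check_visibility(samples),
        "envelope_alerts": check_envelope(samples, env),
        "frozen_display": stale_display(samples),
    }


if __name__ == "__main__":
    for name, result in assess().items():
        print(name, result)
```

The check is only as good as the independence of the second measurement: if it passes through the same controller, network path or historian tag as the HMI value, a compromised controller can falsify both and every check passes. Envelope limits belong to the process engineers, not the security team, and should be taken from the same documents that define the plant's safe operating states.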

ICS Vulnerabilities: An Attacker’s Dream and Our Worst Nightmare

Some attackers view exploits where you can damage physical processes as the holy grail of cyber
attacks—imagine the devastation, and the resulting terror, that would be caused by the damage or
compromise of the power grid, or the water supply.



Devices that can cause catastrophic damage through remote operation of cyber components are an ideal
target for compromise.

Consequently, we should make these devices a “target” of more detailed review to a) protect them from
malicious attacks and b) ensure that non-malicious actions by an insider (facility staff or contractors) do not
cause unintentional cyber incidents.

The more components that can be compromised in an ICS, the greater the risk to the operator and value to the
attacker. Industrial Control Systems are not designed to ensure resilience against concerted attacks that intend
to place components in dangerous operating states. This is expected to be a growing area of cyber-attack
and engineering research.

An Industrial Control Systems Cybersecurity Expert looks at a facility and its systems in a holistic way,
identifying physical vulnerabilities of the controllers and the process and discovering ways to exploit
vulnerabilities by cyber manipulations. There are very few people with the expertise to understand
the physical process being controlled, the control system domain with its unique design features, and
the exploitation of IT vulnerabilities. ICS Cybersecurity Experts bridge the gaps between these traditional areas
of expertise.

The typical IT security function is focused on Advanced Persistent Threats (APT) and traditional insider threats,
while threats such as Stuxnet and Aurora are Persistent Design Vulnerabilities (PDV) that exploit features
inherent in the systems’ design. We use the term “infinite day vulnerabilities” instead of “zero day
vulnerabilities” when referring to ICS systems, because the vulnerabilities are a combination of new and inherent
vulnerabilities of the systems.

IT security experts understand Windows and Internet Protocol (IP) communications and have numerous types
of technologies to look for cyber threats at the Windows and IP layers, but very little understanding and very few
tools “below the IP layer.” Control systems personnel are typically focused on operational reliability and
safety—not cybersecurity.

Developing the Industrial Control Systems Cybersecurity Expert: Why it Matters

IT personnel generally have Computer Science backgrounds with minimal engineering backgrounds,
whereas Operations personnel come from engineering backgrounds with minimal security training. There is a
gulf between the IT and Operations organizations—and it is the responsibility of senior executives and boards to
break down these organizational divides.

An Industrial Control System includes a Human-Machine Interface (HMI), a software application that
presents information to an operator or user about the state of a process, and allows the system to accept and
implement the operator’s control instructions. HMIs are generally designed to operate on common commercial
operating systems (e.g., Windows) that are understood by IT. However, the proper support of these devices also
requires Operations expertise.

Traditional cyber attacks often focus on general purpose information systems—using zero-day
vulnerabilities, buffer overflows, cross-site scripting, or other vulnerabilities. These attacks generally pursue
the capture of valuable data or aim to create denial-of-service incidents. Attacks targeting Industrial Control
Systems can be built on top of these—but take aim at the physical process, exploiting legitimate product or
system design features.



Consequently, there are few computer forensics capabilities and minimal training to identify ICS cyber
incidents. Organizations such as Computer Emergency Response Teams (CERT) have databases of hundreds of
thousands of cyber probes and attacks, but very few, if any, recorded ICS incidents. This is partially due
to the lack of training and education about Industrial Control Systems; and conversely, the lack of training of
Operations personnel regarding security considerations. Moreover, there are few, if any, regulations to ensure
ICS cyber incidents are forensically examined to identify possible pathways to failure. The lack of appropriate
forensics can call official findings on verification and attribution into question; these factors are important
details for insurance and compliance purposes, and critical information as cyber technologies evolve into
cyber weapons.

In the IT environment, technology is available to monitor and identify cyber attacks, although there have been
many cases where IT cyber compromised systems have gone unseen for months. With critical infrastructure, it
is very different. When an event occurs in critical infrastructure, such as an electric blackout or a pipe
break, the results are immediate and the impact can’t be hidden.

Without the perspective of an Industrial Control Systems cybersecurity expert, it can be difficult to
determine if a cyber breach is the cause of a failure incident.

Industrial Control Systems Cybersecurity Experts meet the following criteria:
• They understand the physical process being controlled
• They understand the control system domain with its unique design features
• They understand the risks and mitigations of exploitable IT vulnerabilities
• They are well versed in industry standards and understand how they apply to people, processes,
and products
• They can bridge the gap between the IT organization and the Operations organization

The culture gap that exists between the IT organization and the Operations organization exacerbates the
physical threats and makes it very difficult to secure Industrial Control Systems. Stuxnet was successful, in
large part, because it was arguably the only instance where IT, Operations, and Physical Security teams
tightly coordinated to plan and implement the attack. It is an unfortunate fact that this coordination does
not happen (with very rare exceptions) when trying to protect Industrial Control Systems.



Industry Standards and Compliance Programs: A Solid Foundation to Build a Secure Future

ICS cybersecurity is a global issue—and the challenge spans across processes, people, and equipment. In
order to create and maintain secure systems, we have to ensure that our processes and the communication
between them is secure, we have to make sure our people are trained and we have expertise in Industrial
Control Systems Cybersecurity, and we have to make sure our equipment is inherently secure and addresses
known vulnerabilities. That’s a tall order, and when you multiply those challenges with the number of industries
and world regions impacted, it can be overwhelming to consider how we will coordinate our response.

For hundreds of years, industries have relied on global standards to help solve difficult technical problems and
ensure harmonization and consistency in process and product design. Standards Developing Organizations
(SDOs) have led the charge in the consensus development of industry standards in areas like alarm
management, safety, batch processing, wireless communication, and others. The International Society of
Automation (ISA) is the SDO for automation and control professionals in many different industries, including oil
and gas, petrochemicals, utilities, food and beverage, pharmaceutical, and many more.

ISA is the developer and applications-focused thought leader behind the world’s only consensus-based
industrial cybersecurity standard. The ISA99 standards development committee brings together worldwide
Industrial Control Systems Cybersecurity Experts from industry, governments, and academia to develop
the ISA/IEC 62443 series of standards on industrial automation and control systems security, guided by
the accredited processes of the American National Standards Institute. The committee addresses
industrial automation and control systems whose compromise could result in endangerment of the public
or a company’s employees, violation of regulatory requirements, loss of proprietary or confidential
information, economic loss, or adverse impacts on national security.

The ISA/IEC 62443 standards define requirements and procedures for implementing electronically secure
automation and Industrial Control Systems and security practices, and assessing electronic security
performance. The ISA/IEC 62443 standards approach the cybersecurity challenge in a holistic way,
bridging the gap between operations and information technology, and between process safety and
cybersecurity.

Given the interconnectivity of today’s advanced computer and control networks—where vulnerabilities
exploited in one sector can impact and damage multiple sectors—it’s essential that cybersecurity standards be
broadly applicable across industries or sectors. The ISA/IEC 62443 Industrial Automation and Control Systems
Security series of standards is a multi-industry initiative applicable to all key industry sectors and critical
infrastructure.

In order to help industry solve the “people” part of the challenge, ISA has also developed a series of courses
and certificate programs based on the standards, culminating in the Industrial Control Systems
Cybersecurity Expert designation for professionals who can successfully complete the courses and exams.

The final piece of the industrial cybersecurity puzzle involves the actual equipment that makes up the
Industrial Control System—after all, a secure control system requires that each system, communication
protocol, and communication media be secure. Unfortunately, many ICS devices, including new
devices, are still insecure by design and many legacy Industrial Control Systems cannot implement IT security
technologies yet won’t be replaced because they still work.

In response, the Automation Standards Compliance Institute created the ISASecure® ISA/IEC 62443
conformity assessment program for commercial-off-the-shelf (COTS) Industrial Control System products. The
certification program evaluates the product development practices of the supplier, along with
detailed product security characteristics, with the ultimate objective of securing the Industrial Control
Systems supply chain. The ISASecure® certification program is an ISO/IEC 17065 conformity assessment
scheme that ensures that control systems conform to relevant ISA/IEC 62443 cybersecurity standards and
it is applied using the security lifecycle concept that forms the basis of the standards. Asset owners and
integrators who include the ISASecure® designation as a procurement requirement for control systems
projects have confidence that the selected products are robust against network attacks and free from known
security vulnerabilities.



Viewpoint: An Industrial Control Systems Cybersecurity Expert Explores ICS Cybersecurity Incidents

There have been nearly 750 actual Industrial Control Systems cyber incidents, with impacts ranging from
trivial to significant equipment damage, significant environmental damage, non-compliance with regulatory
requirements, and deaths of people involved in the affected processes. Remember, an ICS cyber
incident does not need to be malicious to create a risk to the organization with potentially catastrophic
consequences.

The information from the incidents is not classified but neither is it public. I have been studying these incidents
for years, and I’ve created a database covering control system cyber incidents in Asia, Europe, North America,
South America, and the Middle East. Following 9/11, there was supposed to be a focus on “connecting the
dots,” but that certainly has not happened with ICS cybersecurity. ICS incidents keep occurring, many with
common threads, across multiple industries with little guidance or training.

The incident case histories that I’ve compiled provide an understanding of:
• What can actually happen during an incident
• The difficulty in recognizing an incident as cyber-related
• The need for appropriate policies and/or technologies to effectively mitigate the incidents
• The lack of existing regulations and appropriate guidance to prevent or mitigate the incidents
• The lack of design resiliency for systems that cannot be protected from cyber threats
• How companies have recovered and can recover from breaches

The data could also help to provide an understanding of a breadth of human factors, nation state actions, and
processes being used in hostile acts against critical infrastructure such as:
• Reconnaissance and testing
• Experimental use of destructive tools to test generic attacks
• Failures from design faults of control systems at different stages of the life cycle of industrial
equipment
• Combined factors, based on analysis of how different factors interact and lead to incidents
initiated by failures in control systems

My goal in the analysis of the data is to identify previously unrecognizable single factor risks, unusual
and previously unpredicted failures, or the as-yet-unsimulated combinations of factors causing unusual
perturbations. The database identifies:
• More than 50 cases that resulted in more than 1,000 deaths combined
• More than 10 major cyber-related electric outages
• More than 60 nuclear plant cyber incidents with more than 15 resulting in reactor shutdowns
• More than 50 cases involving significant environmental releases
• More than 100 cases involving physical equipment damage (not servers or other IT equipment)
• Impacts conservatively totaling more than $30 billion (this comes from economic estimates from
major cyber-related events such as electric outages, pipeline failures, dam failures, plane crashes, and
train crashes) and bankruptcy of several companies as a result of these failures

Three incidents in particular come to mind when considering the potential risk to the financial well-being
of organizations whose systems are compromised:
• The 2010 non-malicious natural gas pipeline rupture of a major investor-owned utility resulting in
more than a $1.5 billion fine and possible criminal violations
• The 2014 sophisticated malicious “spear-phishing” cyberattack at a German steel mill that caused
physical damage to the furnace
• The ongoing Volkswagen emissions scandal demonstrating that ICS cyber-issues can come
from within an organization and target business considerations with billion dollar ramifications

These incidents showcase ICS cybersecurity vulnerabilities. In some cases, incidents led to the
resignation of the CEO and several billion dollars of damage. Many times, incidents are caused by
intentional activities but not often considered malicious in the traditional sense, and in both cases, IT has no
knowledge of the relevant issues. In the case of the gas and electric company, the public utility commission
is now investigating a potential splitting up of the company’s assets because of the systemic safety issues
stemming from the rupture. In Volkswagen’s case, the company may have lost their entire diesel car market,
as well as taken a serious hit to their reputation as a manufacturer of well-designed vehicles.



Recommendations and Conclusions

Industrial Control Systems cybersecurity is an issue with multiple facets, spanning technology, processes,
equipment, and people—and it crosses traditional barriers of geography, industry, and application. Vulnerabilities
and associated attacks, whether malicious or unintentional, can bring devastating financial, safety, and brand
reputation consequences—and executive management should be carefully considering their exposure to these
risks.

Culture, knowledge, and experience gaps exist between IT and Operations personnel in most companies, and the
coordination of these functions with guidance from a team of Industrial Control Systems Cybersecurity Experts
is critical to the success of a comprehensive cybersecurity program. Global consensus standards focused on
Industrial Control Systems cybersecurity can help to bridge the gaps between IT and Operations and between
safety and cybersecurity. These standards can be applied to processes, the associated training and certificate
programs can be leveraged to train people, and the associated compliance programs can be utilized to test and
certify equipment.

By using data from known incidents and vulnerabilities, and leveraging standards, training, and compliance
programs, systems engineers and Industrial Control Systems Cybersecurity Experts can reduce the risks to critical
infrastructure from hostile actors, human mistakes, and design flaws. We can make our systems more reliable,
less sensitive to malicious or unintentional breaches, and secure the safety of our people and processes in industry
and critical infrastructure.

Additional Resources

Download a brochure detailing ISA’s resources for Control Systems Cybersecurity, including the ISA/IEC
62443 standards and associated training, certificate programs, books, technical papers, and more:
www.isa.org/cybersecurityresources

Visit Applied Control Solutions at http://realtimeacs.com/ to learn more about Joe Weiss, the author of this
white paper.



Assessing the Cyber Readiness of the Middle East’s Oil and Gas Sector

By Siemens and the Ponemon Institute LLC

Foreword

Until recently, most cyber attacks have targeted the Information Technology (IT) environments, comprised
of PCs, work stations, and mobile devices. As the process of digitalization has accelerated, so too has
the convergence of IT and operational technology (OT) connectivity. This provides a wide range of benefits that
enable organizations to optimize processes, capture cost savings, and turn data into value. At the same
time, connectivity has also created a larger cyber “attack surface” that is harder than ever to secure.

Attackers have identified this convergence of IT and OT as a key opportunity to penetrate an organization. As a
result, an emerging trend of cyber attacks is designed to disrupt physical devices or processes used in
operations.

The disruption of critical infrastructure in industries can have catastrophic security, economic, and
environmental implications. In the Middle East, we have recently seen the Triton malware targeting
industrial control systems in the energy sector by exploiting a previously unknown zero-day vulnerability.
This OT-specific malware was designed to impact safety control systems, and underscores the potential
OT cyber risk to health, safety, and the environment.

These trends—accelerating digitalization, the convergence of IT and OT, more frequent, sophisticated
cyber attacks, and an energy sector in the crosshairs—led Siemens, in conjunction with the Ponemon Institute,
to delve more deeply into the cyber readiness of the oil and gas industry in the Middle East.

The impact of these cyber intrusions against OT assets in the Middle East, especially in the oil and gas
sector, the target of 50 percent of all cyber attacks in the region, is more significant than in other parts
of the world: greater frequency relative to return on investment (ROI), more expensive relative to ROI, and
with greater downtime.

To their credit, organizations in the region have been early enthusiasts for digitalization, ahead of many
others in the world in recognizing the unprecedented business value. They have also recognized the greater
cyber risk associated with greater connectivity. Oil and gas companies in the region are beginning to invest in
protecting their assets from cyber intrusions, while lagging behind in terms of awareness and the rate of
deploying technology that can protect their operating environment. In the government sphere, regulations
intended to address the OT cyber threat are being rolled out, though, admittedly, these are mostly at an
early stage.

Throughout this report, we seek to shed light on the state of cyber readiness of oil and gas companies in
the region and hope you will find the insights drawn from this report illuminating.
Industrial Cybersecurity eBook 2019 PAGE 32


EXECUTIVE SUMMARY

This report is the result of the second collaboration between Siemens and the Ponemon Institute. It consists of a survey of 176 individuals in the Middle East responsible for securing or overseeing cyber risk.

Among the findings from these respondents in the Middle East and discussed in this report:

Sixty percent of respondents believe they face a greater risk in the OT than in the IT environment.

Sixty-seven percent of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats.

Seventy-five percent of organizations have suffered at least one security compromise that resulted in the loss of confidential information or disruption to operations in the OT environment over the past 12 months.

The process of digitalization is creating benefits for oil and gas companies (e.g., greater efficiencies, operational insights) but also generating significantly increased cyber risks, according to 62 percent of respondents.

of respondents say the top cyber security threat is the negligent or careless insider.

of Middle East respondents said that outdated and ageing control systems pose a serious risk to their organizations.

of respondents say their organization's industrial control systems' protection and security are adequate.

Forty-seven percent of respondents say they continually monitor all infrastructures to prioritize threats and attacks.

Forty-three percent thought they had the internal expertise necessary to manage cyber threats in the OT environment.

The objective of the research presented here is to gain insight into how the oil and gas industry in the Middle East region understands the OT cyber risk it is facing, and how ready it is to meet this challenge.



Introduction
Siemens and the Ponemon Institute are pleased to present the results of the report 'Assessing the Cyber Readiness of the Middle East's Oil and Gas Sector'. This survey provides a first-of-its-kind assessment of the readiness of Middle East oil and gas companies to deal with the emerging cyber threat to Operational Technology (OT).

The OT cyber risk is particularly acute in the Middle East. Given the critical importance of oil and gas to the region's economies, OT cybersecurity is an especially pressing topic. We have already seen sophisticated cyber attacks targeting oil and gas organizations (Aramco in 2012) and OT specifically (Triton in 2017). The financial impacts of these attacks in the Gulf last year were estimated to be more than USD 1 billion. In addition to these financial costs, OT cyber attacks raise significant health, safety, and environmental risks to the industry. This potent combination of substantial costs and heightened risk will keep OT cybersecurity top of mind for Middle East oil and gas companies.

TO INCREASE OUR UNDERSTANDING OF THE OT CYBER LANDSCAPE, THIS REPORT FOCUSES ON:

OT CYBER RISK TODAY

First, we will look at the current OT cyber risk landscape for oil and gas companies in the Middle East. This section will provide insights into the types of risks companies face, where they are most vulnerable, and the impacts associated with OT cyber risk.

READINESS TO ADDRESS THE OT CYBER CHALLENGE

Second, we will evaluate these organizations' readiness to secure their operating environments and capture the full benefits of digitalization.

SOLUTIONS TO THE OT CYBER CHALLENGE

Lastly, we will analyze the survey results to identify the best path forward for oil and gas companies. Specifically, we will delve into the strategies, technologies, and policies best suited to help secure the entire operating environment.

OT cybersecurity presents unique challenges to oil and gas organizations that are different from traditional IT security concerns.

Cybersecurity challenges arise, in part, from the extended lifecycle of OT technologies.

of Middle East respondents said that outdated and ageing control systems pose a serious risk to their organizations.

The OT Cyber Risk Today

Systems running older technologies are hard to patch because they are in continual use and integrated into wider production chains. The unique features of OT underscore the importance of purpose-built, multi-vendor solutions in the operating environment.

The operating model of some oil and gas organizations in the region often serves to introduce additional OT cyber risk. We have seen joint ventures between national and international oil companies with an absence of clear ownership of OT cyber risk. This disconnect, between operations and OT cyber, can expose dangerous gaps in cyber asset management and detection, and severely hamper cyber teams attempting to secure the environment.

Oil and gas OT environments face significant and mounting cybersecurity risk.

Sixty percent of respondents believe they face a greater risk in the OT than in the IT environment. Sixty-seven percent of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats.

These perceptions are, in fact, borne out in reality. A heightened risk environment is being driven by:

There are critical differences between Operational Technology (OT) and Information Technology (IT).

There is an absence of clear ownership of OT cyber risk in joint ventures.

Exploratory information is the area of the oil and gas value chain most vulnerable to a cyber attack.

When asked to identify the areas of greatest risk,

Other areas of vulnerability include:



CYBER BREACHES IN THE OT ENVIRONMENT ARE WIDESPREAD AND REGULARLY GO UNDETECTED

Seventy-five percent of organizations have suffered at least one security compromise that resulted in the loss of confidential information or disruption to operations in the OT environment over the past 12 months.

reported that they had experienced more than 10 cyber breaches in the OT environment in the preceding 12 months, a rate nearly three times the global average.

These numbers, moreover, likely under-report the true figures: respondents believe that 46 percent of cyber attacks go undetected. This data underscores that the OT cyber risk is not just theoretical, and that companies across the region are already being impacted.

The process of digitalization is creating benefits for oil and gas companies (e.g., greater efficiencies, operational insights) but also generating significantly increased cyber risk, according to 62 percent of respondents.

This survey highlights the close linkage between digitalization and cybersecurity for the oil and gas sector. In order for organizations to capture the full benefits of digitalization, it is essential that they rigorously address the OT cyber risk.

Insider threat is viewed as the top threat to OT cybersecurity.

of respondents say the top cybersecurity threat is the negligent or careless insider.

of respondents say it is the malicious or criminal insider, underscoring the need for advanced monitoring solutions to identify atypical behavior among personnel.



INSIDER THREAT RISK

The prevalence of insider threat risk shows that traditional strategies of "air-gapping" networks are not an adequate security measure.

This approach cannot, for example, prevent the introduction of compromised transient assets like USB sticks. Instead of attempting to air gap networks that can never be truly isolated, organizations can strengthen their cyber defences by gaining visibility into their entire operating environment. This asset transparency is especially critical at remote sites like offshore platforms and wellheads.

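As an added example (not from the Siemens/Ponemon report), the following Python sketches the asset-visibility approach the passage above favours over air-gapping: a passive inventory folded from network sightings on a SPAN port, compared against the operator's own baseline to surface unknown devices and known devices speaking protocols outside their role, plus a check on removable-media insertions reported by host agents. All asset names, MAC addresses, USB serial numbers and log records are constructed for illustration.

```python
"""Continuous asset visibility for an OT network: passive inventory,
protocol drift and transient (removable) media detection.
Added example with constructed sample data, not survey data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    role: str
    site: str
    allowed_protocols: frozenset


# Baseline inventory: what the operator believes is on the network (constructed).
BASELINE = {
    "00:1c:06:aa:01:01": Asset("00:1c:06:aa:01:01", "PLC", "wellhead-07", frozenset({"modbus", "s7comm"})),
    "00:1c:06:aa:01:02": Asset("00:1c:06:aa:01:02", "HMI", "wellhead-07", frozenset({"modbus", "https"})),
    "00:1c:06:aa:01:03": Asset("00:1c:06:aa:01:03", "EWS", "platform-A", frozenset({"s7comm", "smb"})),
}

# Removable media whose serial numbers are approved for use on OT hosts (constructed).
APPROVED_USB_SERIALS = frozenset({"SN-ENG-0001"})

# Passive sightings from a SPAN/TAP: (timestamp, src MAC, src IP, protocol). Constructed.
SIGHTINGS = [
    ("2019-03-01T08:00:00Z", "00:1c:06:aa:01:02", "10.10.7.12", "modbus"),
    ("2019-03-01T08:00:05Z", "00:1c:06:aa:01:01", "10.10.7.10", "modbus"),
    ("2019-03-01T08:01:00Z", "00:1c:06:aa:01:03", "10.20.1.5", "s7comm"),
    ("2019-03-01T08:05:00Z", "b8:27:eb:12:34:56", "10.10.7.99", "modbus"),  # never inventoried
    ("2019-03-01T08:06:00Z", "00:1c:06:aa:01:01", "10.10.7.10", "http"),    # PLC outside its role
    ("2019-03-01T08:07:00Z", "b8:27:eb:12:34:56", "10.10.7.99", "ssh"),
]

# Host-agent events from OT workstations: (timestamp, host, event, device serial). Constructed.
HOST_EVENTS = [
    ("2019-03-01T08:03:00Z", "EWS-PLATFORM-A", "usb_insert", "SN-ENG-0001"),
    ("2019-03-01T08:04:30Z", "HMI-WH07", "usb_insert", "SN-UNKNOWN-77"),
    ("2019-03-01T08:04:45Z", "HMI-WH07", "logon", "-"),
]


def build_inventory(sightings):
    """Fold passive sightings into an observed inventory keyed by MAC address."""
    inventory = {}
    for ts, mac, ip, proto in sightings:
        rec = inventory.setdefault(
            mac, {"first_seen": ts, "last_seen": ts, "ips": set(), "protocols": set()})
        # ISO-8601 UTC timestamps of equal width compare correctly as strings.
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["ips"].add(ip)
        rec["protocols"].add(proto)
    return inventory


def find_unknown_assets(inventory, baseline):
    """MACs seen on the wire that the operator has never inventoried."""
    return sorted(mac for mac in inventory if mac not in baseline)


def find_protocol_drift(inventory, baseline):
    """Known assets observed speaking protocols outside their documented role."""
    drift = []
    for mac, asset in baseline.items():
        seen = inventory.get(mac, {}).get("protocols", set())
        unexpected = seen - asset.allowed_protocols
        if unexpected:
            drift.append((mac, asset.role, sorted(unexpected)))
    return drift


def flag_transient_media(events, approved_serials):
    """Removable-media insertions on OT hosts whose serial is not on the approved list."""
    return [(host, serial)
            for _ts, host, event, serial in events
            if event == "usb_insert" and serial not in approved_serials]


def review(sightings=SIGHTINGS, events=HOST_EVENTS,
           baseline=BASELINE, approved=APPROVED_USB_SERIALS):
    """Run all three checks and return the findings an analyst would triage."""
    inventory = build_inventory(sightings)
    return {
        "observed_assets": len(inventory),
        "unknown_assets": find_unknown_assets(inventory, baseline),
        "protocol_drift": find_protocol_drift(inventory, baseline),
        "unapproved_media": flag_transient_media(events, approved),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

The point of the three checks is that none of them depends on the network being isolated: the unknown device, the PLC that suddenly speaks HTTP, and the unapproved USB stick on the HMI are all visible whether or not an air gap is assumed. In a real deployment the sightings would come from a passive sensor and the host events from an endpoint agent, and the baseline would be the operator's maintained asset register.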


Readiness to address the OT cyber challenge

Best Practice in Cybersecurity

Our study finds that oil and gas organizations in the Middle East recognize the growing OT cyber threat as well as the imperative to strengthen their cyber readiness. In fact, Middle Eastern organizations have already begun to take critical steps to improve their OT cybersecurity preparedness. Specifically, oil and gas companies in the Middle East have undertaken crucial steps such as:

INDUSTRY NEEDS TO KEEP UP

Despite awareness of rising OT cyber risk, budgets for OT cyber services and solutions have not kept up with the threat. Oil and gas organizations in the Middle East today dedicate only a third, on average, of their total cybersecurity budget to securing the OT environment. Given the risk shift we are witnessing in oil and gas, from IT to OT, this suggests that Middle Eastern organizations are not aligning their cyber investments with where they are most vulnerable. This OT investment shortfall is all the more alarming as Middle Eastern oil and gas organizations reported smaller average total (IT + OT) cyber budgets than their global peers.

CYBERSECURITY JOURNEY

Most organizations are only at the early stage of their OT cybersecurity journey. Just under two-thirds of respondents considered their OT cybersecurity programs to be at an early or middle maturity, with nearly a quarter saying they had the lowest level of OT cybersecurity maturity. In these lower-maturity organizations, we see recurring traits that undermine effective OT security:

CHALLENGES TO CYBER READINESS

of respondents say their organizations' industrial control systems' protection and security are adequate.

Oil and gas organizations in the Middle East face a similar set of challenges in maturing their OT security programs. First, companies often lack the internal expertise and trained personnel to build strong OT security programs. Second, many organizations do not have visibility into the assets in their operating environment and cannot protect what they have not identified. This lack of visibility is compounded by the reality of multi-vendor environments, full of legacy assets, that have often grown over time without a clear plan to secure them.



COMPLETING CRITICAL TASKS

Many tasks critical to OT security have not been completed.

Forty-seven percent of respondents say they continually monitor all infrastructures to prioritize threats and attacks.

Fifty percent of all cyber attacks in the OT environment go undetected, suggesting the need for investment in a solution that can detect cyber threats to oil and gas operations.

Fewer respondents say their organizations have the ability to assess risks in order to determine the resources necessary to address them (27 percent), or to pinpoint the sources of attacks and mobilize to remediate them (42 percent).

Oil and gas companies often struggle to address the fundamentals of OT cybersecurity.

For example, only 27 percent of respondents expressed confidence in their ability to, first, assess cybersecurity risks, and second, allocate the resources necessary to address those risks. This limitation is exacerbated by a widespread shortage of OT cyber talent. In order to address this acute talent shortage, governments and the private sector have important roles to play in supporting capacity building.

SUPPORT FROM OT CYBER EXPERTS

Companies need experts that understand both cybersecurity and industrial control systems, a combination that is hard to find. Fewer than half of respondents (43 percent) thought they had the internal expertise necessary to manage cyber threats in the OT environment and, as a result, are increasingly seeking out external support. In particular, significant talent gaps exist for:

Middle Eastern governments recognize this challenge, and have clearly prioritized developing domestic high-tech expertise through such efforts as Saudi Arabia's Vision 2030 plan.



Solutions to the OT cyber challenge

CYBER RISKS TO YOUR ORGANIZATION

Many organizations seem to lack awareness of the cyber risks to their organization.

While 75 percent of respondents say their organization experienced a cyber compromise, only 17 percent say it is very likely or likely that their organization will experience a successful cyber exploit over the next 12 months. This gap between awareness and detection underscores the lack of internal OT cyber know-how and the limitations of deploying even the most cutting-edge technology without the relevant OT expertise.

SOLUTIONS TO ACHIEVE CYBER READINESS

While our study indicates that oil and gas organizations in the Middle East increasingly recognize the OT cyber challenge, there are fewer signs that they are adopting the most effective measures to address OT risk. Many have not moved past approaches that no longer work in an era of digitalization. For example, too many organizations are still attempting to "air gap" their operating environment, rather than using smart, secure connectivity to gain transparency. Moving from the mentality of "dig a deeper moat" to continuous asset visibility and intelligence is a foundational step in building a robust OT security program. More broadly, we see six key principles underlying the most effective OT cyber programs:



MANY COMPANIES ARE NOT INVESTING IN THE MOST EFFECTIVE OT CYBER TOOLS

Only 39 percent plan to ensure hardened endpoints in the next 12 months, and only 20 percent will adopt analytics. The disconnect between establishing priorities and placing investments against those priorities highlights the importance of having a rigorous, long-term OT cybersecurity strategy.

MOST EFFECTIVE SECURITY TECHNOLOGIES

Respondents recognize and call for solutions to address insider threat, aging control systems, and secure connectivity.

(Chart: very effective and effective responses combined.)

THE IMPORTANCE OF SECURITY ANALYTICS

Security analytics are widely considered to be the most effective technology for managing OT cyber risk. The majority of respondents believe security analytics technology is essential or very important.

(Chart: How important is security analytics technology to achieving strong security?)

The survey data shows the importance of addressing the fundamentals (e.g., hardening endpoints) as well as leveraging advanced technologies (e.g., analytics) to secure the OT environment. Oil and gas companies can also build on security analytics data to safeguard and optimize operational processes. By combining data from the network, controls, and asset layers, organizations are able to reap important benefits around, for example, process safety in refining.

Organizations need to develop integrated OT cyber strategies that are adopted across the organization.

As shown in this research, organizational challenges create difficulty in strengthening OT security. Only 9 percent of respondents say there is full alignment between OT and IT with respect to cybersecurity. Though employee training and awareness is critical to developing a robust internal cyber culture, 65 percent of respondents say their organizations do not have initiatives in place that would build such a "cyber-safety" culture.



Conclusion

Our study reveals that oil and gas companies in the Middle East are aware of the growing OT cyber risk they face. They also increasingly recognize the actions they must take to strengthen their defences. They are investing more resources to develop the capabilities required, including qualified staff, to close this OT cyber readiness gap. These signs of leadership are welcome. Taking the next step in this OT cybersecurity journey will require a more holistic strategy. Organizations that adopt both a risk-based and a compliance-based approach to their OT security programs will be those that close the cyber readiness gap soonest. Those who show leadership in this challenge will look to leverage security analytics backed by deep domain expertise. Mature OT cyber programs will prioritize continuous visibility into their assets and vulnerabilities, so that they can prioritize intelligently and effectively. By ensuring asset transparency and rapid detection, organizations can best manage OT cyber risk and unlock the broader benefits of digitalization in the oil and gas industry.

Methodology

In creating this report, we surveyed 176 individuals in the Middle East who are responsible for securing or overseeing cyber risk in the OT environment. To ensure a knowledgeable respondent:



PONEMON INSTITUTE

The Ponemon Institute conducts independent research on privacy, data protection, and information security policy. Our goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions, and potential threats that will affect the collection, management, and safeguarding of personal and confidential information about individuals and organizations. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise.

In addition to our research, Ponemon Institute provides strategic consulting to private and public sector organizations interested in establishing or enhancing their privacy, data protection, and security practices. To ensure that their goals are achieved, organizations engage us to assess their practices and conduct workshops and training programs.

Ponemon Institute is the parent organization of the Responsible Information Management (RIM) Council. The RIM Council draws its name from the practice of Responsible Information Management, an ethics-based framework and long-term strategy for managing personal and sensitive employee, customer, and business information.

SIEMENS CYBERSECURITY PRACTICE

Given that the probability of a cyber attack for any company is nearly 100 percent, the question becomes not whether to act, but how. Holistic cybersecurity emphasizes not only how to prevent an attack but also how to respond to one.

At Siemens, we take our customers on a cybersecurity journey that brings maturity to their cyber enterprise. This means starting with a risk-based strategy that deals in fundamentals, transforms an organization's response to the environment, and most importantly, builds their capacity to monitor and respond, from the oilfields to the control centers to the enterprise networks.

This agility is essential to dealing effectively with the growing cyber threat. Those organizations that move proactively to build their capability to detect and respond will be best positioned to meet this challenge. For Siemens, cybersecurity is an essential component of our vision for digitalization and intelligent infrastructure.

Over the last ten years, we have invested over $10 billion to make digitalization a core part of our own business transformation. Now we are making this internal cyber capability and its complementary external offering available to our customers.