By Quade Nettles, Rockwell Automation
Critical infrastructure is what fuels modern civilization. Water, electricity, sewer and water treatment, pipelines and even the internet itself are critical to economic and military defense infrastructures and supply chains – and today this infrastructure is an obvious target for cyber criminals.
In 2021 we have already seen the ripple effects of both kinds of disruption: a natural disaster, when the winter storms that hit Texas overloaded the systems and took down a power grid, water treatment plants and sanitation, and a cyberattack, when the Colonial Pipeline was hit with ransomware. Cybersecurity threats are evolving, and providers of critical infrastructure must be especially vigilant in understanding them. It is imperative that these services keep current on the latest processes and solutions that can be implemented to combat these threats.
Simultaneously, power plant and grid operators are looking to update their systems and technologies to meet new regulatory standards or replace obsolete or aging systems.
For many long-standing facilities, it may not make sense to perform a complete plant overhaul – instead, hybrid solutions may be more financially feasible to help improve production and achieve regulatory compliance.
But piecing together the right combination of technology and processes presents its own challenge. Few plants have staff with the knowledge and skills required to understand not only what new systems are needed, but also how to design, deploy and maintain more secure and connected systems. In addition, such systems must be designed and deployed with a holistic view of cybersecurity.
Holistic industrial security is enterprise-wide, starting at the plant level and encompassing every individual end device. It addresses risk from all sides: people, processes and technologies. And, it brings together IT and OT teams, both of which are indispensable in securing network architectures.
In this complicated landscape, how can we better protect critical infrastructure? I recommend starting with these three steps:
Understand risks and vulnerabilities: Perform a security assessment and a thorough review of site infrastructure nuances, software, networks, control systems, policies, procedures and even employee behaviors. It’s the foundation for a successful security policy, and with an assessment in hand, implementation can begin.
Key deliverables for any security assessment include:
- Inventory of authorized and unauthorized devices and software
- Detailed observation and documentation of system performance
- Identification of tolerance thresholds and risk/vulnerability indications
- Prioritization of each vulnerability based on impact and exploitation potential
- Mitigation techniques required to bring an operation to an acceptable risk state
Create Resilient Systems: Defense-in-depth (DiD) security is based on the idea that if any one point of protection is defeated, an attacker must still defeat additional layers. DiD security establishes a resilient system through multiple layers of protection and a combination of physical, electronic and procedural safeguards. A defense-in-depth security approach consists of six main components: policies and procedures, physical, network, computer, application and device.
Vendor and Supply Chain Hygiene: Your plant’s automation system is likely a small part of capital assets or costs. However, it can have a disproportionately large impact on helping you meet your security goals – similar to the impact it has on your production, quality and safety goals. Before selecting vendors for any system that will be connected to your network, request that they disclose their security policies and practices. At Rockwell Automation, we’ve formed a strategic partnership with Cisco to better understand evolving cybersecurity best practices. We’ve defined five core security principles for designing products used in a control system:
- Secure network infrastructure
- Authentication and policy management
- Content protection
- Tamper detection
Operators of critical infrastructure should look for a structured and tailored approach to meet physical and cybersecurity requirements. Multiple layers of protection, a highly integrated cybersecurity suite and other upgrades can help producers get ahead of risks already running throughout the industry.
About the Author
Quade Nettles manages services associated with cybersecurity at Rockwell Automation. Quade’s primary responsibility is to develop the strategic roadmap for industrial cybersecurity services, including consultative services such as risk assessments and penetration testing, as well as managed security services such as threat detection and incident response.
Since joining Rockwell Automation in 2012, Quade has held various positions with increasing responsibility in both technical and project management roles. Prior to his current position, Quade served as a Global Program Manager of a cybersecurity program. Quade holds a Bachelor of Business degree in Computer Information Systems from the University of Toledo and a Master of Business Administration degree from Cleveland State University.