By Trip Hillman, Director of Cybersecurity Services at Weaver
More and more, industrial control systems have been the targets of malware, ransomware, and other kinds of cyberattacks. These attacks jeopardize operations that control essential services and critical functions and may result in loss of life, property damage, and disruption of essential services, such as electricity, water, and telecommunications.
Industrial enterprises that operate SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control System) devices are even more likely to be vulnerable to these cybersecurity threats. With SCADA system life cycles reaching 15 years or longer, older devices may be more sensitive or may not be compatible with newer computers and protection measures. This makes them more vulnerable to cyberattacks, which can lead to breaches of connected networks, physical plant operations, environmental controls, or even life-threatening safety failures.
The Cybersecurity and Infrastructure Security Agency (CISA) recently announced an initiative to strengthen and secure industrial control systems in response to such growing cybersecurity threats and risk management issues.
CISA was created in 2018. Part of the federal Department of Homeland Security, it is responsible for functions previously performed by the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
This new initiative signals the federal agency’s intention to bring resources and focus to ICS security to drive meaningful, measurable, and sustainable change.
Typically, the SCADA system functions as an active operation’s nervous system, notifying operators of failed activities, errors, and equipment that is functioning out of tolerance. Data from a comprehensive SCADA system permeates an organization’s business processes by:
- driving maintenance and safety programs
- informing operational efficiency assessments
- providing details for capital investment decisions
- incorporating the data into the Enterprise Risk Management function
Because SCADA systems provide such foundational and pervasive data, the impact on a business can be dramatic if that data is inaccurate or compromised.
CISA’s vision is to achieve a collective approach with industry and government that will:
- Empower the ICS community to defend itself
- Inform ICS investments and proactive risk management of national critical functions (NCFs)
- Unify capabilities and resources of the Federal Government
- Move to proactive ICS security
- Drive positive, sustainable, and measurable change to the ICS risk environment
While taking responsibility for leading the initiative, CISA calls on the private sector to participate. In the first of four pillars that will guide its efforts, CISA aims to “Ask more of the ICS community, and deliver more to them.”
The initiative places significant emphasis on developing and implementing joint ICS security capabilities, mapping and identifying the degree to which specific national critical functions (NCFs) depend on ICS, and elevating and prioritizing ICS security around a unified “One CISA” strategy.
Over the next several years, CISA will work with other government agencies at the federal, state, and local levels as well as private partners in the ICS community. The goal of working together is to achieve sustainable ICS security and to drive wise ICS security investments in the future.
Organizations should view this as an opportunity to take a fresh look at the overall security strategy for ICS and SCADA devices and networks and ensure plans have been updated to meet current expectations.
About the Author
Trip Hillman is Director of Cybersecurity Services at Weaver, a national accounting firm. He has nearly a decade of hands-on experience evaluating IT security in a broad range of environments. He has performed and led over 200 substantial audits across hundreds of unique IT environments and is called on regularly to help organizations evaluate their overall security posture and to develop prioritized, balanced roadmaps for increasing security maturity. Trip can be reached at email@example.com and at our company website: www.weaver.com.