Manufacturing Industrial Defenses
Given the increased rate of cyber attacks targeting manufacturing organizations, it still amazes me that such industries are more focused on the defense of their corporate (Business to Business (B2B)) environments, to the detriment of their main profit-making networks and systems. Given the intrinsic value of these systems and the business impact of the manufacturing plant being unavailable, wouldn't it make sense to include regular assurance audit reviews to ensure that you understand the perceived risks (Vulnerability x Threats x Impact)?
Norsk Hydro said the March cyber-attack that paralysed its computer networks would cost the aluminium maker up to 450 million Norwegian crowns ($52 million) in the first quarter, as a result of a ransomware attack taking down their industrial computer network.
Consequently, if I were an executive board member of such a business, I would be insisting on periodic status updates, against industry benchmarks and penetration testing. However, how can this be achieved without detriment to your manufacturing process?
Unlike a corporate network, Industrial Control Systems (ICS) have far greater numbers of critical systems that are difficult to take offline in order to apply updates. That does not mean it cannot be done. It just needs to be done using a more risk-managed approach, working with the site IT teams to schedule maintenance time.
Which presents the greater impact to your business: a well-planned, time-bound and scheduled period of maintenance, or an unplanned, lengthy and unscheduled outage?
This is exactly the approach suggested in NIST's SP800-82 r2, Guide to Industrial Control Systems (ICS) Security, over the following 6 steps:
1. Categorize Information Systems.
2. Select Security Controls.
3. Implement Security Controls.
4. Assess Security Controls.
5. Authorize Information Systems.
6. Monitor Security Controls.
With minimal disruption to your manufacturing processing systems, you can use US-CERT's latest free-to-use Cyber Security Evaluation Tool (CSET), v9.2, along with NIST's supporting SP800-53A (Assessing Security and Privacy Controls in Federal Information Systems and Organizations) guidance, against the SP800-82 r2 ICS control set.
Through the use of CSET, you are able to carry out periodic, individual, site-specific audits, which enable you to create supporting inventory lists and visualize the supporting networks and connected systems.
The results from these tools will help to demonstrate the status of your manufacturing site networks and systems, help you to understand the continued status of these critical business systems, and assist in making informed choices for timely maintenance scheduling.