Honeywell Technology Solutions
Cyber attacks are a real and growing threat to worldwide critical infrastructure. Energy firms, public and private utilities, and power grids are highly vulnerable to cyber attacks. According to leading security experts, most of these companies are unprepared to combat cyber threats, or to mitigate damage once an intrusion is discovered. Companies using the outdated “air gaps” method are no longer able to effectively protect industrial control systems. In most cases, an organization’s cyber solutions are largely ineffective on Supervisory Control and Data Acquisition (SCADA) systems. To complicate matters, the various and, in many cases, vastly different commercial, and international compliances standards make it difficult for businesses to effectively and efficiently protect their enterprise networks.
With the emergence of security recommendations and regulatory compliance requirements throughout different industries, a breadth of understanding of these controls is required to implement a solid critical infrastructure security process framework to mitigate risks and increase security. It is also important to ensure as little disruption to service as possible, or the security controls themselves will damage critical infrastructure operations. While the threat of cyber attack is driving necessary concerns about security, critical infrastructure industries are now recognizing that a secure critical infrastructure also includes safe and reliable processes that allow critical infrastructure to operate as expected.
As more and newer technologies are introduced to meet business needs, the security impacts of these technologies need to be assessed across the enterprise. Critical infrastructure enterprises may find themselves with security gaps in their staffing and policies, thus increasing their risk to various threat drivers. A Critical Infrastructure Cyber Security Architecture (CICSA) focuses on the development and management of a risk-based integration of compliance controls, balanced with business-driven technologies. A CICSA framework provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
A sound CICSA focuses on the identifying the current gaps in managing the increasing threat drivers; identifying risk scenarios; identifying appropriate security controls; and providing tools, services, best practices, and support to provide a more predictable, safe environment. Honeywell believes that to be successful, a comprehensive approach to security must include an understanding of business drivers, compliance assessments, risk management, and remediation. Companies also face the challenge of tightening the link between business and functional information systems within their critical infrastructure, which increases their ability to better manage their internal operations while providing value to end customers.
It is not enough to understand the business information technology environment when developing a comprehensive CICSA. Experience with the operations and appliances within a given critical infrastructure implementation is required to ensure security can be injected without negatively impacting overall business objectives. Taking a logical approach to managing the security risks against compliance controls is the key to securing a site’s critical infrastructure. Honeywell’s approach is to provide the organization with detailed information about current compliance gaps associated with the required regulatory standards in an easy-to-interpret assessment. This process helps the organization prioritize its remediation requirements based on available funding, remediation complexity, and business imperatives. Armed with this knowledge, an organization can further develop and refine its overall Cyber Security Program by creating a risk management framework, identifying remediation processes, and developing an overall mitigation roadmap. The organization is then able to focus its limited resources and time on high-risk areas and quick-fix, low-cost items that satisfy immediate security concerns.
Honeywell’s CICSA approach examines the three core facets of an organization’s cyber security program – people, processes, and technologies.
People
What is the cyber security awareness level in the organization?
Is the staff following existing security policies and procedures?
Have they been adequately trained to implement the security program?
Process
What are the cyber security policies and procedures in place in the organization?
Do these policies and procedures meet industry’s security and business requirements?
Technologies
What cyber security technologies are in use in the organization?
How are these technologies configured and deployed?
Faced with shrinking government budgets, competitive commercial pricing, and reduced profit margins organizations are faced with the challenge of deciding how much to spend on cyber security for critical infrastructure protection. Executives may acknowledge that a major cyber security incident to critical infrastructure can have a devastating effect on their organization, and may even add some additional physical security countermeasures or the latest networking monitoring application to pass for a state-of-the-art security system. These actions are half measures, and many companies continue to operate under the belief that “it won’t happen to us.”
The problem with this approach is the investment is misdirected toward giving the appearance of security rather than a solid, ground-up foundation that considers all aspects of critical infrastructure protection. To successfully secure critical infrastructure, companies should employ a holistic approach that enhances their people, processes, and technologies. Organizations need to train their people to ensure they have the resident knowledge to indentify, manage, report, and mitigate a cyber security attack on the organization’s critical infrastructure. Once the staff is properly trained, it’s equally important for the organization to retain and retrain the team to ensure continuous improvement to the overall security posture.
Proper documentation of an organization’s cyber security process is vital to a strong critical infrastructure security posture, yet it’s commonly the least developed. There are a number of cyber and critical infrastructure industry best practice standards (e.g. NATO, NIST, ISO, etc) that provide an excellent framework for to cyber and critical infrastructure compliance. It’s important that executive leadership invest in development and documentation of a comprehensive critical infrastructure security process and roadmap for the organization that aligns to its business goals. Adherence to those processes can then be validated through audits and assessments conducted both internally and externally.
There are a number of proven commercially available technologies that will enhance an organization’s cyber and critical infrastructure security posture. The key is to find technologies that best align to the organization’s security goals and provide the appropriate level of protection based on the perceived threats to the organization. Some industries will require solutions that support the protection of multiple-vendor industrial control systems, and some will only need to maintain security on a few key devices. Recognized cyber security experts like Honeywell can develop, integrate, and sustain customized solutions based on the organization’s security needs.
Emerging threats to critical infrastructure require new ideas, new solutions, and new cost saving technologies. Today’s security is not about hiring more guards; it’s about a proven process for implementing an integrated, layered security approach to protecting critical infrastructure.
