
Q & A with Lori Dustin, Vice President, Marketing, Verano Inc


IEN: Have strides been made in: Risk management? Integrated systems design? Emergency response? Hazard controls? Computer security? Crisis management? Please explain.

Dustin: Administrators of control systems have begun to realize that security policies and technologies that have been successfully deployed at the enterprise level are not appropriate in the control system environment. In the enterprise environment, an administrator's first priority is to protect the confidentiality of the company's information, then to maintain the integrity of the company's information assets, and finally, to ensure the availability of the corporation's network. On the other hand, a control system administrator's first priority is to ensure the availability of the systems, then to ensure the integrity of data communicated from a sensor to a control computer and back to an actuator, and finally, to preserve the confidentiality of any patented processes. As a result, control system administrators have begun to search for alternative models and solutions designed to meet the unique needs of the control system environment.

Control system administrators have been able to investigate and deploy cybersecurity measures because of, and in spite of, recent advances in integrated systems design. In fact, Verano has seen that many of today's control systems are now being developed on Microsoft technology, which promotes openness and availability, but, at the same time, may introduce inherent risks.

Over the past year, Verano has seen both an increased urgency in deploying cybersecurity measures to protect real-time control systems, as well as an increased awareness of existing perimeter protection and cybersecurity event monitoring solutions for these unique systems and networks.

IEN: What innovations can be expected in security equipment and systems, software, training, and elsewhere?

Dustin: In the past six months, a growing number of control system administrators have completed system vulnerability assessments and, using these results, have created and adopted cybersecurity policies to address these vulnerabilities. Today, there are security event monitoring systems specifically designed for the real-time control environment. Over time, these products will evolve and mature into advanced, integrated security appliances that combine antivirus filtering at the firewall level, built-in VPNs, and inline intrusion detection.

As control system administrators continue to investigate and deploy cybersecurity measures, their greatest challenges will come from adopting and modifying the security policies employed successfully by their enterprise counterparts into effective security policies for the real-time environment.

IEN: Which R & D areas are closest to commercialization?

Dustin: Specific rules for industrial control systems are being developed and integrated into security event monitoring systems that address the unique nature of the systems and the need to have, in many cases, preconfigured responses to potential threats.

It can be very difficult and dangerous to both employees and customers if access to a real-time control system or a real-time control network must be changed manually. Oftentimes, these threats may be evaluated on a case-by-case basis; by the time the threat is evaluated, it may be too late to "lock-down" access to a certain area of the system.

As an example, consider the security policies and alarms employed at an office. In the middle of the day, when the office is full of employees, a receptionist at the front desk provides the main line of defense; the doors and windows are unlocked and the alarm is off. However, if there were a day when most of the employees were at an off-site conference, the back doors and windows might be locked; in this case, the office is employing two layers of security. On these days, when the receptionist goes out for lunch, the front door would be locked; the third layer of defense to protect the employees and property. Each day, when the last employees have left, the office would be fully secure, with all the windows and doors locked and the building alarmed.

Now control system administrators can apply these policies to their systems and networks through productized technologies that allow them to set preconfigured alert levels and restrict access based on these levels. From a financial and safety perspective, these "lockdown" levels are equally effective at protecting legacy control systems, which eliminates the need for large capital expenditures on new equipment with built-in security technology, or costly (and potentially dangerous) equipment downtime.

IEN: How significant a role will the web play in security? Wireless? Why?

Dustin: Both the web and wireless continue to play a significant role in access to real-time systems, despite the inherent security issues with both. As a result, Verano has seen an increase in VPN capabilities built into perimeter protection devices and encryption technologies to protect wireless communications from remote locations to real-time control systems. With continued interconnectivity with the web, and increased wireless access to both the web and control systems, developing and deploying preconfigured rules for dynamic access control becomes even more important and vital. These preconfigured rules can restrict web or wireless users from accessing the control systems if certain threat criteria are met.

In addition, increased web and wireless interconnectivity increases the importance of intrusion detection. With increased accessibility to the real-time control systems, single-layer perimeter protection technologies, like firewalls, are not sufficient to protect the system from cyberattacks. IDS technologies add an extra layer of protection by identifying and verifying all the users who access the real-time system.

IEN: Are companies integrating security technologies with industrial operations? How?

Dustin: In many cases, deploying cybersecurity measures on existing systems is a safer and more economical solution than investing in and transitioning to new equipment.

In addition, as web and wireless access to real-time control systems increases, Verano has seen more firewalls being deployed at the network's perimeter and an increasing adoption of VPN-protected connections.
