The SANS 2016 State of ICS Security Survey Report indicates that many of the ICS professionals who responded to the survey have new job titles such as ICS cyber security program manager, ICS security project manager, IT/OT architect and director of cyber security for building and facilities systems.
This trend indicates that industrial cyber and cyber-physical security is a rising priority and industrial companies are beginning to assign staff with ICS security responsibility. While attending the recent EnergySec 12th annual security summit held in Anaheim, California on August 22-24, I spoke to many ICS operations attendees with new job titles and security responsibilities reflecting this priority. They had come to EnergySec for information sharing and practical guidance on the security challenges they’re facing.
EnergySec is a 501(c )(3) organization dedicated to securing critical energy infrastructure, workforce education, and information sharing.
While there I had a chance to ask EnergySec’s new president Steve Parker a few questions about EnergySec, trends, concerns and the state of ICS security within power and energy critical infrastructures.
For those of you who may not be familiar with this non-profit organization they are approaching 1500 members and 470 member organizations, have achieved SANS Institute awards, and a good history of their grass-roots founding over a decade ago is posted on their website:
Katherine: EnergySec’s mission is to strengthen the security posture of critical energy infrastructures. In your role past role as auditor for regional entities, a Certified Information Systems Security Professional (CISSP) and now as EnergySec’s president, how has this critical infrastructure sector been evolving? Particularly in the past few years as cyber security has become a constant news topic.
Steve: The industry has come a long way since I first began in 2001. 15 years ago cyber security was a very new concept and most organizations had few controls. For example, it was common to see control systems directly connected to corporate networks. That is very unusual today.
That said, I’ve noticed a conceptual shift – the dual realization that cyber security risks are significant, real and must be addressed, and that the related compliance obligations are here to stay and will only grow over time. Recognition of those two related concepts are driving serious effort towards the maturity of both security and compliance programs.
Katherine: The power and energy sector in many ways is a much more strategic and valuable target for all sorts of bad actors than mere credit cards or personally identifying information (PII). What do you believe are this year’s top 3 challenges facing your operator attendees who are trying to protect their assets?
Steve: It’s tough to pick just three, but I’ll give it a shot.
First, security for Industrial Control Systems is a relatively new effort. As a result, the technologies, processes and approaches are not as well-established as within the traditional IT space. Great progress is being made there though, and the challenges can be overcome. IT and operations teams should try to work together more effectively.
Second, the scarcity of security professionals with the right balance of technical expertise, soft skills and industry experience. There is tremendous work to be done here to build and mature the security workforce. EnergySec has been doing a lot of work here and it’s also an area that further underscores the need to collaborate between IT security professionals and ICS Operations teams.
And third is the culture. It is a massive cultural shift in many operational technology areas to build a culture where security requirements are understood, accepted and consistently and properly executed.
EnergySec’s mission is to strengthen the cyber security posture of critical energy infrastructures.
Katherine: How do you think boards of directors, company officers or managers of asset operators understand their security posture?
Steve: This is a major challenge for industrial boards and the C-suite because security, particularly the technical aspects of the topic, is such an unfamiliar subject to most ICS operations teams, and both have very different communication needs and styles. For example, corporate directors will understand the fundamental concepts of finance, law, regulation, insurance, human resources and perhaps a bit of technology.
However, few are familiar with even the most basic security concepts and how to prioritize and align cyber security to the business risks since it is a relatively new and less mature discipline. Education of board members is critical to security. Leadership cannot and will not appropriately oversee (or fund) things that they do not understand.
Katherine: Now that NERC CIPv5 audits are in force for US electric utilities, how ready would you say most are for those audits?
Steve: Most utilities are as ready as can be reasonably expected given the massive change that occurred in CIPv5. There will continue to be lots of work to clear or mitigate findings of non-compliance. However, there is also still some significant uncertainty in the compliance specifics of some requirements. This means that many surprises are probably waiting for the industry over the first couple years of CIPv5 audits. Additionally, the FERC will be leading some audits this year. FERC may have different opinions on how the standards apply to various specific scenarios. In short, it will be interesting to watch things play out.
Katherine: I’ve talked to a number of operations engineers at this year’s event that have been newly tasked with cyber security for their industrial networks, endpoints and control systems. As these folks are trying to get started, what advice might you offer in their early learning stages?
Steve: Well, there are a lot of silos within every organization, and operations engineers have traditionally not allowed their IT organizations access or control over production environments. As odd as this might sound to some, I recommend they reach out to their counterparts in IT and other areas of their organization that have some experience with CIP and or other security controls.
While it is true that IT personnel may be unfamiliar with operational systems and their unique priorities, there are many practices that translate well, so both sides should seek to learn from each other.