Because ransomware is so prevalent on the IT side, it’s also spilling over to the OT side, which means greater cooperation is needed from everyone, according to Chris McLaughlin, vice chair of the ISA Global Cybersecurity Alliance’s advisory board, and CISO at Johns Manville.
“The core of cybersecurity is still network segmentation, advanced monitoring, and adhering to the IEC/ISA 62443 standard. However, we also need to build better relations between our engineering and IT departments,” says McLaughlin. “IT needs to recruit control engineers into a special group, so we’ll have more people to bridge the communications gap between OT and IT priorities.”
McLaughlin reports it’s also useful for all players to do tabletop exercises, walkthroughs, and what-if scenarios to prepare for cybersecurity issues, such as how to respond when a ransomware event occurs. “Engineers are good at looking for upsets and failures, but they’re often less experienced in dealing with malicious intent,” explains McLaughlin. “What do you do when production is lost, or when a plant needs to be shut down? This is why users need cybersecurity backups just as they need responses to physical issues. IT can provide input on what types of protection are the most suitable.
“For example, some ransomware tries to delete backup systems, but many users may not realize this if IT isn’t involved. It’s also important to know how and where crucial information is backed up, such as if it’s on physical tape, isolated in some other way, or if it’s immutably configured like firmware that can’t be deleted. There are also simple backup programs that can help with recovery, even if historian data is lost. This can give users confidence that the access levels they’ve implemented are sufficient.”
Before implementing backup programs or anomaly detection software, McLaughlin adds that basic cybersecurity tasks must be completed first. These include network segmentation, multi-factor authentication for administrators, protecting and backing up critical data, and establishing managed layers and role-based access levels.
“It’s also important to maintain all these functions and adjustments in one place to manage priorities as they change. This prevents contractors or other third parties from plugging directly into networks where they shouldn’t, and possibly allowing malware to get in,” says McLaughlin. “Other people you work with may be able to compromise you. Big companies usually have the cybersecurity required to deal with this, but many small companies may not.”
McLaughlin adds it’s crucial to follow the IEC/ISA 62443 standard and ISAGCA’s recommendations because the fundamentals of cybersecurity haven’t changed, such as performing threat assessments and protecting backups. It also helps if IT and OT engineers talk about cybersecurity because they can jointly review safety control systems from a hacker’s malicious perspective.
“Many engineers still allow access to both, which shouldn’t be done,” adds McLaughlin. “They mainly need to ask, if someone hacks the controls, is the safety system protected? This is important because we also see a lot of controls left in program or run modes, and they shouldn’t be left in states where changes can be made.”
McLaughlin concludes that cybersecurity is becoming more automated and intelligent, and gaining machine learning (ML) and artificial intelligence (AI) capabilities, just as those technologies are being integrated into many other technological areas. “Cybersecurity monitoring is becoming more behavior based,” says McLaughlin. “There are more tools for investigating threats using simulations to determine if situations are good or bad.”