AIT Applies ISA/IEC 62443 to ICS OT Cyber Engineering Services
Increasingly more industries and countries have recognized the need to harmonize with international standards rather than continuing to create competitive sector specific or country specific standards. The global economy and supply chains have increasingly become homogenous. The old days of many disparate choices with no integration still exist at some level in field operations but increasingly common protocols like MQTT, OPC UA, BACnet, PROFINET, Modbus, CIP ENIP, and web protocols with APIs are closing the gap between once siloed solutions.
AIT OT cyber engineers have contributed to ISA/IEC 62443 standards for several years across many sectors. We leverage part 2-1 and 3-3 to review customer policies, procedures, and system requirements. We use part 4-2 technical component requirements reviews and testing during assessments and factory/site acceptance testing. Additionally, AIT has been one of the contributors to ISA84.00.09 integrating 62443 security practices with traditional functional safety standards and practices.
AIT is happy to see now that governments, communities of vendors, asset owners, and now ISA standards conformance groups like ISA Secure and ISA Global Cyber Alliance have announced an effort for 2023 to create a conformance scheme for operational assessments. AIT OT cyber engineers have already done this in practice throughout their careers and are happy to hear that more people understand that parts of 62443 including 4-1, 4-2, and 3-3 are useful for more than just certifying vendor products. Those parts of the standard, especially the technical parts, should be leveraged, as AIT has always done, to assess, evaluate, and test that operational components, systems, and practices are properly configured, programmed, used, and maintained. Doing so closes the loop between the product lifecycle and the automation solution lifecycle from inception and design all the way to decommissioning.
AIT stands ready to help the community globally with ensuring their operations as well as their services and products conform to the requirements in the various parts of ISA/IEC 62443.
To learn more contact AIT’s CMAC ICS OT cyber engineering services group at firstname.lastname@example.org. Also see our other blog posts about security testing and reviews during factory and or site acceptance testing, continuous red teaming as a service, and binary reverse engineering and mapping services to ISA/IEC 62443.
Continuous Consequence, Hazard, & Threat-Based Red Team as-a-Service
“Train how you fight, fight how you train.” Limited annual penetration testing and occasional red team engagements will not help you against continuous attackers. It is time to do offense more frequently and comprehensively.
Reverse Engineering OT Devices with ATT&CK and ISA/IEC 62443 Part 4-2 Mapping as a Service
It’s long past time to move reverse engineering of embedded devices for the OT community towards a more actionable and scalable direction.
Construction, engineering, and system integration firms; asset owners and operators; and even product vendors have struggled under the existing CVE focused regime. The regime of reporting yet another product vulnerability and coming out with the same old “patching and network segmentation” as the panacea to mitigating everything. We all know this has not worked.
At AIT we’re constantly looking at how we in the community do things today and what gaps we believe should be addressed to move the ball forward. That’s why we believe reverse engineering should move towards an actionable analysis and mapping of vulnerabilities and weaknesses to the specific related ATT&CK tactics and techniques that could be used to exploit them. That then should be directly mapped to which ISA/IEC 62443 part 4-2 component security requirements could be securely designed into the product. Doing these things, we could mitigate those specific ATT&CK tactics and techniques for the discovered weaknesses and/or vulnerabilities.
Join AIT as we begin to address the gap we see in the status quo.
Why Fund Smaller Cybersecurity Firms to Support Co-ops
Why funding small security firms to provide nationwide support to all cooperatives and small asset owner operators makes sense for critical infrastructure security
America faces a national security challenge with its smaller critical infrastructure owners and operators such as farmers, electric cooperatives, and water or wastewater cooperatives. While their footprint, staff and number of customers individually are smaller than a larger industrial commercial company or utility, their numbers across each county and state nationwide reaches the thousands. Often, these small owners and operators are a staff of 5 full-time employees managing everything from control systems to billing and ERP systems. They have no in-house full-time security or technical trained staff to do the following:
- Ongoing security assessments
- Annual or quarterly penetration testing
- Threat and attack mapping
- Configuration, change, and vulnerability management
- Factory or site acceptance testing (FAT/SAT)
- Systems security engineering
- Threat intelligence and active continuous monitoring
- Incident response and system or equipment recovery
- Day to day systems administration
Cost is another hurdle these companies face. They usually cannot afford to pay larger security firms or Managed Service Providers (MSP)s to ensure ongoing, year-round support. Even larger owners and operators can usually only afford a security team of 1 to 3 people in most cases. Those 1 to 3 people are typically limited on specialized security experiences focused on embedded devices and control systems, along with their components, protocols, conduit types and applications. Budget to get that limited 1 to 3 person staff professionally certified and trained in specific security skills for specialized digital and electromechanical equipment is also often out of reach.
The solution then becomes allocating much of the funding from EPA, DOE, USDA, state, local and county governments to a central, small, and specialized security firm. The firm would staff well trained, certified, and sometimes lower cost staff, and tools to service all the small asset owners and operators nationwide. This enables mutual critical infrastructure cyber assistance between each of the small owners and operators. This especially applies to cooperatives because the dedicated small firm would have experienced staff who has done some of the following:
- Walkdowns and boots on the ground technical assessments
- Managed and configured devices
- Provided the regular monitoring and collaboration with government
- Offensive penetration testing
- Factory and site acceptance testing
- Systems security engineering
This work would be completed across each region using open source and lower cost, smaller footprint, tools. These could be securely linked back to a read only security operations hub that provides an interface to government (e.g. CISA JCDC, EPA, DOE, USDA), state fusion centers, and community ISACs (Water-ISAC, E-ISAC).
AIT has the national security, mission assurance, intelligence, engineering, critical infrastructure, IT, and ICS OT experienced and certified staff to take on such a mission. At AIT, we would use the funding from federal, state, and local government to:
- Customize, deploy, and maintain security testing, configuration, administration, and monitoring tools
- Provide regular quarterly and annual boots on the ground penetration testing and assessments
- Threat and attack mapping, and road maps for improving not just individual small cooperatives but entire regions across states nationwide
- Help better inform investments from a boots on the ground perspective
- Hire, train, and certify new, lower cost talent. These individuals would reside within and be willing to travel across each state to protect the farms, water cooperatives, electric cooperatives, and adjacent interdependent infrastructures within smaller rural areas throughout all 50 states of America and applicable territories.
Rather than scatter shot approaches that have yet to scale across the country we believe a new approach to the funding should be taken. Incorporating a greater leverage of lower cost, customization of existing and new open-source tools, and a heavy focus on new dedicated staffing should receive a significant investment from federal, state, and local funding programs.
AIT stands ready to provide such services to our communities nationwide for an often-underserved area of America’s critical infrastructure. We believe we are uniquely the right size and well positioned to scale to support the mission much more than larger firms or product vendors. We encourage both government and small asset owners and operators to reach out to AIT’s Cyber Mission Assurance Capabilities (CMAC) ICS OT security team at email@example.com to learn more about how AIT can help. We are always happy to share our ideas and offer our services in the fight to protect America’s most vital resources and infrastructures no matter how small they may seem. We encourage you to share these ideas with your legislators, regulators, sector administrators, peers, and other stakeholders.
Taking OT Cyber to the Next Level
For this week’s cyber tip, we recommend creating an OperationalTechnology (OT) Cybersecurity support unit within your engineering organization to oversee and be responsible for the cybersecurity of your OT infrastructure. It is typically not possible for a maintenance personnel or IT personnel to maintain cybersecurity on OT equipment and networks in medium to large scale OT infrastructures. IT personnel are not trained on cybersecurity of the backbone technologies such as the dozens of embedded operating systems, industrial protocols, and physical level interfaces. OT Technicians know the maintenance of such systems but not the cybersecurity integrations nor the industry cybersecurity policy and regulations.
Our latest whitepaper, Setting up an OT Cybersecurity Program describes the components of such a program and the people, process, and technologies needed to succeed.
AIT’s staff of engineers, analysts, and cybersecurity professionals have knowledge, experience, and skills to assist companies and organizations to mature their OT support units to full operation. We can assist with training needs, tools, and capabilities. AIT provides a strong leg up to establishing an enduring OT cybersecurity program. Contact us at OTCyber@ait-i.com.
Combating Modern Threats to Critical Infrastructure
The word “security” is derived from the 15th century word “securite”, which means “a state or condition of being safe from danger or harm.” For this week’s cyber tip, we will discuss security in terms of the state and condition of being safe from danger or harm caused by #cyberattacks. In cybersecurity, the threat surface caused by interconnectivity and interdependency can come from anywhere. Second and third order effects extend across civilizations around the globe. To cope with such modern threats to #criticalinfrastructure it requires a constant vigil. The term constant is extremely important to achieve security. This implies continuously monitoring for intrusion in the networks requiring security.
Implementing a system that continuously monitors for intrusion is essential to combat attacks that can occur in the millisecond time frames. This is beyond human ability to address and demands #automated systems to solve. There are a growing number of solutions such as Dragos, Claroty, Indegy and others that focus on detecting, securing, and controlling your networks to reduce cyber threats. Implementing automated systems to provide continuous monitoring also demands talent and skill to properly implement within networks and maximize its effectiveness. AIT CMAC can help you select the best solution and integrate them into your control networks. Contact us at OTCyber@ait-i.com for help choosing a continuous monitoring solution.
OT Cybersecurity Includes Your Supply Chain
As a part of integrating cybersecurity into the daily operations of a plant it is important to ensure that your contractors are held responsible to the same standard of cybersecurity as your employees. This starts with ensuring cybersecurity language is included in your operations and maintenance contracts. Luckily, DHS has plenty of guidance on this matter.
It may take a while to negotiate these clauses into your existing contracts, but they should absolutely be a part of any new contracts going forward. This helps to protect your control systems from attacks that might otherwise come through your supply chain.
Contact us at OTCyber@ait-i.com for help holding your contractors responsible for OT Cybersecurity.