
Availability as the First of the 3 Fundamental Pillars of Industrial Cybersecurity

At the III Ibero-American Congress on Industrial Cybersecurity, a series of presentations were given on cybersecurity in industrial and infrastructure environments. In this post we define priorities and a...

On October 7 and 8, 2014, managers from Logitek's High Availability business area attended the III Ibero-American Congress on Industrial Cybersecurity. At this event, a series of presentations were given on the trends, challenges, and future of cybersecurity in industrial and infrastructure environments.

 

High Availability and Cybersecurity

One of the fundamental conclusions of this congress is that the objective of cybersecurity is to guarantee the availability, integrity, and confidentiality of information systems, as well as of the infrastructures that support widely used services or that handle classified or sensitive information of ‘national’ interest.

To this end, it is important to define priorities and an action plan for the so-called critical infrastructures: essential services for the functioning of society.

 

The Sectoral Plans

In Spain, the National Center for the Protection of Critical Infrastructures (CNPIC) has just approved the five Sectoral Plans (PES) that cover the energy (electricity, gas and oil), nuclear, and financial sectors.

Another seven Sectoral Plans are at an earlier phase, corresponding to the Transport (air, sea, road and rail), Water, and Information and Communication Technologies sectors.

What Procedures are Followed in the Sectoral Plans – PES?

  1. Define the essential services of a sector
  2. Define how they work
  3. Study the vulnerabilities and threats to the system
  4. Calculate the potential consequences if any of them stops operating

The last chapter sets out the measures to be adopted from a technical and organizational point of view. They are aimed at managing the operational response capabilities for prevention and reaction, and at mitigating the consequences should any of the identified scenarios occur.

Some Sectors

The following are examples in the Gas and Oil sectors:

  • Gas Sector Plan: the main objective is to guarantee continuity of service, which is why a minimum obligation has been set: a minimum supply for 20 days, plus diversification so that gas can reach the entire national territory. It is an important sector due to Spain’s strong dependence on foreign countries.
  • Oil Sector Plan: emphasis on supply and storage due to Spain’s dependence on foreign countries.

 

About the Presentations: a Real Case of an Oil Company

One of the presentations that attracted the most attention was the real case of an oil company, which explained in general terms its path in the cybersecurity race: the starting point, the evolution, and the work plan from the very first minute in which cybersecurity became a topic to be taken into consideration.

 

How Did it all Start?

It all started during a meeting of the OT (Operations Technology Department) in which one of the members asked a question: what are we doing about the security of systems at the industrial level? Are we prepared to face a cyberattack? From then on, since 2009, what had been a totally unknown term for them began to take on greater importance.

The main thing for them is always the safety and integrity of people (SAFETY) under three fundamental principles of cybersecurity: availability, integrity, and confidentiality.

 

How Important is Availability?

One of the objectives of a cybersecurity policy is to ensure the continuity of services, and that can only be achieved with appropriate strategies based on high availability solutions.

 

Where to Start?

Some of the steps they have had to take are:

  • Step 1: Inventory of assets (includes devices and people)
  • Step 2: Priorities
  • Step 3: Definition of secure architectures.

Regarding the work plan, the presentation highlighted the importance of incident registration, a close relationship with suppliers, internal verifications of the plan, dissemination of the plan at the corporate level, creation of procedure manuals, backup strategies, detailed verifications, integration of IT-OT committees, vulnerability analysis, measurement through the use of indicators, and intruder prevention, among others.


Some of the Key Factors in this Process:

  1. Defense in depth. Least privilege (very important; it must be defined at the beginning).
  2. IT-OT: synergies. Business vision. Learn from both worlds. Relate security to the company’s objectives. The risks are not the same, much less the consequences. Always a unified IT-OT business vision.
  3. Suppliers: always count on their support. Always have a collaborative supplier that is willing to help. The reality is with the client. Not all tools serve the end customer.

The most Important Thing of all:

  • Alignment with the company’s strategy. Create awareness (people are important)
  • Establish clear but flexible guidelines.
  • Always be aware of the environment (always informed, trends)
  • Continuous monitoring of your risks. Do annual checks.
  • Traceability: in information security everything must be traceable.
  • Create a security committee. The leader can be the head of Information Security, with OT participating in the meetings. The person in charge can be from IT, but OT has its representative.

 

Conclusion (from the Point of View of Availability)

From attending this congress, we conclude that availability is a concept that plays a fundamental role in the “industrial cybersecurity race.”

One of the great differences between IT cybersecurity and OT cybersecurity is that the priorities are different. For Cyber IT, the priorities are CIA (Confidentiality, Integrity, Availability); for Cyber OT, on the other hand, the priorities are AIC (Availability, Confidentiality, Integrity).

Therefore, to comply with these priorities in our OT world, it is necessary to know the methods and strategies that you have at your disposal to ensure the availability of the systems that are part of an automated process: servers, operating stations and automation devices (PLCs, SCADAs, HMIs, Robots).

Among these methods we find:

  • At the server level: fault-tolerant servers with 99.999% continuous availability.
  • At the level of operating stations: use of thin clients that allow a higher level of security (for example, disabling USBs), together with a management tool that allows, among other things, hiding user credentials.
  • At the backup level: use of tools that automatically maintain a secure central repository of the programs and configurations of your automation devices (PLCs, SCADAs, HMIs, Robots, Drives, etc.), ensuring traceability and a contingency plan in case of disaster (…cyberattack).