Industrial control systems (ICS) are everywhere. These systems play a critical role in nearly every industry around the world, including electric, water and wastewater, oil and natural gas, and transportation, as the smart technology of today and tomorrow is driven by these systems. This same widespread use and importance of ICS, especially those found in critical infrastructure, also makes them a primary target for bad actors, and the increasing use of the internet is only serving to magnify the potential for issues.
According to Industrial Control Systems Vulnerabilities Statistics from Kaspersky, there were only two ICS vulnerabilities detailed in 1997 (the first year this information was recorded); however, these vulnerabilities are now much more commonplace, with 189 reported in 2015. Primarily, these issues are the result of ICS availability over the internet and vulnerabilities in vendor products. There are nine proactive precautions manufacturers can take right now to help secure their systems and, by working with an independent third party like UL, these steps are easy to manage.
Steps Toward a More Secure System
According to Kaspersky, most of the critical vulnerabilities identified in 2015 were in vendor products. This certainly does not mean that all products are flawed, nor does it mean that vulnerabilities cannot be addressed, but it does help to illustrate the importance of vendor management and a secure supply chain. UL has extensive experience in ICS safety and performance and industrial cybersecurity. This complementary knowledge can help manufacturers assess vulnerabilities, qualify vendors, and work toward safer ongoing processes. For organizations unfamiliar with the management of software and the software supply chain, these efforts may feel a bit elusive, but moving toward increased security is critical and diligence is key.
Because most bad actors are likely to come from outside the organization, bolstering internal processes to defend against them is an effective way to increase security and preparedness, and it is the right place to start.
- Develop Security Specifications – Establishing formal requirements and specifications for all third-party software products and components allows manufacturers to set an internal precedent early in the vendor selection process. To streamline communication with vendors and immediately demonstrate your commitment to security, all requirements and specifications should be referenced in, and provided with, every request for proposal (RFP) and vendor agreement.
- Software Due Diligence – Software suppliers should be treated the same as suppliers of actual physical products and materials. This means every software supplier should be evaluated to assess their focus on safety and to understand the systems in place. Regular follow-up audits will help to ensure that cybersecurity risks continue to be minimized.
- Independent Validation – It is always important to look for suppliers that offer product security guarantees, but requiring an independent validation of third-party software is also necessary. In addition to confirming the vendor guarantees, an independent evaluation will help ensure that the vendor is prepared to offer adequate ongoing protection against security flaws and weaknesses based on the evolving needs of the global industry.
- Regular Updates Are Critical – The best defense against a cyber-attack is often a strong offense, and in many cases the best offense comes in the form of regularly updated software. When software is routinely maintained through the timely installation of updates and patch releases, the system can better keep pace with changes in technology and with newly disclosed vulnerabilities.
- Establish Regular Testing Protocols – Thorough validation testing should be completed for all acquired software, and these tests should also continue throughout its use. Validations, which can often be automated to increase efficiency, help ensure continued compliance with security specifications.
- Track and Trace – A robust system to monitor the source of all software and components should be established. This can dramatically simplify the update process by easing access to updates, patches, and technical support.
- Need-to-Know Details – All critical software information should be maintained on a “need to know” basis. This helps ensure that only necessary parties, whether internal employees or external software vendors, have back-end access, and it can also help pinpoint the source of a security breach should issues arise.
- Establish Vendor Policies – Develop clear performance policies for all software vendors. These policies should establish non-compliance consequences and clearly detail security specifications, including limiting the use of unapproved software.
- Ongoing Employee Training – In most situations, employees are the first line of defense. An ongoing training program can help ensure that all employees are well-versed on effective security practices and can help prevent common missteps in the future.
When paired with internal procedures and policies intended to secure the supply chain, an experienced third party can provide additional peace of mind and insight.
Ken Modeste is the principal technical advisor and SME for UL’s cybersecurity program. He helped develop UL’s series of cybersecurity standards, which test network-connectable devices for known vulnerabilities and software security. As part of the cybersecurity strategy for UL, Ken is responsible for strategically identifying long-term growth opportunities that align with UL’s mission to address public safety. He is responsible for creating the laboratory, hiring and training all personnel, and developing programs and services to support UL’s clients’ security needs. Prior to joining UL, Ken served as an engineering manager for GE for 12 years. He began his career as a software engineer for GTech Corporation after completing a Bachelor of Science degree
UL CAP was developed with input from the U.S. federal government, academia and industry to assess software vulnerabilities and weaknesses, reduce the risk of exploitation, address known malware, review security controls and enhance security awareness. Through advisory, training, testing, and/or certification, the program evaluates the security of network-connectable products and systems and vendor processes for developing and maintaining products and systems with a security focus. To learn more, visit ul.com/cybersecurity.