
14.1 Introduction

Despite decision support technologies such as the experimentation and simulation discussed in the previous chapter, it remains challenging for ICS stakeholders (leaders, managers, operators, etc.) to make informed decisions about formulating guidance, assigning responsibilities, balancing security and efficiency, allocating funding, determining return on investment, and measuring performance. Formulating and establishing an overarching plan that supports and guides such decisions is often called governance. This is the subject of the present chapter.

While definitions of governance vary, some are better suited to ICS than others. This chapter will discuss them in detail, but generally governance refers to processes of interaction and decision-making among the actors who collectively solve a problem, such as ensuring and maintaining the security of an ICS. Governance includes actions and processes that engender and support stable practices and organizations. In the context of ICS, such processes ensure that the benefits of ICS are delivered in a well-controlled manner and are aligned with the long-term goals and success of the enterprise.

Governance processes are reflected in, and guided by appropriate documents. The totality of such governance documents can be classified into four types: policies, standards, guidelines and procedures. Policies are the highest level of written governing documents that outline which standards, guidelines and procedures the organization is to follow. Standards offer a frame of reference for compliance and performance. Guidelines are typically not a mandatory governing document, but rather are designed to be dynamic and flexible, updated to reflect relevant processes and adapt best practices and changes to the organizational situation. Finally, procedures represent a step-by-step process to achieve a specified result.

There are multiple benefits to establishing governance processes and the corresponding documents. They specify which organizational components are responsible for procurement, sustainment, and technical refresh of an ICS. They stipulate authorization roles, risk management processes and performance accountability. They also standardize processes and metrics for conducting security assessments.

This chapter begins with an illustrative story, inspired by real-life experiences of the author, that helps the reader appreciate some of the practical reasons for good governance of ICS. Then the chapter describes the definitions, purposes and sources of governance. Because governance is particularly important for the purposes of ICS security assessments, the chapter continues by focusing on frameworks and methodologies that govern ICS assessments.

14.2 Overview

14.2.1 A Motivating Story

On a not particularly noteworthy day, my boss approached and directed, “investigate why those information technology (IT) folks won’t approve thousands of smart meters recently purchased by the facility engineers to run on the network” (Smart meters are electronic devices that record energy consumption and enable two-way communication between the meter and a central system [Wikipedia]). At the time it did not seem there should be any issues—aren’t all networked devices the same? Is the value of the investment to secure the smart meters greater than the risk not to secure them? What technical issues could the IT folks possibly have?

If there was an obvious concern regarding the smart meters, why didn’t the facility engineers coordinate with the IT team in deciding which smart meters to purchase? There are a couple of reasons why. First, the facility engineers have been managing their networks for decades. Typically they were not interconnected to an enterprise network or the Internet. There were several decentralized or independent facility-related networked systems that were managed by manually observing analog gauges. Some were electronically connected and centrally managed within the building containing the ICS.

Many of these ICSs did not connect to the Internet, although some did. There are instances where a vendor may have established a connection to verify ICS performance and warranty conditions or to install upgrades or patches. But even under these circumstances, the IT department was not informed or integrated into network purchasing decisions. Since it was not part of the email network, why would it be considered IT? The IT SMEs were not consulted for most ICS network decisions: hardware, software, governance, security procedures, training, etc.

The facility or civil works budget for their network and any corresponding security controls would stand independently and compete among all other resource requests. If ICS networks were considered part of the IT department’s purview, then the IT budget, which is often underbudgeted according to the IT SMEs, would have even more competing hardware and software security requirements. Now, as the ICS networks are being exploited due to a lack of integrated security, there is an increased need for the IT and engineering communities and departments to collaborate and cooperate in performance, risk, security, resourcing and procurement discussions and decisions. Those conversations and partnering are critical to justify an ICS for authorization to operate or to establish proof of net-worthiness on the corporate network or via the Internet.

If worrying about a smart meter being exploited was not on the organization’s radar, then chances are that other exploitable devices connected to control systems are not either. For example, in December 2011, the Chamber of Commerce discovered that one of their digital thermostats was configured to communicate back to a location in China [http://abcnews.go.com/International/chinese-hack-us-chamber-commerce-authorities/story?id=15207642]. While technically intriguing, it brings to bear a fundamental question: who in your organization would be responsible for monitoring and cyber-securing control system networks and devices? Subsequent questions follow: Would the IT folks know the thermostat is able to connect to the Internet? Would the facility engineers know? Would the IT folks be trained in control systems? How about the facility engineers: would they recognize a fault from a cyber source? What are the governing documents that outline how this should be handled? How have those governing documents demonstrated reasonable measures to ensure the organization’s intellectual capital (and the shareholders) were adequately protected?

Although hope and luck can be integral to short-term success, long-term success requires a more structured approach. That begs the question: where to start? In increasingly connected environments, it can be extremely challenging for executives, leaders, managers and operators to make informed decisions regarding formulating guidance, assigning responsibilities, balancing security and efficiency, allocating funding, determining return on investment, and measuring performance.

Over the past decade, the IT community has placed overwhelming emphasis on interconnectedness and its associated security concerns; the same concern has recently gathered momentum regarding ICS. Despite the prolific, continuous threats and concerns emanating from every direction, the benefits and efficiencies gained from interconnection continue to inspire thoughts of opportunities and growth. Calculating the specific exploitation risk to an ICS was a daunting task: it was extremely difficult to quantify, and exploitation seemed so rare that it would surely occur on “someone else’s network” rather than on “my network.” Therefore many refrained from implementing security in ICS environments.

But exactly where to start? Westby (2003) offers that in increasingly connected environments, it can be extremely challenging for stakeholders (leaders, managers, operators, etc.) to make informed decisions regarding formulating guidance, assigning responsibilities, balancing security and efficiency, allocating funding, determining return on investment, and measuring performance. What should be included in formulating an overarching plan for those interconnected or isolated environments? Many refer to establishing such a plan as “governance.”

14.2.2 Some Definitions

Enter “governance.” In the Wikipedia entry of governance, subject matter expert Hufty (2011) provides specific definitions that can be aligned to ICS: “processes of interaction and decision-making among the actors involved in a collective problem that lead to the creation, reinforcement, or reproduction of social norms and institutions,” and “…governance is a theoretical concept referring to the actions and processes by which stable practices and organizations arise and persist. These actions and processes may operate in formal and informal organizations of any size; and they may function for any purpose.”

In the context of IT and ICS, Howe (2009) describes governance as referring to “the structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long term sustainable success of the enterprise.” Those processes yield a simple governance construct that can be applied within organizations. The construct may be divided into the following four subcomponents: policies, standards, guidelines and procedures. This construct is especially useful for those in large or geographically separated organizations.

Policies are regarded as the highest level of written governing document, outlining which standards, guidelines and procedures to follow. Effective policies must be realistic, identify achievable goals, and stay focused. Alternately, they may comprise a number of related standards, guidelines and procedures. Policies should receive input from all parts of the organization, with the key stakeholders having the most influence. They can broadly or specifically reflect leadership direction, goals, objectives or mission, leaving execution details to the referenced documents. With few exceptions, these overarching documents routinely apply to all employees and supporting contractors; the consequences of non-adherence should be clearly articulated, including specified disciplinary action.

Standards offer a frame of reference for compliance and performance. They can span an entire range of options, from minimal to maximum, as well as local, national and international. Standards are often aligned to a statutory law or consequence; the organization determines which are most appropriate and apply. Additionally, within an organization there may be different requirements or tolerances, and different standards or exceptions that should be detailed, approved and documented. For example, the same NIST ICS security control standard could be applied to two systems, but fewer security controls would be necessary for a building escalator than for the critical infrastructure supporting a data center. Standards are adapted or internally developed to satisfy compliance or to respond to industry competition; organizational leadership then selects which to “mandate.”

Guidelines are routinely developed by those trying to meet the requirements outlined by the standards within a specific environment or context. Typically not a mandatory governing document, guidelines are designed to be dynamic and flexible, updated to reflect relevant processes and to adapt best practices and changes to the organizational situation. As an example relating to baselining the configuration of an ICS, one may generate an organization-specific guide or adapt what is outlined in the NIST Special Publications. Two NIST Special Publications offer guidance for controls that can apply to ICS: NIST SP 800-53 “Recommended Security Controls for Federal Information Systems and Organizations,” and, even more specifically, NIST SP 800-82 “Guide to Industrial Control Systems (ICS) Security.”

Examining excerpts from each publication in Tables 14.1 and 14.2, the Configuration Management (CM) family provides the following guidance that IT or ICS managers can employ:

Table 14.1 Excerpt from NIST SP 800–53 CM-2 baseline configuration
Table 14.2 Excerpt from NIST SP 800–53 CM-2 Baseline Configuration

As shown, there are multiple options for the ICS owner/operator/manager to choose. Tailoring the guidance to a specific ICS environment is encouraged. The most important aspect is to document the guidance and obtain leadership approval.

Procedures represent a step-by-step process to achieve a specified result. Each step should be clearly articulated and simple to follow even when the subject matter expert is not available. A simple example procedure is “press red button when centrifuge is exceeding operating tolerance of 5000 to 7500 RPM.” In the configuration example above, procedures would be the “how” outlined for each tool, control and device in the proper sequence and/or precedence.

As an example, a policy may require all networks to be secured. The referenced standards would list which security controls could apply to the different types of networks (e-mail, cell phone, control systems, wired and wireless, etc.). Guidance documents could identify applicable processes, best practices and lessons learned when applying the security controls to each network type. Procedures could outline the individual steps required in each particular process to implement individual security controls:

  • Policy: Secure control system network

  • Standard: Routinely change administrator level passwords

  • Guidance: Change passwords every 90 days consisting of a minimum of 16 characters, upper/lower case, including special characters

  • Procedure: Send email reminder on 15th of each month to change passwords; verify status of changes by logging in to terminal named “Skyrunner,” folder located x://ICS polices/monthly reminders; document compliance; lockout/disconnect those non-compliant

If there is no procedure for verifying password changes, or if that procedure is not followed properly, then the best-practice guidance is not implemented, the standard is not followed, and the network may not be secure.
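The guidance and procedure layers of the example above can be operationalised so that the monthly verification step is repeatable rather than dependent on whoever happens to log in to the terminal. The following Python is an added example, not code from the chapter; the thresholds (90 days, 16 characters, upper and lower case, a special character, the reminder on the 15th) are taken from the chapter's example guidance and procedure, while the account names, dates and the lock-out action are constructed for illustration.

```python
"""Added example (not from the chapter): turning the example guidance and
procedure above into a check that can be run on the 15th of each month.
The thresholds (90 days, 16 characters, upper/lower case, a special
character) are the chapter's example guidance; the account records, the
audit date and the lock-out action are constructed for illustration."""
import string
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90     # guidance: change every 90 days
MIN_PASSWORD_LENGTH = 16       # guidance: minimum of 16 characters
REMINDER_DAY_OF_MONTH = 15     # procedure: e-mail reminder on the 15th


def complexity_failures(candidate: str) -> list:
    """Rules of the guidance that a *new* password breaks (empty list == compliant).
    This can only be applied when the password is set; stored hashes cannot be
    inspected later, which is why the monthly audit below checks age instead."""
    failures = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        failures.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        failures.append("no lower-case letter")
    if not any(c in string.punctuation for c in candidate):
        failures.append("no special character")
    return failures


@dataclass
class AdminAccount:
    user: str
    last_changed: date
    locked: bool = False


def audit_accounts(accounts, as_of):
    """Procedure step 'verify status of changes; document compliance':
    one record per account, suitable for filing as the compliance evidence."""
    report = []
    for a in accounts:
        age = (as_of - a.last_changed).days
        report.append({"user": a.user, "age_days": age,
                       "compliant": age <= MAX_PASSWORD_AGE_DAYS})
    return report


def enforce_lockout(accounts, as_of):
    """Procedure step 'lockout/disconnect those non-compliant'; returns who was locked."""
    locked = []
    for a, row in zip(accounts, audit_accounts(accounts, as_of)):
        if not row["compliant"]:
            a.locked = True
            locked.append(a.user)
    return locked


def reminder_due(today):
    """True on the day the procedure says the reminder e-mail goes out."""
    return today.day == REMINDER_DAY_OF_MONTH


# Constructed sample data: three administrator accounts audited on 31 March 2015.
SAMPLE_ACCOUNTS = [
    AdminAccount("ics-admin-1", date(2015, 1, 10)),   # 80 days old: compliant
    AdminAccount("ics-admin-2", date(2014, 12, 1)),   # 120 days old
    AdminAccount("vendor-svc", date(2014, 6, 15)),    # 289 days old
]
AUDIT_DATE = date(2015, 3, 31)

if __name__ == "__main__":
    for row in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(row)
    print("locked:", enforce_lockout(SAMPLE_ACCOUNTS, AUDIT_DATE))
    print("new password check:", complexity_failures("Correct-Horse-Battery9!"))
```

The audit report is the "document compliance" artifact the procedure calls for; keeping the thresholds as named constants at the top means that when the guideline is revised (say, to 60 days) the procedure changes in one place and the evidence it produces stays consistent with the guidance it claims to verify.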

14.2.3 Purpose of Governance

Setting the tone from the top is a critical enabler for the success of ICS security. One must publish policies that promote compliance and performance, incorporate relevant standards, and generate guidelines to facilitate consistent application of procedures. It is critically important to outline the specific expectations as well as the consequences of not adhering to policy. If it cannot be clearly demonstrated that the appropriate standards are complied with, the ICS may be deemed exploitable and lose its accreditation or permission to operate on the corporate network.

A common concern among ICS stakeholders is the resourcing decisions needed to secure IT-related or automated assets in another part of the organization. As reflected by Allen (2005), “Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business. To achieve a sustainable capability, organizations must make the protection and security of digital assets the responsibility of leaders at a governance level, not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance.”

Tangible benefits to establishing governing documents include:

  • Specify organizational resource responsibility for procurement, sustainment, and technical refresh

  • Stipulate authorization roles, risk management process and performance accountability

  • Provide compliance evidence to regulators, shareholders, insurers, etc.

  • Enable continuity of operations despite unpredictable environments and skilled personnel turnover

  • Justify certificate of net-worthiness/authority to operate

  • Standardize process and metrics for conducting security assessments

14.2.4 Groups Issuing ICS Governance

Various global entities have written many relevant standard documents for assisting with risk management and cybersecurity within ICS environments. Fabro (2012, p. 125) relays a simple, overarching purpose, “Understanding these standards will allow asset owners to create and manage a program to mitigate cyber security risks in their control systems environments. When an asset owner is without formal direction to adhere to a certain security standard or practice, these standards allow for great flexibility to accommodate for the unique challenges presented by control system environments.”

Below is a list of the organizations routinely developing authoritative and internationally recognized standards and specific ICS guidance (not all inclusive; see Table 14.3 for more details):

  • IEC—International Electrotechnical Commission

  • IET—Institution of Engineering and Technology

  • ISA—International Standards of Automation

  • ISO—International Organization for Standardization

  • NIST—National Institute of Standards and Technology

  • NRC—Nuclear Regulatory Commission

  • U.S. DoD—Department of Defense

Table 14.3 List of many standards and guidance documents applicable to ICS (not all inclusive)

14.2.5 ICS Assessments

Unless specifically dictated, the standards listed above can be used as prescribed or modified to apply to unique ICS environments. While no two ICS configurations may be exactly the same, the standards can be applied consistently across an enterprise of multiple assets, systems and/or networks. Even if the ICS configuration fully complies with all the regulations, standards, guidelines, etc., disruption, exploitation and manipulation may occur. Targeted by undeniably persistent and complex cyber threat vectors, ICS owners and operators must endeavor to remain proactively vigilant in their security perspective. Therefore, it is critically important to conduct routine evaluations to ascertain operational and security performance.

The assessment process is essential. Among all the governing documents within an organization, assessments are the most powerful for enabling resource decisions, revealing vulnerabilities, and making security modifications. Assessments are applied at the design, construction and completion phases. They establish the baseline and consider modifications when they occur. When regular assessments are completed, the organization understands the precise ICS hardware and software configuration. When all is operating well, assessments verify that system communications are all according to expectations and plans. On the other hand, assessments can reveal the existence of unexpected communications, illuminating the extent of malware or exploitation and/or the lack of updates, patches, and adherence to best security practices.

Despite assessment benefits, due to a general lack of oversight from an IT security context, many ICS assessments were never conducted and, consequently, security was not integrated into the design. When assessments do occur, the following are common negative findings:

  • Existence of undocumented network connections (wired and wireless)

  • Presence of known or unknown connection to Internet or vendor (for maintenance/warranty)

  • Incorrect configurations (modified from initial installation or adapted to customer environment)

  • Incomplete patches and upgrades (HW/SW)

  • Non-secure configuration

  • Owners/operators not familiar with configuration, appropriate cyber/security practices

14.3 Examples of ICS Assessment Processes

One significant concern is that with many ICSs, taking the system off-line for software upgrades or patches may have operational impacts. For example, if the HVAC system were to come offline, the server room temperature may increase to the point where computers overheat and shut down. In another example, applying a patch to a critical life-support medical device during an operation may cause it to fail. If clear governance exists, all system operators and network administrators would cooperate on specific procedures, would routinely review the systems and devices using network communications, and would work together on implementing upgrades and patches. This would reduce the risk of a lapse in normal operations or of catastrophic results.

There exist several documented processes to complete ICS security assessments. They can be performed independently or in concert with the IT assessments. The following list is not comprehensive but reveals varying approaches with underlying common themes. Inclusion does not represent or imply endorsement of any commercial product or government process. A brief overview is provided with the recommendation to further investigate these and others to determine the most relevant, repeatable assessment process for your organization.

  1. NIST Cybersecurity Framework

  2. Department of Energy (DoE) & DHS Cyber Capability Maturity Model (C2M2)

  3. Robust ICS Planning & Evaluation (RIPE) Framework

  4. DHS ICS Cyber Emergency Response Team (CERT) Cyber Security Evaluation Tool (CSET)

In the next four subsections, we describe aspects of these assessment processes in more detail.

14.3.1 NIST Cybersecurity Framework

The NIST Cybersecurity Framework (NCF) is a “risk-based” methodology for managing cybersecurity risk, consisting of: Framework Core, Framework Implementation Tiers, and Framework Profiles (http://www.nist.gov/cyberframework/). Each Framework component emphasizes interactions among business drivers and cybersecurity activities.

The NCF systematic process can be used to establish a new cybersecurity program or advance an existing one. Working through each step, the organization can evaluate current capabilities and gaps to attain desired performance. Essentially the NCF (2014, p. 15) can provide “a roadmap to improvement” and ability to “prioritize expenditures to maximize the impact of the investment.”

The Framework Core in the NCF (2014, p. 6) is designed to enable “communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.” In Fig. 14.1, there are five functions on the left side: Identify, Protect, Detect, Respond, and Recover; and four elements across the top: Functions, Categories, Subcategories, and Informative References. The Core (p. 6) is not a simple task list; it “provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. It presents key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk.”

Fig. 14.1 NCF core elements

The NCF (2014, p. 7) describes Framework Implementation Tiers (“Tiers”) to facilitate self-evaluation of cybersecurity risk and associated processes. “Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).” When selecting the appropriate Tier, “an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.”

Further, the NCF (2014, p. 7) specifies the next level, Framework Profile. “Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state). To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important; they can add Categories and Subcategories as needed to address the organization’s risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.”

Figure 14.2 shows the next stage in establishing a relevant framework template: an organization may include additional “Category” and “Category Unique Identifier” entries to optimally align with the functions.

Fig. 14.2 Example of NCF functions, category unique identifier and category

As the example depicts, it may appear that the “intended outcomes” listed in the Functions, Categories, and Subcategories are similar for IT and ICS. However, the operational environments and considerations for IT and ICS differ. The NCF (2014, p. 20) states “ICS have a direct effect on the physical world, including potential risks to the health and safety of individuals, and impact on the environment. Additionally, ICS have unique performance and reliability requirements compared with IT, and the goals of safety and efficiency must be considered when implementing cybersecurity measures.”

The NCF prescribes separate representative “Profiles” and a separate characterization of an organization’s practices, or “Tiers.” Figure 14.3 below adapts all the concepts into one table. It includes only one example for each Function, Category and Subcategory, and integrates the Tier evaluation under a “current” Profile measured against attaining the task outlined in the subcategory column. This is not precisely prescribed by the Framework but offers a means to view all the concepts integrated together. As noted in the NCF, the Tiers are not “maturity levels,” and an organization may decide not to invest resources to progress from a lower Tier to a higher one. Leadership may decide to assume a level of risk commensurate with one or more Tiers.

The NCF provides a template along five functional areas common to IT and ICS: Identify, Protect, Detect, Respond, Recover (see Fig. 14.3). It aligns informative references to give an overarching view of current cybersecurity practice, but it does not identify which specific security controls should be in place to protect ICS networks. It certainly emphasizes collaboration and cooperation among and across all lines of business/operations within an organization to determine the appropriate categories for evaluation. On its own, however, generating a “current state” profile and a “to-be state” profile will not serve as justification for authorization to operate on the corporate network or proof of net-worthiness. It will undoubtedly serve as another management resource investment decision aid and/or capability oversight tool.

Fig. 14.3 Integration of all NCF concepts into single table

14.3.2 Department of Energy (DoE) and DHS Cyber Capability Maturity Model (C2M2)

The C2M2 evaluation can enable organizations to assess and bolster their cybersecurity program, prioritize cybersecurity actions and investments, and maintain the desired level of security throughout the IT systems life cycle (http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program/cybersecurity). Stemming from a diverse set of cybersecurity standards, frameworks, programs, and initiatives, it outlines implementable steps applicable to almost any organization (see Fig. 14.4).

Fig. 14.4 Table illustrating how the C2M2 can contribute to an overall prioritized implementation plan (2014, p. 19)

The DoE (2014, p. 1) states that the resulting scores from the C2M2 model reflect the “implementation and management of cybersecurity practices” across traditional information technology systems and ICSs, as well as the overall security culture of the organization. The model is intended to:

  • Strengthen organizations’ cybersecurity capabilities

  • Enable organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities

  • Share knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities

  • Enable organizations to prioritize actions and investments to improve cybersecurity

Within the C2M2, there are ten domains, each comprising cybersecurity practices grouped under objectives and assigned Maturity Indicator Levels (MILs). See Fig. 14.5 for a sample score result. The C2M2 Self-Evaluation Toolkit (an Excel spreadsheet) contains over 600 questions which are graded on a four-point scale: Fully Implemented (FI), Largely Implemented (LI), Partially Implemented (PI), and Not Implemented (NI).

Fig. 14.5 Sample summary scores after completing the C2M2 questions (2014, p. 15)
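The four-point scale, the domains and the MILs are the raw material of the summary score in Fig. 14.5, and the "current versus target" comparison that the NCF Profiles in Sect. 14.3.1 also rely on. The Python below is an added example, not the DoE toolkit or any code from the chapter: it aggregates FI/LI/PI/NI answers per domain and derives an achieved MIL. The domain labels, practice identifiers and answers are constructed (three of the ten domains, a few practices each), and the rule used for the achieved MIL (every practice at that level and at all lower levels answered FI or LI) is an assumption of this example, not a quotation of the model.

```python
"""Added example (not from the chapter or the DoE): scoring C2M2-style
self-evaluation answers.  The four responses (FI/LI/PI/NI), the domains and the
Maturity Indicator Levels (MIL) come from the text above; the domain labels,
practice identifiers and answers below are constructed, and the rule for an
"achieved MIL" (every practice at that level and below answered FI or LI) is
an assumption of this example."""
from collections import Counter
from dataclasses import dataclass

RESPONSES = ("FI", "LI", "PI", "NI")   # four-point scale from the toolkit
SATISFIED = {"FI", "LI"}               # assumption: these count toward a MIL
MILS = (1, 2, 3)


@dataclass(frozen=True)
class PracticeAnswer:
    domain: str
    mil: int
    practice_id: str   # constructed identifier, e.g. "RM-1a"
    response: str


def invalid_answers(answers):
    """Answers whose response or MIL lies outside the scale (a data-entry check)."""
    return [a for a in answers if a.response not in RESPONSES or a.mil not in MILS]


def achieved_mil(domain_answers):
    """Highest MIL for which every practice at that level and below is FI or LI;
    0 when even MIL1 is not fully satisfied (assumed rule, see module docstring)."""
    level = 0
    for mil in MILS:
        at_level = [a for a in domain_answers if a.mil == mil]
        if not at_level or any(a.response not in SATISFIED for a in at_level):
            break
        level = mil
    return level


def summarize(answers):
    """Per-domain response counts and achieved MIL, like the summary score view."""
    by_domain = {}
    for a in answers:
        by_domain.setdefault(a.domain, []).append(a)
    summary = {}
    for domain, rows in sorted(by_domain.items()):
        counts = Counter(a.response for a in rows)
        summary[domain] = {
            "counts": {r: counts.get(r, 0) for r in RESPONSES},
            "achieved_mil": achieved_mil(rows),
        }
    return summary


def gaps_to_target(answers, domain, target_mil):
    """Practice ids in `domain` that must reach FI/LI before `target_mil` can be
    claimed: the 'current versus target' comparison behind a prioritised plan."""
    return sorted(
        a.practice_id
        for a in answers
        if a.domain == domain and a.mil <= target_mil and a.response not in SATISFIED
    )


# Constructed sample: three of the model's ten domains, a handful of practices each.
SAMPLE_ANSWERS = [
    PracticeAnswer("Risk Management", 1, "RM-1a", "FI"),
    PracticeAnswer("Risk Management", 1, "RM-1b", "LI"),
    PracticeAnswer("Risk Management", 2, "RM-2a", "FI"),
    PracticeAnswer("Risk Management", 2, "RM-2b", "PI"),
    PracticeAnswer("Risk Management", 3, "RM-3a", "NI"),
    PracticeAnswer("Asset Management", 1, "AM-1a", "FI"),
    PracticeAnswer("Asset Management", 1, "AM-1b", "FI"),
    PracticeAnswer("Asset Management", 2, "AM-2a", "LI"),
    PracticeAnswer("Asset Management", 3, "AM-3a", "FI"),
    PracticeAnswer("Situational Awareness", 1, "SA-1a", "NI"),
    PracticeAnswer("Situational Awareness", 1, "SA-1b", "FI"),
]

if __name__ == "__main__":
    assert not invalid_answers(SAMPLE_ANSWERS)
    for domain, result in summarize(SAMPLE_ANSWERS).items():
        print(f"{domain:22s} MIL {result['achieved_mil']}  {result['counts']}")
    print("Risk Management gaps to MIL2:", gaps_to_target(SAMPLE_ANSWERS, "Risk Management", 2))
```

Two points a practitioner should notice: a single PI answer at MIL2 holds Risk Management at MIL1 even though most of its practices are implemented, so the gap list (not the count of FI answers) is what tells leadership where the next investment goes; and the data-entry check matters because a 600-question spreadsheet filled in by several people will accumulate off-scale answers that silently distort the summary.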

The process is fairly simple to repeat as “plans are implemented, business objectives change, and the risk environment evolves” (DoE 2014, p. 15). The DoE defines two energy-sector-specific models: Electricity Subsector C2M2 (ES-C2M2) and Oil and Natural Gas Subsector C2M2 (ONG-C2M2).

While the C2M2 provides an overarching view of current cybersecurity practice, it does not identify which specific security controls should be in place to protect ICS networks. It does reiterate the need for collaboration and cooperation among and across all aspects of business/operations within an organization to determine the appropriate practices, objectives and corresponding MILs. As a stand-alone product, however, it will not serve as a justification for authorization to operate on the corporate network or proof of net-worthiness. It does serve as a resource investment and capability oversight tool.

14.3.3 Robust ICS Planning & Evaluation (RIPE) Framework

Mr. Ralph Langner, founder and director of Langner Communications GmbH, a cybersecurity consulting firm focused on ICS security, has developed the Robust ICS Planning & Evaluation (RIPE) Framework (http://www.langner.com/en/solutions/). The specific details are proprietary, but some insightful information is publicly available in a whitepaper accessible on the company’s website (see Tables 14.4 and 14.5). Langner (2013, p. 1) explains that RIPE consists of evaluating “eight different domains, establishing benchmarks and scorecards enabling measurable cyber security capability and identifying weak spots. Such a framework-based approach to ICS security provides economies of scale that can result in significantly improved efficiency compared to risk management exercises that approach every single plant as a completely unique universe.”

Table 14.4 Captures the whitepaper attributes used to measure cybersecurity capability and indicates these can be routinely “blurred” (2013, p. 4)
Table 14.5 Reveals an example of how the performance characteristics would be measured (2013, p. 7)

Unlike the other assessment processes described in this chapter, RIPE requires that an organization purchase RIPE materials to ascertain its cyber security effectiveness (see http://www.langner.com). One option is to purchase licensed guidelines and templates for an organization and to simply self-populate those guidelines and documents. A much more robust on-site process is also offered, consisting of an audit lasting 30 days, resulting in a RIPE Framework implementation certification.

The RIPE whitepaper (2013, pp. 5–6) focuses on “eight domains of the plant ecosystem” and measures the effectiveness of each as a percentage of the optimal performance:

  • System Population Characteristics

  • Network Architecture

  • Component Interaction

  • Workforce Roles and Responsibilities

  • Workforce Skills and Competence Development

  • Procedural Guidance

  • Deliberate Design and Configuration Change

  • System Acquisition

Once each of the eight domains is scored, the results can be plotted in a spider web diagram as in Fig. 14.6, which is a fictitious comparison of the Atlanta and Birmingham plants, clearly revealing differences in performance.

Fig. 14.6 RIPE comparison of the Atlanta and Birmingham plants (2013, p. 7)

As with most assessment processes based on metrics or measures of effectiveness, the results can be used by leadership to make logical, non-subjective, risk-based investment decisions. Per the whitepaper (2013, p. 10), “Based on the RIPE Framework documentation, it is also feasible to determine which security controls yield the best mitigation for the cost—if implemented properly (as specified in mitigation advice). Mitigation advice will usually involve multiple security domains.”

However, a common problem seen in many organizations is a lack of insight into the actual problems and the relevant mitigating solutions. Moreover, even after a solution is purchased, it is critical to ensure the controls are implemented properly. For example, everyone has a lock on their front door to keep out intruders, but sometimes the lock is not engaged. Within the context of cybersecurity, Mr. Langner (2013, p. 9) notes: “It is discouraging to see how many asset owners (from management down to control system engineers) are satisfied with the idea to ‘have addressed the problem’ of ICS insecurity by having invested in firewalls, anti-virus solutions, security patching regimes etc. without ever bothering to check their effectiveness.”

The RIPE Framework can provide an overarching view of current cybersecurity practices, risk management tolerance and measures of effectiveness of eight domains common to plant operations. Once a product license is procured, independently or with the RIPE team, a holistic view based on performance metrics can be implemented to protect ICS networks. It reinforces the need for an understanding across all aspects of business/operations within an organization. It may provide relevant artifacts to help justify authorization to operate on the corporate network or proof of net-worthiness. However, the specifics are not detailed in the whitepaper. Similarly to the other methodologies, it can serve as a resource investment and capability oversight tool.

14.3.4 DHS ICS Cyber Emergency Response Team (CERT) Cyber Security Evaluation Tool (CSET)

The Department of Homeland Security (DHS) National Cyber Security Division (NCSD) developed CSET for control systems asset owners (https://ics-cert.us-cert.gov/Assessments). Their primary objective was to assist organizations identified as parts of the nation’s critical infrastructure in reducing their cyber risk. However, since its initial release in August 2009, it has become a useful tool suitable for almost all systems that control a physical process, from expansive power utilities and sewage treatment plants to manufacturing plants, logistical or medical facilities, and individual buildings. The most recent CSET version as of this chapter’s printing is 7.0, released in August 2015.

CSET (2015, p. 15) describes itself simply: “CSET implements a simple, transparent process that can be used effectively by all sectors to perform an evaluation of any network.” One can order a free CD or download the file directly from the DHS ICS CERT website. The software tool includes a step-by-step guide that helps users enter their organization-specific control system information (hardware, software, administrative policies, etc.) into predefined parameters based on relevant security standards and regulations (see Figs. 14.7 and 14.8).

Fig. 14.7 CSET Step 1—select relevant assessment mode (2015, p. 44)

Fig. 14.8 From selected standards stem appropriate questions in CSET (2015, p. 47)

The questions are derived from the following standards and regulations:

  • NIST Cybersecurity Framework

  • NIST SPs: 800–39; 800–53 Rev 4; 800–82 Rev 2

  • NISTIR 7628

  • NERC CIP

  • ISA 99/IEC 62443

  • ISO/IEC 15408; 27001–27005

  • ISO 31000 and ISO 50001

  • NRC 5.71

  • U.S. DoDI 8500.01 and 8510.01

  • Others

As with the other assessment methodologies listed in this chapter, CSET should be completed by a cross-functional team consisting of subject matter experts spanning administrative, business, information technology, maintenance, operational and security functional areas. There are hundreds of questions to be answered and while the software is simple to install and use, the breadth and depth of answers required to effectively respond to the questions necessitates knowledgeable and proficient personnel. Those personnel will be routinely located in various parts of the organization. Answering the series of diverse and technical questions is a forcing function to bring them together, potentially enabling unprecedented collaboration among entities that seldom otherwise communicate, if at all.

CSET assessments (see Fig. 14.9) cannot be successfully completed by any one individual as no single person maintains sufficient enterprise knowledge to provide effectual responses to all of the questions. To be truly effective and efficient, completing a CSET (2015, p. 20) assessment requires a cross-functional team consisting of representatives from the following areas:

Fig. 14.9 CSET depiction of general security assessment level (SAL) (2015, p. 70)

  • ICSs (knowledge of ICS architecture and operations),

  • System Configuration (knowledge of systems management),

  • System Operations (knowledge of system operation),

  • Information Technology (IT) Network/Topology (knowledge of IT infrastructure),

  • IT Security/Control System Security (knowledge of policies, procedures, and technical implementation),

  • Risk Management (knowledge of the organization’s risk management processes and procedures),

  • Business (knowledge of budgetary issues and insurance postures), and

  • Management (a senior executive sponsor/decision maker).

Conveniently, CSET can generate the System Security Plan and the Artifacts; adding the Security Assessment Report (SAR), CONOPS, and Incident Response Plan provides an organization with the basic analysis to understand the risks, impacts, and recovery/mitigation options. CSET includes an extensive complement of templates (see Fig. 14.10) to facilitate network, systems and device inventories and diagrams. Since proprietary design and potential vulnerability information will be revealed after completing the assessment, the corresponding reports must be handled appropriately.

Fig. 14.10 CSET offers many templates to create inventory and network diagrams (2015, p. 111)

CSET is a compliance verification tool rather than a risk or vulnerability assessment tool. Once the assessment is completed, CSET (2015, p. 14) “pulls its recommendations from a database of the best available cybersecurity standards, guidelines, and practices.” The resulting reports (see Fig. 14.11) outline specific mitigation actions for obtaining full compliance with the selected policies, standards and corresponding security controls, thereby improving the ICS’s cybersecurity capability.

Fig. 14.11 Sample final CSET report summary (2015, p. 153)

CSET should be combined with other tools to fully evaluate the security posture. For example, one may use network scanning, penetration testing, and other tests on nonproduction systems that will not adversely impact mission, operations, health or safety.

CSET is a stand-alone software application that enables organizational self-assessment using national and internationally recognized standards. It can integrate ICS community cybersecurity best practices into the organizational corporate risk management strategy. Since its inception, many have posted video tutorials on-line, demonstrating its wide user community. Within CSET is a comprehensive and expansive reference library. If preferred, DHS ICS CERT has an on-site service that can assist with the assessment process. A benefit of CSET is that a system security plan can be exported as an artifact toward justification for authorization to operate on the corporate network, or proof of net-worthiness. While a CSET “all green” cybersecurity standards compliance evaluation is impressive, as for other assessments, it does not equate to an impenetrable or un-exploitable network.

14.3.5 Overview of Assessment Methodologies

Each assessment approach described is based upon extensive subject matter experience and community best practices. None offer shortcuts or exclusions from their process; the process must be followed in order to obtain an accurate, accountable inventory of all ICS systems, networks and devices. They all recommend that all stakeholders within an organization—especially IT and ICS—work together and systematically conduct self-assessments on the networked assets in order to capture dependencies and interdependencies. The results can inform leadership to help with resource decisions and management task prioritization. It’s important to understand that not every asset will require robust security controls. Despite many executives stating “securing all these is an impossible task,” there are many methodologies available to achieve the security level relevant for a given organization. When the appropriate people come together and are required to discuss issues related to protecting their assets, they are often able to recognize areas of weakness and the required improvements for their organization.

Improvements are needed in several areas: automated identification of assets on an ICS network, along with its topology and connectedness; adherence to rules, policies and patches; visualization; evaluation of instantaneous performance (and trend analysis) and of exploitability based on continuous alerts and intelligence community inputs; 100 % verification of vendor patch authenticity; and identification of the potential consequences of applying a new patch in the real-time operational environment versus first applying it to a test bed. A cyber range or test laboratory can be used for replicating all vendors, all protocols, and all levels of updates and patches, as well as for automating responses to alerts such as updating and patching. Predictive maintenance and mitigation options incorporating associated expenses would also be very useful. There are tremendous business opportunities in this space. Beyond hardware or software advancements, additional labor and training may need to be considered to complete the job well.

Each methodology can be a catalyst for change. Many hesitate to take the first step because security, especially ICS cybersecurity, is unfamiliar territory. It is overwhelming to be faced with reading through the totality of hundreds of security questions to answer in the standards documents. However, if one takes on the challenge one step at a time and embraces the opportunity to safeguard the organization, catastrophes can be avoided. There are a vast number of free resources. One will need to dedicate resources, time and effort internally, and perhaps engage external expertise. It is imperative that the technical specialists representing IT and ICS collaborate instead of compete. Assessments offer a measurable, repeatable, non-subjective process for making informed security-related decisions.

It is prudent to invest in community best practices and conduct regular assessments. Security evaluations and investments are reported directly to the CEO. If a breach occurs and the media questions company officers or shareholders, one may confirm that an assessment was performed. Quarterly reports include those investment decisions in cybersecurity solutions as a differentiator. As it is commonly said but rarely implemented: security should be “baked in” from the beginning and not “bolted on” after all the equipment is installed. If you are in the planning and/or design phase, then security capability requirements can be applied now.

If the smart meters mentioned at the very beginning of this chapter are already installed but it is not known whether they were securely installed, the organization could use the methods from this chapter to create a relevant governance structure and assess current security procedures via structured and repeatable processes. In the process, one may discover that the ICS networks are unknowingly connected to other networks within the organization, presenting significant risks to critical ICS processes. In the Code of Practice for the Cyber Security in the Built Environment, Boyes (2014, p. 57) explains “This cascade from the strategy through policy to process and individual procedures is most important as it provides an audible trail that links specific actions and activities to the overall vision of how the cyber-security risks will be managed and mitigated.”

14.4 Summary and Conclusions

ICS networks are being exploited due to a lack of integrated security. This motivates a much stronger need for interdepartmental collaboration and cooperation in an organization. Cooperative discussions can optimize system performance and security while minimizing cost and risk. Contributors must manage procurement practices and weigh consequences of other relevant corporate decisions. Although cooperative motivation can be integral for short-term success, long-term success requires a more structured approach.

Security governance is critically important for outlining both the specific expectation of ICS operations, as well as the consequences for not adhering to specified policies. Once asset owners understand the security standards for their organization, they are able to create and manage a program to mitigate cyber security risks. In addition, it is critically important to conduct routine evaluations (assessments) to ascertain operational and security performance. Assessments are applied at the design, construction and completion phases. Among all the governing documents within an organization, assessments are the most powerful for enabling resource decisions, revealing vulnerabilities, and making security modifications.

Four sample methods of ICS security assessment are discussed in detail in this chapter: the NIST Cyber Security Framework (CSF), the DoE/DHS Cyber Capability Maturity Model (C2M2), the proprietary Robust ICS Planning and Evaluation (RIPE) framework, and the DHS ICS CERT Cyber Security Evaluation Tool (CSET). Each of these approaches is based upon extensive subject matter experience and community best practices, and each can be used as a starting point for establishing security practices in an organization. Many informational and tutorial documents are available for using these methods.

Although engaging in governance and security assessments requires significant investment by the organization, the benefits can far outweigh the costs. Security evaluations and investments are shared directly with organization executives, who consequently become integrated in the process. Due diligence or corporate responsibility is usually evident if a breach occurs. Documentation of security processes and well-kept security logs can be instrumental for forensics, and for overall process improvement in an organization.