The global cybersecurity framework could benefit significantly from harmonizing standards for OT (operational technology) and ICS (industrial control systems) cybersecurity across the organizational environment. Harmonization gives organizations more control over risk and makes it possible to enforce uniform security measures that comply with regulations, which makes good practice easier to apply and generally improves protection from cyber threats.
In critical OT/ICS sectors, where systems are part of national infrastructure, the impact of cyber incidents can be far-reaching. Standardized protocols improve communication and collaboration among stakeholders, strengthen incident response efforts, and reduce operational disruptions. These standards also help bridge the gap between IT and OT security by driving a unified approach. However, the harmonization process must not lead to operational interference or a loss of accountability for OT/ICS systems.
The growing trend of regulatory bodies forcing compliance underlines the need to protect critical services. The current approach to cybersecurity regulation is fragmented, however, which causes significant difficulties, particularly in OT/ICS settings. Organizations are lost in a jungle of conflicting regulations, which can bring chaos, inefficiency, and higher costs, since they may need to comply with several standards and pass several audits assessing different aspects of their cybersecurity posture.
Most importantly, these national infrastructure security standards need to be streamlined, particularly with respect to technical controls, so that they give clear and consistent guidance. Even greater difficulties relate to audit processes and incident reporting. Reciprocity of cybersecurity audits between the different standards frameworks has to be implemented to avoid redundant evaluations and reduce the associated costs, so that organizational efforts are focused on security rather than compliance.
Centralized, standardized reporting of cyber incidents would improve coordination between regulators, vendors, and other stakeholders in incident response, analysis, and situational awareness, ensuring a better security posture within OT/ICS environments.
Challenges in harmonizing global cybersecurity standards
Industrial Cyber consulted with industrial cybersecurity experts to explore the main barriers to international harmonization of cybersecurity standards, as well as the technical hurdles that industrial and operational organizations encounter when attempting to merge various existing standards into a cohesive framework.
“Harmonizing standards at the level of a framework or high-level objectives is not where the largest obstacles exist,” Jason Holcomb, a managing director in Accenture’s cyber-physical security practice, told Industrial Cyber. “For example, it is not difficult to agree on basic tenets such as system reliability, monitoring and response, and secure backup and recovery.”
He added, “Where I have seen obstacles in these efforts is when there is a ‘lift and shift’ of technical security controls that are generally accepted in IT networks but may work against reliability or have a different, unintended consequence in the industrial context. There is a delicate balance needed between prescription of controls that will genuinely move the needle for security with the flexibility and adaptability needed to prevent unintended consequences.”
“The most obvious obstacle is the achievement of a consensus that would lead to the acceptance of a standard,” Vytautas Butrimas, industrial cybersecurity consultant and member of the International Society of Automation (ISA), told Industrial Cyber. “This requires some compromise that can come from thinking less about marketing and more about what makes good engineering sense. However, nations have an interest in promoting their home-made products as well as those of manufacturers that can override the arguments of common sense.”
He added that those who work in the field may be used to working with one kind of technical solution and may resist applying something new, which will not be easy to do where there is already an ongoing operation. “For example, the operations of a pipeline or power grid cannot just be stopped to install a new technical solution. This must be planned for at the risk of significant cost which may include disruption to the provision of services vital to the well-being of society. There is also the unwillingness to change something when things are working fine as they are. Something that is not mentioned is that technology changes much faster than a standards organization can accommodate.”
“One of the ISA/IEC 62443 standards approved in 2007 is about to undergo a revision in recognition of the changes that have taken place since then,” Butrimas noted. “The process is quite slow and there is the risk that the updated standard will come too late, for the current technology may have moved on. The main effort is still the responsibility of the asset owner who must develop a cybersecurity program for their enterprise. In that process, the business process will be understood, and an appropriate standard will be chosen. ISA has published a White Paper on the topic of implementing an industrial cybersecurity program,” he added.
Paul Veeneman, an IT|OT|ICS|cybersecurity and risk management professional, told Industrial Cyber that typical challenges cited in bringing global consistency to security frameworks, collaboration, and information sharing are concerns regarding the regulatory landscape, national security, and varied levels of technology maturity. “However, organizations, entities, and agencies should focus on foundational requirements such as asset management, assessing risk, and developing response and recovery plans.”
He added that the Department of Energy ‘Supply Chain Cybersecurity Principles’ identifies that existing standards are written ‘from the perspective of a single entity,’ with the DoE’s intent to capture the relationships between suppliers and end users. The DoE Principles identify lifecycle management, risk management, incident response, and continual improvement, bringing attention to foundational practices that can benefit suppliers, end users, and the global supply chain as a whole.
“One significant obstacle to any cybersecurity framework is whether or not the framework and governance is followed in consistent practice. The Crowdstrike event identified that non-production testing of updates and patches did not take place for a vast majority of systems and applications, specifically impacting areas of transportation critical infrastructure,” Veeneman observed. “Interestingly, a small select group of airlines did not have the widespread loss of services due in part to the outdated nature of some of the systems. This reflects OT environment asset management practices that must be taken into account.”
He further asked: if a critical asset cannot be updated, what is the risk mitigation when patches and updates don’t exist? “Is this going to be taken into account by a new cybersecurity framework? Most frameworks are IT-centric, and fall short of the nuance for OT systems and environment dependencies and ramifications for safety, productivity, and reliability of process control systems.”
Veeneman observed that the impact of the Crowdstrike event would indicate that this is not taking place to a large degree. “A vast majority of the organizations affected already have frameworks in place, and many of those frameworks have change and asset management controls to safeguard against updates and patches that can negatively affect production environments.”
Assessing initiative to standardize cybersecurity protocols and enhance national infrastructure security
The executives evaluate the national infrastructure security factors that led to the initiative to standardize cybersecurity protocols worldwide and explore how such an initiative bolsters cybersecurity resilience worldwide in OT and ICS environments.
Butrimas said he did not know what exactly prompted the move toward harmonization. “It has been going on for some time. I think it was more common sense and a recognition that the technologies used are similar and that there were advantages to not choosing to do things in a proprietary way. It also gave some certainty for manufacturers that new products based on a single standard will be adopted by a wider audience.”
He added that harmonization makes sense as well for it allows a wider distribution of products. “The classic examples are GSM and GPS. You can use a mobile phone almost anywhere in the world and feel confident in making a connection and knowing where one is standing.”
On how such a move enhances global cybersecurity resilience across OT and ICS environments, Butrimas said that is a ‘more complicated issue.’
“Part of the complication comes from a poor definition of what OT is. OT has become a popular term propagated by media and IT professionals to describe what they think is happening in an environment that uses technologies to monitor and control processes governed by the laws of physics and chemistry,” Butrimas evaluated. “The IT-centric bias leads to a focus on data which leads many astray, especially those who make policy and regulations. If we do not know what we are trying to protect, policymakers will continue to miss the target.”
One example from last year that Butrimas provided is the U.S. National Cybersecurity Strategy which mentions the need to protect baby monitors and personal fitness devices but fails to address the industrial automation and control system (IACS) environment where control devices like Programmable Logic Controllers (PLCs) and Protection Devices found in power grids play a crucial role in critical infrastructure protection. “There is also a growing risk of putting some of the control systems in the cloud which will certainly affect cybersecurity resilience. In essence, digital-based systems are fragile or ‘cyber fragile’ as one opinion leader has expressed. The lesson of the recent Crowdstrike/Windows IT failures should be considered,” he added.
Veeneman identified that consistency increases the capacity for security across all nations. “The ability to reduce risk, vulnerabilities, and streamline compliance from shore to shore. Global supply chains further accentuate the need and requirement for resilience due to the vast connectivity, communications, and interdependencies. Threat actors can target weak links and collaboration and information sharing can potentially mitigate risks to critical assets and process control environments,” he added.
Impact of G7 Cybersecurity Framework
The executives examine how the development of a unified cybersecurity framework by G7 nations affects operational technologies in energy systems, focusing on both manufacturers and operators.
Butrimas expects the efforts to mostly impact the billing and accounting departments of the utilities and administrative offices of manufacturers. “The ones making the policy and many of those offering the solutions are mired in an office IT mindset. The efforts motivated by the fear of ransomware will continue to be focused on network security, protecting privacy and data from cybercriminals. The many wake-up calls pointing to the activity of state-supported advanced persistent threat actors seeking to disrupt or hijack the view and control of a physical process from the operators, sadly will continue to be missed,” he added.
“The G7’s efforts are to be commended, but the initiative seems redundant given the existing ISA 62443 standard. The ISA 99 Working Group designed the 62443 for control systems, but it can also be used horizontally across both OT and IT environments alike,” Veeneman said. “Following US National Security Advisor Jake Sullivan’s announcement on June 18th, I would advocate and promote the adoption and use of ISA 62443 for expediency and efficiency toward strengthening and safeguarding the global supply chain in key energy industries.”
He added that in the wake of the Crowdstrike event, it became clear that there was a global deficiency in change and asset management governance. “Almost all existing compliance frameworks have requirements for testing patches and updates in non-production environments prior to releasing to production environments. This is true for both IT and OT environments alike. But the impact can be far more serious for OT environments.”
“The results of the Crowdstrike event would indicate the opposite, updates are applied as they are released to the public, without an intermediate testing and validation,” according to Veeneman. “While Crowdstrike quality assurance played a part, we can all reflect on our own internal patch, change, and asset management processes that could have identified the error conditions in non-production testing prior to release to production systems and environments.”
Path for collaborative cybersecurity standards across industrial landscapes and national infrastructure security
The executives explore ways in which nations at different stages of cybersecurity development can collaborate effectively to standardize their industrial and operational infrastructures.
“A key to this is answering the three fundamental security policy questions. Nations first need to determine what it is they must protect. Although I am sure that if you ask a policy or regulator if they take PLCs under consideration some would nod their heads while not knowing what a PLC does,” Butrimas said. “Once they determine what they want to protect then they need to determine what are the threats. Too often cybercrime and ransomware are the quick choices. If countries don’t reach out to the experts for advice on answering the first two questions, they will fail in answering the last ‘How to protect identified assets from identified threats’ question,” he added.
Butrimas said that so far it seems that countries, no matter how much they are concerned with critical infrastructure protection, are still locked into measures that work best for office IT and software. “The rest they call ‘OT’ which, according to what their policies and documents show, they do not understand. This applies to N. American and European efforts. To be fair, the Cyber Informed Engineering effort of Idaho National Labs and the U.S. Department of Energy is a big step in the right direction and a much-appreciated exception,” he added.
Veeneman said that maturity levels are all over the map, partly attributable to a lack of foundational requirements for any safeguarding efforts: sound asset management, accurate risk assessment, establishing access control, determining event responses, and ensuring reliability, all of which are very different in process control systems compared with traditional information technology. “Applying ‘cybersecurity’ without the former can lead to potential misalignment of safeguarding objectives. Organizations, agencies, and countries should look to cybersecurity as a risk treatment and output, as opposed to a starting point,” he added.
Evaluating cybersecurity standardization amidst rising geopolitical strains
The executives examine the impact of geopolitical tensions on the process and progress of harmonizing cybersecurity standards.
Butrimas thinks it is counterproductive. “If the tension generates anxiety it will also make many fear the risk of changing anything. Conflicts as we currently see in the Russian invasion of Ukraine and in the Middle East have tended to put cybersecurity a bit lower on the list of priorities. Developing better bombs and defenses against them is taking up a lot of the attention. The issue will return in a big way later, especially with the introduction of A.I.-based weapon and defense systems,” he added.
“Deliberation among countries on any topic will have possible geopolitical implications. Looking at existing standards already available for security and safeguarding control systems, ISA 62443, while primarily a technical standard, is not entirely immune to geopolitical tensions,” Veeneman said. “Differences in national regulatory environments, economic interests, and strategic priorities can influence the adoption and implementation of ISA 62443. But, it is a globally recognized standard developed by an international body, it is somewhat insulated from direct geopolitical conflicts, focusing more on technical consensus and industry needs.”
Role of AI and IoT in shaping future cybersecurity standards
The executives explore how emerging technologies like AI and IoT could shape the future of harmonizing cybersecurity standards, and identify anticipated trends in national infrastructure security and global cybersecurity collaboration over the next decade.
Holcomb pointed out that emerging technology will drive the need for faster and more flexible responses to the changing technology landscape, reinforcing that standards need to be flexible and adaptable. “Generative AI is creating new possibilities for both offensive and defensive cybersecurity tactics. IoT, while driving business value, is also increasing the attack surface for many organizations and comes with a slightly different set of security control needs than other control system devices. Emerging technology has a history of pushing the boundary of existing security controls and defensive measures, particularly in industrial systems.”
He discussed expected trends, noting that global collaboration will only increase as awareness increases regarding the supply chain dependencies in the software and hardware that run our industrial control systems. He also mentioned that cybersecurity will be inextricably linked to the practice of engineering, which should help alleviate at least the kinetic or cyber-physical impact of cyber incidents moving into the future.
Butrimas identified that AI seems to be treated as an acceptable technology that makes sense to implement. “It is here to stay and will soon be coming to a neighborhood near you.”
However, he recognized that some assumptions need to be explored first, while some are starting to look deeper into the implications of AI in a process control environment. He also focused on how it will be determined that an AI-caused change is authorized and how it will be determined that the AI change makes good engineering sense. There are some serious implications to consider here before jumping onto the AI bandwagon.
Returning to the other term used, ‘IoT,’ Butrimas said that a more significant term is missing: ‘Industrial IoT’ or IIoT. “The former concerns the home and small offices while the latter concerns the safety of people, property, and the environment. Again in these deliberations, we need to understand WHAT it is that we are concerned about and need to protect,” he added.
On the anticipated trends in global cybersecurity collaboration, Butrimas said that global cybersecurity collaboration will continue as it has been for decades. “One example is the International Society of Automation which has recently celebrated its 75th Anniversary. It represents field engineers, operators, manufacturers and integrators and some policymakers devoted to finding ways to make the vital technologies society depends on to function safe, reliable and resilient.”
He also pointed to the ISA 99 Committee that developed the Industrial Automation and Control System cybersecurity standard 62443. “It has recently intensified its close collaboration with another standards organization, the International Electrotechnical Commission (IEC). This effort to harmonize and collaborate is evident from the title of the 62443 standard. It is preceded by the prefixes ISA/IEC 62443 and is considered a joint standard which has been enhanced by the recent creation of joint teams from each organization that meet to further develop and harmonize the standard. ISA/IEC 62443 Industrial Automation and Control System standard is ‘The World’s Only Consensus-Based Automation and Control Systems Cybersecurity Standards’ which has been endorsed by the United Nations,” he added.
Veeneman said that the widespread use of IoT devices, growing in proportion with expanding cellular data capacity and availability, has already sparked the discussion of standards and requirements to promote safe and reliable operations within process control environments.
“Proliferation of IoT can come at the cost of considerable resources to monitor, manage, and maintain. AI, if governed appropriately, has the potential to play a significant role in taking on the resource bandwidth from human counterparts in enhancing threat detection and automated response,” according to Veeneman. “Focusing specifically on AI as a tool for automation and optimization of threat detection and response for IoT and process control systems alike, there are opportunities for success utilizing AI to reduce workloads involving considerable data mining, anomaly detection, alerting, and reporting where time is a serious factor, whether for cost savings or ensuring safety,” he concluded.