Cisco : Laying the Foundation to Secure Critical Infrastructure

We know critical infrastructure is vulnerable to cyber-attacks. Widely discussed for more than a decade, the risk is well known to both the public and to risk management and cybersecurity experts. With the rising wave of global Digitization, Industry 4.0 and the Industrial Internet of Things (IIoT) are demanding more network connectivity and creating greater opportunity for scalable internet-based attacks. It's more critical now than ever that the foundational building blocks of Industrial and Automation Control Systems (IACS) incorporate capabilities that can withstand today's internet threats.

Fortunately, we are at a turning point. IACS-focused standards have matured, and commercial off-the-shelf security technologies can now be used to build systems that address those challenges, enhancing cyber resilience and securing critical infrastructure. It's time for industry leaders to certify against these standards. And it's time for line-of-business customers to demand their technology providers incorporate trustworthy technologies into every new product and solution, especially those focused on IIoT and Industry 4.0.

I'll highlight two recent events that have me convinced that the time is now:

First, the majority of work products developed by the ISA99 standards development organization are either published or soon-to-be published as part of international standard series ISA/IEC 62443. The participation rate at the most recent ISA99 standards committee meeting was probably twice that of the same meeting a few years ago, and this organization is now looking at where they need to revisit and update some of their oldest standards for cybersecurity of IACS. What does this all mean? It means that this mature standard has been accepted as the defacto security standard for control systems and is increasingly being adopted by industry. Why should you care? Industry standards, such as ISA/IEC 62443, play an important role in setting the cybersecurity bar for all relevant stakeholders in the critical infrastructure value chain: from product suppliers to integration providers as well as asset owners, system operators, and maintenance providers.

Second, Trustworthy Technologies that help secure the fundamental components of electronic devices can be purchased as commercial off-the-shelf solutions. These technologies add resiliency to devices and combat persistent threats deployed by sophisticated threat actors - those targeting critical infrastructure. They enable a secure-by-design architecture for the fundamental building blocks of all electronic assets, whether those assets be computers, IoT devices or embedded Real-Time Operating Systems that are part of an IACS. Cisco builds Trustworthy Technologies into all new products that we ship, enabling our portfolio to meet the more advanced technical security requirements that ISA/IEC standard 62443-4-2 demands of security capability levels 3 and 4. For those interested in learning more about the applicability of these technologies to the IIoT, I highly recommend that you check out the whitepaper the Industrial Internet Consortium published this spring on Endpoint Security Best Practices.

Like most challenges, there is no quick fix. There is no bolt-on security solution that will magically resolve the challenges and strengthen the weaknesses inherent in IACS and critical infrastructure. This is why it is imperative that we regularly discuss this topic as an industry. The only resolution will come with dedicated focus, due diligence, and significant long-term investments of both time and money, where all stakeholders work together towards a common goal.

Right now, there are multiple actions we need to take as an industry. Everyone has a role to play - including our end customers. Customers should:

1. Demand that trustworthy technologies be part of any new electronic devices that are part of the IACS system in order to meet the technical security requirements of ISA/IEC 62443-4-2.
2. Mandate security be built-in to all IIoT components deployed in your environment, e.g. by ensuring all products are made using a Secure Development Lifecycle as defined in ISA/IEC 62443-4-1.
3. Design IIoT solutions that meet your acceptable risk thresholds, as determined using the process defined in ISA/IEC 62443-3-2.
4. Re-evaluate and update the network designs of all your operational systems with the joint goals of tightly coupling your network and security architectures and simplifying operational processes for network monitoring, detection and response.

The conversation has begun and the foundation for progress has been laid. I'll be exploring topics like securing critical infrastructure and the IIoT in future blogs. Until then, stay up to date by visiting the Trust Center for the latest news and resources.