Security incidents pose a real threat to industrial networks. In 2014 alone, organizations in the energy, utilities, industrial, and oil and gas sectors encountered 245 unique industrial control system (ICS) incidents, with more than 800 security advisories published that same year. To make matters even more daunting, only a fraction of those events were intentional. In October of 2015, David Meltzer, chief research officer at Tripwire, and Jeff Caldwell, chief architect of cyber security at Belden, delivered a presentation at the Belden Industrial Ethernet Infrastructure Design Seminar. The two experts discussed, among other things, how 80 percent of security incidents that occur on industrial networks are unintentional and result from a variety of causes, including human error (such as misconfiguration errors), software/device flaws, and the accidental introduction of malware (such as BlackEnergy or Stuxnet) via an infected laptop or USB. One significant example of an unintentional industrial network security incident was the failure of two circulation pumps at Unit 3 of the Browns Ferry Power Plant back in 2007. Inspectors determined that excessive traffic on the control system, which was possibly caused by another control system device's failure, had caused the pumps to fail. The event forced on-site controllers to manually shut the Unit down. Ultimately, both the SPDS and the PPC were down for five to six hours. Events such as the Browns Ferry Power Plant failure make up the bulk of security incidents on industrial networks. Indeed, just one in five ICS incidents were intentional, though according to the United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), more than half (55 percent) of those events were attributable to advanced persistent threats (APT), suggesting an increased level of sophistication among external attackers. The security duo went on to explain how a 1-2-3 solution-based approach to security involving industrial networks, industrial PCs, endpoints and critical assets, and industrial controllers can help defend against ICS incidents. However, it is important to note that products are not the only means by which controls engineers and security professionals can protect industrial networks. This point has not been lost on Meltzer, who feels that cooperation between IT and operation technology (OT) is key to enhanced security and reliability.
"IT Security could have ignored the OT network as it being disconnected, air-gapped, proprietary, and not subject to the same sort of threats and attacks in the past, but this mindset is no longer effective," Meltzer observes in an article on the Industrial Internet of Things (IIoT).
"Cooperation on a consistent security strategy across both IT and OT is essential for the future," he adds. But how do IT and OT begin to bridge their cultural differences?
At this RSA Conference USA 2016, one of Tripwire's top information security conferences for 2016, Meltzer and Caldwell reunite to deliver a talk entitled "Converging IT and OT for Secure, Reliable, Resilient Industrial Networks." For their presentation, they will dispel myths and misconceptions relating to the IT and OT divide, and they will address how IT and OT can come together in order to improve security and reliability for industrial networks. To learn more about Meltzer and Caldwell's upcoming talk, please click here. To learn more about and register for RSA Conference USA 2016, click here. If you are interested in learning more about Industrial Cyber Security you can download our new e-book, “Industrial Cyber Security For Dummies” here.