With this issues in mind, and as cybersecurity incidents like SolarWinds and smart device source code breaches become more common, Jablanski says it’s time to get serious about securing ICS.
“Piecemeal approaches to vulnerability patching and compliance box checking won’t prevent sabotage by a threat actor,” she said. “Critical sectors need to take note and plan inquiry and action to perform bottom-up assessments of critical operations, systems, and information.”
To build real momentum, she added, organizations need to do reconnaissance on their operations and begin testing their assumptions. Jablanski noted two new standards that may help:
The ISA/IEC 62443-3-2: Security Risk Assessment for System Design standard defines a set of engineering measures to guide organizations through the process of assessing the risk of a new or existing ICS or Industrial IoT system. It also establishes how to identify and apply security countermeasures to reduce that risk to tolerable levels.
The Idaho National Laboratory’s Consequence-Driven, Cyber-Informed Engineering (CCE) standard focuses on worst-case access and exploitation scenario planning. CCE proceeds from the assumption that the only way to understand attacks before they occur is to think like an attacker and stress-test your network and security policies.