Efficient Plant January 2018 - 21

feature | operational strategies
with security in mind. They note, however, that
increased awareness in the importance of and
threats to BMS/BAS systems is finally boosting
interest in protecting them from cyber incidents.
Adoption of industrial cybersecurity frameworks will increase. Though most industrial
cybersecurity frameworks aren't mandatory,
Gandelsman and Lenchner described a significant
uptick in organizations looking to implement
them during 2017. They expect this trend to continue in 2018. While cybersecurity compliance is
an important goal, they wrote that it's even more
imperative to implement measures that provide
much-needed visibility into industrial network
activity to detect incidents and conduct the right
incident response. Such frameworks include:
NIST Cybersecurity Framework: The National Institute of Standards and Technology,
(nist.gov, Gaithersburg, MD) published the first
version of the Cybersecurity Framework (CSF)
for operators of critical infrastructure in 2014.
In 2017, NIST released an update titled "Framework for Improving Critical Infrastructure Cybersecurity Version 1.1." that incorporates feedback and comments from the agency's Dec. 2015
Request for Information. NIST also published
the "manufacturing profile" of the cybersecurity framework, which enhances (but does not
replace) current cyber-security standards and
industry guidelines. It can be used as a roadmap
for reducing manufacturer cybersecurity risk.
NERC CIP: The North American Electric
Reliability Corp. (nerc.com, Atlanta) introduces Critical Infrastructure Protection (CIP)
standards to ensure reliability of the nation's
Bulk Electric System (BES). The current version
of NERC CIP includes 11 critical infrastructure-protection cybersecurity standards that
specify a minimum set of controls and processes
power-generation and -transmission companies
should follow to ensure the reliability and security of North America's power grid. Deploying
traditional IT security controls, such as firewalls
and antivirus software, is not sufficient for CIP
compliance. To meet NERC's CIP standards,
electric-utility owners and operators must also

JANUARY 2018

have complete visibility into all ICS assets and
network activities.
Pharmaceuticals Manufacturing Guidelines: The current good manufacturing practice
(cGMP) regulations for validating pharmaceutical manufacturing require drug products to
be produced with a high degree of assurance
that they meet all attributes they are intended to
possess. The U.S. Food and Drug Administration (fda.gov, Washington) issued guidance that
requires manufacturers to maintain processes
in a state of control over their entire lifecycle, even as materials, equipment, production
environment, personnel, and manufacturing
procedures change.
Secure and encrypted industrial protocols
will be introduced. In 2018, Gandelsman and
Lenchner expect industrial technology vendors
will introduce devices that support encryption
and other embedded security controls. Although
this is a positive trend and a crucial step toward
making industrial control systems and critical
infrastructure more secure than in the past, they
predict it will take decades before all legacy technologies are replaced. Even then, they believe no
single product, technology, or methodology can
fully secure ICS environments.
The solution? A defense-in-depth approach,
they wrote, one that addresses internal and external security threats, is what's needed. As they put
it, this begins with consolidated OT-network-activity monitoring and integrity validation for
critical devices such as industrial controllers.

BOTTOM LINE
Cyberthreats are everywhere. And they're not
going away.
The bottom line, according to Gandelsman
and Lencher, is clear: Referencing past, current,
and future industrial realities, they conclude
that significant increases in ICS network threats
demonstrate the need for organizations to take
cybersecurity far more seriously in the coming
year. That is, if those organizations really want
to reduce the risk of successful cyberattacks on
critical infrastructure. EP

Organizations
must take
cybersecurity
far more
seriously than
in the past.

+
To read the full
two-part series on
which this article
is based, as well
as download
various resources
associated with
the discussion,
go to blog.indegy.
com.

EFFICIENTPLANTMAG.COM |

http://www.fda.gov http://www.nist.gov http://www.nerc.com http://blog.indegy.com http://www.EFFICIENTPLANTMAG.COM

Table of Contents for the Digital Edition of Efficient Plant January 2018