Welcome to the first post of the ISA Global Cybersecurity Alliance blog, Building a Resilient World: Practical Automation Cybersecurity. We're glad to have you here. Stay informed on the latest updates by subscribing to our blog feed at the end of this post, or from the "Subscribe" field on our main page. Please feel free to share this post on social media as well. Thanks for reading!
The ISA Global Cybersecurity Alliance (ISAGCA) was founded on five core beliefs held and promoted by each of its member companies. These beliefs act as a driving force for making decisions about prioritization of work products, creation of internal practices, and current or future objectives for promoting standards and best practices to reduce industrial cyber risk.
Core Belief 1: Digital transformation leverages innovative technologies but often undervalues security.
The protection and security of a facility can be compromised by accessibility – greater accessibility, either locally or to other systems and locations is essential to modern operations, but this makes the facility more vulnerable to cybersecurity threats. The age of digital transformation is driving significant business changes, but many facilities are prioritizing technology functionality over security. Your company’s digital transformation strategy should not be considered separately from its security strategy; the two go together. Technology should never be added to your asset mix without considering the implications on security and process safety. If security is not priority 1 or 1A within your digital transformation plan, it isn’t high enough on the priority list.
Core Belief 2: Consequence-driven, cyber-informed engineering is a business imperative.
A facility cannot protect every asset and every communication path equally. Each asset, process, and interface must be evaluated based on business benefit, consequences, criticality of operations, your company’s appetite for risk, and other factors. A facility with no risk is a physical impossibility in today’s connected world. The only way to improve your cybersecurity posture is to design cybersecurity into process control, evaluate each process and asset, setting realistic and situationally appropriate goals, and establish resiliency and recovery plans. A comprehensive security approach is an absolute necessity to identify and prioritize risks and ensure ongoing process safety, reliability, and cyber resiliency.
Core Belief 3: Safety and cybersecurity are inseparable.
We believe safety and cybersecurity are connected in critical ways. First, accessibility is a primary enabler of cybersecurity risk. Physical safety and security are important considerations for how and when assets are accessible to employees, contractors, vendors, consultants, and the broader public. Second, operations technology is primarily concerned with integrity of processes rather than protection of information or privacy of data. The consequences of failed processes are directly related to the physical safety of employees and communities, the protection of the environment, and the safe operation of assets. The nature of these consequences means we should not consider safety and cybersecurity as separate topics. Cybersecurity and safety standards are increasingly adopting matching language referencing cybersecurity as a safety risk, requiring regulatory attention. Finally, cybersecurity advocates can learn a lot from the maturation of process safety and the benefits of standardization for broad, consistent improvement in critical areas.
Core Belief 4: Cybersecurity improvement is a discussion about organizational culture, not just technology.
The automation cybersecurity challenge spans processes, people, and technology: a company’s processes and communications must be secure; operations staff must have expertise in industrial control systems cybersecurity; and the facility’s technology must be inherently secure. It is critical that every organization engaged in industrial automation evaluates its current and future cybersecurity culture and organizational change management strategies. It is the people who are the first line of defense against cybersecurity breaches, and it is the people who are the most likely point of failure in the breakdown of processes that lead to unmitigated vulnerabilities. Information Technology, Operations, Engineering, Digitalization, and Executive Teams have different, and sometimes competing priorities and tactics. Consciously and consistently improving a facility’s cyber risk culture is the most effective way to safely operationalize your technology and process strategies.
Core Belief 5: The challenges that industries face around automation cybersecurity can only be handled by collaborating and working together in an open, inclusive environment.
The connectivity of today’s world means that almost every facility operates with dozens of vendor products, devices, and components. It is impossible for vendors to guarantee the inherent security of a product once it’s been plugged into other products and processes. Security requires a holistic approach, not limited to vendor, product, or system. This means a standards-based approach by asset owners applied consistently and correctly is a critical piece to the cybersecurity protection puzzle. It also means automation providers, cybersecurity providers, system integrators, and the entire automation ecosystem must work together to educate and advocate for cybersecurity issues. If one of us is weak, all of us are more vulnerable. This is a fact of life within our digital world and to ignore it in the hopes of working independently with your own supply chain is a fundamental miscalculation of the risks we all face.