Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

All Posts

The Open Secret—A Shared Legacy

Everyone knows that security starts simple—patch your machines. But what about the ocean of un-patchable technology that run the daily operations of so much of our critical infrastructure? Industrial Controls don’t live in the world of Patch Tuesday—equipment is amortized over 30-year mortgages and the operating systems can be just that vintage. Not to mention the sheer insanity of bringing down a whole line to patch a system that may or may not come back up with the same efficiency or run-time. Don’t expect simple or unicorn-dust solutions—this is going to hurt.

Start with Suppliers

You wouldn’t buy a ladder whose maker shrugged about safety. Demand better of your suppliers, because in this world safety relies on security. Write it into the contracts starting now. If they want repeat business, they’ll start doing things like offering patching support and testing anti-malware solutions on their own products. Suppliers need to start ensuring their own products include standard security settings—closing dangerous ports, using encryption rationally, etc. Demand that they set security as a default and document it thoroughly—we want to know when we’re choosing to make ourselves more vulnerable to make something a tiny bit faster or more accessible. And you bet they better be reporting vulnerabilities and providing fixes, pronto.

Rank Your Risk

No, you cannot eat the entire ocean or boil the whole elephant at once. So, get yourself acquainted with a way to understand how risky each sort of thing is, why it’s that kind of risky, and then decide what to tackle first. If you’ve got a bunch of XP systems chatting with the public internet and connected to anything on your plant floor, you might want to look at them first. If you’ve been acquiring equipment for 10-15 years, chances are there’s a stratification of technology that you can use to prioritize your actions based on risk. Get yourself a Risk Management Framework!

Have a Plan

We know how to build out new capacity, launch a new program, tear down a line, etc. So, we know how to make a list and check it off. Put cybersecurity in the maintenance queue, add it to safety buy-off; whatever it takes to instantiate it in the hearts and minds of the folks on the floor. Identify the most vulnerable of your systems (Risk Ranking FTW!) and get them scheduled for remediation; leverage the same systems you use to plan any other activity on your floor. Even if you’re only able to patch three systems each week, those are three systems that ransomware won’t brick.

So why even do it? Because if you don’t, a simple bit of ransomware from 2013 that would never even burp your enterprise systems will lock you out of all your controls systems one afternoon, and you’ll be stuck paying or screaming to your suppliers for replacement HMIs for a whole plant. Because if you don’t, you’ll find your enterprise digital forensics team on the phone with the FBI trying to untangle how some PLC got re-programmed to make a machine move when it shouldn’t have.

Legacy systems exist everywhere, even pristine enterprise data centers have a relic bumping away in the corner, because some antiquated process requires it. In the industrial controls space, our air gaps, our badging security, our physical controls—all of it is defeated by the tiniest thumb drive or “cost saving (!)” remote access connections. The long game is our only path to sustained security. Hold our suppliers accountable for In-Box Security, security by default. Know what you’ve got and what it’s going to take to secure it. Grind. It’s not a 6-month plan. If you’re average in scope and resources, it’s going to be a 5, 10, 15-year plan to get yourself clear of most of what’s inherently insecure out there. Commit to it. Keep your leadership a little scared, and get it done. We can’t afford not to.

Rebecca Faerber
Rebecca Faerber
Rebecca Faerber is the Manufacturing Cyber Security Program Manager, GICSP, and IT/OT Auto-ISAC Workgroup Chair for Ford Motor Company. She has been leading Ford Motor Company’s Manufacturing Cyber Security Program since it’s inception in 2017, Rebecca has built a rationalized cyber security framework, operationally tailored to the Industrial Controls Systems environment. Her 28 year career in IT has spanned technical education, software lifecycle management, database administration, security audit and compliance assessment. Over the past 17 years with Ford, she has focused on the unique challenge of protecting the manufacturing environment from cyber security threats.

Related Posts

Experience Centers Teach Cybersecurity Best Practices

The adoption of Industry 4.0 technologies is increasing efficiency and profitability across industrial co...
Luis Narvaez May 24, 2022 5:30:00 AM

Why Network Discovery is Critical in the ICS/IACS Environment

Securing operational technology (OT) networks requires a great deal of thought when designing and impleme...
Achal Lekhi May 17, 2022 5:30:00 AM

Securing Industry 4.0

As we head into the Industry 4.0 era—where connected Internet of Things (IoT) devices and automation will...
David Nosibor May 10, 2022 5:30:00 AM