National Institute of Standards and Technology issues guidelines on how manufacturers can restore operations after a cyber attack

May 25, 2026

The papers, standards and guidelines published by the National Institute of Standards and Technology (“NIST”) are in many ways more practical and effective than the guidelines issued by privacy regulators, which of necessity must be more general. NIST has published a very useful standard on methods to help manufacturers restore operations after a cyber attack.

The summary provides:

Industrial control systems (ICS) and devices that run manufacturing environments play a critical role in our nation’s economy. Manufacturers rely on ICS to monitor and control physical processes that produce goods for public consumption. These same systems face an increasing number of cyber attacks, presenting a real threat to manufacturing safety and production. Though defense-in-depth security architecture can help mitigate cyber risk, it may not entirely eliminate it. Organizations should have a plan to recover and restore manufacturing operations should a cyber event impact plant operations. The NCCoE, together with the NIST Communications Technology Laboratory and industry collaborators, will demonstrate an approach for responding to and recovering from an ICS attack within the manufacturing sector by leveraging the following cybersecurity capabilities: event reporting, log review, event analysis, and incident handling and response. The NCCoE will implement each of these capabilities in a discrete-based manufacturing work-cell that emulates a typical manufacturing process. The project will result in a freely available NIST Cybersecurity Practice Guide.

The Abstract provides:

Industrial Control Systems (ICS) that operate manufacturing environments play a critical role in the supply chain. Manufacturing organizations rely on control systems to monitor and control physical processes that produce goods for public consumption. These same systems are facing an increasing number of cyber incidents, posing a real threat to safety and production, and impacting the economic performance of manufacturing organizations. Though defense-in-depth security architecture helps mitigate cyber risks, it cannot eliminate all cyber risks; therefore, manufacturing organizations should also have a plan to recover and restore operations should a cyber incident impact operations. This practice guide showcases various cyber attack scenarios developed with industry collaborators to produce a methodology that enables the adoption and implementation of response and recovery measures in manufacturing environments to strengthen operational resilience.

The Executive Summary provides:

Manufacturing systems play a critical role in the supply chain and are essential to the nation’s economic security. Manufacturing organizations rely on Industrial Control Systems (ICS) to monitor and control physical processes to improve business agility and operational efficiencies. These same systems are facing an increasing number of cyber incidents from destructive malware, malicious insider activity, hardware failures, or unintended human error. Potential outages can be significant in scope and downtime, and may result in a loss of production, affecting safety controls for personnel, or the loss of millions of dollars to the organization. While defense-in-depth security architecture can help mitigate these risks, it cannot guarantee the elimination of cyber incidents. Therefore, manufacturing organizations should have a plan in place to maintain a resilient infrastructure in the event of cyber incidents that impact operations. To help with these challenges, this practice guide was developed using the NIST Cybersecurity Framework (CSF) 2.0 [1] as the basis for a response and recovery effort. The CSF defines standardized outcomes upon which organizations can base response and recovery objectives.

For organizations without established cybersecurity controls, establishing and implementing response and recovery procedures can be a daunting task. In addition, guidelines and frameworks alone can be difficult to follow without practical applications. In response, the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) worked with stakeholders and industry collaborators specializing in response and recovery to demonstrate the practical application of cybersecurity technologies in a discrete-based manufacturing system that emulates a typical manufacturing environment. The effort resulted in this Practice Guide, providing three functional scenarios that demonstrate implementation of response and recovery procedures using commercially available technologies. The aim is to illustrate effective execution of response and recovery fundamentals, as well as highlight the benefits that result from the deployment of technologies that improve operational resilience.

Key takeaways from the development of this Practice Guide are as follows:

    • Planning and preparation are critical in responding to and recovering from cyber incidents, since risks still exist despite efforts to implement defense-in-depth protections against known threats.
    • Logging and visibility across assets and the supporting ecosystem improve investigation, diagnostics, and protection, and shorten the time between detection and containment.
    • Robust monitoring goes beyond simple event logging and should include behavioral analysis and ongoing coordination between the OT engineering and the Security Operations Center (SOC) team.
    • Human factors, such as employee training on the stages of response and recovery, communicating between IT and ICS administrators, and working with OT product vendors, will allow for effective plan implementation in addition to technical solutions.

The standard is 186 pages long. Some of the key points are:

  • Establishing effective response activities in OT environments requires capabilities such as rapid identification of threats and incidents, coordination across subsystems and differing vendor equipment, and visibility into networks and operational components. However, many ICS systems have correspondingly limited logging and telemetry into legacy assets, constraints on managing third-party vendor subsystems, the use of a wide range of hardware and associated network protocols, and inconsistent approaches to coordinating information across business units and operations. Unless addressed, these conditions create a challenging environment to accomplish response objectives.
  • Effective recovery relies on mature strategies, ongoing employee training and awareness, established methods such as playbooks for types of incidents, and trusted/known-good configurations and files. Despite this, many manufacturing organizations may not prioritize these practices in their environments, possibly due to tight production schedules, downtime management, supply chain issues with a wide variety of ICS components, dependencies on specialized vendor equipment, and gaps in training and awareness. With these conditions, recovery practices may remain ineffective and lead to longer outages.
  • AWS’s cloud infrastructure enables off-premise redundancy of the Inductive Automation Ignition data historian. Data historians are large databases and user interfaces that allow someone to view historical trends for maintenance, operational improvements, and investigations. Redundancy is desirable for many critical systems in an operational environment, including the data historian. In this architecture, the Ignition data historian software is configured on the AWS infrastructure to serve as a backup for the on-premise data historian.
  • The Ignition Tag Historian Module is used to receive, store, and display historical tag data from the robot controller, conveyor PLC, and supervisory PLC. A redundant data historian architecture is implemented using an Edge server installed in the Operation/Supervisory Control network to collect real-time ICS data. This data is sent to a Local Gateway and a Cloud Gateway. Redundant databases are also used to store historical tag data.
  • Siemens SIBERprotect technology is used to enable isolation of the Conveyor, Robot, and Supervisory systems from the Manufacturing Applications and Security networks. Syslog alerts are configured within the Dragos and Tenable platforms based on high-risk detections and are forwarded to the Siemens Security PLC for visualization on the Security HMI. When the Security HMI displays an alert, operators can choose to either acknowledge the notification or initiate network isolation by selecting the appropriate action. If network isolation is selected, the Siemens Security PLC sends a digital signal to the SCALANCE, which responds by segmenting the protected network from external connections, effectively acting as a firewall.
  • A comprehensive security architecture should be designed to detect cyber incidents prior to impact, including detection of initial access, discovery, and lateral movement. However, a thorough defense should also be prepared to restore and recover if an adversary goes undetected and operations are impacted.
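The alert-to-isolation flow in the SIBERprotect bullet above (high-risk syslog alerts reach an HMI, an operator acknowledges or isolates, and only isolation drives the segmentation signal) is reduced here to its decision logic as an added example; it is not code from the NIST guide or from Siemens, Dragos or Tenable, and the syslog lines, severity threshold and signal output are constructed assumptions.

```python
"""Added illustration of an operator-gated alert-to-isolation flow.
Sample lines, threshold and the output signal are constructed; nothing
here is vendor configuration from the practice guide."""
import re
from dataclasses import dataclass, field

# RFC 5424 PRI value = facility * 8 + severity; severity 0..7, 0 = most severe.
PRI_RE = re.compile(r"^<(\d{1,3})>")
HIGH_RISK_MAX_SEVERITY = 2  # constructed threshold: emerg/alert/crit only


@dataclass
class SecurityPLC:
    """Gate between detection-platform alerts and the network isolation signal."""
    hmi_queue: list = field(default_factory=list)   # alerts awaiting an operator
    audit: list = field(default_factory=list)       # every decision, for later review
    isolation_signal: bool = False                  # digital output to the switch

    def receive_syslog(self, line: str) -> bool:
        """Forward a line to the HMI only if its PRI decodes to a high-risk severity."""
        m = PRI_RE.match(line)
        if not m:
            return False                     # malformed line: never reaches operators
        severity = int(m.group(1)) % 8
        if severity > HIGH_RISK_MAX_SEVERITY:
            return False                     # informational noise stays out of the HMI
        self.hmi_queue.append(line)
        return True

    def operator_action(self, action: str, index: int = 0) -> bool:
        """Operator acknowledges or isolates; isolation never happens by default."""
        alert = self.hmi_queue.pop(index)
        self.audit.append((action, alert))
        if action == "isolate":
            self.isolation_signal = True    # segment the protected cell from outside
        elif action != "acknowledge":
            raise ValueError(f"unknown operator action: {action}")
        return self.isolation_signal


# Constructed sample alerts (hostnames and messages are made up, not real output).
SAMPLE_LINES = [
    "<10>1 2026-05-25T10:00:00Z ids-a dragos - - - unauthorized PLC program download",
    "<14>1 2026-05-25T10:00:05Z scan-b tenable - - - informational: host discovered",
    "bad line without a PRI header",
]


def run_demo() -> tuple[int, bool]:
    """Feed the samples through the gate, then have the operator choose isolation."""
    plc = SecurityPLC()
    forwarded = sum(plc.receive_syslog(line) for line in SAMPLE_LINES)
    plc.operator_action("isolate")   # one critical alert reached the HMI
    return forwarded, plc.isolation_signal
```

Only the `<10>` line (severity 2, critical) reaches the queue; the informational line and the malformed line are dropped, and the signal is raised only by the explicit `isolate` choice.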
