November 20, 2018
Leading industrial cybersecurity officials from government and private industry gathered in Houston on Monday, October 29, to discuss new ways of countering the rising threats of cyberattack in the energy sector.
"Using the Power of Analytics to Address Cyber Security" was a half-day workshop sponsored by the International Society of Automation (ISA) and its Premier Strategic Partner in Industrial Cybersecurity, Siemens. The workshop was held prior to ISA's PCS 2018-Process Industry Event, a technical conference for professionals in the energy processing and process manufacturing industries.
During the workshop, featured experts reported that the rapid pace of digital technology and the increasing sophistication of cyber tools at the disposal of foreign entities are making it more difficult to protect critical infrastructure and the industrial control systems that operate them. However, they said advances in security analytics and machine learning are improving detection and threat assessment, and enabling more proactive and responsive defense measures.
Owners and operators of energy infrastructure also are recognizing the real threats to their businesses that cyberattacks pose and are more willing to invest in cybersecurity solutions-such as best-practice standards and in-house or outsourced security operations-and hire a qualified cybersecurity work force.
The workshop was kicked off by Leo Simonovich, Vice President and Global Head of Industrial Cyber and Digital Security at Siemens. Simonovich set the stage by explaining digital technology and the cyber world in general are evolving too fast for government and private industry to fully keep pace.
Companies must take the lead, he said, "and data analytics are the key." Armed with these tools, companies can "own their environment" by significantly improving detection when an operation system is being attacked and implement effective risk mitigation efforts. "Context and speed," according to Simonovich, are the two necessary ingredients needed to identify and thwart a cyberattack.
Providing a vital perspective from the US government was Bob Kolasky, Director of the National Risk Management Center for the US Department of Homeland Security. Kolasky outlined the federal government's functional approach to risk management in protecting the nation's critical infrastructure. He reinforced the point that data analytics and data aggregation are critical in order to better anticipate and evaluate possible threats.
Kolasky reported that while many nations in the world do not pose a significant military threat to the US, they often do present threats from the cyber realm. He said that while some of these nation states are not currently attacking US domestic infrastructure, they are conducting attacks throughout the world and could, at some point, turn their attention to the US.
Because of the public/private nature of US infrastructure, Kolasky said it's important to implement consistent cybersecurity standards and practices across public and private sectors. To further these efforts, he said the US government is incentivizing R&D and cybersecurity investment. He emphasized the importance of greater engagement among private companies in cybersecurity as solutions cannot come solely from government.
Kolasky agreed that data and security analytics hold great promise in identifying those risks that require greater and more immediate levels of response and connecting patterns and instances of vulnerability.
Sean Plankey, Global Cyber Intelligence Advisor at BP, urged more companies to take a more active approach to cybersecurity given the risks cyberwarfare presents to business operations. He said he is constantly gathering intelligence and scanning the external environment to identify and evaluate potential threats.
He is particularly focused on the operations side, where continuous processes may be affected by an attack. He agreed with Kolasky that cyberattacks differ in their ability to cause actual damage and impact business operations. By defining threats in a hierarchical manner, a business can establish a baseline.
This "baseline" concept was a recurring theme at the workshop. Given the number and types of cyberattack, it's difficult for cybersecurity systems to engage them all. Plankey said for a security system to be effective, it must work from a baseline so it can accurately distinguish viable threats from non-viable ones. Plankey said one factor to determine is whether the attack is levied by individuals acting alone or through state sponsorship. State-sponsored actors, he noted, are much more capable of executing a potentially damaging intrusion.
Ernesto Ballesteros, the State Cybersecurity Coordinator for Texas, said he focuses his efforts largely on information sharing and analysis because his mandate extends beyond government facilities and systems. "We're trying to secure the state as a whole," he explains.
To combat the shortage of workers trained in cybersecurity, Ballesteros said Texas encourages students through scholarships, and supports workforce development programs and apprenticeships so staff can gain vital skills on the job.
Matt Stewart, Head of Research and Development for Industrial Cyber Security at Siemens, highlighted Siemens' advanced security monitoring solutions. He acknowledged that many companies don't have the resources to staff a dedicated Security Operation Center (SOC) and said it can be more efficient to outsource data analysis.
Siemens, he pointed out, can extract data on potential threats at a customer facility and then rapidly get the metadata analysis in front of Siemens' cyber experts. Stewart explained that Siemens uses an industrial security product to monitor traffic on the customer networks, looking for anomalies. Using machine learning, the system monitors all network traffic, defines what is "normal" operation based on millions of transactions, then continues to seek out and flag any abnormal activity.
Siemens technology, he said, can also distinguish between activity that is simply "different" from normal, and that which could be considered dangerous. Potentially harmful activity is either acted upon by the software, or circulated up to an expert, on-call team at Siemens that can evaluate and counter high-level threats.
