
Cybersecurity has become intertwined, inescapably, with so much of the technology necessary to move industry forward and help manufacturers remain competitive. The cybersecurity ecosystem has also become more intertwined. Hardly a week passes without news of a new partnership among various types of suppliers within this community.
Collaboration is essential to combat the enormous and persistent threat that nefarious cyber actors present to the industrial world. If industry is to protect its assets, people and surrounding communities, its stakeholders will need to put their heads together even more extensively than they're already doing.
Because the bad guys are putting their heads together too. "They're collaborating much better than we are," says Jason Haward-Grau, chief information security officer (CISO) for safety and cybersecurity provider PAS. "There's an unholy alliance between organized crime, governments and individual hackers. The integration challenge we have is much more difficult."
Automation vendors are working continuously to better safeguard their products from the get-go. And news continues unabated about partnerships between those vendors and specialized cybersecurity providers like Claroty, Palo Alto Networks, PAS, and Nozomi Networks, to name just a few. But what about those automation vendors collaborating with each other?
Those big names in automation are often fiercely competitive with one another. But if industry is really going to safeguard itself from increasingly coordinated and sophisticated attacks, we might need every one of them joining hands in new and meaningful ways.
The interest is there, certainly. But so is the trepidation. Some are adamant about the need to share information more closely with one another but aren't sure how to frame those alliances. Others don't even feel particularly comfortable discussing the topic at all. But they all feel the pressure to do whatever they can to protect the castle.
"I want to see collaboration between vendors. Our system is connected to another vendor's product, so each is at risk if either is attacked," said Gary Williams, cybersecurity services offer leader for Schneider Electric. "So let's come up with an agreed approach on R&D."
It will be difficult, certainly, Williams concedes. "We've got to get rid of the competitive nature."
Pressure from customers
There's certainly interest throughout industry in getting more collaborative efforts together to fight off the threats, says Rob Putman, global lead on cybersecurity for ABB Industrial Automation. "There's also pressure from senior leadership at customers," he says. "They're saying, 'Can you guys please come together and at least speak to a common framework?' From a customer and C-level perspective, I've heard that specific feedback."
For critical infrastructure operators, putting pressure on vendors to work more collaboratively, Putman says, is tied to the holy trinity: availability, resilience, and safety. "On whether they perceive a threat to any of those three mandates," he explains. "If they discover a vulnerability that we at ABB aren't familiar with, how easy is it to fix?"
This is where trusted relationships within the vendor community can be particularly helpful. But those conversations need to proceed with caution. "The people who are really thinking about this are doing it from a place of integrity," Putman says. "However, you have to put guard rails in place and define the relationship."
Any communication channels related to sensitive cybersecurity information need to be clearly defined, agrees Camilo Gomez, global cybersecurity strategist for Yokogawa Electric. "It should be at the request of our end user," he says. "The most difficult implications are for the asset owner, so the disclosure needs to be done by the customer."
Information sharing
Claroty, a cybersecurity company that has forged partnerships with several automation suppliers over the past couple years, has a front-row seat for seeing the types of collaboration going on among vendors, according to Dave Weinstein, vice president of threat research for Claroty. "It's more about the collaboration between vendors themselves and different authorities in this space: government entities that serve as central hubs of not just the analysis of threats, but coordination of vulnerability disclosure," he says.
Automation vendors are proactively identifying vulnerabilities in the products themselves and sharing that information with government and non-government authorities. "It's actually the most efficient model," Weinstein contends. "If vendors got together and shared information on vulnerabilities with each other, it would probably fall into the wrong hands. And it wouldn't get to the end user as quick as possible."
On the IT side of the house, the Cyber Threat Alliance focuses on sharing threat information among companies and organizations in the cybersecurity field. The National Cybersecurity and Communications Integration Center (NCCIC) serves as a national hub for cyber and communications information. It integrates functions previously performed independently by the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
"On the vulnerability side, the model is working pretty well. It incentivizes third-party researchers to insert themselves into this process," Weinstein says. "The security research community is an extremely benevolent community. Most folks just like what they're doing and have a really serious belief to secure the world's infrastructure. It works pretty well."
VirusTotal, which serves as a public malware repository, is a great example of how researchers can come together for the common good, Weinstein says. "Sometimes malware can inadvertently proliferate into the wrong hands. But on net, those types of communities are positive for security of the ecosystem," he says. "There's a constant debate in terms of how much freedom should be allowed to the research community. I come down on the side of more, not less."
PAS's Haward-Grau comes down on the side of exercising more caution. He's concerned, for example, that with VirusTotal, there's no validation and no understanding of the implication of what's being uploaded. For ICS-CERT, he sees a need to implement a registration system that would validate the credentials of those sharing information. "Sharing is good," he says. "But lack of control of sharing can harm far more than it can hurt."
Previously founder and director of Carnegie Mellon's CERT Insider Threat Center, Dawn Cappelli comes from a background of information sharing. In fact, when she joined Rockwell Automation in 2013, she told them she'd only join them if they'd let her keep collaborating across the community. When she initially formed the insider threat information sharing group at Carnegie Mellon, there were only about five people involved. "It grew to more than 300 people from 200 companies," she says. "Some of our competitors are members. I actually really like that. I can talk to my peers about similar insider risks that we both have to worry about."
Now, as vice president of global security and CISO at Rockwell, she would love to be doing something similar with other CISOs at competing companies. "We're all in this together," she says. "If a nation state attacks one of our products, it's just by luck they picked yours instead of mine."
Cappelli points to the model of the Information Sharing and Analysis Center (ISAC), which assists federal and local governments with information pertaining to cyber threats. There are ISACs related to several different industries, including financial services (FS-ISAC), health (H-ISAC) and real estate (RE-ISAC). There are even ISACs for specific industries, such as automotive (Auto-ISAC) and oil and gas (ONG-ISAC).
Ideally, Cappelli would like to start an industrial ISAC. "The FS-ISAC is very mature. Big financial institutions are on the phone with each other, saying, 'I just saw malware come in from this IP address; you'd better block it,'" she describes. "It's worked in other sectors, and I think we need to get it to work in ours as well."
The inability to do much of the same thing within the industrial sector really hit home when the WannaCry ransomware attack struck two years ago. "Who do I call? We know something's happening out there, but what's really happening? And how is it happening?" Cappelli wondered. "We were just reaching out to individuals just trying to get information."
Setting standards
An area where competing automation vendors collaborate extensively is within standards, Cappelli notes. "We all have people on those committees," she says. "We're working together to define what are the standards to better secure our products."
The Open Process Automation Forum (OPAF) is another example of industry collaboration, points out Tom Clary, director of global business communications at Schneider Electric. He sees OPAF, through which competing automation vendors are cooperating to develop a framework for seamless interoperability among their systems, as an apt model that could be applied to cybersecurity.
"We put the requisite strictures in place to go into a room to see what the future looks like without risking intellectual property. There could be the creation of some sort of body that looked like that," Clary says. "It's a way for Schneider Electric to go into the room with other vendors, with major customers, integrators, third-party providers, and say, 'Look, this is what we found.' We put that on the table for everybody to look and discuss and learn from that."
It would not be simple, he says. "But I don't think it's impossible."
There is an effort being made through OPAF itself to work collaboratively on the security of the system architectures being developed there. "OPAF is a good element," Gomez says. "We're working not only on the functional architecture that's required and desired, but also include these things we've learned for security practices. The new generation will come with those things covered."
Collaboration with the end user
And then there are the manufacturers themselves, which must take a certain degree of responsibility for working together with their vendors to secure their systems.
It's a common misconception that collaboration needs to happen only among the vendors, Gomez insists. "There needs to be collaboration from all the players," he says. "What good would it be to enable security if it's not enabled by the owners?"
Automation vendors have a responsibility to ensure that their products are secure, Williams says. "What we cannot foresee is how the client is going to use our system."
Schneider Electric has been widely praised for how transparent it was in the wake of the 2017 Triton attack on its Triconex safety system at a petrochemical plant in Saudi Arabia. At its Triconex User Group meeting this past October, Schneider execs were even more forthcoming, not only about exactly what happened but also their own frustrations with the situation.
In this case, there was really no collaboration going on between system designer and customer because the Triconex system was bought by a third party, which then delivered it to the client. The client had let maintenance and simple software upgrades lapse, but Schneider Electric had no way of knowing that. So while the petrochemical facility was a user of Schneider Electric's product, it wasn't a client, per se, of the automation vendor.
"This particular site was not receiving advisories," said Steve Elliott, Triconex senior marketing director at Schneider Electric. "Nobody was caring for and feeding them."
The incident also involved the customer not following some basic cybersecurity housekeeping steps. Williams was quite frank about the need for end users to take the steps necessary to protect their equipment. "If you do it properly, we wouldn't be having this conversation," he said at the Triconex meeting.
Schneider Electric has been part of a large effort working with standards bodies. "We hope that the next evolution of standards will actually encompass the lessons learned that we've had to go through for this incident," Williams says.
"We have to work as an industry," Elliott says. "We have to work together. I hate to say it, but that includes government. If we don't define it, then we have to live with whatever lunacy they come out with. We have to work together to defeat the attackers."