Advancing Automation: Cybersecurity Insights, Volume III

INTRODUCTION
It seems like every week we hear the name of a new, devastating cyber attack. Names like ‘WannaCry’, ‘Petya’ and ‘Stuxnet’ may not mean much at first, until it’s your plant that is affected by these increasingly frequent attacks. That’s why Automation.com, your source for the latest automation news, information and innovation, has compiled this extensive Cybersecurity eBook. We’ve been working with leaders from across the industry to deliver a detailed guide to help organizations secure industrial networks and control systems, as well as make forward-looking security decisions to protect your facility before the next attack happens.

Whether you work in IT, OT, management, maintenance, or sit on the board of a multi-national
manufacturing corporation, this eBook has valuable information that you need to know in order to
actively secure your organization and ensure that the inevitable future cyber attacks are met with a
stronger defense.

This eBook includes:


Owl Cyber Defense Solutions’ detailed guide on how to secure your organization when you can’t apply patches
Patches often contain crucial updates that close security holes, yet they can also cause chaos and, worse, unplanned downtime for an organization. This article discusses multiple ways your organization can enhance its security preparation, even if it’s not the right time to apply patches.

Indegy’s article discussing the practices necessary to protect your industrial networks and IIoT technology
While Industry 4.0 and the Industrial Internet of Things (IIoT) have brought major advances in productivity and connectivity across multiple industries, they have also increased the number of security vulnerabilities today’s organizations face. This article discusses what to do to keep intruders out of your networks.

Ultra Electronics 3eTI’s expansion of the Department of Homeland Security’s 7 strategies for
Industrial Control System (ICS) defense
If you’re bringing your factory up-to-date with the digital age, you won’t want to skip this 7-step guide
on how to secure Industrial Control Systems, and other previously isolated equipment, which may
represent potential vulnerabilities in the transition to your connected facility.

Belden’s big picture discussion on who truly owns organizational responsibility for cyber defense
strategy
Belden’s article provides industrial management and executives with a real world approach to ensuring
that any C-level executive can ask the right questions to the right people, along with facilitating
organizational cooperation, and proving that you don’t need to be a technical genius to be cyber
secure.

TABLE OF CONTENTS

What If You Can’t Patch? (Page 4)
by Scott W. Coleman, Director of Product Management, Owl Cyber Defense Solutions

IIoT, Industry 4.0 and the Cyber Threat: Securing Industrial Networks in the Digital Era (Page 10)
by Dana Tamir, VP of Market Strategy, Indegy

Seven DHS Strategies for Defending Industrial Control Systems (ICS) & the Must-Have Protections for Supporting Them (Page 15)
by Kenneth Frische, Director of Cybersecurity, Ultra Electronics, 3eTI

Cyberattacks and Bottom Lines: Who Has Responsibility for Industrial Cyber Risks? (Page 20)
by Katherine Brocklehurst, Director, Industrial Cybersecurity, Belden and Tripwire
What If You Can’t Patch?
By Scott W. Coleman, Director of Product Management, Owl Cyber Defense Solutions

ICS networks and IT networks are becoming increasingly entangled (or, more politely, “converging”). Workstations and servers on ICS networks running standard IT operating systems such as Windows are becoming more and more common. Unfortunately, as many ICS operators are all too aware, these changes are making ICS networks more vulnerable than ever to hacking, especially malware and ransomware attacks.

The latest rash of NotPetya and WannaCry ransomware proved that cyberattacks are certainly not slowing down, but simply patching systems and device applications can go a long way toward preventing them. Both attacks relied on EternalBlue, an NSA exploit for a flaw in the SMBv1 file-sharing service present in multiple versions of the Windows operating system, to infiltrate and lock down vital systems, charging a ransom to get them unlocked. However, the patch that closes that hole was already available months before the attacks took place. So why didn’t many major organizations patch their vulnerable systems?

Downtime = $$$
The first complication is that large industrial, infrastructure, and commercial networks are usually tuned to operate at peak performance (or very near it), and often involve the production of a product, whether it’s electricity for the power grid or a children’s toy. So when the systems go down and production stops, there is a financial impact on the operators/owners.

Not surprisingly, this means operators don’t want to take the systems down very often, and taking them down is required to install patches. Downtime is planned far in advance, and it may be months, or even over a year, until the next patching window. So while the Microsoft patch was available in March, many operators still had not reached a patch window when the first attack occurred in May.

Figure 1. Delay from patch release to patching window

To Risk or Not to Risk
In other cases, operators run the risk/benefit analysis and choose not to patch. This ignores that many modern attacks can completely destroy entire ICS networks, and that it’s not really a matter of if your network will be attacked, but when.

Regardless, the most common reason given is simply that the systems work as is, and no one wants to perform change management, deal with any downtime, or risk infection or disruption. While illogical, many operators assume the cost of breach remediation will be less than that of the downtime required to patch or upgrade systems. Needless to say, this practice is not recommended.

No Can Do
Or, ultimately, they just can’t do it. There are often critical systems, devices, and applications that cannot be patched because they are outdated and no longer supported, or because they have no free memory to install a patch.

Even being “up to date” doesn’t necessarily mean that all software vulnerabilities have been patched. It’s possible that a vulnerability exists that is unknown to anyone outside of a few elite hackers, a so-called “zero-day”, as the flaw behind EternalBlue was before it was revealed to the public. Zero-days can be weaponized by hackers, and because even the company that makes the software doesn’t know about them, there is no way to patch them.

Advancing Automation eBook Vol. III PAGE 4

There are also instances where third parties that own or manage equipment within operational networks neglect to update those systems in a timely fashion. These third parties might also have connections into the ICS network. In such cases, operators may have no control over whether the systems are kept up to date, but operate under SLAs (service level agreements) that require data to be shared with the third party.

So what do you do if you can’t patch?
Taking into consideration the variety of reasons that patching may not be possible, there are still options available to protect your valuable ICS operations and devices:

Internal Audit
The first important step is to take an internal inventory, or audit, of connected systems in order to identify potential threat vectors and define your risk level. A lot of companies don’t have accurate maps of data flows or system architectures, but such maps are extremely helpful for effective cybersecurity. Unless you know where you are vulnerable, there’s no way to mitigate the possibility of cyberattack.

An audit can be performed manually, or with the assistance of an automated network device mapping tool, although many organizations shy away from automated tools, as they could potentially disrupt operations by adding even a tiny extra load on the network. Passive approaches that only listen on a mirror port add no load at all, at the cost of seeing only the devices that actually talk during the capture.

You don’t usually have to look far to find connected systems and devices that have known or potential unpatched vulnerabilities, but finding all of them can prove challenging. However, a device or system that may become infected can still be limited from impacting the entire ICS network.

Remove Unnecessary Connections
Frankly, sometimes devices are connected to external networks without any good reason. Whether through flawed network architecture, lack of clearly defined security procedures, urgent requests for data access, or just doing it because it can be done, unnecessarily connected systems and equipment are a top cause of malware infections and proliferation.

Among the US Department of Homeland Security’s Seven Steps to Effectively Defend Industrial Control Systems, perhaps the most important is to create a more easily defendable environment by removing any unnecessary connections. This includes connections to third parties that do not require access into your ICS network.

Every connection to an external network, no matter how well monitored, is a potential avenue for attack into the ICS network. Many ICS operators are stretched thin on cybersecurity to begin with (some don’t even have a single dedicated role for it), so each connection that is removed is one less requiring protection, attention, and vigilance from a shorthanded group.

Creating a defendable environment also means segmenting the ICS network itself, and creating layers of security within it.

Figure 2. Network Segmentation

By creating multiple network segments, each one can be assigned its own level of security and trust, and the flow of data between segments can be limited and monitored. Segmentation also helps to mitigate lateral movement (what penetration testers call “lateral traversal”), where hackers or malware jump from one device, system, or workstation to the next.

Think of network segments as compartments on a ship. If the ship is attacked and starts taking on water, each compartment can be closed off from the rest to stop the flooding from spreading.
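The three steps above (inventory, removing unjustified connections, and segmenting what remains) are easier to act on when the audit output is machine-readable. The script below is an added example, not code from the article or from Owl Cyber Defense: it takes a constructed asset inventory (with a tag for any known missing patch) and a constructed list of observed flows, flags every cross-zone flow that has no allow-list entry, and reports which unpatched hosts are reachable from a less trusted zone. Zone names, hosts, addresses and the allow-list are hypothetical.

```python
"""Inventory-driven audit of ICS connections.

Added example, not from the article. Given a constructed asset inventory and
a constructed list of observed flows (as a passive capture would summarise
them), it:
  1. lists hosts that carry known unpatched vulnerabilities,
  2. flags every cross-zone flow that has no allow-list entry (the
     "unnecessary connections" the article says to remove),
  3. reports which unpatched hosts are reachable from a less trusted zone,
     which is where segmentation or a one-way link is needed first.
All zone names, hosts, addresses and flows are hypothetical.
"""
from dataclasses import dataclass

# Trust order: later entries are more trusted (deeper inside the plant).
ZONES = ["internet", "it", "dmz", "ics"]


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str
    os: str
    unpatched: tuple = ()  # tags for missing fixes, e.g. ("MS17-010",)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Constructed inventory (the output of the "internal audit" step).
ASSETS = [
    Asset("corp-fileserver", "10.1.0.5", "it", "Windows Server 2012"),
    Asset("vendor-vpn-gw", "203.0.113.10", "internet", "unknown"),
    Asset("historian", "10.2.0.10", "dmz", "Windows Server 2008", ("MS17-010",)),
    Asset("eng-workstation", "10.3.0.20", "ics", "Windows 7", ("MS17-010",)),
    Asset("plc-line1", "10.3.0.50", "ics", "vendor firmware", ("unsupported-firmware",)),
]

# Constructed flows observed on the network.
FLOWS = [
    Flow("10.1.0.5", "10.2.0.10", 445),       # IT file server -> historian, SMB
    Flow("10.2.0.10", "10.3.0.50", 502),      # historian -> PLC, Modbus/TCP
    Flow("203.0.113.10", "10.3.0.20", 3389),  # vendor VPN -> engineering ws, RDP
    Flow("10.3.0.20", "10.3.0.50", 502),      # inside the ICS zone
]

# The only sanctioned cross-zone flows: (src zone, dst zone, port, proto).
ALLOWED = {("dmz", "ics", 502, "tcp")}


def asset_by_ip(ip):
    return next(a for a in ASSETS if a.ip == ip)


def unpatched_hosts():
    """Hosts the audit shows as carrying a known unpatched weakness."""
    return [a.name for a in ASSETS if a.unpatched]


def unnecessary_connections(flows=FLOWS):
    """Cross-zone flows with no allow-list entry: candidates for removal."""
    found = []
    for f in flows:
        s, d = asset_by_ip(f.src_ip), asset_by_ip(f.dst_ip)
        if s.zone != d.zone and (s.zone, d.zone, f.dst_port, f.proto) not in ALLOWED:
            found.append((s.name, d.name, f.dst_port))
    return found


def inbound_exposure(flows=FLOWS):
    """Unpatched hosts reachable by a flow coming from a less trusted zone."""
    exposed = {}
    for f in flows:
        s, d = asset_by_ip(f.src_ip), asset_by_ip(f.dst_ip)
        if d.unpatched and ZONES.index(s.zone) < ZONES.index(d.zone):
            exposed.setdefault(d.name, []).append(f"{s.name}:{f.dst_port}")
    return exposed


if __name__ == "__main__":
    print("unpatched:", unpatched_hosts())
    for src, dst, port in unnecessary_connections():
        print(f"remove or justify: {src} -> {dst} tcp/{port}")
    for host, paths in inbound_exposure().items():
        print(f"exposed unpatched host {host} via {', '.join(paths)}")
```

Note that the sanctioned historian-to-PLC flow still shows up in the exposure report: an allow-listed connection into an unpatchable device is exactly the kind of link the article suggests converting to one-way.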



Implement Hardware-Based Security
Quite often, proposing to sever connections to the ICS network, no matter how trivial, will result in heavy pushback, as end users in business or IT roles, or third parties, want access to ICS data. In these cases, it is recommended to change as many of these connections as possible to one-way, using a data diode or similar hardware-based cybersecurity device.

A data diode is a hardware-based device that physically enforces a one-way flow of data. To borrow from the ship metaphor, it’s perhaps simplest to think of them as one-way valves for data, allowing it to flow from one compartment to the next, but not back.

Figure 3. Data diode as one-way data valve

As one-way data transfer systems, data diodes are used as cybersecurity tools to segment and protect networks from external cyber threats and prevent penetration from any external source. They allow data to flow out to users that need it, without allowing access back in, which can be extremely useful for unpatched or otherwise closed networks. Data diodes effectively sustain an “air-gapped” architecture from the outside, while enabling data flows out of the ICS network to continue. Because nothing can travel back across the link, not even an acknowledgement, transfers across a diode rely on the receiving side checking integrity (sequence numbers, checksums, repeated frames) rather than on retransmission requests.

Firewalls and software-based cybersecurity tools are usually the first line of defense, and the first that come to mind when considering building a wall of security around sensitive networks. Unfortunately, in addition to having their own issues with zero-day attacks, firewalls mean heavy, ongoing change management, configuration, and (you guessed it!) more patching.

Data diodes often do not require any change management, as they usually do not require any reconfiguration, upgrade, or replacement of industrial control systems or settings, including legacy systems. The one-way link itself is enforced in hardware, so it cannot be reconfigured or bypassed by a software attack and does not need regular security patching, although patches to improve functionality may be available from time to time; the proxy hosts that feed and receive the link are ordinary software and should still be hardened. Data diodes also assist in network segmentation and in creating layers of defense between trusted and untrusted networks.

Thoroughly Vet Portable Media
Given that the prudent approach is to maintain as disconnected an architecture as possible for unpatched ICS networks, the majority of data that comes in, and thus the most likely vector of attack, will be portable media: USB drives, laptops, test equipment, etc. Therefore, it is vital that all portable media be subject to thorough vetting, including antivirus scanning, hash checksums, and other file authentication.

Typically this screening is performed with a security kiosk, where the portable media is first plugged in and scanned before it is allowed to be connected anywhere in the ICS network. These security kiosks may also be used in conjunction with data diodes to provide additional security. Ideally, no laptops or other sophisticated media that have been connected to the internet should be allowed to enter the ICS network, but if it is necessary, they must also be subject to the same thorough vetting.

Institute/Pay for Cybersecurity Training
The reality is, all of the strongest cybersecurity technology and best practices in the world won’t prevent one human from rendering it all useless. It’s vital to minimize the human element as much as possible, especially in an environment where known vulnerabilities exist. Not to mention that human error accounts for over half of all cyber incidents and breaches. Unless your staff are extensively (or at least adequately) trained in cybersecurity procedures, all your security efforts, large or small, are at risk.

Nowhere is this more apparent than in phishing attacks, where an attacker sends an email that appears to be legitimate but instead links to malicious software.



Figure 4. Example of a phishing email

Once one employee is compromised, the attacker can use that person’s personal and professional information to compromise the next employee (so-called “social engineering”), jumping from one to the next until they get the access they need to do real damage. The 2015 BlackEnergy attack on the Ukrainian grid in particular showed the devastation a sophisticated phishing and social engineering campaign can accomplish.

Developing an internal training program is ideal, as it builds security into the routine of your operators and
employees. If an internal training program is not possible, reach out to a reputable company for phishing training,
and to develop a comprehensive program that can be taught and repeated on a regular schedule.
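The portable media vetting described earlier (antivirus, hash checksums, file authentication) comes down to a few mechanical checks a kiosk can enforce before anything is copied toward the ICS network. The script below is an added example, not the article’s or any vendor’s kiosk code: it checks each file’s extension (rejecting a disallowed extension hidden in front of an allowed one), looks the file up in a manifest produced when the files were approved, and compares its SHA-256 against that manifest. The extension policy and the files are hypothetical and constructed inline; an antivirus scan would run alongside this, not instead of it.

```python
"""Kiosk-style vetting of files on portable media.

Added example, not the article's or any vendor's code. Before a file from
removable media is allowed near the ICS network it must:
  1. carry an allowed extension, with no second, disallowed extension
     hiding in front of it (invoice.exe.pdf),
  2. appear in a manifest prepared in advance, in the 'sha256sum' format
     '<hex digest>  <file name>',
  3. hash to exactly the digest the manifest lists.
The extension policy and the files are hypothetical; an AV scan would run
alongside this, not instead of it.
"""
import hashlib
import os
import tempfile

ALLOWED_EXT = {".csv", ".pdf", ".txt", ".hex"}  # hypothetical site policy


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Map file name -> lowercase hex digest; blank and '#' lines ignored."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        manifest[name.strip()] = digest.lower()
    return manifest


def vet_file(root, name, manifest):
    """Return (verdict, reason) for one file; disk is touched only for the hash."""
    exts = ["." + p for p in name.lower().split(".")[1:]]
    if not exts or exts[-1] not in ALLOWED_EXT:
        return ("REJECT", "extension not allowed")
    if any(e not in ALLOWED_EXT for e in exts):
        return ("REJECT", "suspicious double extension")
    if name not in manifest:
        return ("REJECT", "not in manifest")
    if sha256_file(os.path.join(root, name)) != manifest[name]:
        return ("REJECT", "hash mismatch")
    return ("ACCEPT", "hash verified")


def vet_media(root, manifest_text):
    """Vet every file in the media's root directory."""
    manifest = parse_manifest(manifest_text)
    return {n: vet_file(root, n, manifest) for n in sorted(os.listdir(root))}


def demo():
    """Constructed media: one good file, one altered, one unlisted, one binary."""
    root = tempfile.mkdtemp()
    files = {
        "setpoints.csv": b"tag,value\nTIC101,72.5\n",
        "manual.pdf": b"%PDF-1.4 constructed, altered after signing\n",
        "recipe.txt": b"batch 42\n",
        "update.exe": b"MZ not really an executable\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    manifest = "\n".join([
        "# constructed manifest, produced when the files were approved",
        hashlib.sha256(files["setpoints.csv"]).hexdigest() + "  setpoints.csv",
        hashlib.sha256(b"%PDF-1.4 original\n").hexdigest() + "  manual.pdf",
        # recipe.txt was never submitted for approval: no entry
    ])
    return vet_media(root, manifest)


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{verdict:6} {name}: {reason}")
```

The manifest is the piece that turns a checksum into authentication: a hash computed on the kiosk only proves the file is what it is, whereas a hash recorded when the file was approved proves it is what was approved.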

Summary
While applying patches that are readily available sounds simple in theory, in practice, especially in ICS networks, it
can get complicated very quickly. Whatever your organization’s reasons for not patching, all hope of implementing
adequate security and preventing a successful cyberattack is not lost.

With the use of various techniques and technologies, such as data diodes, operators may even be able to avoid
performing change management, which can come with loads of paperwork, limit the need for downtime, which can
be costly, and keep a connection between the ICS network and the IT network while reducing or eliminating the risk
that comes with it.

Following the guidelines above, in combination with best practices from the DHS and industry regulatory bodies, as
well as implementing a comprehensive training program, can provide a strong basis to prevent cyberattack against
your unpatched systems.
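The data diode section above describes a link across which nothing, not even an acknowledgement, can travel back. The model below is an added example, not the article’s or Owl Cyber Defense’s code, and it simulates the consequence of that in memory: the sending side frames each chunk with a sequence number, a last-frame flag, the length and a SHA-256 digest, and emits every frame more than once because no retransmission can ever be requested; the receiving side verifies each digest, ignores duplicates, reassembles the stream and reports any gap it cannot fill. The frame layout, chunk size, repeat count and the lossy channel are all assumptions of this example.

```python
"""One-way transfer in the style of a data diode, modelled in memory.

Added example, not from the article or any vendor. The sending side can
only emit frames and never hears anything back, so the receiving side
must cope on its own:
  - each frame carries a sequence number, a last-frame flag, the payload
    length and a SHA-256 of the payload,
  - the sender emits every frame REPEAT times, since no retransmission
    can ever be requested,
  - the receiver discards frames whose hash fails, ignores duplicates and
    reports any gap in the sequence.
Frame layout, chunk size and the lossy channel are assumptions.
"""
import hashlib
import struct

CHUNK = 16   # payload bytes per frame (tiny, to exercise the logic)
REPEAT = 2   # copies of each frame; survives REPEAT-1 losses of a frame
HDR = struct.Struct("!IBH32s")  # seq, flags (bit0 = last), length, sha256


def frame(seq, last, payload):
    digest = hashlib.sha256(payload).digest()
    return HDR.pack(seq, 1 if last else 0, len(payload), digest) + payload


def send(data):
    """Send side: chunk, frame, repeat. Output only, no input path exists."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    out = []
    for seq, chunk in enumerate(chunks):
        f = frame(seq, seq == len(chunks) - 1, chunk)
        out.extend([f] * REPEAT)
    return out


def receive(frames):
    """Receive side: verify, dedupe, reassemble, and report what is missing."""
    got, corrupt, last = {}, 0, None
    for f in frames:
        if len(f) < HDR.size:
            corrupt += 1
            continue
        seq, flags, n, digest = HDR.unpack_from(f)
        payload = f[HDR.size:]
        if len(payload) != n or hashlib.sha256(payload).digest() != digest:
            corrupt += 1        # damaged on the wire: drop it, nobody to ask
            continue
        got.setdefault(seq, payload)
        if flags & 1:
            last = seq
    highest = last if last is not None else max(got, default=-1)
    missing = [s for s in range(highest + 1) if s not in got]
    data = b"".join(got[s] for s in range(highest + 1) if s in got)
    return {"data": data, "missing": missing, "corrupt": corrupt,
            "complete": last is not None and not missing}


def lossy_channel(frames, drop=(), corrupt=()):
    """Constructed channel: drop frames by index, flip the last byte of others."""
    out = []
    for i, f in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:-1] + bytes([f[-1] ^ 0xFF])
        out.append(f)
    return out


def demo():
    """34-byte message -> 3 chunks -> 6 frames (indices 0,1 = seq 0, ...)."""
    msg = b"TIC101=72.5;PIC204=3.1;FIC301=0.8;"
    frames = send(msg)
    clean = receive(frames)
    # one copy of seq 1 lost and one copy of seq 2 corrupted: still recoverable
    degraded = receive(lossy_channel(frames, drop={2}, corrupt={5}))
    # both copies of seq 1 lost: the gap is reported, nothing can be re-requested
    broken = receive(lossy_channel(frames, drop={2, 3}))
    return clean, degraded, broken


if __name__ == "__main__":
    for label, r in zip(("clean", "degraded", "broken"), demo()):
        print(label, r["complete"], r["missing"], r["corrupt"], r["data"])
```

The “broken” case is the point of the model: with a firewall the receiver would ask for the lost chunk, but across a diode the only remedies are redundancy chosen in advance on the sending side and honest gap reporting on the receiving side.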

For more information about Owl Cyber Defense and data diode cybersecurity, visit www.owlcyberdefense.com.





IIOT, Industry 4.0 and the Cyber Threat:
Securing Industrial Networks in the Digital Era
Industrial Control Systems Face Safety and Security Challenges on Numerous Fronts

By Dana Tamir, VP Market Strategy, Indegy

The Industrial Internet of Things (IIoT) and Industry 4.0 introduce what has been called the “smart factory,” in which physical systems become part of the Internet of Things, communicating and cooperating with each other and with humans in real time via the wireless web. While this comes with many benefits, these disruptive technologies also expose the already fragile infrastructure of Industrial Control Systems (ICS) to various cyber threats.

When it comes to critical infrastructures, flow processes and manufacturing, ICS must function exactly as intended. Any unauthorized change to the process, whether a malicious act or human error, can result in hazardous impact, months of work to resume production and heavy financial losses. Yet very little has been done so far to protect these critical industrial systems.

Unlike complex IT networks, which have a very wide variety of sophisticated security controls, including built-in mechanisms such as authentication and encryption, and which keep detailed logs, ICS networks lack such controls. This makes them easy targets.

Most ICS networks were designed and created before the Internet age: before security was the 24/7 nerve-wracking concern it is today, when cyber terrorism did not exist, and at a time when they were isolated by a physical air gap from other parts of the organization. Today, many of these legacy systems are still in place, unpatched, and vulnerable, exposed to the growing ICS threat landscape.

Today, cybersecurity is the top barrier to successful implementation of Industrial IoT. Increased connectivity exposes ICS to new types of threats in addition to the ones they were already struggling to protect against.

ICS Networks Face External and Internal Threats
Every day, ICS networks face cyber threats from a wide range of actors: state-sponsored hackers, terrorist groups, hacktivists, professional criminals, and disgruntled employees.

External cyber attacks typically come from politically motivated sources such as nation states, terrorist groups, or hacktivists. They can also be criminally motivated. Industrial espionage is also a common motivator, since ICS hold valuable IP related to industrial processes and products.

Over the past few years, there have been a number of headline-grabbing attacks on ICS networks. IBM reported that the number of attacks targeting ICS went up by 110%.

Figure: Threats to Industrial Control Systems


In December 2016 Ukraine suffered a power outage that affected nearly one-fifth of Kiev’s population. Researchers have since reported that the attack was fully automated and leveraged malware purpose-built to disrupt physical systems. They describe the malware, named Crashoverride (a.k.a. Industroyer), as having the ability to “speak” directly to grid equipment, sending commands in the obscure protocols those controls use to switch the flow of power on and off. They also found disturbing evidence that the blackout (which lasted only about an hour) may have been only a dry run. The malware can be adapted to target other critical infrastructures; nothing about it is unique to Ukraine.

In March 2016, Verizon reported that hackers had breached a water utility, which it named “Kemuri”, and manipulated systems responsible for water treatment and flow control. The hackers took control of hundreds of programmable logic controllers (PLCs) that governed the flow of toxic chemicals used to treat water.

Also in 2016, the U.S. Justice Department reported that Iranian hackers had infiltrated the industrial controls of a dam in Rye Brook, New York. While they managed to access its control systems, the breach didn’t cause any damage because the facility was not functional at the time.

In all these cases, and in numerous others, hackers had the ability (or were close to having the ability) to trigger a massive event that would not only disrupt critical services like water or power, but could also cause physical damage to industrial equipment, environmental damage and even human fatalities.

Not surprisingly, security experts believe that the vast majority of ICS hacking incidents are not made public, since there is no regulation or law requiring them to be reported.

Malicious Insiders and Human Error Amplify the Risks
External cyber attacks are not the only concern in these sensitive networks. Malicious insiders and human error can pose just as much risk. Trusted employees, contractors, and integrators who work on manufacturing processes can create disruptions, unintended outcomes, and significant damage. In fact, human error is the leading cause of operational downtime. Basic mistakes, such as making changes to the wrong PLC or poor maintenance of DCS systems, can cause extensive disruptions and downtime.

Since most ICS networks lack any authentication or encryption mechanisms, anyone with ICS network access, local or remote, has unfettered access to any device on the network, including the ability to make changes to the critical devices that manage physical processes. This includes the sensitive controllers (e.g. PLCs, RTUs and DCS controllers) responsible for the entire lifecycle of industrial processes.

Without additional controls, it is not only very hard to restrict access to these devices, it is also very hard to detect changes, because the devices keep no event logs and there is no external audit trail tracing such activities. If an organization cannot track activities, it will find it very difficult and time-consuming to identify the source of problems, discover who or what caused them, and take appropriate action. This means that if someone makes an unauthorized change to a controller’s configuration or logic, whether with malicious intent or by accident, it can take days, in some cases weeks, to detect it. And since backup information is not always available, restoring these devices can take a while as well.

Vulnerabilities, Lack of Security Controls and Poor Visibility Cripple Security Efforts
Industrial organizations, especially those involved with sensitive manufacturing processes or critical infrastructures, are paying close attention to ICS cybersecurity incidents that can disrupt operations while causing physical and financial damage.

ICS environments are susceptible to software and hardware vulnerabilities. In recent years there has been a significant increase in the number of ICS vulnerabilities reported. However, the focus on the increasing number of ICS vulnerabilities obscures a very important point: even when an industrial organization has mitigated all known vulnerabilities, there are still design flaws that cyber attackers can easily exploit to compromise an ICS.


ICS networks have become easy targets not just because they include vulnerabilities, but also because they lack basic security controls such as authentication, and do not support encrypted communication. In IT security terms, this represents a major design flaw that adversely impacts the overall security of the ICS environment. It means that anyone with network access can make changes to controller logic and configuration, which can severely affect operations and have a catastrophic impact on plant safety and reliability.

As long as security controls aren’t available to prevent unauthorized or malicious changes, the design flaws of ICS will continue to affect their security posture and put them at high risk of compromise. No amount of vulnerability remediation can prevent access to the controllers on ICS networks or mitigate the risk of compromise that results from a lack of security controls.

In-Depth Visibility is Key to Industrial Cybersecurity
Monitoring ICS network activity is a key requirement for securing these networks, especially activity related to the critical controllers that manage the operational environment. Keeping tabs on the activities of users, applications and devices enables operators to confirm expected, normal operation. Monitoring also allows problems to be detected and corrected before damage can occur.

Figure: Different communication planes in ICS networks.

The data-plane protocols used by HMI/SCADA applications to communicate with control devices, e.g. MODBUS, PROFINET, DNP3 and others, are well known and fully documented.

However, it is not common knowledge that in ICS networks the control-plane activities use different protocols, a separation that does not exist in IT networks.

Monitoring industrial control system activity is difficult for two reasons. First, these systems use different protocols than IT networks. Second, separate protocols are used for data-plane and control-plane activities:

• Data plane: sometimes referred to as the user plane, carries the user-data traffic. The data plane is used by HMI and SCADA applications to communicate process parameters and physical measurements between the human operator and the industrial equipment (I/Os).

• Control plane: carries the control information. In industrial networks the control-plane activities include all the engineering activity related to the maintenance lifecycle of industrial controllers, such as any read or change of controller firmware, control logic, configuration settings, or state. It also includes administration and operations traffic. [Note that the term “control plane” is a general networking term, and isn’t related to the control layer of the Purdue Model or to controllers in ICS networks.]

Figure: Industrial controllers are the most critical assets in ICS environments.

Unlike the data-plane protocols, control-plane protocols are vendor-specific proprietary protocols that are mostly unknown, undocumented and often unnamed.



This is because they were designed to be used only by the vendor’s engineering software tools. But over the
years, other tools that utilize these protocols have been developed and can be used for control-plane activities and
changing critical industrial controllers.

Figure: Data-plane protocols vs. control-plane protocols. Data plane: standard HMI and SCADA applications talk to the PLC/RTU (here driving an industrial furnace) over protocols such as MODBUS, PROFINET and DNP3. Control plane: the engineering station reaches the controller’s logic, configuration and firmware over proprietary, vendor-specific engineering protocols (unnamed, undocumented).

While many companies are concerned about cyber threats to their operations, often the differences between
data-plane and control-plane protocols are not well understood. As a result, few companies are monitoring these
proprietary vendor specific protocols for unauthorized control plane activity. This is creating a dangerous security
gap in their networks.

The Importance of Monitoring Control-Plane Activities


Unlike the data plane, which carries information about the process parameters (e.g. the current temperature in a tank, or the RPM of a turbine), core functions are carried out via the control-plane protocols. These include changes to controller logic, firmware uploads/downloads and configuration changes.

In IT networks, activities like changing a server’s configuration or the software code it executes are highly privileged. They can only be executed by a select group of users, typically systems administrators.

In contrast, most industrial controllers have no authentication or encryption mechanisms. This enables anyone with network access to reach these critical devices and make changes to their configuration and logic, changes that can lead to severe operational disruptions.

To make things worse, control-plane activities aren’t logged or registered anywhere: not on the device, not in the historian, nor in any other component of the ICS network. This allows adversaries to hide their actions and remain undetected until the physical damage is discovered.

Since most threats to ICS occur in the control plane, it is essential to monitor these activities. Protecting ICS networks begins and ends with gaining visibility and control over control-plane activity.

Cybersecurity, Reliability and Safety are Critical Factors for Successful IIoT and Industry 4.0 Initiatives
The key to protecting ICS environments begins with real-time visibility into every facet of the network and every
action. This includes being able to monitor all activities, track all attempts to access controllers and make changes
to these critical devices (whether performed by trusted insiders or unknown sources), and determine whether
actions are authorized or not.



With full visibility into both data-plane and control-plane activities, organizations can identify anomalies and
malicious attempts to tamper with control devices in real-time, allowing ICS cyber security professionals to quickly
respond and prevent, or at least minimize, damage to operational systems.

New ICS network monitoring technologies that provide comprehensive visibility into both the data and control
planes can provide early detection of reconnaissance activities, such as requests to read the controller firmware
or logic from an unknown laptop, or requests to list open ports on a controller. A full audit trail of actions executed
by employees, contractors, and integrators that have unfettered access to ICS networks enables detection of all
malicious activities, unauthorized changes and human error.

About the Author

Dana Tamir is VP of Market Strategy at Indegy, a leading Industrial Cyber Security Company that helps protect
Industrial Control Systems used in critical infrastructures, utilities and manufacturing industries against operational
disruptions caused by external and internal threats. Indegy enables advanced detection and response to threats
that place the safety, reliability and security of industrial networks at risk before damage occurs.

For more information on Indegy, please visit: www.indegy.com.

Seven DHS Strategies for Defending
Industrial Control Systems (ICS) & the Must-Have
Protections for Supporting Them
By Kenneth Frische
Director of Cybersecurity
Ultra Electronics, 3eTI

The increasing demand for machine-to-machine (M2M) networks directly reflects how quickly new system
technologies are emerging as a driving force in government and industry. Characterized by anytime, anywhere
connections that link data from devices, equipment and digital systems, these open environments facilitate
efficient exchange of detailed information and analytical reporting. However, this need to interconnect previously
isolated control-system networks has come at an expense, exposing vulnerable and fragile systems to risks from
cyber-attack. As DoD and industry adapt to these fast open-exchange environments, significant challenges come
to bear to ensure the cyber-hardening of critical control systems.

By way of guidance, the Department of Homeland Security (DHS) released a report in December 2015 titled
“Seven Steps to Effectively Defend Industrial Control Systems (ICS).” The report highlights the increased frequency
of successful intrusions into US critical infrastructure systems. It also provides cost-effective strategies that, if
followed, will raise the security posture of the entire industry. This article reviews the DHS-defined Seven Strategies
to Defend ICS in relation to the latest ICS protection technologies. It reviews an environmental control system as a
case in point, deployed to protect US Naval operations buildings.

As noted by DHS, 98 percent of all incidents reported in ICS could easily have been prevented by implementing
the identified strategies.

1. Implement Application Whitelisting
Historically (and still persisting today), firewalls were blacklist devices, meaning that rules could only be
created to deny traffic. All other traffic not explicitly denied was allowed to flow freely through the firewall.
Unfortunately, this approach has the potential to create network vulnerabilities simply due to ignorance or errors
such as incorrect, incomplete, poorly architected, and overly complex firewall rulesets.

Prior to the advent of whitelisting, a best practice was newly proposed for blacklist device firewalls to always
require a DENY ALL rule at the end of rule listings. While a better practice, the rule (assuming it actually gets
implemented) is still just a Band-Aid and not a solution.

Thankfully, firewall device capabilities have improved, and best practices now recommend whitelisting. Whitelist
firewall devices by default deny all traffic, passing only traffic that has been explicitly allowed by the firewall rules.
While administrators can still make rule errors (allowing more traffic than they should), whitelisting allows the
rulesets to be simpler, more visible and far less prone to error.

Deep Packet Inspection (DPI): Deep Packet Inspection (DPI) takes whitelisting to a new level. Even with
whitelisting, critical industrial equipment (especially safety equipment) can still be vulnerable. This is due to the
inherently insecure nature of the protocols used

to monitor and control networked devices. These protocols include Modbus, BACnet, Ethernet/IP and OPC,
among others. Malicious use of these protocols (particularly by malicious insiders or resident malware) can
potentially damage equipment and place plant personnel at risk.

In DPI, traffic protocol requirements are isolated to the specific commands, values and services allowed to be
issued from a specific source to a specific destination using a specific protocol. An “emergency stop” command,
for example, cannot be issued to a specific PLC that controls multiple flow valves without a specific rule
authorizing the source, protocol, and destination device.

Learning Mode: Another fairly recent and valuable piece of the whitelisting picture is “Learning Mode.” This is the
ability to place a whitelist device into a listening mode so it can automatically build a firewall whitelist ruleset based
on unique occurrences of the network traffic that flows through it. All traffic is allowed through the device so that
it can establish a baseline of “normal” traffic. After a certain amount of time, when it is assumed that all relevant
traffic has been accommodated, the administrator then reviews, edits, and prunes the ruleset and places the
device online. From that point on, the rules are enforced.

Learning Mode is useful for engineers to identify the actual protocol commands and value ranges being read and
written. Determining these settings and requirements through Wireshark, HMI, IO, and PLC program analysis can
often be difficult -- if not impossible -- for large network architectures with hundreds or thousands of devices.

Learning Mode is also an invaluable capability for establishing baselines during a risk assessment. Only the most
advanced whitelist devices for ICS offer this feature for both standard traffic and DPI ICS traffic.

2. Ensure Proper Configuration/Patch Management
Configuration and patch management apply not only to ICS devices but also to the firewall devices protecting
them. Centralized management of ICS firewall devices is useful (and often necessary) when a large number of
devices are deployed.

Centralized configurations also aid in determining firmware revisions and differences in configuration. The ability
to export (backup) and import these configurations in XML or other editable forms also enables faster and more
consistent deployment across a large organization.

A best practice for centralized management of ICS firewalls is to monitor and secure access to the relevant
stations used for ICS firewall device configuration and management. In addition, all changes must be documented
and approved through Management of Change (MOC) procedures. Backups also have multiple security and
control requirements.

Refer to ISA/IEC 62443 standards (document 62443-2-3) for detailed Patch Management and Backup
considerations.

3. Reduce Your Attack Surface & 4. Build a Defendable Environment
The most innovative ICS device firewalls provide advanced features beyond whitelisting, features designed to
reduce the attack surface area as well as the impact of any successful intrusion. These methods include the
following functionalities:

Segmentation:
• VLANs: Virtual LAN segmentation without additional device IP/subnet changes
• Encryption: FIPS 140 military grade encryption potentially for all segment traffic or specifically to one or more
VLANs using certificate-based authentication
• DIN mount form factor: Allows for the minimization of network segment size by installation of the device closer
to the actual devices protected

Out-of-Band Management: An ISA/IEC 62443 standards best practice is to manage ICS firewall devices using a
segmented network separate from the network for data. An alternative (where a secondary physical network is
not available) is to provide an in-band encrypted VLAN to separate data and configuration traffic.
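As an added illustration of the DPI whitelist and Learning Mode described under Strategy 1 above (and of the control-plane visibility the preceding article calls for), the following Python example is not from the article or any vendor product: it parses constructed Modbus/TCP requests, learns a per-source whitelist of function codes and addresses, lets an administrator prune it, and then enforces it deny-by-default. The host addresses, register numbers and the coil standing in for an “emergency stop” output are assumptions made for the demonstration.

```python
"""Added example (not from the article or any vendor product): a minimal
Modbus/TCP deep-packet-inspection whitelist with a Learning Mode.
Hosts, register addresses and values below are constructed for illustration.
"""
import struct

# Modbus function codes that change device state (the "control plane" side).
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}


def build_request(tid, unit, function, address, value):
    """Build a constructed Modbus/TCP request: MBAP header + 5-byte PDU."""
    pdu = struct.pack(">BHH", function, address, value)
    # The MBAP length field counts the unit identifier plus the PDU after it.
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def parse_modbus_tcp(payload):
    """Parse the MBAP header and the start of the PDU of a Modbus/TCP request.

    MBAP: transaction id (2), protocol id (2), length (2), unit id (1).
    PDU: function code (1) followed, for the functions handled here, by a
    2-byte starting address. Anything malformed is rejected outright.
    """
    if len(payload) < 10:
        raise ValueError("frame too short for MBAP header, function and address")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match the frame")
    function, address = struct.unpack(">BH", payload[7:10])
    return {"unit": unit, "function": function, "address": address}


class DpiWhitelist:
    """Whitelist keyed on (src, dst, unit id, function code, start address).

    In learning mode every frame passes and its key is recorded. After the
    administrator reviews and prunes the learned rules, enforce() switches
    the device to deny-by-default: only recorded keys are allowed through.
    A production rule would also bound the written values; this toy does not.
    """

    def __init__(self):
        self.rules = set()
        self.learning = True
        self.violations = []

    @staticmethod
    def _key(src, dst, frame):
        return (src, dst, frame["unit"], frame["function"], frame["address"])

    def observe(self, src, dst, payload):
        """Return True if the frame may pass, False if it is blocked."""
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as err:
            self.violations.append((src, dst, "malformed: %s" % err))
            return False
        key = self._key(src, dst, frame)
        if self.learning:
            self.rules.add(key)
            return True
        if key in self.rules:
            return True
        self.violations.append(key)
        return False

    def prune(self, keep):
        """Administrator review: keep only the learned rules that keep() accepts."""
        self.rules = {rule for rule in self.rules if keep(rule)}

    def enforce(self):
        self.learning = False


def demo():
    HMI, PLC, LAPTOP = "10.0.1.10", "10.0.1.50", "10.0.1.99"  # constructed hosts
    fw = DpiWhitelist()
    # Learning mode: normal HMI polling plus a setpoint write...
    fw.observe(HMI, PLC, build_request(1, 1, 3, 100, 10))   # read 10 holding registers at 100
    fw.observe(HMI, PLC, build_request(2, 1, 6, 200, 750))  # write setpoint register 200
    # ...but a contractor laptop also wrote to the PLC while the baseline was recorded.
    fw.observe(LAPTOP, PLC, build_request(3, 1, 6, 200, 0))
    # Review step: only the HMI may issue write functions to the PLC.
    fw.prune(lambda rule: rule[0] == HMI or rule[3] not in WRITE_FUNCTIONS)
    fw.enforce()
    verdicts = {
        "hmi_read": fw.observe(HMI, PLC, build_request(4, 1, 3, 100, 10)),
        "hmi_setpoint": fw.observe(HMI, PLC, build_request(5, 1, 6, 200, 800)),
        "laptop_write": fw.observe(LAPTOP, PLC, build_request(6, 1, 6, 200, 0)),
        # Coil 0 stands in for an "emergency stop" output that no rule authorised.
        "hmi_estop_coil": fw.observe(HMI, PLC, build_request(7, 1, 5, 0, 0xFF00)),
        # A truncated frame is blocked as malformed rather than guessed at.
        "truncated": fw.observe(HMI, PLC, build_request(8, 1, 3, 100, 10)[:8]),
    }
    return verdicts, len(fw.violations)
```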

Stateful Inspection: Common hacking approaches involve port and application scanning of various forms to
include attempts to take over conversations (i.e. sessions based man-in-the-middle attacks) or queries for
information (for example, sending acknowledgements to conversations that were never started). It is an ISA/IEC
62443 standards best practice to implement stateful inspection so that all conversations (sessions) are inspected
for proper initiation source, as well as for sequence.

5. Manage Authentication
All ICS firewall devices should be capable of providing certificate-based PKI security to authenticate users
administering the device. In addition, certificate-based PKI (public key infrastructure) authentication should be
used to authenticate all devices participating in an encrypted VLAN or network.

Whenever possible, ICS firewall certificate validation should be integrated with a device-embedded Trusted
Platform Module (TPM). TPM is an international standard for a secure crypto-processor, which is a dedicated
microcontroller designed to secure hardware by integrating cryptographic keys into devices. Certificate creation
and validation using hardware device-embedded TPM is the most secure method to validate certificates and
assure the certificate store has not been compromised.

6. Secure Remote Access
ICS protection devices that offer VPN services should secure all connections using PKI certificate authentication
(in concert with TPM). All sessions should also be encrypted, preferably using AES 256 TLS.

7. Monitor & Respond
For all ICS protection devices, where the functionality exists, all of the following should be logged and accessible
via export or syslog servers: Stateful firewall violations, DPI session violations or blocks and device activity such
as login, logout, and changes.

Devices should be monitored as well as the activity crossing them. SNMPv3 is a secure best-practice standard
for monitoring all ICS protection devices.

US Navy Case Study: Putting the DHS Seven Strategies to Work
The project is part of the Naval District Washington’s (NDW) ongoing Smart Shore Initiative. It includes an
enterprise-level sensor network that integrates cyber-secure technologies to intelligently monitor and respond to
ICS threats.

The program’s cyber objectives and outcomes parallel the DHS recommendations, and the system
implementation shows how the guidance can be executed in a real-world, high-stakes context.

This case-based illustration began with Navy’s decision to establish aggressive goals for better energy security
and efficiency. After extensive evaluation, the Navy selected a system built using Ultra Electronics, 3eTI’s
products and services.

The Navy’s resources are vast, including many buildings constructed at different times over several decades. As
a result, they lacked common controls and contained unique security vulnerabilities. The Navy required a
cost-effective and accredited network capability to monitor legacy SCADA and direct digital controls (DDC)
systems associated with more than six installations that include 3,129 buildings, 2,822 non-building structures
and 1,029 utility locations.

The Navy team understood the potential impacts if vulnerabilities were not addressed. High priorities were risks
associated with denial of view, denial of control, manipulation of view and manipulation of control.
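The stateful inspection requirement under Strategy 4 above, as an added Python example that is not from the article or any vendor product: a toy session tracker that only accepts conversations opened by an approved initiator, drops acknowledgements for sessions that were never started, and rejects out-of-sequence segments. Hosts, ports and sequence numbers are constructed.

```python
"""Added example (not from the article or any vendor product): a toy
stateful inspector that enforces proper session initiation source and
in-order sequence numbers for TCP-style conversations.
Hosts, ports and sequence numbers are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "FIN"}
    seq: int
    payload_len: int = 0


class StatefulInspector:
    """Allows only conversations opened by an approved initiator and drops
    packets that belong to no session or arrive out of sequence."""

    def __init__(self, allowed_initiators):
        # (initiator host, responder host, responder port) tuples
        self.allowed = set(allowed_initiators)
        self.sessions = {}   # (src, sport, dst, dport) -> session state
        self.log = []        # dropped (packet, reason) pairs for syslog export

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.dst, p.dport, p.src, p.sport)

    def _drop(self, p, reason):
        self.log.append((p, reason))
        return False

    def inspect(self, p):
        """Return True if the packet passes, False if it is dropped."""
        if p.flags == {"SYN"}:
            # Proper initiation source: only approved hosts may open sessions.
            if (p.src, p.dst, p.dport) not in self.allowed:
                return self._drop(p, "session initiation from unapproved source")
            self.sessions[self._key(p)] = {
                "state": "SYN_SENT",
                "next": {"fwd": p.seq + 1, "rev": None},  # SYN consumes one number
            }
            return True

        fwd, rev = self._key(p), self._reverse_key(p)
        if fwd in self.sessions:
            sess, direction = self.sessions[fwd], "fwd"
        elif rev in self.sessions:
            sess, direction = self.sessions[rev], "rev"
        else:
            # e.g. an acknowledgement sent to a conversation never started
            return self._drop(p, "packet for a conversation that was never initiated")

        if p.flags == {"SYN", "ACK"} and sess["state"] == "SYN_SENT" and direction == "rev":
            sess["next"]["rev"] = p.seq + 1
            sess["state"] = "SYN_RECEIVED"
            return True

        # Sequence check: the segment must start exactly where the last one ended.
        if p.seq != sess["next"][direction]:
            return self._drop(p, "out-of-sequence segment")

        if sess["state"] == "SYN_RECEIVED" and "ACK" in p.flags and direction == "fwd":
            sess["state"] = "ESTABLISHED"
        if sess["state"] != "ESTABLISHED":
            return self._drop(p, "data before handshake completed")

        sess["next"][direction] += p.payload_len
        if "FIN" in p.flags:
            del self.sessions[fwd if direction == "fwd" else rev]
        return True


def demo():
    HMI, PLC, LAPTOP = "10.0.1.10", "10.0.1.50", "10.0.1.99"   # constructed hosts
    fw = StatefulInspector(allowed_initiators={(HMI, PLC, 502)})  # only the HMI opens Modbus sessions
    SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    trace = [
        Packet(HMI, PLC, 50000, 502, SYN, 1000),          # 1. HMI opens a session
        Packet(PLC, HMI, 502, 50000, SYNACK, 5000),       # 2. PLC answers
        Packet(HMI, PLC, 50000, 502, ACK, 1001),          # 3. handshake completes
        Packet(HMI, PLC, 50000, 502, ACK, 1001, 12),      # 4. Modbus request, 12 bytes
        Packet(LAPTOP, PLC, 40000, 502, ACK, 77, 12),     # 5. ACK to a conversation never started
        Packet(PLC, HMI, 502, 50000, SYN, 6000),          # 6. PLC tries to initiate toward the HMI
        Packet(HMI, PLC, 50000, 502, ACK, 9999, 12),      # 7. injected segment with wrong sequence
        Packet(HMI, PLC, 50000, 502, ACK, 1013, 5),       # 8. genuine next request
    ]
    return [fw.inspect(p) for p in trace], [reason for _, reason in fw.log]
```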

At the project’s outset, the Navy performed a comprehensive risk
management analysis. The effort prioritized assets requiring greater
protection. It also evaluated the most serious vulnerabilities the
assets might face, and quantified impacts associated with securing
them.

The solution incorporates multiple complementary layers of security controls into the facilities to monitor and
respond to potential physical and cyber intrusions. This approach allows for more efficient management of
energy utilities while containing any threats that get through the security layers.

The Navy’s Middleware Panel is a key component of the architecture that underpins the Smart Shore Initiative. It
utilizes an array of industrial control technologies for secure monitoring and control of equipment such as HVAC
systems, generators, water treatment pumps and the like. It integrates SCADA and other control systems into a
local monitoring, management and reporting architecture.
In essence, the Middleware Panel allows the Navy to monitor and control Smart Shore information, meet energy
management objectives, and maintain DoD-required security thresholds.

The following items correlate the Smart Shore initiative to the DHS strategies for ICS:

1. Application Whitelisting: The Navy sought strict control over end-user systems by applying ICS firewall deep
packet inspection (DPI) to the environmental control protocols. In the event an application is compromised, any
attempted action will be limited to pre-approved operations. This helps prevent an attack from spreading which,
in turn, improves system reliability and integrity.

2. Ensure Proper Configuration/Patch Management: Certified to the highest government security
implementation standards, the Middleware Panel has been tested extensively for its effectiveness in allowing
Navy managers to safely monitor, control and optimize energy across facilities from one central location using
energy dashboard applications. Unauthorized access beyond an initial entry point is blocked, as are man-in-the-
middle and other attacks. Only authorized personnel have access to key management systems for configuration
and patch-management control.

3. Reduce Attack Surface Area: The Navy’s solution employed technology with end-to-end FIPS 140-2
encryption for a secure and segmented ICS device network. The devices are effectively invisible to unauthorized
devices so they are protected from direct attack or interference. It also applies advanced certificate-based
authentication at the in-building device level to block unauthorized device access (such as an unapproved
contractor laptop) or port re-use. It assures that only necessary and approved communications occur between
known devices.

4. Build a Defendable Environment: The Navy-selected technology was designed to provide both
cryptographic and network isolation solutions to segment a control system into smaller functional groups
without impacting normal system activity. Validated cryptographic protections ensure that critical control
traffic is isolated from other traffic even when transported over the same physical network. Through device-
level firewall functionality and command-level whitelisting, all host-to-host communications are monitored
and restricted. With this architecture, adversaries are immediately detected and easily constrained, promoting
expedient system remediation and recovery.

5. Manage Authentication: The Navy’s implementation allows the segmenting of network and security
management data from ICS data using centralized PKI security. To prevent breaches that occur when attackers
use key loggers to steal authentication credentials, the Navy’s security devices use TPM and unique certificates
stored in each unit.

6. Secure Remote Access: The FIPS 140-2 validated and Common Criteria certified VPN solution is trusted
to provide secure VPN access over its encrypted connections using PKI-based authentication. It also provides
monitoring-only modes to allow valid and authorized data to be exported. It does so without opening a link that
an attacker can use to send traffic in, or tunnel data out.

7. Monitor and Respond: The Navy’s technology incorporates advanced monitoring built into each system
device and can be managed from a central command center. When unauthorized activity is detected, the
system blocks the attempt and sends an alert to approved personnel.

The program’s positive outcomes include a fully secured ICS infrastructure that is affordably maintained and
contributes to reduced energy output across NDW. Extending this type of implementation to other agencies and
industries in the private sector could dramatically reduce the types of intrusions DHS has cited while helping to
reduce energy usage.

About Author

Kenneth Frische - Director of Cybersecurity, Ultra Electronics, 3eTI
ISA Certified Cybersecurity Trainer (IC32, IC33, IC34, IC37)
MBA, PMP, CISSP, C|EH, Agile, MSCE, MS DBA
[email protected]
https://www.linkedin.com/company/3eti
https://twitter.com/ultra_3eti

Article References

https://ics-cert.us-cert.gov/sites/default/files/documents/Seven Steps to Effectively Defend Industrial Control Systems_S508C.pdf
http://www.ultra-3eti.com/products/cyberfence

For more information on Ultra Electronics, 3eti, please visit www.ultra-3eti.com.

Cyberattacks and Bottom Lines:
Who Has Responsibility for Industrial Cyber Risks?

By Katherine Brocklehurst
Director, Industrial Cybersecurity
Belden and Tripwire

Abstract
Cyberattack continues to be one of the biggest worries of today’s business leaders. More than anyone, boards
of directors and C-level executives have the responsibility to govern overall company cyber risk. However, very
few company leaders are aware of how weak and exploitable the plant technology is that powers the economic
engine of their business operations. Further, most do not have the background to assess complex industrial
cyber security risks in terms of the full extent of damages and costs. This article offers background analysis and
arms executives with the questions to ask their plant operations and corporate IT teams across 10 key areas.

Article

Balancing ICS Cybersecurity Risks
Cybersecurity is a top concern for 87% of global business leaders.1 In 2017, large-scale cyberattacks and
massive cyber theft were ranked among the top technological risks to global growth by the World Economic
Forum.2 Control system cyber security threats were rated “Severe/Critical and High” by 66% of the respondents
of SANS Institute’s 2017 survey of global ICS security professionals. The worldwide ransomware epidemic of
2017 has ensured cybersecurity will be a leading topic on corporate board and C-level executive agendas for the
remainder of 2017 and into budgeting cycles for 2018.

[Figure: 2017 SANS State-of-ICS-Security Survey Report]

Cost Savings V. Cyber Risk
Closely coupling control systems, Internet and business systems delivers attractive gains for plant profitability.
The efficiency, automation and cost savings are strong incentives for most industrial companies to opt for those
benefits through cloud, connected devices, remote access and wireless connectivity to the plant floor. According
to Gartner, at least for Information Technology (IT) these are all key areas for budget investments.

1 https://www.cgi-group.co.uk/article/cgi-cyber-security-research
2 http://www3.weforum.org/docs/GRR17_Report_web.pdf

Trends indicate that hackers are increasingly gaining access to the control levels of industrial and critical
infrastructure assets, in large part due to connectivity to the Internet.3 Industrial companies have technologies
and processes that interact with the physical world, which make attractive targets. Profits and investments in
cybersecurity must be balanced against cyber threat risk in our highly connected world.

ICS Cyber Risk Discovery the Hard Way
Unfortunately, most companies must suffer a security breach to understand the extent of their cyber risk and
become motivated to take action to reduce industrial cyber risk. Consider the granddaddy of all industrial
breaches, the 2012 attack on Saudi Aramco.4 CNN titled it “the biggest attack in history.” The Shamoon virus
quickly ravaged Saudi Aramco’s business, destroyed more than 35,000 systems, and took over 5 months to
recover from, with some parts of the business taking even longer. During the attack Saudi Aramco cut themselves
off from all internet connectivity for weeks and were reduced to conducting business with phone calls, handwritten
paperwork and faxes. Total cost of this attack? Unknown and never disclosed, but easily estimated at well over
$1 billion (U.S. dollars).5 The firm has been investing millions of dollars into industrial cybersecurity to mitigate ICS
weakness.

In another recent example, the ransomware-worm-wiper Petya6 and its several variants spread globally, encrypted
systems, destroyed hard disks, and halted many businesses including industrial and critical infrastructure
organizations such as a power company, public transit, manufacturers, an oil and gas company, a major airport,
a shipping and energy company and an international pharmaceutical company. As of this writing it’s not possible
to quantify the costs that will ultimately be tallied from the sum total of reported cyberattacks, and some say it’s
futile to try to estimate the damage.7 And then of course there’s the Ukraine utility attack showing what a targeted,
sophisticated and well-planned attack looks like.

Budgets for ICS Cybersecurity
How much does your industrial company spend on cybersecurity every year? It’s likely that’s a question for the
IT department, and it’s difficult to find good data to support spending on plant automation and process control
security. Most IT department spend on behalf of ICS Operations Technology (OT) has centered on perimeter
firewalls and maybe a Demilitarized Zone (DMZ) to separate the plant network from corporate networks. One
exception is within the U.S. and Canada’s energy sectors where NERC CIP compliance has been a key driver and
potentially more has been spent as a result, including securing remote substations.

Firewalls have been very common perimeter defense technologies, but are not adequate protection anymore,
since ‘Internet of Things’ (IoT) devices can just walk past them onto the plant floor inside a worker’s pocket or
hand. If there is a budget for ICS security, it’s often used to outsource security to ICS equipment vendors as part
of their maintenance contracts. In that case, vendors are often granted remote access and allowed to maintain the
equipment without being onsite, again bypassing firewall defenses.

Historically, organizations have dedicated five percent of the overall IT budget to cybersecurity, with recent trends
at 10%.8 Gartner saw an average jump in IT security budgets of 18% in 2016, with between 5% and up to 25%
projected for 2017.9 These trends are good news for OT if they can get their share of it. Gartner’s data is IT-centric
and doesn’t reflect ICS security needs for industrial plant networks, endpoints and control systems, remote
locations, supply chain partners or staffing and training of ICS engineering to undertake the complex discipline of
industrial cybersecurity.

3 FireEye/iSIGHT 2016 ICS Vulnerability Trends Report
4 http://money.cnn.com/2015/08/05/technology/aramco-hack/index.html
5 https://www.webpagefx.com/data/cost-of-hackers-in-the-us/
6 http://www.belden.com/blog/industrialsecurity/is-petya-making-you-wannacry-how-to-protect-against-this-ransomware.cfm
7 https://www.economist.com/news/business/21639576-businesses-would-benefit-reliable-information-cyber-crimes-costs-think-number-and
8 https://www.cgi-group.co.uk/article/cgi-cyber-security-research
9 https://www.gartner.com/technology/media-products/newsletters/Fortinet/1-40EWICQ/gartner2.html

Nevertheless, this budget detail gives OT management some idea of the spending required for IT to defend
corporate assets.

The top three challenges faced by IT in gaining the right amount of budget from senior executives per Gartner
are:
• 44% - Cybersecurity metrics are too technical, making it difficult to communicate value
• 28% - Lack of understanding the ROI for security spending
• 25% - Low security awareness throughout the senior leadership

It may be especially difficult for OT to champion budget needs for plant cybersecurity because IT largely owns
the budget in the minds of the C-suite and because boards and C-level executives typically turn to the CIO for
information. Also, plant management does not always have representation at the table in the C-suite.

Boards And C-Level Executives Own Corporate Cyber Risk
Even when the state of a company’s cybersecurity is regularly reported upon to senior management it comes
most often from the CIO and may/may not include status of plant cybersecurity and risks. The problem with that
is this: IT has completely different priorities, practices and goals than those of OT. Guidance will be IT-centric, not
likely helpful to OT teams, and can be viewed as undermining.10 If OT has not provided input to briefings to the
C-suite, assessing cyber risk will be faulty.

Plant teams must typically prioritize safety and highest availability over cybersecurity. This may be an
opportunity for senior leadership to calibrate plant production and availability goals to assure scheduled time is
made for managing cyber risks.

The other side of this dilemma is that OT teams rarely have the skills or background that IT has built up over
decades of cybersecurity development in support of securing corporate-side assets and information. Often the
best guidance from IT is unwanted and not helpful because it doesn’t work for OT.

IT hasn’t dedicated time to understand the unique requirements of OT and plant systems. The strongest and
most common defense OT will wage against IT “meddling” in their networks is, “If we do that it could void our
equipment warranty” and the old adage “If it ain’t broke, don’t fix it” - citing risk of downtime with any changes.
Stories abound where IT pushed Windows updates out and took down a Human Machine Interface (HMI)
unexpectedly causing loss of visibility to field I/O, or they updated a centrally shared database causing unplanned
downtime. It’s not unusual for OT to fully reject any assistance from IT for reasons like these or the amount of
added work it will be for OT to make changes on already fine-tuned and tested sets of automated systems and
process controls.

[Figure: IT Priorities / OT Priorities / Safety]

10 http://www.belden.com/blog/industrialsecurity/it-ot-convergence-and-conflict-who-owns-ics-security.cfm

NOTE: One observation is that if OT finds inadvertent downtime caused by IT department changes so disruptive,
imagine the havoc adversaries or malicious insiders can cause given the purposeful intent to disrupt, damage or cause
public harm. This should be a driver for OT to add layers of defense to secure Levels 2, 3 and 3.5 DMZ assets where
compromised key resources could highly impact process control (resources such as HMI, data historians, batch
process control servers, asset management systems, possibly Active Directory, key databases and web-facing app
servers for interacting with manufacturing supply chain partners and others.)

Cyber Risk Assessment

Cybersecurity should be understood as a journey and a process, regardless of whether the discussion is in IT or
OT. The starting place should be a risk assessment. Many organizations prefer to begin with a self-assessment;
there are numerous online tools for that purpose. One of the best is ICS-CERT’s free Cyber Security Evaluation
Tool (CSET).11 Other organizations bring in outside consultants to give an objective analysis of cyber risk. If this is
scheduled it should encompass both the corporate and plant sides of the industrial organization.

After gaps are identified, they should be prioritized in a cross-functional working team if possible. Managing cyber
risk is often linked to the weaknesses and vulnerabilities discovered during assessment, including risk to and from
IT and OT networks, interaction with business systems and partners, automation and control systems along with
physical assets. Unless the prioritization of risk is performed, any changes (e.g. acquiring technology, adding staff,
etc.) will not reflect your organization’s risk tolerance and mitigation strategies.

Your organization must have foundational ICS security controls in place to reduce overall risk. The chart below
gives some context to cybersecurity’s lifecycle, technologies typical to the level of maturity your organization has
achieved, a sense of costs and resources required. Cyber risk should be aligned and balanced with your specific
risk tolerance, prioritizations, budget, amount of risk reduction desired and requirements.

All these investments cannot be considered in an organizational vacuum and every business has unique
considerations when balancing costs, profitability and competitiveness. A cybersecurity strategy is needed that
spans both IT and OT. This holistic approach is outlined in many industrial cyber security standards and
frameworks.

Cyber Risk Oversight
For boards and senior leadership of industrial firms and critical infrastructure sectors, cyber risk oversight is
becoming a business necessity;12 some would even say a fiduciary responsibility. At a minimum, leaders should
be able to show “due care” has been taken against inevitable cyber threats to plant assets and operations. Boards
and C-suite members do not always know what to ask and, as the Gartner research showed, the information
provided is not always helpful due to its technical nature. This set of 10 topics and questions13 can provide a
good, non-technical starting point.

11 https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
12 https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_ICS_Cybersecurity_C-Level_S508C.pdf
13 Adapted from DHS ICS-CERT Factsheet ICS Cybersecurity for the C-Level, FireEye Executive Cybersecurity Playbook, 2017 National
Association of Corporate Directors Handbook, NIST SP800-82r2, NIST SP800-53r4, CIS Top 20 Critical Security Controls

10 Areas of Cybersecurity Awareness & Cyber Risk Governance

Responsibility –
Who is responsible for cybersecurity in our plant operations?
How are we kept apprised of our cyber risks and impacts?
Do we have any cybersecurity insurance?

Monitoring and Reporting –
Who can brief us on our cybersecurity program?
How are we monitoring for threats and what industrial standards are being applied?
To whom is the status reported?
What are the key performance indicators and trends?

Cyber Risk Prioritization –
What is the most valuable asset our company has?
Who has identified and prioritized our assets and the potential consequences if our control systems were
compromised?
What would be the costs incurred if our plant was down for a week due to a cyber incident?

Internet Connectivity –
Who has the details on how our ICS environment is connected to the Internet?
What protections exist and who validated that those protections work?
Who has a map of our industrial networks?

Cyber Risk Prioritization –
Who can walk us through our risk profile (or risk posture)?
Who has identified the potential consequences if our control system was compromised?
Who can walk us through the criteria used to prioritize cyber risks?

Email –
What email access exists in our plant networks?
What protections and training have we instituted with our employees against phishing, spear-phishing and
malware?
How are we monitoring and measuring?

Remote Access –
Who manages remote access to our ICS network?
What is the purpose of that access and who uses it (by name and organization)?
How is it protected, monitored and documented?
Who can provide us this list?

Supply Chain/Third Parties –
What level of cybersecurity do we require of our supply chain partners, third parties and other connected resources?
Who validates the security they say is in place?
Who tracks changes when they’re needed and re-validates with the changes in place?



Incident Response –
Who can walk us through our last cyber incident and the incident response process?
What did we learn from our last incident and how have we documented the process?

Employee Education –
Who is responsible for our industrial cybersecurity awareness program, and associated employee training program?
What percentage of our employees has completed required training?
What are our metrics?

Summary
The cyber threat landscape is constantly changing and new attack scenarios present themselves all the time.
Recommended cybersecurity strategies and solutions are also continuously evolving. Both of these factors will
require boards and C-level executives to become more informed about what cyber risks exist in the plant and
what can be done about them to properly assess and manage cyber risk.

For more information on Belden, please visit www.belden.com.



SURPRISINGLY GENIUS!
Learn how to get a proven 80% security bang for your 20% security effort with
foundational ICS security that has been field-tested. This special Belden/Tripwire
e-book shares the expert insights you need to jump start your industrial security
program.

Get started – understand the impact of IT-OT convergence

Be prepared – know the signs of an industrial attack and learn from a real-world incident

Be strategic – conduct a risk assessment, apply defense-in-depth methods and choose the right security controls

Get Your Free Copy Now!

About the Authors

David Meltzer is the chief technology officer for Tripwire and serves as the chairman of Belden’s Global Technology Council.

Jeff Lund is Senior Director, Product Line Management, Industrial IT Division, at Belden.
