rotecting your site has always been a requirement to ensure the continuity of your business. Physical security is a given. Spending money and time to obtain land, build structures and protect tangible assets is expected. Physical security, just like operational safety, protects against an easily quantifiable loss. Loss is measurable and understood.
But for those who manage an operational site and perhaps those who provide an infrastructure service, securing a site against physical, cyber, human, and weather events can seem overwhelming. In fact it can seem so overwhelming that many see it as insurmountable and simply accept most risks with the hopes that they simply remain lucky.
However, anyone who has been the victim of a security incident can attest to the fact that prevention is much less painful than reaction. The cost of an incident to an operating business can be steep, with lasting effects that can make recovering a challenge. Tackling the many risks of a technology-filled environment requires a new view of security.
Operational security is the merging of critical components that facilitate the continuity of operations, and subsequently business. These components are:
For decades, operational sites such as infrastructure services and manufacturing facilities enjoyed security through obscurity. Systems operated on a stand-alone basis, and perimeter security around the site was enough protection. But given the interconnectedness of processes from operations to billing to customer and partner sites, cyber risks abound. Likewise, human interactions with these systems pose many risks, not necessarily intentional or malicious, but accidental. We also see the reliance on cyber technology to provide physical security through ingress/egress systems, surveillance, and forensics. The presence of risk across these interdependent systems requires a new way of addressing protection, prevention and mitigation.
Solve This Equation
Understanding risk and the ability to identify it at your site is the first step. Scientifically, risk is defined with an equation, R(f) = T x V x C, where risk is a function of a plausible threat, existing vulnerability, and observed consequence. (T) Threat, is defined as the existence of an entity to do harm. Identifying every possible plausible threat to your site is difficult, so we rely on other parts of the equation to measure risk. (V) Vulnerability, is the existence of a weakness at your site that would provide a threat with a mechanism to do harm. Vulnerabilities can exist in the physical structures, human and automated processes and individual systems. (C) Consequence, is the observed or measured result of a threat that successfully exploits a vulnerability. While there is little that anyone can do to remove a threat, vulnerabilities at the site can be mitigated.
Understanding the potential consequences associated with risk can help to prioritize mitigations and identify a return on investment.
Consequences can be tangible and intangible. Physical damage to a site or equipment, downtime and human injury can be measured. Intangible consequences are consumer and public confidence, negative press and customer doubts. These can certainly lead to economic consequences, but they are difficult to quantify upfront. Without a clear return on investment, it can be difficult to dedicate resources to security, which is viewed much like insurance. We rely mainly on the values of the organization and map corporate objectives and business continuity to risk, mitigating as much as possible through a comprehensive view of operational security.
Operational security offers the ability to better mitigate risk by addressing interdependencies, applying layers of security, and reducing vulnerabilities across the site as a whole. Operational security should facilitate operations, rather than hinder them. An approach to operational security is outlined below. It is important to note that while implementation of operational security requires resources, it does not always require dollars for new technology or additional staff. In many cases, organizations find low-hanging fruit, such as policy changes, that mitigate risks and establish a culture of security. Ranking risks and selecting mitigations based on organizational values and return on investment is the key.
The process may sound extensive, but for many organizations, the lengthiest phase is planning. It can sometimes be difficult to enumerate organizational objectives and determine the most important critical aspects of site operations. Once these are determined, it can often be easy to deploy security controls. If security is viewed as just another aspect of operations, and something that facilitates business, it can be easier to implement and maintain. Although preventing a security incident is the most desirable, spending time on prevention can often slip in priorities. Reacting to and recovering from an incident is typically much more costly and difficult.
Viewing Security in a New Light
Infrastructure such as energy, manufacturing, telecommunications, and other critical services, can be difficult to protect, and they require a different approach to security. These sites often have 7/24/365 uptime with high consequences of downtime. For many years, operations were contained within the site's perimeter, and no external networks posed an attack vector. Many operational sites use systems for great lengths of time. It is not unusual to see an operational system over 10 years old. These systems had little initial security, and it can be tough to bolt security onto a very dated system.
Operational sites are very attractive targets. Disruption of critical services and damage to the supply chain are often the goals of those with malicious intent. Because the primary objective of an operational site is to produce a product or service without disruption, there are often few restrictions, outside of safety, on what people can do inside the site. This means that without operational policies and security guidelines in place, trusted insiders can knowingly or unknowingly create a security risk. Likewise, establishing a culture of security is a new approach for many sectors such as manufacturing and services, which historically were never considered attractive targets.
Possibly the most difficult barrier to implementing operational security is the culture or perception around risk and security. Without fully understanding potential security risks, it's unlikely that resources will be allocated to implement operational security. Many feel that operational security risks are too big of a problem to tackle or feel that it simply "won't happen to me." Many of the new threats recently identified prove that operational sites may be increasingly targeted in the future.
Cyber Attacks Far Too Real
Unfortunately recent cyber events simply highlight the targeting of operational sites and infrastructure. Stuxnet targeted Siemens systems in a control environment. Stuxnet was a sophisticated attack that leveraged several system vulnerabilities. This took planning and resources to create. Although there are many arguments surrounding its origin and the extent of its effects, one thing is certain: It confirmed the fact that control systems and operational environments were targets, and those industries could no longer rely on a lack of incidents to rationalize the existence of poor defenses.
Many accept that cyber security is a good idea, even required. But in reality, it requires allocated resources, planning, and management to ensure security is maintained.
Stuxnet was not an isolated threat. We now have Duqu. Many feel that Duqu shares the same author as Stuxnet. While it does not target a specific control system, evidence has been reported from countless sources that it is targeting control system and operational environments.
It's unlikely that this class of threat will disappear — in fact we should all expect the opposite. There are many reasons why we have successful threats in these environments: increased reliance on standard operating systems, increased interconnection of systems, and reliance on technology in general. Operational environments have come to depend upon technology and connectivity to operate more effectively. Given that, there is an increasing need to address security in a way that supports business and ensures uptime.
The Path Forward
Incidents in the news, tight budgets, schedules and a complicated technical environment can make securing an operational site feel like a huge challenge. A good plan with clear objectives can make the process much easier. Considering operational security as it relates to your core business goals ensures that you take a comprehensive view to security, rather than a piece-meal approach or even waiting to react to an incident. A few points in the path forward include:
It is important to dedicate some resources to security, but it is possible to target low-hanging fruit by recognizing mitigations with high security value and minimal implementation costs. Promoting a culture of security in everyday operations can have minimal costs but very high impact. It is also important to empower personnel at the site to achieve a culture of security and view security as an integrated part of operations, rather than an added responsibility to already busy personnel.
Operational security is achievable. It requires a new way of approaching security that includes people, processes, physical protection, cyber protection and policies. The results create a resilient operational site with strong protective mechanisms. This ensures operational continuity and promotes a focus on meeting business objectives. Dedicating a small amount of time and effort into prevention can go far toward ensuring operational stability. It is far cheaper and easier to address security to protect against an event rather than reacting to one.
Annie McIntyre is the president of Ardua Strategies, Inc. [www.arduastrategies.com], in Paris, Texas, which provides solutions for the cyber and operational security issues of energy and infrastructure, focusing on oil and gas. Prior to founding Ardua Strategies, Ms. McIntyre was a Principal Member of Technical Staff and Program Manager at Sandia National Laboratories in Albuquerque, New Mexico. Her research areas at Sandia included threats, vulnerabilities, and protection of critical infrastructure systems, and cyber security for fossil and renewable energy systems.