Over the past decade the team at Byres Research and Byres Security has seen many successes and failures in the implementation of security programs for control systems. The single most important factor determining success is the development of a strong security policy at an early stage, leaving the details of specific security technologies such as patching, encryption or firewalls for later.
The security policy is simply a statement of the goals, responsibilities and accepted behaviors required to maintain a secure production environment. It defines the direction, gives broad guidance and demonstrates senior management support for security-related facilities and actions across the organization. The primary objectives of a typical industrial cyber security policy are to:
- Establish a secure production base and a safe and reliable processing environment;
- Effectively manage the risk of security exposure or compromise;
- Articulate the responsibilities of management, information technology staff and control systems staff for the protection of control systems;
- Promote understanding and compliance with all applicable laws and regulations;
- Protect the company and preserve management's options in the event of a security incident.
A security policy should be technology independent and should not include the implementing procedures and processes; these are best left for subsequent standards and guidelines documents. In other words, the security policy states what you want to achieve, not how to do it. It is worth noting that not all authors on cyber security share this view on the importance of separating the vision and objectives in a policy document from the technology and best practice in standards and guideline documents. Our experience has shown that combining the two can cause considerable difficulties for the organization: as technologies and day-to-day processes change, every such change then forces a revision of the policy itself.
Byres Research has guided many energy and manufacturing companies through the process of developing coherent control systems security policies. Typically the best are modeled after, and fit into, the existing company safety policy and structure, but with different individuals assigned to the key responsibilities. Once documented, these policies are introduced to employees in a variety of ways, such as security meetings, training programs, self-assessments and community programs for home security. Using these techniques can both reduce the cost of creating a policy program and ease the implementation of the policy, since they are based on principles and programs that are already familiar to staff.
Security Governance
Closely related to security policy is the creation of an infrastructure that defines the security roles and responsibilities of all individuals in the company. It is one of the main anchor points for governing any security program and ranges from the overarching duties of senior management to the personal duties of new employees and contractors. Without this infrastructure in place, most security programs will collapse under the pressure of daily operational demands. Nearly all industry standards highlight the need for a clear definition of responsibilities for company security. For example, American Petroleum Institute (API) Standard 1164 (page 21) states:
“The owner/operator should develop job responsibilities for key personnel including System Administrators, Security Coordinators, SCADA support personnel and controllers. Each employee should be required to follow these job responsibilities.”
Of course, security responsibility has many levels. Using the ISO/IEC 17799:2005 standard as a basis, Byres Research recommends breaking the security governance infrastructure into three main components:
- Management Security Forum - ensures that there is clear direction and visible management support for security initiatives. It also promotes security within the organization through appropriate commitment and adequate resourcing.
- Security Co-ordination Team - a cross-functional team of representatives from the relevant parts of the organization, which may be necessary to co-ordinate the design and implementation of security controls.
- Assignment of Security Responsibilities - responsibilities for the protection of specific assets and for carrying out specific security processes should be clearly defined. The security policy should provide general guidance on the assignment of security roles and responsibilities in the organization.
Finally, security responsibilities should be defined for all employees, addressed at the recruitment stage, included in contracts, and monitored throughout an individual's employment. This should cover any general responsibilities for implementing or maintaining the security policy as well as specific responsibilities for the protection of particular control system assets, or for the execution of particular security processes or activities. Byres Research can offer specific guidance and documentation for each of these steps.
Byres Security Inc. and Byres Research
P.O. Box 178
Lantzville BC V0R 2H0
Phone: 250-390-1333
Fax: 250-390-3899
Email: info@Byressecurity.com