The Cybersecurity Journey: How to Begin an Integrated Cybersecurity Program. Version 1.0, March 2005




Legal and Copyright Notice

The Chemical Industry Data Exchange (CIDX) is a nonprofit corporation, incorporated in the State of New Jersey, which is exempt from federal taxation under Section 501(c)(6) of the Internal Revenue Code. This guide, The Cybersecurity Journey: How to Begin an Integrated Cybersecurity Program, has been developed in furtherance of CIDX's nonprofit and tax exempt purposes in accordance with the CIDX Intellectual Property Policy and is owned by CIDX. CIDX has taken reasonable measures to develop this Guide in a fair, reasonable, open, unbiased, and objective manner for the purpose of providing information and guidance to assist companies participating in the global chemical sector value chain in implementing cybersecurity management practices in conjunction with physical security in the chemical sector. However, the nature of appropriate practices or guidance is likely to change over time and with developments in technology. Therefore, inclusion of material in the Guide does not constitute a guarantee, warranty, or endorsement by CIDX regarding any guidance, methodologies, or preferences for conducting business, implementing any CIDX standards, or enhancing computer security. This Guide necessarily addresses problems of a general nature. Local, state, and federal laws and regulations should be reviewed with respect to particular circumstances. In publishing this work, CIDX is not undertaking to meet the duties of employers, manufacturers, or suppliers to warn and properly train and equip their employees, and others exposed, concerning health and safety risks and precautions, in compliance with local, state, or federal laws. This Guide provides baseline practices, examples, and resources to assist companies in addressing cybersecurity considerations as a component of corporate security management practices. The guidance is intended solely to stimulate thinking and offer helpful ideas.

It is in no way intended to establish a standard, legal obligation, or preferred option for any practice. Other approaches not described here may be just as effective or even more effective for a particular company. If a company so chooses, it may adopt any of this guidance or may modify it to fit the company's unique situation. Information concerning security, safety, and health risks and proper precautions with respect to particular materials and conditions should be obtained from the employer, manufacturer, or supplier of that material, or the material safety data sheet. Nothing contained in this Guide is to be construed as granting any right, by implication or otherwise, for the manufacture, sale, or use of any method, apparatus, or product covered by letters patent. Neither should anything contained in the publication be construed as insuring anyone against liability for infringement of letters patent. Further, neither CIDX nor its officers, directors, members, employees, or agents shall be liable for any loss, damage, or claim with respect to any such documents, work, or services; all such liabilities, including direct, special, indirect, or consequential damages, are expressly disclaimed. Information provided in the Guide is "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or freedom from infringement.

Table of Contents

Legal and Copyright Notice
1 Purpose
2 Establishing a Cybersecurity Program
3 Cybersecurity Management System Overview
4 Activities Required to Develop a Cybersecurity Program
5 Resources

1 Purpose

Most companies have already begun the process of addressing cybersecurity for their computer systems, although the processes and the practices used to achieve and sustain success are varied. The CIDX publication Guidance for Addressing Cybersecurity in the Chemical Sector provides detailed guidance about what should be in place in order to manage cybersecurity on an ongoing basis. However, the larger issue still remains: how does a company evolve its current process and practices to a more mature, integrated, and complete level? This document is intended to help you understand the various activities that must be integrated to establish a security program under the umbrella of a cybersecurity management system. It also provides a roadmap to help you recognize your current security position (Point A) and get to the desired, mature, integrated security level (Point B).

2 Establishing a Cybersecurity Program

Driven by increasing cybersecurity risks, many companies have taken a proactive approach towards Information Technology security. Certain sectors, like the chemical sector, have also begun to establish cybersecurity practices for process control systems and networks. Historically, Information Technology (IT) and Manufacturing organizations operated in two mutually exclusive areas, and the expertise and requirements of each organization were not understood or appreciated by the other. Issues arose as organizations tried to employ common IT security practices to manufacturing and control systems. In some cases, the security practices were in opposition to normal manufacturing practices designed to maximize safety and continuity of production. Because today's open information technologies are used extensively in manufacturing and control systems, additional knowledge is required to safely employ these technologies.

The goal is a mature security program that integrates all aspects of cybersecurity, incorporating desktop and business computing systems, manufacturing and control systems, and the value chain systems interacting with customers, suppliers, and transportation providers. Figure 1 shows the integration journey most businesses face while trying to reach maturity. As indicated in the graphic, many companies have fairly detailed and complete cybersecurity programs for their desktop and business computer systems, but cybersecurity management practices are not as fully developed for manufacturing and control systems and value chain systems.

Figure 1 Cybersecurity Program Maturity

While the desired end result is the same (a cybersecurity management system that encompasses all aspects of electronic security), every company's journey to achieve that goal will be different based on company objectives and tolerance for risk. Integrating cybersecurity into a company's standard practices is a cultural change that takes time and resources. As Figure 1 suggests, it cannot be achieved in one step. It is an evolution that standardizes the approach to cybersecurity. The security practices implemented are proportionate to the risk level and will vary from one company to another, and may even be different for various operations within the same company based on global needs and requirements. Individual policies and practices may also be different for each class of system within a company because the level of risk and security requirements is different. The cybersecurity management system establishes the overall program that accommodates these differences. Some of the options for handling the differences between the IT and manufacturing organizations and developing a mature cybersecurity management system include:

- training the manufacturing and process control personnel to understand technology and cybersecurity issues
- training IT personnel to understand manufacturing processes and technologies, along with the Process Safety Management (PSM) processes and methods
- developing practices that join the skill sets of both organizations to deal with cybersecurity collaboratively

For the cybersecurity program to be successful, you should bring together the right mix of people on both the mitigation projects and the overall Cybersecurity Management System program development. Figure 2 illustrates the skills and understanding that should be pulled together from multiple groups of people in order to reach the desired integrated, mature cybersecurity program state.

Figure 2 Integrated Resources

3 Cybersecurity Management System Overview

The cybersecurity management system is the umbrella set of security practices and policies that collectively are used to drive cybersecurity throughout the company. The management system addresses creation of the practices and policies, mitigation activities to reduce vulnerabilities, periodic reassessment of the changing landscape of vulnerabilities and the effectiveness of institutionalized practices, and finally, the overall effectiveness of the umbrella program. The maturity of the company's cybersecurity program increases as the elements of the cybersecurity management system are implemented. The complete cybersecurity management system consists of 19 key elements that take place in four major phases:

- Plan: Establish the scope and policy of the cybersecurity management system; identify, classify, and assess risks; and develop a business continuity plan.
- Do: Implement and operate the security management system and all its processes.
- Check: Monitor, assess, and measure performance and report results to management for review.
- Act: Take corrective and preventive actions and continually improve performance.

Figure 3 indicates that the activity is a continuous one. The program must be evergreen and will require upgrades to address the changing landscape of security risks.

Figure 3 Plan-Do-Check-Act Model (Plan: Establish; Do: Implement and Operate; Check: Monitor and Review; Act: Maintain and Improve the Cybersecurity Management System)

With any program, there is a starting point and a progression of activities to get to an end state. When applied to the development of an integrated security program, the high level phases can be thought of as taking place in overlapping stages along the maturity curve. This concept is depicted in Figure 4. Depending upon a company's starting point and security needs, the phases may compress or expand.

Figure 4 Phase Overlap

The Cybersecurity Management System (CSMS) defined in Guidance for Addressing Cybersecurity in the Chemical Sector maps the 19 key elements into four macro level Plan-Do-Check-Act phases of developing the overall security management system. In reality, there is a mini set of Plan-Do-Check-Act steps that will be done as each of the 19 key elements is implemented. The 19 elements are additive in nature and move the security program up the maturity curve. It is important to consider the overall design of the cybersecurity management system early and incorporate that thinking as you develop the program. While all the implementation details are not required, it is extremely important to establish responsibilities, accountabilities, corporate principles, and high-level policies that guide further development of the key Cybersecurity Management System elements and the overall program.

During the cybersecurity journey, you should identify the unsatisfactory risks that require the proper mitigating controls to reduce the level of risk. A common approach is to launch targeted projects that employ a project-based Plan-Do-Check-Act model. Figure 5 shows how individual projects contribute to a higher level of security practices as the program matures.

Figure 5 Cybersecurity Mitigation

4 Activities Required to Develop a Cybersecurity Program

This section explains the process activities involved in developing a security program through establishment of the cybersecurity management system. Descriptions are provided for each activity, along with information on where to find further information in the Guidance for Addressing Cybersecurity in the Chemical Sector publication. Realize that every company's approach to the process will be different based on the company's objectives, tolerance for risk, and degree of maturity of its cybersecurity program. Some companies may choose to combine or eliminate steps along the journey.

Some activities may be sequential and need to be completed before the next activity can begin; others can be done in parallel. Figure 6 shows the timeframe involved and points out areas where steps can be overlapped.

Figure 6 Activity Flow (the activities below are plotted against time and program maturity and grouped into the Plan, Do, Check, and Act phases; the legend distinguishes activities that must be completed before proceeding to the next activity from those that need not be). Activities shown: 1. Develop a Business Case; 2. Obtain Leadership Commitment, Support, and Funding; 3. Define the Charter and Scope for your Company; 4. Form a Team of Stakeholders; 5. Raise Security Awareness Through Training; 6. Characterize Key Risks that are Present; 7. Define Corporate Risk Tolerance Level; 8. Establish High-Level Security Policies to Support Risk Tolerance Level; 9. Perform Screening Assessment; 10. Organize for Security; 11. Prioritize Systems and Conduct Security Assessment; 12. Develop Detailed Security Policies and Practices; 13. Define the Standard Security Mitigation Controls and Criteria; 14. Begin Developing an Integrated Security Management System Plan; 15. Quick Fix; 16. Charter, Design, and Execute Security Mitigation Projects; 17. Refine and Implement Security Management System; 18. Adopt Continuous Improvement Operational Measures.

Activity 1 Develop a Business Case

The business case provides the justification (financial and business impact) for creating an integrated cybersecurity program. It should include detailed information about:

- the benefits of creating an integrated security program
- potential risks if the system is not created
- costs and resources required to develop the security program
- potential costs and damage scenarios if a system is not put in place
- a high-level overview of the process required to implement, operate, monitor, review, maintain, and improve the cybersecurity program

CIDX provides two reference documents that can be used to help support the business case:

- A Case for Taking Action on Cybersecurity
- Making the Case for Addressing Cybersecurity in Manufacturing Control Systems

Additional information can be found in Section 6.1 of the Guidance for Addressing Cybersecurity in the Chemical Sector.

Activity 2 Obtain Leadership Commitment, Support, and Funding

Present the business case to leadership for Information Technology, manufacturing and control systems, value chains, and third parties involved. Obtain buy-in and support from all involved parties, and determine how funding requirements will be divided. The business leadership will be responsible for approving and driving cybersecurity policies, assigning security roles, and implementing the cybersecurity program across the company.

Note: Funding for the entire program can usually be done in phases. While some funding may be required to start the cybersecurity activity, additional funding can be obtained later as the security vulnerabilities and needs of the program are better understood and additional strategies are developed.

Additional information can be found in Section 6.3 of the Guidance for Addressing Cybersecurity in the Chemical Sector.
Activity 3 Define the Charter/Scope for Your Company

Establish the corporate policy that defines the guiding charter of the security organization and the roles, responsibilities, and accountabilities of system owners and users. Decide upon and document the objective of the Cybersecurity Management System, the business organizations affected, all the computer systems and networks involved, the budget, resources required, and division of responsibilities. The scope can also address business, legal, and regulatory requirements, timetables, and responsibilities. There may already be a program in place or being developed on the Business/Information Technology side of your company. Find out whether anything is underway and if you can piggyback on an existing effort. In the long run, it will be easier to get results if you are able to share resources with others in your company who have similar objectives.

Refer to Sections 6.2, 6.3 and 6.4 in Guidance for Addressing Cybersecurity in the Chemical Sector for more details.

Activity 4 Form a Team of Stakeholders Who Will Be Impacted by Cybersecurity Incidents

As stated before, the objective for a cybersecurity management system is an integrated approach that involves traditional desktop and business computing systems, manufacturing and control systems, and value chain systems that interact with customers, suppliers, and transportation providers. While representatives from those organizations are automatic stakeholders in the cybersecurity program, the list of stakeholders impacted by cybersecurity incidents should extend to a broad range of disciplines and functions, including Human Resources, Security, and Legal. Determine what role the stakeholders should play in implementing a cybersecurity management system.

Activity 5 Raise Staff Security Awareness through Training

Installing a cybersecurity program may bring changes to the way in which personnel access computer programs, applications, and the computer desktop itself. Design effective training programs and communication vehicles to help employees understand why new access and control methods are required, ideas they can use to reduce risks, and the impact on the company if control methods are not incorporated. Training programs also demonstrate management's commitment to and value for a cybersecurity program. Feedback from staff exposed to this type of training can be a valuable source of input for refining the charter and scope as the project gets under way.

For additional information see Section 6.15 in the Guidance for Addressing Cybersecurity in the Chemical Sector.

Activity 6 Characterize the Key Risks that are Present

Each company must establish a risk tolerance profile ("threshold for pain") that defines acceptable risk regarding:

- safety of personnel
- financial loss or impact
- environmental and regulatory consequences
- damage to company image
- impact to investors
- loss of customer confidence
- impact on infrastructure

Establish the costs associated with each risk ahead of time so you are able to compare the benefit of doing nothing with that of implementing the proposed cybersecurity management system.

Refer to Section 6.1 in Guidance for Addressing Cybersecurity in the Chemical Sector for more details.

Activity 7 Define the Corporate Risk Tolerance Level that is Supported by Senior Leadership

Meet with senior leadership to obtain commitment and support for the risk tolerance level defined for the security program. Make sure leadership understands the costs associated with both the risks they are accepting and the cybersecurity management system they are underwriting. Leadership support will include involvement in creating and enforcing security policies to support the program.

For additional information see Section 6.1 in the Guidance for Addressing Cybersecurity in the Chemical Sector.

Activity 8 Establish High-Level Security Policies that Support the Risk Tolerance Level

Develop the security policies and gain approval from leadership. Communicate the policies so that everyone understands the objective of the policies, how to comply with them, how they are enforced, and by whom. Most companies already have a security program and policies that address traditional Information Technology assets and practices. An integrated cybersecurity policy defines and addresses the various risks associated with traditional Information Technology assets, as well as with manufacturing and control systems and other partners involved in the value chain. Remember that the policies addressing manufacturing and control systems assets and practices may differ from those applied to traditional Information Technology assets and practices because of the different requirements of each part of the business. Wholesale adoption (or rejection) of existing Information Technology policies is probably the wrong answer.

For additional information see Section 6.3 in the Guidance for Addressing Cybersecurity in the Chemical Sector.

Activity 9 Perform a Screening Assessment to Identify Major Systems or Classes of Systems that Exist and the Relative Risk Level Associated with the System

Identify the applications, computer systems, and networks within the information technology and manufacturing and control system areas. Assess each class of system to understand the financial and safety consequences in the event that confidentiality (measure of the importance of the data), integrity (measure of confidence in the accuracy of the data being accessed), or availability (measure of the reliability and ease with which data can be obtained when needed) of the system are compromised.

Refer to the Report on Evaluation of Cybersecurity Self-Assessment Tools and Methods. Additional information can be found in the Report on the Evaluation of Cybersecurity Vulnerability Assessment Methodologies & Processes v 2.0.

Activity 10 Organize for Security

Establish the organizational structure responsible for managing physical and cybersecurity within the company. Accountability for security may fall under one organization, or can be shared among multiple groups. If these security functions can be performed by an organization that is already in existence and charged with similar responsibilities (e.g., physical security might be properly the responsibility of the corporate police/security department), you can avoid the turf wars that may arise when gray areas of responsibility are addressed later. The organizational structure developed has responsibility for communicating direction, developing policies, and confirming that processes are in place to protect company assets and information.

For additional information see Section 6.4 in the Guidance for Addressing Cybersecurity in the Chemical Sector.

Activity 11 Prioritize Systems and Conduct a Detailed Security Assessment of Each Major System

Because every company has a limited set of resources, use the results of the screening assessment (Activity 9 above) to prioritize the systems to be addressed based upon the risk consequences. Begin with systems that have the highest consequence and perform a detailed security vulnerability assessment. The risk assessment will help identify any weaknesses that may be present in the system that could allow inappropriate access to systems and data, along with the related cybersecurity risks and mitigation approaches to reduce the risks. A typical risk assessment includes the following steps:

Determine the assets you need to protect. Determine the threats to those assets; typical threats include theft of information, falsification or loss of data, denial of service, system malfunction or application failure, and inappropriate system or application access. Use these threats to identify damage scenarios. Estimate the cost of compromise for each asset. For example, loss of accounting information might carry no permanent cost (especially if the data can be reconstructed from other sources), but loss of control of a process unit might have serious capital, environmental, and legal costs that cannot be mitigated after they occur. Complete the assessment of threats against your assets. The CIDX web site provides guidance on various security vulnerability assessment methodologies. Select a methodology that matches your company's culture and risk level. See Report on the Evaluation of Cybersecurity Vulnerability Assessment Methodologies & Processes v 2.0. Additional information can be found in Section 6.7 in the Guidance for Addressing Cybersecurity in the Chemical Sector.

Activity 12 Develop Detailed Security Policies and Practices

After the risks for the various systems are clearly understood, examine existing security policies to see whether they adequately address those risks. If needed, develop additional, sufficiently detailed policies and practices to address desktop and business systems, manufacturing and control systems, and value chain systems.

For additional information see Sections 6.3 and 6.8 in the Guidance for Addressing Cybersecurity in the Chemical Sector.

Activity 13 Define the Standard Set of Security Mitigation Controls to be Used and the Criteria for When to Use Them

Analyze the detailed risk assessment, identify the cost of mitigation for each risk, compare that cost with the expected loss from the risk (the cost of compromise weighted by its likelihood of occurrence), and select those mitigation controls whose cost is less than the risk they remove. Because it may be impractical or impossible to eliminate all risks, focus on mitigating risk for the most critical applications and infrastructures. The controls that address a specific risk may differ between kinds of systems; for example, user authentication controls may be different for corporate payroll systems, manufacturing and control systems, and e-business systems. Document and communicate the selected controls, along with the policies and procedures for using them.
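The selection rule in Activities 11 through 13 (estimate cost of compromise per damage scenario, weight it by likelihood, and adopt a control only where its cost is below the loss it avoids, working from the most critical and least recoverable systems downward) is short to state but easy to apply inconsistently across system classes. The following Python script is an added worked example, not part of the CIDX guidance; every asset, threat, likelihood, cost figure and control in it is a constructed illustration, and the per-class applicability of controls reflects the text's point that the same risk may need different controls on business, control and value chain systems.

```python
"""Risk-based selection of mitigation controls (a worked example).

Added illustration, not from the CIDX guidance. All assets, threats,
likelihoods, costs, and controls below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DamageScenario:
    asset: str
    system_class: str          # "business", "control", or "value chain"
    threat: str
    cost_of_compromise: float  # loss per event; small if data can be rebuilt
    annual_likelihood: float   # expected events per year
    recoverable: bool          # False if the damage cannot be undone afterwards

    @property
    def annual_expected_loss(self) -> float:
        """Cost of compromise weighted by likelihood of occurrence."""
        return self.cost_of_compromise * self.annual_likelihood


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    risk_reduction: float     # fraction of expected loss the control removes
    applies_to: frozenset     # system classes where this control is appropriate


def evaluate_control(scenario: DamageScenario, control: Control):
    """Return (avoided_loss, net_benefit), or None if the control does not
    apply to the scenario's system class."""
    if scenario.system_class not in control.applies_to:
        return None
    avoided = scenario.annual_expected_loss * control.risk_reduction
    return avoided, avoided - control.annual_cost


def select_controls(scenarios, controls):
    """Rank scenarios (irreversible damage first, then highest expected loss)
    and, for each, keep only applicable controls whose cost is below the loss
    they avoid. Returns a list of (asset, threat, expected_loss, chosen)
    where chosen is a list of (control name, avoided_loss, net_benefit)."""
    ranked = sorted(
        scenarios,
        key=lambda s: (not s.recoverable, s.annual_expected_loss),
        reverse=True,
    )
    plan = []
    for s in ranked:
        chosen = []
        for c in controls:
            result = evaluate_control(s, c)
            if result is not None and result[1] > 0:
                chosen.append((c.name, result[0], result[1]))
        chosen.sort(key=lambda t: t[2], reverse=True)
        plan.append((s.asset, s.threat, s.annual_expected_loss, chosen))
    return plan


# Constructed sample data (hypothetical figures, not sector statistics).
SCENARIOS = [
    DamageScenario("Accounting records", "business", "loss of data",
                   20_000, 0.5, recoverable=True),
    DamageScenario("Process unit controller", "control", "loss of control",
                   5_000_000, 0.05, recoverable=False),
    DamageScenario("Customer order portal", "value chain", "denial of service",
                   200_000, 0.2, recoverable=True),
    DamageScenario("Operator control station", "control",
                   "inappropriate access via e-mail or Internet",
                   1_000_000, 0.1, recoverable=False),
]

CONTROLS = [
    Control("Remove Internet and e-mail access from operator stations",
            5_000, 0.6, frozenset({"control"})),
    Control("Control-network firewall segmentation",
            40_000, 0.5, frozenset({"control", "value chain"})),
    Control("Two-factor authentication for business and e-business users",
            30_000, 0.4, frozenset({"business", "value chain"})),
    Control("Nightly backup with tested restore",
            8_000, 0.9, frozenset({"business"})),
]


if __name__ == "__main__":
    for asset, threat, loss, chosen in select_controls(SCENARIOS, CONTROLS):
        print(f"{asset} / {threat}: expected loss {loss:,.0f}/yr")
        if not chosen:
            print("  no control pays for itself; accept or escalate residual risk")
        for name, avoided, net in chosen:
            print(f"  adopt: {name} (avoids {avoided:,.0f}, net {net:,.0f})")
```

Running it shows the two irreversible control-system scenarios at the top of the list with both the quick fix and the segmentation control justified, the order portal with no control that pays for itself at these figures (a residual risk to record and escalate rather than silently drop), and the accounting records protected only by the cheap backup control. Changing a likelihood or a cost figure and re-running is the cheapest way to see which selections are sensitive to an estimate and therefore worth a second look.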

Refer to Section 6.8 in the Guidance for Addressing Cybersecurity in the Chemical Sector.

Activity 14 Begin Developing an Integrated Security Management System Plan

Establish the objectives and expectations of the security management system. Examine the existing site and business operating practices for the three classes of systems. Seek ways to incorporate enhancements into existing processes to meet the objectives of the overall security management system rather than starting fresh and developing an entirely new set of practices spanning all system classes. Seek ways to align, leverage solutions, and evolve existing practices to meet the need. For example, one of the 19 key elements of a security management system is employing adequate change management practices. This task involves separation of duties and good review and approval processes. For manufacturing and control systems, it may be more appropriate to align change management with existing process safety management practices. Minor enhancements to an existing, institutionalized process to meet the overall security management system objectives may be more readily accepted, adopted, and implemented at lower cost than creating a new separate process aligned with business IT processes.

Activity 15 Implement Quick Fix Activities

As you develop the integrated security plan, you may identify several risks that can be mitigated by quick fix solutions: low-cost, high-value practices that significantly reduce risk. Examples include restricting Internet access and eliminating e-mail access on operator control stations. Pick the low-hanging fruit and implement quick fix activities as soon as possible to begin reducing security risk and realizing benefits.

Refer to Section 6.8 in the Guidance for Addressing Cybersecurity in the Chemical Sector.

Activity 16 Charter, Design, and Execute Security Mitigation Projects

The corporate-wide risk reduction strategy may involve a series of actions on multiple systems (e.g., firewall installation, authentication controls, access controls, physical and environmental controls). Address the mitigation activities as individual projects, each with its own Plan-Do-Check-Act cycle. The Plan and Do phases (up-front design followed by installation) are the normal course of a project; it is important to follow installation with the Check and Act phases for each project as well. Start using the initial concepts of the compliance and review elements of the proposed security management system to confirm that the risk reduction objectives are actually being achieved.

For additional information see Sections 6.8 and 6.9 in the Guidance for Addressing Cybersecurity in the Chemical Sector.

Activity 17 Refine and Implement Cybersecurity Management System

Continuously monitor the cybersecurity management system to ensure that all processes are working correctly, and evaluate security performance. As changes occur to information technology and manufacturing and control systems, implement improvements as necessary so that the security management system stays in step with them.

- Implement change management, incident response, and system development processes
- Develop and implement integrated audit and compliance processes
- Develop and implement the processes to maintain and improve the security management system practices

Activity 18 Adopt Continuous Improvement Operational Measures (including Report and Analysis, Auditing of Management System)

Use a series of self-assessments and independent audits to measure and review the performance of the cybersecurity management system and evaluate performance against the program's policies and objectives. Identify appropriate corrective and preventive actions, prioritize them, and put them into place to further improve system performance. Use tools such as trend analysis or Six Sigma to identify areas for improvement and to measure whether improvements are sustained.

Refer to Sections 6.16, 6.18, and 6.19 in the Guidance for Addressing Cybersecurity in the Chemical Sector.

5 Resources

The following publications are available on the CIDX Web site. From the CIDX Home page, click the Cybersecurity link in the banner at the top of the page, then click Publications in the navigation pane on the left.

- A Case for Taking Action on Cybersecurity
- Guidance for Addressing Cybersecurity in the Chemical Sector
- Cybersecurity Reference Model
- Making the Case for Addressing Cybersecurity in Manufacturing Control Systems
- Report on the Evaluation of Cybersecurity Vulnerability Assessment Methodologies & Processes v2.0
- Report on the Evaluation of Cybersecurity Self-Assessment Tools and Methods

Additional reference information can be found on the CIDX web site. Follow the link to the Reference Material and Educational Library found under the Cybersecurity link on the web site.