Editor’s note: The following responses were provided by Matthew Rogers, the Industrial Control System Cybersecurity Lead at the Cybersecurity and Infrastructure Security Agency (CISA; www.cisa.gov), part of the U.S. Department of Homeland Security (www.dhs.gov). The statements were provided in response to questions from Chemical Engineering. The questions and answers are related to a recent article published in the January 2024 issue of Chemical Engineering on operational technology (OT) cybersecurity. The responses did not arrive in time for inclusion in the print edition of the magazine, but are presented here as a supplement to the cybersecurity article.
Matthew Rogers, PhD, is an Industrial Control Systems (ICS) Cyber Security Expert in the Office of the Technical Director at CISA. He received a PhD in securing legacy operational technology (OT) vehicle networks from the University of Oxford on a Rhodes Scholarship. Matthew worked as the founding engineer at a vehicle and weapon system cybersecurity startup before pursuing broader ICS cybersecurity efforts at MITRE. At CISA, Matthew focuses on ICS Strategy and how ICS Research and Development efforts can be transitioned to effective tools for critical infrastructure sectors.
Introductory statement from Matt Rogers on securing OT and ICS:
MR: “The rapidly growing cybersecurity threat to operational technology (OT) and industrial control systems (ICS), particularly across critical infrastructure, is one of CISA’s highest priorities. While CISA provides a variety of services and recommendations around securing OT and ICS, one place we would encourage industrial and manufacturing companies to start in assessing their disposition is to review CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) for critical infrastructure. Based on our operational experience, our role as the Chemical Sector Risk Management Agency, and the input of numerous OT experts, we believe that the collection of goals in the CPGs represents the most impactful actions that companies can and should take to secure their OT and ICS environments. We would like companies to assess how well they are executing the CPGs, and when they determine there might be goals they are perhaps falling short on or have not yet implemented, to prioritize those areas for investment and improvement.”
CE: What are the most significant challenges (or gaps, or areas of need) facing companies operating industrial plants (including chemical manufacturing, petroleum refining and others) when it comes to operational technology (OT) cybersecurity?
MR: “The main challenges can be summarized as not knowing what you have, not having the same security foundations built into OT networks, and a general skills and availability gap for OT cybersecurity expertise.
Asset management best practices can solve the first problem, but it takes a process in addition to technology. Operators need to walk the floor to see what exists. Configuration management processes need to track any new devices, or changes to existing devices.
Security foundations such as multifactor authentication, role-based access control, logging and monitoring, and secure communication are often missing in OT environments. This lack is why segmentation is so important. Legacy OT networks are built for safety, not for security.
Across critical infrastructure, the skills gap and availability of cybersecurity expertise can make staffing difficult. CISA always recommends that the IT security and OT teams talk to see where resources can be shared, and ensure that IT teams understand the unique constraints of operational systems.”
CE: How has the approach to OT cybersecurity at chemical process facilities changed over the past 2-3 years?
MR: “In October 2022, CISA released the Cross-Sector Cybersecurity Performance Goals for Critical Infrastructure, or CPGs. These voluntary practices outline the highest-priority baseline measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats. Both the Cybersecurity Performance Goals and the development and publication of the Chemical Sector Specific Goals are intended to serve as a common minimum baseline of performance goals for both IT and OT owners and operators.”
CE: Where have you seen positive progress made in how OT cybersecurity is designed and executed?
MR: “The Chemical Sector has leaned into enhancing the resilience of chemical facilities through increased awareness of cybersecurity resources and tools. At CISA we have seen an increase in adoption of CISA services (CyHy, etc.), and during the quarterly meetings with the chemical sector security directors and associations a greater focus has been on bringing awareness of cybersecurity to the entire chemical sector, from large to small companies. In October 2022, the White House officially kicked off the Industrial Control Systems Cybersecurity Initiative for the Chemical Sector, a voluntary and collaborative effort between the federal government and the critical infrastructure community to promote a high standard of cybersecurity across the Chemical Sector and facilitate the deployment of technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings of cyber threats that could degrade critical operations. During this effort, participant organizations were encouraged to adopt, or begin the process of planning to adopt, ICS monitoring solutions. The Initiative was developed from feedback, input, and engagement from the chemical industry and interagency partners.”
CE: What new initiatives/programs/standards from CISA having to do with OT cybersecurity would you say have the most momentum and focus right now?
MR: “The Cybersecurity Performance Goals (CPGs) are our primary focus for OT guidance as we strive to create a stronger security foundation in OT networks, as well as the interconnected IT components. As for broader CISA initiatives, our push to make devices secure by design and default applies to the entirety of cybersecurity. This push is meant to help take the burden of security from the consumers (plant owners and operators) and put it onto producers of the technology. CISA’s ChemLock is a voluntary program available to all facilities that possess dangerous chemicals to help them improve their cyber and physical chemical security posture. The ChemLock program provides a variety of no-cost services and tools, including onsite assessments and assistance, training, exercises, and a range of online resources including guides, templates, fact sheets, and more. If learning while doing is of interest, we encourage chemical sites to either work with CISA to develop a Tabletop Exercise for your site, or leverage one of the prepared CISA Tabletop Exercise Packages which include template exercise objectives, scenarios, and discussion questions as well as a collection of references and resources that incorporate various cyber threat vectors including ransomware, insider threats, phishing, and Industrial Control System (ICS) compromise.”
CE: Are there a few recommendations that you would make regarding best practices for an OT-specific program for cybersecurity at industrial process facilities?
MR: “If you don’t already have a relationship with your CISA cybersecurity advisor (CSA) or chemical security inspector (CSI), reach out for up-to-date security guidance, and streamlined incident reporting through the CISA Regional webpage. Covering all 50 states and five US Territories, there is a member of Team CISA near you happy to help secure the sector.
For quick security wins we recommend ICS facilities:
- Ensure that PLCs are kept off the public-facing internet.
- Use multifactor authentication (MFA) for any remote access. This is typically done on a jumphost into the OT network, or on a remote desktop protocol (RDP) gateway.
- Back up any PLC logic and configurations. This helps you recover quickly, regardless of whether you are recovering from a ransomware incident or an unexpected technology failure.
- Regularly test off-boarding processes to remove access for departing employees.
For longer term processes and investments:
- Implement segmentation between the IT and OT network.
- Conduct downtime exercises to retain operator skills on manual controls, specifically exercises for safely maintaining and shutting down a process. This is usually done in the greater context of testing an incident response plan.”
CE: Are there any additional comments related to cybersecurity at chemical facilities that you would like to make?
MR: “CISA coordinates the critical infrastructure security and resilience efforts by creating and fostering trusted partnerships with the chemical sector. As the Chemical Sector Risk Management Agency (SRMA) we facilitate the public-private partnership through interaction with facility owners and operators, chemical sector associations, and government partners. Working together, we develop strategic goals to mitigate risk and improve resilience. CISA provides and promotes education, training, information sharing, and outreach support that address physical and cybersecurity risks and drive security and resilience activities and programs. If your company is interested in learning more about the private sector involvement with the Chemical SRMA, contact your affiliated association listed on the Chemical Sector Coordinating Council charter.”