Systems Security Engineering? For ICS?
So, what exactly is Systems Security Engineering? How does it apply to ICS OT? What resources exist that should be used in a disciplined Systems Security Engineering culture and methodology? Systems Security Engineering has become in many cases a forgotten skillset and disciplined multidisciplinary art that merges multiple worlds into a methodical, rigorous set of practices. NIST SP 800-160 was created to educate the engineering and cyber communities on the basics of system security engineering. Now more than ever it must see a revival and more specifically that revival must occur within the ICS OT community to make all societies safer, more secure and more resilient long-term. ISA and IEC have worked together to create a life cycle of international security and safety standards such as ISA/IEC 62443 and ISA84/IEC 61511. Various parts of the 62443 such as 3-3 for system level security capabilities, 4-1 for secure by design systems development and 4-2 for component and device level security capabilities can and should be leveraged throughout a rigorous systems security engineering discipline and set of practices. The key stakeholders I must address in system security engineering for ICS OT are the vendors and OEMs, integrators and solutions providers, asset owners and operators and dedicated full-time ICS OT cybersecurity focused professionals. The chain is only as strong as its weakest link. Systems Security Engineering requires all stakeholders to participate throughout the lifecycle of assets and operations that directly impact the safety, security and resiliency of societies and the infrastructures they depend on.
Why do we need it?
Many in industry have appeared to have abandoned the idea that secure design, security hardening, in-depth and robust prevention and protection can be done for industrial control systems (ICS) or operational technology (OT) as it is known today. As a career systems and cybersecurity professional I believe otherwise. I believe it is a societal imperative, due care, due diligence, and standard of good practices responsibility for all ICS OT, Industrial Internet of Things (IIoT), Internet of Things (IoT) and critical embedded devices to be designed, acceptance tested, validated, integrated, implemented, operated and maintained with safe, secure and resilient functional capabilities. I believe all stakeholders throughout the asset, environment, societal and ICS OT dependent infrastructure ecosystems should develop and maintain a proactive security culture and mindset throughout the life cycle of assets and operations. I believe that to not do so would put the very infrastructures, raw materials, consumed products, goods and services that society depends on at unnecessary and preventable risk. I believe this is especially paramount in this new era of technology convergence and integration of the physical, electronic, communications, societal and digital worlds. To many Systems Security Engineering is a lost art and a forgotten skillset within cybersecurity. However, when it comes to ICS OT IIoT IoT and critical embedded devices such as chillers, boilers, pumps, valves, breakers, safety systems and implantable medical devices, systems security engineering is absolutely essential.
In this new decade, the new roaring 20s of this 21st century, containing this fourth industrial age, a revival of systems security engineering should be seen as a societal imperative that is no longer optional. Systems security engineering is especially paramount for ICS OT use cases such as IIoT and IoT integration. It is unsafe and unwise for society to continue down the path of automate everything, converge everything and make everything smart without ensuring a social construct that embeds systems security engineering rigor into everything that we make, integrate and operate. The leaders of this new era will be those who have the fortitude to put societal safety, security and resilience above their financial and or political bottom line. How do we measure the cost to society moving forward if we continue to neglect systems security engineering as a culture? The next couple of decades will be the final judge as we build out the infrastructures of tomorrow today without thinking of the future. The wise will leverage NIST SP 800-160 in combination with ISA/IEC 62443 3-3, 4-1, 4-2 and ISA84/IEC 61511 to ensure that all ICS OT is built, verified, tested, validated, integrated, operated, maintained and disposed of from a systems security engineering rigor perspective as a cultural way of life across all domains and all levels of society.
About the Author
Isiah Jones is a Senior ICS OT Cybersecurity Engineer and Cyber professional with 15 years of progressive experiences in various aspects of IT, security, assurance, and ICS OT. Working exclusively on ICS security since 2014. Isiah has performed ICS OT cybersecurity work in the Middle East, East Africa, Europe, Hawaii, and throughout the continental United States. Isiah has delivered cyber IT or ICS OT security services or support for the US Navy, US Marine Corps, Siemens, FERC, and many commercial asset owners, ICS OEMs, ICS integrators and operators across several sectors and asset type verticals globally.
Isiah has held national security clearances as high as TS/SCI and Q. He has had a network of affiliations that reach into the US intelligence community, Defense community, US Congress, FERC, Department of Energy, Depart of Homeland Security, Department of Commerce, National Labs, ICS OEM vendors, ICS integrators, and asset owners/operators. He is a former US Navy civil services Information Assurance Officer (IAO) and Systems Analyst as well as a former FERC civil services GS-15 subject matter expert on ICS OT cybersecurity for US national security critical energy infrastructures. He is also a former ICS OT cyber mission assurance and Information Systems Security Engineering (ISSE) consultant and contractor. He is an active volunteer contributor on multiple working groups within the ISA/IEC 62443 international standards committee, the ISA84 standards committee working group for cybersecurity for safety systems as well as multiple committees within American Water Works Association (AWWA). He brings well rounded experiences, access, insights, connections and visibility into critical infrastructure security issues across many asset types and sectors (water, wastewater, electric, oil, gas, LNG, building automation, airfields, maritime, hydro dams, manufacturing, life sciences, logistics & warehouse, ERP etcetera).
For the full paper, download it here.