Co-written by Todd Stauffer, Director of Alarm Management Services at exida
A wise man once said, “You can’t manage what you don’t measure.” Let’s apply this to the world of cybersecurity to discuss the importance of cybersecurity metrics and how they are different from a cyber diagnostic and a cyber alarm.
Cybersecurity Metrics are usually defined in terms of either leading or lagging performance. Think of cyber metrics as the Key Performance Indicators (KPI’s) that help you evaluate your cybersecurity performance and whether things are improving or getting worse. Audits or performance measurements /calculations of specific work processes or cyber events are the norm. However, the addition of performance expectations or specific target goals for each metric allows for an expectation of performance level.
Metrics may include but are not necessarily limited to:
- Audits & Performance summaries of policies, procedures, and results of various Industrial Control System Metrics (KPI’s);
- ICS systems logs;
- ICS system patching updates;
- ICS Malware table updates;
- ICS network MOC’s;
- ICS Inventory Update;
- Mean time to detected cyber intrusion;
- Mean time to recover from cyber intrusion
The KPI’s or metrics should be designed as a dashboard of performance that can be reviewed by management to ensure the organization is following what is written or is achieving expected operating performance allowing any areas where improvement is needed to be addressed.
Cybersecurity diagnostics represent faults that have been identified that need to be addressed. They are divided into two categories: active and passive. These diagnostics are either real time (notifications) or an offline review of the countermeasure status, health, or acknowledgment of abnormalities and rationalization of said anomaly(s).
Active Diagnostics relate to the operating performance of a specific countermeasure (to prevent a cybersecurity intrusion). A diagnostic alerts the team responsible for that countermeasure that it is not operating as designed or the countermeasure has detected an anomaly that is unexplained. Examples of active diagnostics include:
- Switch or Router Fault alarms;
- Firewall fault alarms;
- ISD/ISP fault alarms
Passive Diagnostics also relate to the operating performance of a specific countermeasure. This diagnostic requires an administrative review to determine if the anomaly requires action or no action, therefore, some time passes before an issue is identified. Examples of passive diagnostics include:
- SYS Logs review;
- Controller Diagnostic Buffer Review;
- Review of ICS Alerts;
- Group Policy Review
Cybersecurity alarms is a relatively new concept. Per ISA 18.2 / IEC 62682, an alarm is an audible and/or visual means of indicating to the operator there is an equipment malfunction, process deviation, or other abnormal condition requiring a timely response.
A cybersecurity alarm provides indication that some portion of your ICS system has been compromised and requires operator response. For example, it may provide indication that the operating code in an ICS controller has been modified. This alarm could provide real-time information to the operator that the cyber protective system, the BPCS, or SIS operating code has been or could be compromised and requires response to prevent escalation.
This begs the question: “Can I create cyber alarms with my current ICS system?”
There may be functions within your current DCS or PLC that facilitate this objective. Reach out to your vendor and ask the question. One thing to look for is diagnostics that can give a high-level view of processor and memory operations between scan cycles of the DCS or PLC. In addition, can the last cycle data be compared with the current completed cycle? “ A little technology hint, take a look at the term CRC.”
Operator response to abnormal situation management, process upsets, and cyber or physical security anomalies are part of the job. Cyber alarms can provide additional tools to ensure safe, secure, stable, and profitable operations.