This piece was originally published in the July 2018 issue of electroindustry.
Steve Griffith, PMP, Industry Director, NEMA
Mr. Griffith is the NEMA industry director for the Transportation Systems Division and the principal staff liaison for NEMA’s Internet of Things and Cybersecurity activities.
Whether a breach in cybersecurity results in a power outage (and the resulting disruption to homes, businesses, hospitals, etc.), stolen financial information or intellectual property, compromised medical imaging data, or even a hacked vehicle that can be controlled remotely, cyberattacks have the potential to cause serious harm to life, property, and well-being.
Protecting electrical and medical imaging products and systems from unauthorized access without compromising functionality is an evolving challenge. NEMA Members make products that are used in critical infrastructure around the world. They manufacture increasingly secure products to reduce the risk that these critical systems will be compromised. Furthermore, they understand the shared responsibility they have with multiple stakeholders such as the federal government, private industry, and end users.
Since 2012, NEMA and its Member companies have showcased how industry best practices and standards can secure their supply chains, operations, and products. In 2015, NEMA published an industry consensus white paper on cybersecurity supply chain best practices for manufacturers. NEMA CPSP 1-2015 Supply Chain Best Practices identifies guidelines that electrical equipment manufacturers can implement during product development to minimize the possibility that bugs, malware, viruses, and other exploits can be used to negatively impact product operation.
The document addresses supply chain integrity in the United States through four phases of a product’s lifecycle:
- Manufacturing. An analysis during manufacturing and assembly to detect and eliminate anomalies in the embedded components of the product’s supply chain;
- Tamper-proofing to ensure that the configurations of the manufactured devices have not been altered between the production line and the operating environment;
- Ways that a manufactured device enables asset owners to comply with security requirements and necessities of the regulated environment (Security Development Life Cycle); and
- End of life. Decommissioning and revocation processes to prevent compromised or obsolete devices from being used as a means to penetrate active security networks.
Positive feedback launched new opportunities for NEMA and its Member companies to become actively engaged in broader cybersecurity discussions.
With the increasing trend of Internet of Things (IoT) products and systems, cybersecurity attacks are becoming more sophisticated. Two notable examples are the WannaCry ransomware and the Mirai botnet. The WannaCry attack was propagated through an exploit in an older Windows operating system and affected more than 300,000 computers across 150 countries. The Mirai botnet affected more than 300,000 IoT devices using default or weak passwords and created nearly 600 megabits per second (Mbps) of disruptive internet traffic to all the sites affected, bringing down a huge chunk of the internet.
To achieve security within the domain, there is an increasing need to adapt a good cyber hygiene strategy. This means that we are making sure that devices and systems are protected and maintained appropriately using cybersecurity best practices for anything and everything that connects to the web. This includes organizing security in hardware, software, and IT infrastructure; continuous network monitoring; and employee awareness and training.
NEMA’s second major cybersecurity work commenced in 2017. It aimed to develop a document identifying a set of industry best practices and guidelines for electrical equipment and medical imaging manufacturers to help raise their level of cybersecurity sophistication in their manufacturing facilities and engineering processes. The resulting document, NEMA CPSP 2-2018 Cyber Hygiene Best Practices, was published on April 27, 2018.
The guideline document lists seven fundamental principles:
- Segmenting Networks—Separating an organization’s manufacturing network (the OT zone) from its business or public network (the IT zone).
- Understanding Data Types and Flows—Manufacturers need an understanding of the applications into which their products are being deployed, as the application often dictates what type of data typically runs through it.
- Monitoring Devices and Systems—In particular the health and security of their devices and systems.
- User Management—End-user capabilities are broken down into four areas:
- Administration (the ability to add, modify, and delete any user and corresponding credentials within the system)
- Authentication (the ability to change default passwords upon first login)
- Authorization (providing role-based access)
- Auditing (the ability to record user login/logout attempts)
- Hardening Devices—Turning off or disabling a number of device features that are not needed or may have inherent security risks.
- Updating Devices—Knowing when and how to properly patch.
- Providing a Recovery Plan or Escalation Process—What to do if a vulnerability is found in the manufactured device, including the possibility of an active exploit against the device.
For each fundamental principle, the document lists corresponding threats and implications, additional reference material, and general recommendations on manufacturer’s best practices.
With the evolving cybersecurity landscape, NEMA and its Member companies will continue to adapt, advance, and be a resource for stakeholders across the critical infrastructure sectors. A future work project is proposed to address cyber hygiene from the end-user/application perspective.