As a fundamental part of its activity, the Industrial Cyber Security Center (CCI) has held its VIII International Congress of Industrial Cybersecurity, one of the reference events for the Latin American market and a meeting point for the exchange of knowledge, experiences and relationships among all the actors involved in this field.
The central theme of this new edition was the current state of cybersecurity in Latin American industry, and it presented for the first time a benchmark of the situation in Argentina, Brazil, Colombia, Chile, Peru and Uruguay. The congress also featured prominent experts who presented solutions and success stories in industrial organizations.
This eighth meeting was held at the Hotel Sol de Oro (Calle San Martín 305, Miraflores, Lima, Peru) on June 7 and 8. Alongside it, a workshop on the theme “Applying Cybersecurity in the Life Cycle of an Industrial Automation Project” was held on June 6.
The following chronicle was prepared by Segurilatam, a collaborator of this Congress.
José Valiente, director of the CCI, opened the conference by presenting the Center's main objective: raising awareness of the technological risks facing industry. For that reason, its activities focus on sharing experiences on industrial cybersecurity through its documents, specialized workshops, events and congresses, such as the one held in the Peruvian capital. CCI has an international reach, with representatives in fifteen countries, more than half of which are in Latin America. Valiente explained that it has an ecosystem of more than 1,200 members, including industrial organizations, manufacturers and integrators, universities, experts in different areas of security, etc.
In keeping with the theme of the VIII International Congress, Ernesto Landa and Jorge Abanto, CCI coordinators in Peru, presented some of the main conclusions of the study on the state of industrial cybersecurity in Peru 2017. Among them, it should be noted that 21 percent of the organizations consulted have not assessed the level of risk in their automation and control systems and that 17 percent have not segmented the corporate and industrial networks. But, the speakers stressed, it is not all bad news, since 77 percent plan to undertake new activities in the field of industrial cybersecurity. To promote the latter, they proposed, among other solutions, greater regulation, since, unfortunately, “in the industrial sector there is no real awareness about the threats”.
César Vílchez, undersecretary of Digital Technologies of the Digital Government Secretariat, announced the public policies being carried out in Peru to guarantee the provision of essential services to all citizens. Vílchez warned that “talking about cybersecurity applied to industry is not something that can materialize overnight. We need to plan and dedicate economic resources to that goal”, while expressing the Government’s desire to make Peru an industrial country. “And to be a proactive nation,” he said, “information and communication technologies (ICTs) play a very important role.”
With a broader geographical perspective, Claudio Caracciolo, general coordinator for Latam of the CCI, then presented the Study on the state of industrial cybersecurity in Latin America, prepared after consulting organizations in Argentina, Brazil, Colombia, Chile, Peru and Uruguay. “A report,” said Caracciolo, “which shows that the assessment of the level of risk in control and automation systems is a pending issue.” He noted that there is a high level of equipment connected to the Internet in the region and that there is centralized incident management, something that can be seen in the formation of the CERT.
Speaking again, this time as a presenter, José Valiente addressed a subject as relevant as cybersecurity in the life cycle of an industrial automation project, using an automation project in Oil & Gas as an example and highlighting the consequences of not adequately addressing cybersecurity requirements. During his didactic talk, the director of the CCI placed special emphasis on the fact that, when tackling an industrial automation project, the challenges are many and of great importance (technical, economic, quality and planning), which makes essential the presence of a cybersecurity officer responsible for coordinating cybersecurity activities correctly.
To help organizations in this area, Valiente recommended the document Cybersecurity in the life cycle of an industrial automation project, available in the CCI Publications section, https://www.cci-es.org/publications. The pocket guide Cybersecurity in the industrial automation pyramid is also available for free.
Claudio Caracciolo, on this occasion as head of Security at ElevenPaths, referred to the Cybersecurity process maturity evaluation tool in industrial organizations in the introduction to his paper titled “When scans do not reach”. In his talk he welcomed the existence of different books and documents dedicated to industrial cybersecurity, but lamented that, when a scan has to be performed, people “use the tools that are used for everything”. He therefore encouraged the use of specific solutions and the implementation of policies such as industrial cybersecurity master plans.
Before lunch, Miguel García-Menéndez, vice-president of CCI, moderated the round table Regulatory framework and relations between the areas of information systems and industrial control systems, in which Ernesto Landa, Claudio Caracciolo and Patrick Miller, CCI Ambassador to the US and President Emeritus of EnergySec, took part.
On the first question raised by Miguel García-Menéndez (what importance do you give the human component regarding the risks of technologies in both a corporate and an industrial environment?), Ernesto Landa said that “within organizations it is essential to raise awareness among managers and to have the support of top management, and to achieve this, it is necessary to speak their own language.” “Without doubt, awareness must be linked to the strategic business plan,” he said. On this comment, the moderator recalled that the latest document prepared by the CCI (Benefits of cybersecurity for industrial enterprises) is aimed precisely at senior management.
Patrick Miller said that “the technology is certainly for humans, a human can meet many requirements and technology is there, playing a very important role, but our actions are too,” while Claudio Caracciolo agreed with Ernesto Landa that “it is vital to raise awareness and that the different departments of an organization interact.”
In addition, the panel discussed issues such as the aspects of the internal regulatory framework applied to information systems that could also benefit industrial control, the main difficulties organizations encounter in achieving understanding between the IT and OT areas, and the priorities for action in integrating both departments. In relation to the latter, the representative of ElevenPaths insisted that “the two parties have to interact, meet and agree.”
In the evening, Enrique Domínguez and David Marco, strategic director of cybersecurity and head of Entelgy Industrial Cyber Security, respectively, gave a talk on the importance of properly managing incidents in the industrial field. The former gave a brief introduction to InnoTec’s position within Entelgy in the cybersecurity sector and its wide range of services for the entire protection cycle of connected industrial systems, the basis of the secure management of critical infrastructures.
The latter explored how prevention, detection and effective management of security incidents in industrial systems ensure resilience. Marco showed attendees that the organizations better prepared to face the new challenges and threats presented by cyberspace are also more competitive and better able to respond effectively to situations that may compromise their activity. In the case of Entelgy, he proposes “to be flexible” and “to have no packetized solutions”. Molds are set aside, as each client requires personalized cybersecurity.
Patrick Miller then spoke. The American expert explained several lessons and exposed some myths. During his speech, EnergySec’s president emeritus stated that there is no technology that solves problems and claimed that there are enemies everywhere for whom you should always be prepared. As he had argued at the morning round table, he maintained that human intervention becomes more important as organizations increase their automation. Regarding the latter, he said that organizations tend to acquire many tools that they do not manage properly and that generate more complexity, when it is advisable to simplify security.
In the final stretch, Miguel García-Menéndez dealt with some norms and regulatory frameworks that have appeared in Europe in recent years and are linked to cybersecurity. Firstly, the Vice-President of the CCI referred to the popularly known NIS Directive, “whose main objective is to achieve a high and homogeneous level of security in the networks and information systems of the European Union.” Likewise, García-Menéndez referred to the new European Data Protection Regulation, whose transposition to the Spanish scope must materialize before August 25, 2018. Finally, he referred to the ICCF, which aims to become an articulated reference framework specifying the principles, activities and actors involved in evaluating the components of an industrial automation solution. Among other organizations, the ICC and the National Institute of Cybersecurity (Incibe) of Spain have been involved in the development of the ICCF.
A day later, after welcoming the audience, the director of the CCI gave the floor to César Cuadra. The representative of Open-Sec, a company specializing in security assessments, presented the paper From theory to practice: ‘hacking’ in the industrial world to warn that “it is necessary to know the attacker to know how we have to defend ourselves: there are everything from hacktivists to employees who can be a real danger for organizations, and just as there are different types of attackers, the attacks are also very diverse, from opportunistic ones to social engineering.” Among the recommendations addressed to those present, he advised being “very meticulous” when performing intrusion tests on industrial systems, with the aim of avoiding collateral damage.
Next, as an example of cybersecurity efforts, José Luis Ríos and Luis Hidalgo, representing Radware and Check Point, respectively, announced the alliance between the two Israeli companies to combat cyber attacks. The first, Ríos said, specializes in mitigating Denial of Service (DoS) attacks and, among others, has signed a collaboration agreement with Telefónica, a company of which Check Point is a strategic partner. Regarding the work being carried out by this company, Hidalgo said that it is betting on sandboxing techniques and warned of the increase in cyber attacks on industrial organizations, especially through spear phishing (emails that appear to be from a known person or company).
Turning to organizations, José Valiente asked whether they were prepared to measure their level of cybersecurity. The director of the CCI stressed that it is important to evaluate, since this facilitates “continuous improvement”. As a supporting document for this, he referred to the Cybersecurity Process Maturity Assessment Tool in industrial organizations, downloadable through the CCI website and generally applicable to any industrial organization. In addition, it makes it possible to establish comparisons with third parties. With a total of 122 targets, the document, Valiente explained, has already been used for evaluation by companies such as the Argentine oil company YPF.
Gabriel Faifman, Director of Strategic Programs at GE Digital, addressed the topic Connectivity and Risk in industrial automation solutions. His talk started with a reminder that, 20 years ago, he was associated with a well-known global soft drink brand “in which there was no talk of industrial safety.” “Now, it is clear that connectivity is a risk. Organizations, at a global level, believe that they will be attacked. That is why it is necessary to prepare,” he reasoned, while calling it “very serious” that hospitals ceased to provide service due to the WannaCry ransomware. Considering that Industry 4.0 is a challenge from the point of view of cybersecurity, he advocated implementing the IEC 62443 series of standards, which, among other advantages, also helps organizations to evaluate their level of maturity in cybersecurity.
This is essential given that many organizations are considered critical and provide essential services to society, Ernesto Landa recalled, on this occasion as coordinator of Information Security of the Amazon Gas Operator Company (COGA). Before showing some practical cases of cyber attacks, he recommended reading the article Critical Infrastructure Protection, written by Jorge Albarrán and published in issue 4 of Segurilatam, since it emphasizes the importance of having such basic services in day-to-day life as electricity or water supply. After recalling cyber attacks such as those suffered by the Saudi Aramco oil company in 2012 or a Ukrainian power plant in 2015, Landa explained that COGA is part of the Cybersecurity Committee of the Regional Association of Companies of the Oil, Gas and Biofuels Sector in Latin America and the Caribbean (ARPEL).
Likewise, Ernesto Landa recommended some of the documents published by the CCI, among them Benefits of cybersecurity for industrial companies. That document was analyzed by Miguel García-Menéndez, who, as on the first day, said that this text “is intended to raise awareness of top management.” According to the CCI Vice-President, “the document looks for CEOs to be knowledgeable about cybersecurity, because the latter can contribute to a company’s revenue growth. However, 78 percent of CEOs complain about the absence of cybersecurity news.”
Finally, the four participants agreed that the suppliers of the organizations should be more involved in cybersecurity and have local structures that facilitate greater proximity to the client.
Many thanks to all the attendees, the coordinators in Peru, the general coordinator for Latam, and the sponsors and collaborators of the VIII International Congress of Industrial Cybersecurity; thanks to you, it has been a success.