Security Patching Is Not Part Of ICS Cyber Hygiene
The term Cyber Hygiene has burst into conferences, papers, webinars and of course marketing literature in the ICS security community. Can we kill it off, or at least correct it, before it takes hold? The latest example is from an otherwise very good article by Andy Bochman of INL in Harvard Business Review. He includes maintaining a detailed inventory, deploying security products like firewalls and IDS, creating air gaps, security awareness programs, and creating a security team as examples of cyber hygiene. The word “hygiene” is used as nothing more than a replacement for “security”.
Hygiene was obviously selected by Andy and many others because it is easy to understand from its common usage, and who could possibly be against hygiene? Wash your hands before eating. Brush your teeth. Take a bath or shower. Don’t put your fingers in your mouth.
The easiest way to see the misuse and flaws in this term is to note that periodic wellness exams and vaccinations are not hygiene. Not everything a person does to maintain health, and little of what is done for them by others, is considered hygiene.
If we must keep the term cyber hygiene, then cyber hygiene should only include:
- practices that apply to all participants in the ICS
- practices that do not require any risk analysis to determine if they should or should not be followed
- practices that are so simple they can be stated and fully understood in a single sentence
- practices that are almost universally considered to be helpful and important
Potential examples of cyber hygiene in ICS include:
- Don’t connect your mobile phone to the ICS
- Don’t post information about the ICS on the Internet
- Don’t connect external USB or other removable media to the ICS
From these examples you can see how cyber hygiene could be part of a broad-based security awareness program. If it is not something you want to inform and train everyone involved in the ICS about, then it is not cyber hygiene.
Security patching is not cyber hygiene. Operators and most other users should not be applying or even thinking about security patching. There is a risk analysis that is performed before applying patches, and the process of applying patches with testing, phased deployment, and rollback capability is not a simple sentence. Deploying security software and hardware is not cyber hygiene, nor is detection, incident response, backup and most other security controls and practices.
If we insist on coming up with a different term for cyber security in ICS, I’m a strong proponent of cyber maintenance. It fits in the Operations environment. They have a maintenance plan for equipment and systems in the rest of the Plant, so why would they not have a maintenance plan for the ICS? Maintenance strategies and plans vary and require judgment, as a risk-informed cyber maintenance program should.
Of course ICS have all too often had an unspoken cyber maintenance strategy of run-to-fail. Preventative and predictive maintenance is more common and applicable on components that would have a large impact if an unplanned outage or integrity failure occurred. Operations groups squirm a bit when questioned about the maintenance strategy for their ICS. The term works and is more applicable to the security tasks that the OT security team should be doing.
Or we could just stick with the term cyber security.
Listen to the podcast I recorded with Michael Toecker and Marty Edwards for a deeper discussion on the issue of cyber hygiene and cyber maintenance in ICS.
I was going to post earlier, but I needed to brush my teeth. I agree with your call for a definition or selecting a more context-appropriate term like ‘maintenance’. I believe Andy and many others are trying to delineate between security that is appropriate to deal with non-targeted common threats on the low side as opposed to more organized and targeted attacks on the other. I tend to map that thought to Rob M Lee’s model that suggests you must get architecture right, then deploy a passive defense, and if appropriate and able you begin to work on a more active defense. If your facility had to withstand targeted attacks then one should plan to move beyond passive defenses. Hygiene used in this context is a term that tries to relate what people should do at a minimum (but why not call it minimum security) and it should be that accepted. I understand why it is used, but it should be followed by statements that explain what people should be doing as a part of the routine to keep one’s systems safe from common digital threats. I am a person (being immunodeficient) that is stuck in a world of frequent and more necessary hygiene to protect me from exposure to bacteria. I have come to realize that even hygiene needs some context to determine what is appropriate. So in my case hygiene has become synonymous with minimum health (like you suggest using security). The important agreed-upon point in this conversation is to set a minimum requirement for certain security elements to be in place when deploying ICS to help oneself and to be a responsible member of the larger digitally connected community.
It seems a stretch to seek clarity in use of a colloquial term – especially considering dentistry ‘owns’ a majority of mindshare for the meaning of hygiene.
We might also be wary of a moniker with tendency to be perceived as the ‘minimum’ required. It is all too human to do only what is required.
Meaningful progress will probably need a better effort on ICS hygiene do’s and don’ts.
Which is why I suggest killing the term before it takes hold in the ICS security community. We don’t need another term that adds more confusion to the topic with the primary benefit in that it allows people and organizations to feel good.
I agree. Hygiene is a nice term for use at home with your toothbrush and hand sanitizer, however, it is not sufficient to portray the NECESSARY basic cybersecurity actions required to secure and monitor an ICS. The problem is that our ICS have been plagued by minimum adherence to standards. Maybe we need some Government Regulations.
If we all don’t practice a cyber hygiene regimen (like the minimum one sentence maxims you suggest) then we’re all susceptible to some level of compromise. I believe the term caught on b/c hygiene is a more universally accepted practice by humans than security is. Plenty of people think security is an added benefit of being president, a celebrity, or provided by law enforcement officials / insurance / etc. and therefore costs extra. Hygiene is relatively cheap to maintain and execute on a daily basis and arguably a lot of our existing devices come with the ability inherent already to be more cyber hygienic, but I still have to listen to the podcast