Operational technology (OT) is an umbrella term referring to the use of IT to manage devices, machinery, and processes in industrial environments. The importance of OT extends to a range of value chains in sectors such as steel, oil and gas, chemicals, renewable energy, and manufacturing, which would come to a halt without up-and-running OT systems. That’s why OT requires the attention of risk-management teams that need to closely track business risks not only related to IT but OT-driven risks as well.
Risks follow the three classic protection targets of confidentiality, integrity, and availability. The latter receives top priority in most industrial value chains since systems must run 24/7 and even brief outages can render end products worthless. What ultimately sets OT-heavy environments apart from homogeneous IT setups is the concept of functional safety, which entails OT systems that serve as protective or corrective controls with regard to the prevention of hazardous events (Exhibit 1). The effectiveness of those controls directly impacts a corporation’s ability to live up to its environmental, health, and safety objectives, such as safeguarding the environment for future generations, minimizing air contaminants, or reducing the number of accidents involving casualties. All of these additional risks need to be considered in addition to the usual information-security1 objectives of classic IT setups.
The data on recent attacks against OT underscore the need to take these risks seriously. While the number of OT cybersecurity incidents during the first half of 2020 remained relatively flat compared with the same period in 2019, the attacks were both more sophisticated and more targeted.2 Examples of industrial cyberattacks that occurred in 20203 include the following:
- In January, Belgian weaving-machine manufacturer Picanol was hit by a ransomware attack that paralyzed production at its plants in Belgium, China, and Romania.
- In March, a “WildPressure” attack campaign used a trojan to attack targets in the Middle East to exfiltrate device information.
- In April, the supervisory control and data acquisition (SCADA) systems of Israel’s water supply and wastewater treatment facilities were targeted in a cyberattack.
According to the Kaspersky Industrial Control Systems Cyber Response Team, in Q1 and Q2 of 2020, the percentage of industrial control systems on which malicious assets were blocked decreased by 6.6 percentage points, and attacks on the oil and gas sector increased by 1.6 percentage points. Additionally, Kaspersky blocked 19,700 malware modifications from 4,119 groups on industrial automation systems.4
A recent survey5 looked into the impact of skill level on information-security effectiveness. Those numbers present an underestimated, although not new, challenge. While companies invest in technology and process effectiveness, the factor team know-how is often overlooked. Cybrary reports that 65 percent of managers agree that skills gaps have a negative impact on their team’s effectiveness, 46 percent of organizations don’t confirm new hire skills for specific roles, and 40 percent of organizations rarely or never assess the skills of newly onboarded team members.
These myriad information-security challenges run the gamut, involving technical, process, and human factors. In this article, we look at the ways organizations can improve security for OT and IT regarding the following topics:
- Tuning of organizational setup to minimize business risks caused by information-security pitfalls
- Keeping business stakeholders engaged in information-security matters
- Assessing status of information-security posture holistically
Cornerstones of OT and IT information security beyond technical controls
Before making major adaptations to a given OT/IT security setup, enlist the support of senior management and get buy-in from all relevant departmental and compliance stakeholders. Otherwise, the solutions will likely only remain technical in nature and fall short of the announced goal. One way to win allies is to hold organization-wide exercises that simulate OT cyberattacks so that senior management can practice a coordinated response in a workshop format and document all lessons learned and define follow-ups. The results will show the improvements while increasing senior management’s awareness—and interest—in the topic.
In the finance sector, regulations require that all functions follow the “three lines of defense” (3LOD) framework, which separates governance functions (for example, compliance, audit) from operational departments (for example, HR, exploration, IT, facilities engineering, drilling). This minimizes conflicts of interest and ensures control-policy adherence across operational functions of a company. The same line of independence extends to internal audits, which apply to the control and operational functions without any dependencies. This setup divides the powers so that no single department can unilaterally drive investments to promote their particular business interests without implementing security controls as mandated by policy, such as making sure there’s encryption for data in transit. At the same time, audits ensure that the control functions specify necessary security controls and ensure both functionality (design effectiveness) and usage (operational effectiveness) benchmarks for all business and support functions.
“OT heavy” industry sectors, such as manufacturing and energy, should embrace the same concept when they build information-security governances across OT and IT. In most cases, we wouldn’t recommend following the 3LOD setup completely for various reasons, such as effort, size, and local footprint. But when merging those lines of responsibilities (for example, the security function writes policies and operates security controls), it’s worth considering compensating controls (for example, budget committees or external audits).
Information security requires formalized and frequent communication and reporting between IT, OT, and lines of business. Options include setting up a committee or embedding responsibilities in key departments across the enterprise. Consider how this might work for a company operating in the oil and gas sector. The organization would appoint an information-security officer who would serve as the point of contact between OT and IT operations and the information-security function, representing, for example, downstream departments. This officer would voice any business concerns that arise, such as when OT outages put the safety of oil-rig workers at risk. Any information-security-related issues would then get forwarded to business stakeholders.
Engage business in OT and IT security
Information security has its own technical language. That makes it all the more vital to communicate the range of potential security risks in clear, concise, nontechnical terms, lest business stakeholders lose interest entirely in information security. Reports should speak to real-world business risks, such as an oil rig getting knocked offline or wind turbines deteriorating faster than usual because of hacked vibration sensors.
Control functions should factor in business-risk appetite, which specifies what a business is willing to tolerate in its day-to-day operations (for example, ranging from zero tolerance on risks to human safety to 100,000 barrels of oil lost due to outages). To reference these risks into the OT and IT world, it is necessary to know the systems that would materialize those risks in case of their malfunction along the entire value chain. This includes third-party services.
Information security has its own technical language. That makes it all the more vital to communicate the range of potential security risks in clear, concise, nontechnical terms.
When we consider how to measure operational risks to enable remediation prioritization, there are qualitative and quantitative approaches. Both methods define the impact and likelihood for the defined business risks. Qualitative methods have been widely used for years and have proven effective if the impact categories (for example, financial, regulatory, health, reputation) are well-defined. Quantitative methods always calculate the financial impact, allowing a straightforward prioritization compared with qualitative methods. Both approaches rely on the definition of the likelihood for business risks based on expert knowledge and historic facts (Exhibit 2).
All OT and IT risks deemed relevant by risk management need to have an owner and be monitored by the control function to become part of enterprise risk management. This includes information-security risks and cyberrisks, as well as common OT and IT operational risks. With that information chain in place, a business’s information-security reporting scorecard can be regularly compiled by the control function and IT and OT security teams.
Assess information-security posture holistically
There are no silver bullets in information security, but there are ways to improve your security posture. The following measures have been discussed and tested for years, though they aren’t often combined (Exhibit 3).
Adversary view (outside in)
One technique to judge the information-security posture of a company is called OSINT (open-source intelligence).
OSINT is offered by third parties and should be combined regularly with third-party technical-threat intelligence feeds. It offers deep insights about leaked data (for example, internal documents, General Data Protection Regulation, user login credentials), IT and OT system setups, and other information, such as the social-network interactions of employees. It helps the information-security expert see how an attacker can use the information-security posture visible from the outside for an attack. Based on that knowledge, defenders can initiate countermeasures to mitigate or repel the potential threat.
Risk assessments (inside out)
Information-security risk assessments are among the oldest and most well-known tools. To ensure that an effective risk-management function is in place, an organization needs established risk frameworks across both IT and OT. Those frameworks must include all the information-security cornerstones discussed in this article and also cover technology controls.
For risk assessments of classical IT and cloud setups, framework standards like ISO27K and National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) are commonly used. When assessing OT security, we recommend the organization look at industrial security standards. The following describes a proven approach based on international standards.
The first part assesses the setup of the OT security organization. A solid base for the review is the Cybersecurity Capability Maturity Model (C2M2) issued by the office of Cybersecurity, Energy Security, and Emergency Response.
The second part focuses on the technical implementation and uses the IEC 62443 of the International Electrotechnical Commission (IEC) as its foundation. The IEC 62443 series of standards provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems.6 Its focus is on technical controls.
Which frameworks an organization chooses is of secondary importance. The main point is the necessity to use frameworks to assess the organizational setup and the OT and IT technical setup. Some industrial firms have even created their own versions of OT security frameworks to support their internal setup. This assures complete control coverage and allows a standardized, repeatable approach and fine-tuning of the assessment based on areas of most concern.
Another related topic is third-party security. Many businesses—especially OT environments—depend on third-party products and maintenance. However, most companies don’t have the financial resources or legal capabilities to cover this angle adequately. Assurance and compliance certifications are two ways to address this.
For IT environments, the third-party information-security-focused standard SOC 2 type 2 defined by the American Institute of Certified Public Accountants is gaining importance. Using vendors with certifications such as SOC 2 type 2 gives companies additional insights about their information-security posture. Internal control functions should reflect the existence (or nonexistence) of vendors’ information-security certificates. It provides service companies the opportunity to have independent audit companies certify their information-security setup and receive a widely accepted certificate.
In OT, safety is the most important factor and is the main reason why the terms cybersecurity certification and assurance are seldom used now. The IEC changed the term Security Assurance Levels to Security Levels for its OT security standard IEC 62443 after deciding a certificate or an assurance would provide a short half-life for implementation and configuration setups and a false sense of safety.
To govern any third-party services in an OT setup, a general certification of its involvement, such as work, configuration, software, and hardware, is not a constructive approach. The governance must be based on a contract that ensures that third-party deliverables successfully pass tests to move through the various stages of the industrial-automation-system life cycle until commissioning. This process can take many years.
In practical terms, companies should include and document all control-system-related implementations along the four stages of the industrial-automation-system life cycle (Exhibit 4). This applies, in particular, to contracting and approval of third-party services. Factory acceptance tests (FAT), integrated FATs (iFAT), and site acceptance tests (SAT) are of high importance in that regard.
OSINT, risk assessments, certificates, and OT-acceptance test information should be combined to compile regular up-to-date information-security risk evaluations. This approach must be coordinated by control functions with the support of OT and IT security teams.
Catch ups, progress, and next steps
We would welcome greater inclusion of vendors in information-security setups, including business-continuity-management scenarios, OT continuity of operations, certifications, and contracts.
As noted previously, control functions should add information-security awareness and reviews of security know-how to their ongoing risk-management topics. How well the latter is handled can determine the overall information-security posture of a company for quite some time.
What OT security developments have we recently experienced?
More clients now focus on a security setup across OT and IT. It starts with the control functions and security management and includes security operations as much as possible. The leverage of operations is restricted when OT assets need to be managed locally.
Another positive trend is the interpretation of IT-security disciplines for OT, particularly as it pertains to OSINT, system-resiliency testing, asset repositories, and threat-detection capabilities (for example, use of packet capture, Switched Port Analyzer, and test access point for threat detection within OT environments). Two main challenges for IT-security adoptions for OT are its local distribution and embedded nature.
To make complex OT environments resilient to security risks, it is paramount to overcome the isolated view and separate management of OT. Security departments, control functions, and operations need to work together to secure OT and IT. They must establish and maintain the protection of the most valuable and critical parts of the business value chain by leveraging human, process, and technical factors. To succeed, stakeholders across the enterprise need to be engaged. The sole driver for an organization’s information-security activities is to keep business risks caused by information-security risks within defined thresholds.
To answer where you are in this journey, we invite you to take a micro self-assessment. There are no right or wrong answers, but the exercise gives an impression of how well your departmental goals are incorporated by your current information-security setup.
- Who are my defined contacts when I need to discuss information-security topics?
- Have I been involved in a business-impact analysis to identify the most valuable and most critical business processes for my area?
- Have I received a risk report for my area (for example, business, IT, OT) showing area-specific risks caused by information-security threats?
- What potential impact caused by information-security threats is my area willing to accept?
- When, if ever, did I last participate in a business-continuity exercise based on information-security scenarios?