A globalising, interconnected world is elevating industrial IT and Operational Technology (OT) security to the forefront of today’s boardroom agenda. Specifically, the hardware and software used in the production area on factory floors, utility plants and electrical grids, water supplies, and in many engineering and research and development facilities. Several high profile security breaches in power plants and other critical infrastructure have served to escalate OT security concerns in recent months.
This is especially important, because the digital transformation of industry will cause more convergence between IT and OT systems. Connectivity between the systems will increase to facilitate more efficient business processes, and this increases the attack surface and the vectors available to reach OT systems. But what are the real threats facing user companies and what should they prioritise for cyber defences? What unique concerns and challenges (external and internal factors) are impacting industrial cybersecurity? What strategies and measures are available to secure these vital assets?
Staying alert on the industrial front
There are clear headwinds approaching OT security that senior management should be aware of.
Escalating cyber threats in the industrial sectors and changes in legislation have heightened the profile of OT security recently. For example, the power supply disruptions in Ukraine in 2015 and 2016 triggered by cyber attacks on the country’s electricity distribution and transmission systems sent shockwaves across the globe. The incidents and others like them have reinforced how cyber attacks in the OT and Industrial Control Systems (ICS) space can severely impact organisations, even the physical functioning of society.
Ransomware attacks such as Petya and NotPetya have also shut down manufacturing lines and affected banking, government and airport operations. More recently, the analysis of malware targeted at OT systems such as Industroyer and Triton has increased awareness of cyber threats to industrial control systems. We now have a better understanding of the impact such threats can unleash, including physical infrastructure.”
Another major driver behind the renewed focus on OT security is the changing legislative landscape. The introduction of the Cybersecurity Bill and its associated Code of Practice in Singapore, for example, has influenced the rising focus on OT Security in Singapore. These legislative changes mandate that all ICS must be assessed, tested and monitored consistently. Prioritising security as a matter of policy drives organisations to relook the security practices they have in place.
Bumps on the road to better security
While OT and ICS security are receiving much needed attention, many affected organisations face significant hurdles. One of these is visibility over the assets that run the OT systems and visibility over the security of those assets. Without visibility, organisations struggle to identify the security posture of their system.
In the area of ICS, many organisations are struggling with managing legacy software, proprietary systems and distributed ownership as they seek to deploy security solutions that may not be compatible with older systems. Organisations must recognise that attack surfaces in ICS are different. It’s critical to identify cybersecurity products and vendors that understand the context of this space, and offer solutions that can work with and not against these systems.
Taking appropriate action
Organisations can improve the protection of their OT systems by ensuring that any systems upgrade or new systems built adhere to a security-by-design process. That means that all hardware and software as well as protocols and workflows are designed to be secure. This requires incorporating OT priorities in cybersecurity practices: OT and ICS security practitioners must accept that malicious practices are inevitable. Organisations are better off being prepared with strong understanding of the risks, putting risk mitigations in place, ensuring visibility through monitoring, and maintaining a trained workforce with robust incident handling processes.
1) Risk assessment
Start with a risk assessment of the resident risks in the OT and ICS.
Taking stock of OT system assets is an important first step to instituting better protection and monitoring practices. Plan and implement mitigation measures with an understanding that OT systems are built to last and are designed with different priorities, often with physical safety and availability being paramount and highly prioritised. For example, many OT systems were designed at a time when OT systems were not accessible remotely. The security measures put in place may not consider for new remote access connectivity.
Finally, expand security policies, such as implementing post-breach procedures that are appropriate and sensible in an OT/ICS environment.
With ICS and OT environments consisting of many types of equipment, often with Industrial Internet of Things co-existing with legacy Industrial Control Systems, getting a centralised view is difficult. The greater scope of asset types and legacy equipment presents challenges that traditional IT environments do not encounter.
OT networks are getting increasingly connected and complex. The greater attack surface elevates the importance of monitoring and at the same time, making monitoring itself even more challenging.
While security tools for IT and OT vary, monitoring and threat detection should be simplified as much as possible through smart aggregator platforms that provide useful information in ‘a single pane of glass’, Better visibility and continuous monitoring of systems to identify breaches quickly and start incident investigations should be mandatory for organisations with OT and ICS environments.
3) Upgrading skills
Organisations should also invest in upskilling teams to ensure cybersecurity practices are relevant and up to date. Cybersecurity knowledge and skillsets can no longer be confined to only the IT teams. Non-IT personnel, including OT engineering and production teams, need to be included in cybersecurity processes, such as incident reporting, handling and management. They are essential to ensuring a more cyber secure organisation. Organisations can look for security partners that have experience in OT and ICS, to ensure that cybersecurity best practices are upheld.
These can include scenario-based OT security training courses involving offensive and defensive operations that integrate real and simulated exercises. Such training can be customised to cover water, power, transportation, and manufacturing for more realistic visualisation and adoption, to counter OT and ICS cyber-attacks effectively.
4) Security Partnerships
In all of these, organisations can turn to security partners that have experience in securing OT and ICS. Ensuring the security and resilience of OT and ICS is a shared responsibility among multiple stakeholders, internally and externally, because no one person or entity has the knowledge, authority or resources to do it alone.
Not if, but when
For many ICS environments, it’s not a matter of if an attack will take place, but when. In 20171, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identified 753 vulnerabilities through its 137 architecture design reviews, and many more went unreported or undetected.
Attacks on ICS installations are increasing in frequency and complexity; building a network with a hardened perimeter is no longer adequate. Securing ICSs against modern threats requires well-planned and well-implemented strategies to quickly and effectively detect, counter, and expel
At Trustwave, we offer a variety of services to secure OT and ICS through our consultancy services, including risks and vulnerability assessments, and penetration testing, to assess the security posture of the organisation.
Trustwave’s advisory consulting team helps organisations transform and mature their security operations, offering managed threat detection (MTD) that covers both IT and ICS security monitoring. Our managed threat detection service covers use cases and analytics that are focused on identifying cyber security incidents in ICS environments. Last but not least, Trustwave conducts classes on OT security to assist OT engineers in improving their cybersecurity awareness.
This article is contributed by Dr Ong Chen Hui
Director of OT and IoT Security Research at Trustwave, a Singtel Company
Contact us at: email@example.com