Cybersecurity is a race. A race that has for over a decade been extended to include systems that run the world’s industrial facilities, where a breach can compromise more than data.
A cyber breach at an industrial facility may enable a bad actor to move actuators that can trip a switch at a power plant to deny electricity to an entire city, manipulate valves to move highly combustible molecules in the wrong direction and cause an explosion in a petrochemical plant, or redirect wastewater to a clean water reservoir at a treatment plant.
In this race, malicious actors are largely aware of existing vulnerabilities and are constantly looking for new ones. Cybersecurity personnel in this race are also aware of the known vulnerabilities and are constantly trying to stay ahead of the game.
IT organizations have generally made an art out of vulnerability management, making it a systematic and generally accepted practice. The same cannot be said for most organizations that also have to keep OT (operational technology) safe.
OT is different, really different
Vulnerability management in OT continues to be one of the biggest challenges in securing industrial control systems (ICS). OT systems, which encompass the ICS, are computer-based control systems that automate and provide safety protection for personnel and equipment in the industrial, commercial buildings, avionics and other IoT-intensive industries.
OT includes Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS), the data historian and other servers and applications that manage and optimize industrial processes. They also include Safety Instrumented Systems (SIS) whose sole purpose is to monitor the process and protect plant personnel and equipment by shutting down the process safely upon loss of control.
While the annual total OT market spend is less than 5% of that of the IT market, control systems are the engines that make automation possible. Without them, the world’s production facilities would come to a halt, crippling every economy.
Here are a few distinct characteristics that differentiate OT from IT:
It is not unusual for an IT team to take a server out of commission to upgrade or patch the device late in the evening or over the weekend on a regular basis. This is not possible for OT assets in 24/7 industrial operations. In some cases, like in continuous processes, a control system may run for years with a known vulnerability, waiting for a plant shutdown to apply a patch.
OT assets at high risk
Meanwhile, the risk to the same facility can be staggering should an attacker get in and take control of a safety critical process. The attack surface in the OT environment is vast and vulnerabilities abound. With hundreds or even thousands of known vulnerabilities, OT owner operators are left dealing with the dilemma of security versus uninterrupted production.
A practical approach to patching OT assets
Since it is a monumental task to address all vulnerabilities on all control system assets, there is an alternative to make the task more manageable. This is where we can rely on existing knowledge within the organization to identify and prioritize critical assets to be patched.
The knowledge for identifying the “crown jewels” (critical assets) is derived from a process known as Hazard and Operability (HAZOP) study in the petrochemical and other industries handling highly hazardous chemicals. HAZOP study is a structured and systematic assessment of a manufacturing operation designed to identify specific process safety risks to equipment and personnel. The resulting output is a prioritized list of mitigation measures to address such risks.
HAZOP is a USA Occupational Safety and Health Administration (OSHA) regulation that requires companies to identify and address risks prior to the startup of a new plant and every five years thereafter. Cybersecurity teams can leverage this information to quickly identify the crown jewels that drive critical processes and implement additional security controls to protect these assets. There is no need to “hunt” for the crown jewels – your operations team already knows what they are.
Protect the “crown jewels”
Once identified, the OT security team, in close coordination with operations and process control personnel, must isolate and upgrade/patch the critical ICS assets at the earliest possible. For critical assets that for whatever reason cannot be protected, mitigation plans such as installation of additional firewalls must be taken.
Upgrades and patches for non-critical ICS assets can be postponed until an opportunity, such as a plant maintenance turnaround, is presented.
Visibility, agility and cross-functional synergies
A strong OT security posture requires full visibility to the entire asset inventory plus agility in the organization to mitigate or remediate vulnerabilities in time. Organizations in the industrial sector can gain significant advantage by leveraging the engineering information embedded deep within existing systems and databases such as safety instrument systems and HAZOP databases, respectively.
Doing so, saves tremendous time and cost, but most importantly, it helps harden those critical OT assets whose function enables production and safety of personnel in real time.