Organisations are still underestimating the risks created by insufficiently secured operational technology (OT).
One current example comes from Germany. According to a report by heise.de, external security testers consider it “likely” that a successful serious cyberattack against the publicly owned water company Berliner Wasserbetriebe could lead to a complete failure of the German capital’s waste water management.
The good news, at least for Germany, is that a combination of engineering standards and legal requirements often prevents many worst-case scenarios from happening. One such regulation requires that utility companies be able to control their grids manually, if necessary. This is not the case in all European countries. If the legally required basic IT protections are in place, and two-factor authentication and other best practices are used, many potentially damaging incidents can be prevented or at least contained. Germany has a number of guidelines and standards that aim to minimise cybersecurity risks, including a law on basic IT security, ISO 27001, the IEC 62443 standards and a compendium published by the BSI, Germany’s equivalent to the UK’s National Cyber Security Centre. There are even free tools to check and document compliance with these guidelines, like the Light and Right Security ICS.
But while these tools can be helpful, they also require a considerable amount of work by qualified personnel. Many public institutions are struggling to find such personnel and also the money to pay for the initial system assessment. We should also not forget that despite all efforts, there will always be a remaining risk, especially with regard to compliance and the potential loss of reputation after a security incident.
IT versus OT?
Until fairly recently, OT and ICS environments were physically separated from enterprise IT and therefore not considered vulnerable to cyberattacks. Some OT networks are older than the security experts managing them, which means that they were built before cyberattacks even became possible. In many cases, this resulted in very flat networks where all physical subnets are connected. As a result, securing them is more difficult. It is nearly impossible to do “ad hoc” and should always be seen as a continuous process rather than a goal to be reached and forgotten about.
When you are planning the implementation of security controls, you should make sure that the tools and processes you choose support communications via both traditional IT and OT protocols. You should also keep in mind that maintenance and upgrade cycles are much longer in OT than in IT. Even though they are now beginning to get shorter, OT cycles are still not even on the same order of magnitude as the fast-evolving IT and IT security cycles. OT teams and plant managers are also struggling with the frequent updates on the IT side and the associated downtime – something OT teams try to avoid.
Does this mean that OT should do without the security controls that are considered standard in IT?
In practice, the result will almost always be a compromise. Some recommended IT practices and monitoring options can definitely be used in OT, but they have to be adapted exactly to the industrial context where they will be used, and they must be communicated clearly. IT security has become an incredibly complex field with very sophisticated threats. It is not always easy to explain this complexity to OT teams where people tend to have different priorities.
Some of the reservations regarding IT security are a historical legacy from as far back as the earliest days of active and passive network monitoring. Active monitoring has an especially dubious reputation amongst OT experts. When active network monitoring was first adopted, some methods were simply transplanted from office environments without any adaptation. These methods had been tried and tested, so it seemed a good idea to use them more widely, including in much more sensitive OT networks. The result: device outages and costly disruptions to production processes. Even today, some OT experts shudder when they hear the word “scanning.”
The differing priorities of IT and OT add to the communications difficulties experienced in many organizations.
In cybersecurity and IT, confidentiality, integrity, and availability – the components of the CIA triad – are typically (and sensibly) the top priorities, in that order. In industrial cybersecurity, the acronym AIC is used instead of CIA, as availability is the highest priority.
Security Risks in Convergent Networks
In convergent networks, information and automation technology are increasingly growing together. The connections and transitions between them invariably lead to increased risks, which can cause disruptions and damage. Security experts worry that enterprises’ dependency on connected devices is growing much faster than their capacity to protect those devices.
Basic concepts need to be developed and security mechanisms defined for different industrial environments. OT operators urgently need to invest time and effort into the improvement of their security posture. All this is hampered by a number of myths and misunderstandings around the subject of industrial security.
Too often, these prevent necessary measures from being planned and realized. One of these persistent myths is that cybersecurity incidents are synonymous with “malicious hacker attacks.” Early research revealed that the overwhelming majority of incidents are caused by human error or a device outage. In both cases, the efficiency of the manufacturing plant is directly impacted. Even if cyber criminality is involved, the culprits are more often malicious insiders than external cyber criminals. In these cases, an employee or external collaborator is usually trying to disrupt or damage systems, processes, devices or people.
A first step towards better protection for flat networks is segmenting them. You could start by monitoring protocol activity and assigning each catalogued system a risk score based on identified vulnerabilities. At this stage, organizations have already achieved a certain level of transparency, and the next step is often an investment in firewalls or patching solutions. From this point onwards, the key objective should be the continuous monitoring of the environment.
Once you have established a configuration that meets your security requirements, you need the right tools to discover any deviations from this secure baseline as quickly as possible. The most effective monitoring solution for your organization will probably be a combination of passive, active, and hybrid tools, as different tools are best suited to different environments.
In its element, each type of tool works effectively, delivers the maximum amount of transparency, and keeps the network as stable and available as possible. But the differences between the various network environments are too great for a “one size fits all” solution. No matter which solution you choose, you will always have to keep fine-tuning it. This is a vital part of the process, especially for organizations modelling their cybersecurity on trusted industry standards or frameworks.
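The cataloguing, risk scoring and baseline monitoring steps described above can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the addresses, flows, findings and the scoring formula are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data: passively observed flows as (src, dst, dst_port).
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 502),  # HMI -> PLC, Modbus/TCP
    ("10.0.1.10", "10.0.1.21", 102),  # HMI -> PLC, S7comm
    ("10.0.1.30", "10.0.1.20", 502),  # historian -> PLC, Modbus/TCP
]
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 502),
    ("10.0.1.30", "10.0.1.20", 502),
    ("10.0.1.30", "10.0.1.21", 102),  # known hosts, but a pairing not in the baseline
    ("10.0.1.99", "10.0.1.20", 502),  # host that was never catalogued
]
# Constructed vulnerability findings per asset (CVSS-style severities, 0-10).
FINDINGS = {"10.0.1.20": [9.8, 7.5], "10.0.1.21": [5.3], "10.0.1.10": []}

def build_inventory(flows):
    """Catalogue every host seen on the wire with the ports it serves and its peers."""
    inv = defaultdict(lambda: {"serves": set(), "peers": set()})
    for src, dst, port in flows:
        inv[dst]["serves"].add(port)
        inv[dst]["peers"].add(src)
        inv[src]["peers"].add(dst)
    return dict(inv)

def risk_score(host, inventory, findings):
    """Hypothetical score: worst finding, weighted up by how many peers reach the host."""
    worst = max(findings.get(host, []), default=0.0)
    exposure = len(inventory[host]["peers"])
    return round(worst * (1 + 0.1 * exposure), 1)

def deviations(baseline, observed):
    """Compare observed flows with the baseline without sending any traffic."""
    allowed = set(baseline)
    known_hosts = {h for src, dst, _ in baseline for h in (src, dst)}
    alerts = []
    for flow in observed:
        if flow in allowed:
            continue
        src, dst, _ = flow
        unknown = src not in known_hosts or dst not in known_hosts
        alerts.append(("unknown_host" if unknown else "new_flow", flow))
    # Expected traffic that has gone quiet matters in OT, where availability comes
    # first: it can indicate a device outage rather than an attack.
    alerts += [("silent_flow", f) for f in sorted(allowed - set(observed))]
    return alerts

if __name__ == "__main__":
    inventory = build_inventory(BASELINE_FLOWS)
    for host in sorted(inventory):
        print(host, risk_score(host, inventory, FINDINGS))
    for alert in deviations(BASELINE_FLOWS, OBSERVED_FLOWS):
        print(alert)
```

Because the check works only on recorded flows, it places no load on the controllers themselves.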
Many people still think that smaller manufacturers are largely immune to attacks. Unfortunately, this is not the case. In reality, cyber criminals see organizations with less expertise, personnel, and resources as attractive targets in and of themselves, as convenient training grounds, and often also as handy footholds and springboards for future, larger attacks.
As a process, industrial cybersecurity is comparable to health and safety in scope and timing. You should define policies for your team and technologies and develop processes to enforce them, to establish a baseline, and to monitor your security posture continuously in order to maintain and improve it constantly and ensure compliance.
This is necessary in the public and the private sector, as neither politicians nor managers want to make the news for the wrong reasons. Regardless of whether a cyber-incident damages the reputation of a company, disrupts production, or causes security alerts in OT, cybersecurity is now the responsibility of the C-suite.