The border between IT and OT (Operational Technology) is fading. In today’s and tomorrow’s OT we no longer have machines with an IT component, but complex IT systems that act upon changes in the physical world. These systems often are completely integrated into the process.

The new world is cyber-physical

This cyber-physical boundary is unique compared to the IT world. Complex chemical processes and dangerous actions that take place at this boundary can cause serious HSE incidents when things go wrong. This turns cyber-physical into a business risk for organizations. It is therefore of great importance to map these risks and manage cyber security. While there is more awareness of cyber security, many companies still struggle with an important question: Where do I begin? Marcel Jutte, managing director of Hudson Cybertec: “Where companies faced a lack of awareness a few years ago, now we mainly get a concrete cry for help to get started with cyber security.”

A business case

An international chemical company has, like many others, found its way to Hudson Cybertec. It is very much aware of the HSE consequences that can arise when a cyber security incident pushes the primary process into an unsafe situation. Safety PLCs can also fall victim to a cyberattack and, as a result, function in unexpected ways, or not at all. This can have major (physical) consequences. The chemical company wanted to start managing cyber security, but lacked insight into its current security situation.

The baseline

A security assessment made clear how the company was performing in this area. This baseline functioned as a starting point for improvements. The assessment clearly pointed out which steps the company should take to raise cyber security to the desired level. The organization did not have a current security policy or accompanying procedures. It also lacked a sufficiently defined security organization. To steer the process, Hudson Cybertec delivered an interim CISO who implemented cyber security management, functioned as a sounding board for senior management, and put the focus on people, process and technology. The basis for the cyber security management is IEC 62443, the international de facto standard in cyber security for industrial automation & control systems. Hudson Cybertec is internationally renowned as a subject matter expert in this area and is actively involved in the development of the standard.

Setting priorities with a limited security budget

Because the budget was limited, priorities were set for cyber security management. By defining the scope, the organization now has a clear focus for security. Choices were made so that the organization would profit most from the improvements. Hence the choice to set clear responsibilities for cyber security in a small security organization, and to create a basic set of policies and procedures. Jutte says: “We made clever use of those parts that were already in place and still current, like a high-level risk analysis. We added the additional impact of cyber (and cyber-physical) on the high-level risks of the organization to that.”

Clarity for the organization

By keeping the security organization small, it can act swiftly within the organization. Different disciplines give input to the security organization, which results in the involvement of both IT and OT. The new policies and procedures were kept concise. They clearly state for all employees what is expected of them in both cyber and physical security.

Properly trained staff reduces security risks

The company underlines the importance of staff in raising the cyber security level. Together with the company, Hudson Cybertec created an awareness program to increase security awareness among all employees. This program makes employees of the chemical company aware of the security risks that they face on a daily basis. While the program is still running, the security risks are already dropping. “Periodic repetition is important for a security awareness program,” says Jutte, “after a while employees get less aware. Repetition anchors the awareness with employees.”

Network segmentation

On the technical side, it was decided to segment the existing IT and OT infrastructure. The findings of the baseline clearly indicated how to shape the segmentation. The Zone & Conduit model of IEC 62443 was used as guidance for developing the zone model. With only small investments it was possible to establish a major improvement in cyber security.

Forensic readiness

To prepare the organization for incidents, should any occur, we’re currently working on forensic readiness for the chemical company. Things like logging and monitoring will be set up in such a way that, should an incident occur, a proper response is possible with only a minimal interruption of the production process. With new cyber security legislation approaching fast, it’s important to take care of these matters.

Next steps

Jutte: “At the end of the year we will do another assessment of the cyber security level. Then we can clearly show how effective the improvements in cyber security have been. We already see the benefits of cyber security management within the organization. A new assessment allows us to quantify what we already see and feel today.” He concludes: “We treat all our customers as partners. Together we work on improving cyber security. We always try to unburden our partners to the maximum extent possible.”