The line between IT and OT (Operational Technology) is blurring. In the OT domain of today and tomorrow we are no longer dealing with machines that merely have an IT component, but with complex IT systems that act on changes in the physical world. These systems are often fully integrated into the production process.
The new world is cyber-physical
This cyber-physical interface is what sets OT apart from the IT world. Complex chemical processes and dangerous operations take place at this interface, and errors there can cause serious HSE incidents. Cyber-physical systems therefore represent a business risk for organizations. It is of great importance to map out these risks and start managing cybersecurity.
Although there is more awareness of cybersecurity, many companies are still struggling with an important question: Where do I start? Marcel Jutte, managing director of Hudson Cybertec: “Where companies were still struggling with awareness a few years ago, we now mostly see a call for concrete help to make a start with cybersecurity.”
A business case
An international chemical company, like many others, has found its way to Hudson Cybertec. The company is well aware of the HSE consequences that can arise when a cybersecurity incident puts the primary process into an unsafe state. Safety PLCs can also fall victim to a cyber-attack and, as a result, fail to operate or operate differently than expected. This can have major (physical) consequences. The chemical company wanted to start managing cybersecurity, but had no insight into its current security status.
The zero measurement
A security assessment provided insight into the company’s current situation.
This baseline measurement formed the starting point for improvements. The assessment clearly showed which steps the organization had to take to bring cybersecurity to the desired level.
For example, an up-to-date security policy and the associated procedures were lacking. In addition, it proved necessary to set up the security organization properly. To steer all these matters in the right direction, Hudson Cybertec provided an interim CISO who set up the cybersecurity management and acted as a sounding board for the chemical company’s senior management. The focus was on people, organization and technology.
The basis for the cybersecurity management is IEC 62443, the international de facto standard for cybersecurity in industrial automation and control systems. Hudson Cybertec is internationally recognized as a subject matter expert in this field and is actively involved in the development of the standard.
Setting priorities with a limited security budget
Because budgets were limited, priorities were set for cybersecurity management. By establishing a scope, the organization was given direction for security. Choices were made so that the chemical company would benefit most from the improvements. It was decided, for example, to assign clear responsibilities for cybersecurity to a compact security organization and to draw up a security policy with a basic set of procedures. Jutte says: “Clever use was made of things that were already in place and were still topical, such as a high-level risk analysis. This mainly looked at the additional impact of cyber (and cyber-physical) on the high-level risks for the organization.”
Clarity for the organization
By keeping the security organization small, decisions can be made and acted on quickly within the organization. It was decided to draw input from various disciplines, so that both IT and OT are represented. The new policy and procedures have deliberately been kept concise. They make clear to all employees what is expected of them in terms of security, both cyber and physical.
Well-trained staff reduces security risks
The organization recognizes the importance of staff in raising the level of cybersecurity. Working with the company, Hudson Cybertec has established a program to improve security awareness among employees. The awareness program ensures that the employees of the chemical company become more aware of the security risks they face on a daily basis. As a result, cybersecurity risks have already decreased while the program is still ongoing. “With a security awareness program, periodic repetition is important,” Jutte notes. “After a while, employees become less alert again. Repetition anchors the awareness among employees.”
On the technical side, the decision was made to segment the existing IT and OT infrastructure. The findings from the baseline measurement clearly indicated how the segmentation could be shaped. The Zone & Conduit model from IEC 62443 served as the guideline for drawing up a zone model. With small investments, a major improvement in cybersecurity was achieved here.