The cyber security of process/production environments is sometimes handled by the IT department. However, they rarely have sufficient knowledge of the process environment and its unique characteristics, which often require a different approach to cyber security compared to IT.
As soon as organizations realize that their production environment or process control environment (also called Operational Technology or OT) is susceptible to digital incidents, a discussion will ensue about who should take care of this problem. Because IT departments have been dealing with cyber security for some time now and have historically had more ties with decision makers at management level, OT cyber security is placed under the responsibility of the IT department for convenience.
Many organizations use the ISO 27001 standard for information security. Because the IT department is familiar with this standard, they tend to design cyber security for the OT according to the same standard. The IT specialists often have insufficient knowledge of the specific characteristics and priorities of the process automation environment. As a result, the associated requirements for cyber security are unintentionally overlooked. Often they simply look for a similar approach for IT and OT, with unwanted consequences as a result.
A different perspective
IT cyber security is mostly about securing information, whereas OT cyber security is mostly about system availability and integrity; in other words, the security of the process. What happens if you are unable to monitor the primary process within the process control environment? Not to mention what would happen if you were to lose control of the process. In some sectors, such as water, energy and chemical, it is essential to always have control over the process. Loss of control can lead to catastrophic incidents.
It is important to maintain a dialogue between the IT and OT specialists of the organization. The OT specialists know the specific dynamics of the OT environment and can explain how access management, patching, antivirus, and change management within the OT environment are completely different from those within the IT environment. It is by seeking dialogue and listening carefully to the priorities of OT that a collective approach to cyber security can work.
International standard: the IEC 62443
The OT counterpart of the IT standard ISO 27001 is the IEC 62443. This international standard is the worldwide standard for cyber security for industrial automation and control systems. This standard provides tools for improving the digital security and safety of the OT environment.
The IEC 62443 is a standards framework consisting of several parts, each dealing with a different aspect of cyber security. It includes parts for implementing a cyber security management system (the counterpart of the ISMS in IT) and establishing cyber security requirements for system integrators and service providers that build and maintain your OT infrastructure. Other parts discuss risk management and describe technical requirements associated with different levels of cyber security resistance.
For a good understanding of the standard, it is wise to follow a certification training course. Together with Hudson Cybertec, the NEN (Dutch Institute for Standardization) has developed a training program for the IEC 62443. In this training, participants learn from seasoned consultants, involved in complex OT-cyber security issues daily, how they can apply the IEC 62443 within their own organization, or how they can apply it in projects for their clients. A training is also available for IT professionals who have or will have to deal with cyber security for OT.
Start with a zero measurement
Aside from the obvious hurdles like setting up a security organization, integrating OT into the existing organization or mapping the cyber security risks, it is important to know how your organization is faring today with regard to cyber security. A zero measurement helps with this.
A zero measurement will generate a baseline of the organizational and the technical status of cyber security. An important part of this is the monitoring of the OT network over several days to see whether there are any unexpected fluctuations in network traffic or connected assets. This identifies possible problems and shows where opportunities exist to quickly and efficiently implement improvements and increase digital defence.
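The technical half of such a baseline can be sketched as follows. This is an added example, not code from the article or from any vendor tooling: it builds a per-asset traffic baseline from several days of passively collected records and compares a later day against it. The record format `(day, asset, bytes)`, the asset names and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def daily_totals(records):
    """Sum bytes per asset per day -> {asset: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, asset, nbytes in records:
        totals[asset][day] += nbytes
    return totals

def build_baseline(records):
    """Per-asset (mean, stdev) of daily traffic over the measurement period."""
    return {asset: (mean(list(d.values())), pstdev(list(d.values())))
            for asset, d in daily_totals(records).items()}

def compare(baseline, observed, k=3.0, rel_floor=0.25):
    """Compare one observed day against the baseline.

    An asset is a traffic anomaly when its daily total deviates from the
    baseline mean by more than max(k * stdev, rel_floor * mean). The
    relative floor keeps very steady OT traffic (stdev near zero) from
    alerting on every small change. Both thresholds are assumed values.
    """
    today = {a: sum(d.values()) for a, d in daily_totals(observed).items()}
    anomalies = []
    for asset, total in today.items():
        if asset in baseline:
            mu, sigma = baseline[asset]
            if abs(total - mu) > max(k * sigma, rel_floor * mu):
                anomalies.append(asset)
    return {
        "new_assets": sorted(set(today) - set(baseline)),
        "missing_assets": sorted(set(baseline) - set(today)),
        "traffic_anomalies": sorted(anomalies),
    }

# Constructed sample data: three baseline days, then one observed day.
BASELINE_RECORDS = [
    (1, "plc-01", 1000), (1, "hmi-01", 5000), (1, "hist-01", 20000),
    (2, "plc-01", 1100), (2, "hmi-01", 5200), (2, "hist-01", 21000),
    (3, "plc-01", 900),  (3, "hmi-01", 4800), (3, "hist-01", 19000),
]
OBSERVED_DAY = [
    (4, "plc-01", 1050),      # within the normal range
    (4, "hmi-01", 15000),     # three times the usual volume
    (4, "eng-laptop", 3000),  # asset never seen during the baseline
]                             # hist-01 has gone silent

def run_example():
    return compare(build_baseline(BASELINE_RECORDS), OBSERVED_DAY)

if __name__ == "__main__":
    print(run_example())
```

A baseline asset that goes silent is reported as well, since in OT a device that stops communicating affects availability just as an unknown device affects integrity.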
How to continue?
The results and recommendations from a zero measurement can be used to get started with cyber security. The security policy can be enhanced or developed, network segmentation within the OT environment can be implemented, and continuous monitoring of the OT environment can be set up. With a monitoring solution developed entirely from an OT perspective, you not only increase your digital defence, but also always have an up-to-date insight into connected assets, network traffic and even compliance with various standards.
For optimal digital defence, measures must always be in line with your asset criticality and the security risks to which the organization is exposed. By consulting our specialists, you will receive advice on how to optimally protect your OT environment, ensuring that your organization is taking the right measures for its digital defence.
Source: Securitymanagement, November 2020