Nigel Stanley, Global Head of Industrial Cybersecurity at TÜV Rheinland, presented a webinar for Siemens called “Monitoring Your OT Systems for Cybersecurity Threats.” He provides a basic framework for companies that are beginning to understand their cybersecurity risk but need to know what comes next as these threats continue to evolve.
Cyber threats against industrial control or “operational technology (OT)” networks pose serious security risks. Around the world, the number of cyberattacks that target critical infrastructure and strategic industrial sectors is increasing—raising fears that attackers could trigger a catastrophic breakdown in the systems that keep our societies functioning. This risk increases even further when OT networks are based on older technologies or tie into corporate networks holding confidential business information.
The good news is there are steps you can take right now to understand and reduce your cybersecurity risk—from conducting factory-wide risk assessments, to implementing OT systems monitoring. The following framework can help get you started.
Balancing IT and OT Cybersecurity Demands
OT systems differ from information technology (IT) in terms of their architecture, design and role in enterprise environments. As corporate networks, IT systems primarily perform functions such as transaction processing, systems analysis and analytics. OT systems, on the other hand, are based mostly on serial, hardwired analog or digital networks that handle communications between controllers, field devices and servers. Located in substations and control centers, they also perform asset monitoring and process control, metering and protection.
The primary goal of most IT cybersecurity attacks is to gain unauthorized access to confidential data, including personal information or intellectual property, while a secondary objective may be to render a service unusable through a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack. Serious as these are, breaches of IT networks rarely have a direct cyber-physical impact. The same cannot be said of an industrial control system (ICS) attack, which can cause serious cyber-physical disruptions. OT disruptions are more likely to trigger a domino effect with a higher magnitude of impact. The effects can include:
- Injury or fatal accidents
- Financial losses
- Loss of shareholder confidence
- Destruction of property
- Damaged public image
- Intellectual property theft
To properly address rising OT cyber threats, it’s important to integrate your view of OT and IT systems. In many cases, attackers use OT systems as an entry point into IT systems and vice versa, even where air-gapped networks are nominally in place. In theory, an air gap ensures that a secure computer network is physically isolated from any unsecured network. But due to the complex, often convoluted interaction of office, plant, control and external networks (remote maintenance links, engineering laptops, USB media, historian servers that feed business systems), a true air-gapped enterprise is next to impossible to achieve and can no longer be the main line of defense.
Fortunately, despite these challenges, there are quick, easy ways to balance your IT and OT cybersecurity demands in a way that effectively guards your enterprise against cyberattacks:
- Look to New and Existing Cybersecurity Standards
A good starting point is to review existing regulations and standards while keeping an eye out for new legislation that can impact cybersecurity in your industry. The standard IEC 62443, for example, outlines foundational requirements for identification and authentication control, user control, data flow, data confidentiality and system integrity. In addition to enhancing your cybersecurity efforts, this standard articulates the critical relationship between cybersecurity and functional safety. It’s in your best interest to engineer both into your OT systems as soon as possible.
- Conduct a Risk Assessment
To better understand your risk, it’s important to perform an OT cybersecurity risk assessment using in-house staff or a reputable security vendor. These risk assessments are increasingly becoming a regulatory requirement and often include provisions for inventorying all ICS and network assets. You can’t manage what you don’t know you have; taking control of your assets is a big step toward effective OT cybersecurity. NIST SP 800-82 is a useful guide to ICS security and promotes the inventorying and categorizing of all applications, computer systems and networks within the ICS, including all programmable logic controllers (PLC), distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems.
- Implement Passive Monitoring As Soon As Possible
Once you’ve conducted your risk assessment, you can put in place a mechanism to monitor your OT network. In particular, OT environments require passive monitoring techniques, which silently analyze copies of network traffic (typically from a switch SPAN/mirror port or a network TAP) to identify endpoints, protocols and communication patterns. These techniques provide visibility across your ICS and SCADA networks and, unlike active monitoring, create no additional network traffic that could interfere with critical industrial processes; older PLCs and field devices are known to fault or reboot when probed by ordinary IT port scanners. The caveat is that a passive sensor only sees what crosses the links it is attached to, so sensor placement (at the boundaries between plant, control and office networks and at core switches) determines how complete the picture is. Beyond just cybersecurity, OT systems monitoring and threat detection adds value to your day-to-day OT operations in the following ways:
- Network visibility. Generate a full list of assets in your network. Identify each component’s role and discover new and inactive nodes.
- Industrial visibility. Receive a full list of all PLCs in your network. Identify process variables and analyze traffic bandwidth.
- Asset management. Receive automated and updated asset inventory lists, including all software and firmware versions and serial numbers.
- Operations. Track actions and trigger events based on operational issues, including reconnections, idle links and bandwidth.
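The following is an added example, not code from the Siemens webinar or from TÜV Rheinland, that shows the core logic behind the network and industrial visibility items above: a passive monitor reads flow metadata from a mirror port and, without sending a single packet, builds an asset inventory, assigns each host a role from the industrial or IT protocol ports it talks on, flags hosts that straddle IT and OT, and diffs the result against a known baseline to surface new and idle nodes. The flow records, baseline and port-to-protocol table are constructed for the example; in practice they would come from a capture and from your asset register.

```python
"""Passive OT asset inventory from observed flow metadata (added example).

Reads (timestamp, src_ip, dst_ip, dst_port, bytes) tuples, as a sensor on a
SPAN/mirror port would extract them, and derives assets, roles and changes
versus a baseline. Nothing here touches the network. Sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumption: the server side of a flow on a well-known industrial port is the
# controller/field device; the client side is an HMI or engineering station.
INDUSTRIAL_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP (explicit)",
    20000: "DNP3",
    4840: "OPC UA",
}
IT_PORTS = {80: "HTTP", 443: "HTTPS", 445: "SMB", 3389: "RDP"}


@dataclass
class Asset:
    ip: str
    roles: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    bytes_total: int = 0


def _touch(asset, ts, nbytes, peer):
    """Update first/last seen, byte count and peer set for one observed flow."""
    if asset.first_seen is None or ts < asset.first_seen:
        asset.first_seen = ts
    if asset.last_seen is None or ts > asset.last_seen:
        asset.last_seen = ts
    asset.bytes_total += nbytes
    asset.peers.add(peer)


def build_inventory(flows):
    """Return {ip: Asset} built purely from flow metadata (no active probing)."""
    inv = {}
    for ts, src, dst, dport, nbytes in flows:
        s = inv.setdefault(src, Asset(src))
        d = inv.setdefault(dst, Asset(dst))
        _touch(s, ts, nbytes, dst)
        _touch(d, ts, nbytes, src)
        if dport in INDUSTRIAL_PORTS:
            proto = INDUSTRIAL_PORTS[dport]
            d.roles.add("controller")
            s.roles.add("ot-client")
        elif dport in IT_PORTS:
            proto = IT_PORTS[dport]
            d.roles.add("it-server")
            s.roles.add("it-client")
        else:
            proto = f"tcp/{dport}"
        s.protocols.add(proto)
        d.protocols.add(proto)
    return inv


def find_bridges(inv):
    """Hosts that speak both industrial and IT protocols: candidate IT/OT crossing points."""
    ot, it = {"controller", "ot-client"}, {"it-server", "it-client"}
    return sorted(ip for ip, a in inv.items() if a.roles & ot and a.roles & it)


def diff_against_baseline(inv, baseline, now, idle_after):
    """(new_nodes, idle_nodes): unseen-in-baseline hosts and baseline hosts gone quiet."""
    new_nodes = sorted(set(inv) - baseline)
    idle_nodes = sorted(ip for ip in baseline
                        if ip not in inv or now - inv[ip].last_seen > idle_after)
    return new_nodes, idle_nodes


# Constructed sample: two HMIs/engineering stations, two PLCs, one file server,
# and an unknown host that starts talking S7comm to a PLC ten minutes in.
T0 = datetime(2024, 1, 1, 10, 0, 0)
FLOWS = [
    (T0 + timedelta(seconds=0),  "10.0.1.10", "10.0.2.20",   502, 1200),
    (T0 + timedelta(seconds=5),  "10.0.1.10", "10.0.2.21",   102,  800),
    (T0 + timedelta(seconds=10), "10.0.1.11", "10.0.2.20",   502,  300),
    (T0 + timedelta(seconds=15), "10.0.1.11", "192.168.5.5", 445, 5000),
    (T0 + timedelta(minutes=10), "10.0.9.99", "10.0.2.21",   102,   64),
]
BASELINE = {"10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.2.21", "10.0.2.22", "192.168.5.5"}
NOW = T0 + timedelta(minutes=20)
IDLE_AFTER = timedelta(minutes=30)

if __name__ == "__main__":
    inventory = build_inventory(FLOWS)
    for ip, a in sorted(inventory.items()):
        print(f"{ip:<12} roles={sorted(a.roles)} protocols={sorted(a.protocols)} "
              f"peers={len(a.peers)} bytes={a.bytes_total} last_seen={a.last_seen:%H:%M:%S}")
    print("IT/OT bridges:", find_bridges(inventory))
    new, idle = diff_against_baseline(inventory, BASELINE, NOW, IDLE_AFTER)
    print("new nodes:", new, "idle nodes:", idle)
```

On the sample data the engineering station 10.0.1.11 is reported as an IT/OT bridge because it writes to a PLC over Modbus and also reaches an SMB file server, 10.0.9.99 is reported as a new node talking S7comm to a controller, and the baseline PLC 10.0.2.22 is reported idle because no traffic from it crossed the monitored link. A production sensor would parse the industrial protocol itself (function codes, register addresses) to reach the "process variable" level mentioned above; the port-based role assignment here is the simplest form of that classification.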
- Plan Your OT Incident Response
Unfortunately, taking the necessary OT network precautions won’t eliminate your risk completely. Cyberattacks will still happen, and you must have procedures in place to deal with the event from the moment it’s first discovered. First and foremost, make sure your control room staff are trained to recognize a cybersecurity incident, since an attack on a controller can first show up as an unexplained process upset rather than an alert from a security tool. You should also establish an incident management team to oversee the various primary and secondary response services, from handling crisis public relations to communicating the event to customers, partners, regulators and law enforcement.
Though complicated and ever-evolving, you can still take active steps to understand and reduce your OT cybersecurity risk—preventing attackers from compromising the safety and availability of your ICS and causing widespread cyber-physical damage. Since attackers exploit the security gaps between IT and OT technologies, taking an integrated cybersecurity approach can significantly minimize your risk and enhance productivity and safety if properly implemented. Moving forward, it’s important to review existing cybersecurity regulations and remain on the lookout for new legislation in this critical arena.
To view the recorded webinar, “Monitoring Your OT Systems for Cybersecurity Threats,” please click here.