Operational technology (OT), including industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, is becoming increasingly connected. Along with the important benefits of connected industrial operations come significant cybersecurity risks. In particular, security experts across all industrial sectors are struggling to minimize the enlarged attack surfaces and other cybersecurity vulnerabilities created by the merger of OT infrastructure with IT networks.
In 2015, the SANS Institute conducted a survey of ICS security professionals around the world. The survey found that 34 per cent of respondents believed that their systems had been breached more than twice in the past 12 months, posing a severe risk to the reliability and availability of their plants.
Complex OT environments
Why is it such a big challenge to secure a large industrial operation? The scope of the task, diversity of equipment and vendors, shortage of resources and lack of integrated and automated procedures all complicate the process of effectively protecting OT infrastructure. This is certainly the case for most energy and utility companies.
OT environments often include thousands of field assets across multiple production facilities, many of which are remote field locations and some of which are unmanned. At the same time, these assets have been installed by multiple vendors over many years and rely on proprietary hardware, software and communication protocols that were not designed with any security capabilities.
More importantly, many energy manufacturers and utility companies have not created an integrated policy to protect their industrial assets and operational equipment, even though their OT infrastructure is increasingly interconnected with their IT networks. In parallel, there are generally no policy definitions for the roles and responsibilities among the plant facilities, operation and control teams, and corporate IT security staff.
Despite investments in standalone security tools, most energy and utility companies are still forced to use manual processes and are not in the position to implement an integrated and automated approach for protecting their OT environment.
Top-down and integrated approach
A top-down and integrated approach is required to effectively protect an OT environment. “Top-down” implies that all policies, procedures and technology solutions are driven by the corporate operation and control team. “Integrated” means that all the intersection points among IT and OT, remote plants and head office, and involved third parties must be taken into consideration when enforcing policies and executing procedures.
However, as a best practice for ensuring the success of a top-down security strategy, complete visibility and a full asset inventory must first be obtained, and secure connectivity among these operational assets must also be established.
Once these two prerequisites have been achieved, the following are recommendations for a top-down, integrated strategy that can be applied to protect the OT infrastructure:
· Operation-wide policies and procedures for securing the operational assets should be clearly defined by the corporate operation and control team;
· Granular policies by plant, asset and user identity should be included in these policies;
· Security policies should be deployed centrally and enforced locally in order to protect any network segregation;
· Enforcement should be fully automated and include monitoring for policy violations;
· If there is a policy breach, an incident alarm should alert security analysts to begin investigating the event;
· If an incident does occur, authorized personnel must have the ability to promptly access an asset for incident response;
· Backup and restore procedures should allow recovery from an incident; and
· Risk management and compliance reports should be run by the corporate office.
This list of recommendations may seem obvious, but in complex, multi-site industrial environments, putting it into practice is a difficult task.
The main purpose of OT security activities should be protecting the field assets. These are the pieces of operational equipment that, if compromised, pose the largest risk to operational safety, integrity and efficiency.
To meet this objective, energy and utility companies should focus on the security essentials. What this means is that the basic security activities should be done correctly through automated and repetitive processes that cover the entire OT environment.
The following are examples of the many security essentials that must be performed to protect OT infrastructure:
· Schedule verification processes to check that qualified operating system patches and antivirus signatures are installed, along with triggers to automate the installation of updates;
· Schedule the collection and transfer of device logs to a centralized Security Information and Event Management (SIEM) system for correlation and, if necessary, alerting;
· Schedule the monitoring of ports, services and applications against the organizational whitelist and blacklist policies;
· Manage remote access authorization, privileges and accountability;
· Generate compliance reports to monitor that company and regulatory requirements are being met and determine if any fixes are required; and
· Schedule regular scans of IP address ranges and create alerts for any unexpected changes, such as a new device on the list or a device that is not acknowledging its presence.
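Two of the essentials above, checking open ports and services against the organizational whitelist/blacklist and alerting on inventory drift after a scheduled scan of an IP range, can be reduced to a comparison of an approved baseline against the latest scan result. The script below is an added illustration of that comparison; it is not from the article or from Nextnine, and every address, device role, port policy and scan result in it is constructed for the example.

```python
"""Inventory drift and port allowlist checks over a scheduled scan result.

Added example, not the article's or Nextnine's code. All hosts, roles,
policies and scan results below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed baseline: devices the corporate operation and control team
# has approved for the 10.10.1.0/24 OT segment and the ports each may expose.
BASELINE = {
    "10.10.1.10": {"role": "PLC", "allowed_ports": {502}},
    "10.10.1.11": {"role": "HMI", "allowed_ports": {80, 443, 3389}},
    "10.10.1.20": {"role": "historian", "allowed_ports": {1433}},
}

# Constructed blacklist: ports that policy forbids anywhere in the segment.
BLOCKLIST_PORTS = {21, 23}

# Constructed result of the latest scheduled scan: host -> open ports.
# 10.10.1.20 did not answer, 10.10.1.30 is not in the baseline, and the
# HMI now exposes telnet (23).
SCAN = {
    "10.10.1.10": {502},
    "10.10.1.11": {80, 443, 3389, 23},
    "10.10.1.30": {502, 80},
}


@dataclass
class Finding:
    severity: str
    host: str
    message: str


def check_inventory(baseline, scan):
    """Alert on devices that appeared or stopped acknowledging their presence."""
    findings = []
    for host in sorted(set(scan) - set(baseline)):
        findings.append(Finding("high", host, "unknown device answered scan"))
    for host in sorted(set(baseline) - set(scan)):
        role = baseline[host]["role"]
        findings.append(Finding("medium", host, f"{role} did not respond to scan"))
    return findings


def check_ports(baseline, scan, blocklist):
    """Alert on blacklisted ports anywhere and on ports outside a known
    device's allowlist. Unknown devices are left to check_inventory."""
    findings = []
    for host, ports in sorted(scan.items()):
        blocked = ports & blocklist
        for port in sorted(blocked):
            findings.append(Finding("high", host, f"blocklisted port {port} open"))
        if host in baseline:
            extra = ports - baseline[host]["allowed_ports"] - blocked
            for port in sorted(extra):
                findings.append(Finding("medium", host, f"port {port} not on allowlist"))
    return findings


def run_checks(baseline=BASELINE, scan=SCAN, blocklist=BLOCKLIST_PORTS):
    """One scheduled run: inventory drift first, then port policy."""
    return check_inventory(baseline, scan) + check_ports(baseline, scan, blocklist)


if __name__ == "__main__":
    for finding in run_checks():
        print(f"[{finding.severity.upper()}] {finding.host}: {finding.message}")
```

In practice the baseline would be loaded from the asset inventory the article treats as a prerequisite, the scan result would come from whatever scanner the site already schedules, and each Finding would be forwarded to the SIEM rather than printed; the comparison logic stays the same.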
Security posture and compliance
Considering the scale of operations and consequences of a security breach, protecting an OT environment is a complex task. To simplify the complexity and reach an improved security and compliance posture, energy and utility companies should pursue a top-down, integrated approach for defining, automating and enforcing policies and procedures. Those policies should focus on protecting the operational assets and their enforcement should be fully automated.
Energy and utility companies must do the basic security essentials properly: those security essentials that, if implemented correctly, will bring the highest security ROI. Once these essentials are covered, an energy or utility company will then be in a position to implement and benefit from additional, and more advanced, security measures.
Shmulik Aran is CEO of Nextnine, a provider of security management solutions for connected industrial control system environments.
This article is the fourth and final article in a series on OT security management for the energy supply industry. The first article presented an overview of the OT security challenges faced by energy and utility companies connecting their IT and OT operations and offered three recommendations for improving the security posture of a connected operational environment. The second article looked at the importance of network visibility and operational asset inventory, and the third article analyzed approaches for establishing secure connectivity among operational assets.