Today’s higher levels of connectivity also increase demands on security management for operational technologies. Preventing a cyberattack requires a rigorous approach and is a continuous and ongoing process, writes Shmulik Aran

More data is available than ever before

Credit: Steag-VGB Power Tech GmbH

These are exciting times for industrial operations. The Industrial Internet of Things (IIOT), Industrial Internet, Industry 4.0, Integrated Operation or maybe IT-OT convergence – whatever you prefer to call it – promises to revolutionize the use of information in everything from manufacturing plants to generating facilities, pipelines and transmission systems, refineries and more.

The connected operation is already enabling more sensors and more connected devices in more places and is creating more data than has ever been available before.

The benefits of having integrated and connected operations are too good to ignore. Plant owners and operators can measure everything that is worth measuring in order to make important data-driven decisions, such as to predict operational failures and provide preventive maintenance to improve safety and asset reliability as well as to utilize analytics to manage processes more effectively and reduce costs. This all translates to higher levels of safety, improved productivity and better profit margins.

But higher levels of connectivity also increase demands on operational technology (OT) security management. Industrial systems have traditionally benefitted from ‘security through obscurity’ and physical isolation. The new emphasis on connectivity exposes them to the corporate network and potentially to the public internet, which increases the attack surface. Control of industrial assets no longer requires physical access to the equipment, or even to the plant, because remote access is enabled by network connections. While remote control is intended only for authorized operators and third-party suppliers, it can just as easily be reached and exploited by unauthorized users with malicious intentions unless safeguards are imposed.

Security experts warn of the consequences of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems being vulnerable to cyberattacks and other security issues. Just recently, the National Cybersecurity and Communications Integration Center (NCCIC) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the US Department of Homeland Security, stated, “Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems, it’s not a matter of if an intrusion will take place, but when. The capabilities of our adversaries have been demonstrated and cyber incidents are increasing in frequency and complexity. Simply building a network with a hardened perimeter is no longer adequate.”

Mitigating the risk of a cyberattack requires a rigorous approach to hardening the security controls around both the IT and the ICS and SCADA platforms. It is important to emphasize that this is a continuous and ongoing process requiring the close collaboration of IT and OT as well as of the plants and the headquarters.

There are three important pillars to the process of hardening the security controls: Discover, Connect and Protect. Discover entails obtaining and maintaining full visibility of all distributed assets and a complete and thorough inventory of what devices and equipment are on the network. Connect means having the ability to securely connect to every asset with strict authentication to keep out unauthorized users and others with malicious intentions. Protect involves protecting every asset by patching systems, addressing vulnerabilities, keeping anti-virus (AV) signatures current, alerting on policy violations and similar activities.

Why is security still a challenge?

Many energy companies and utilities service providers have already invested significant resources and budgets into plant security measures, but gaps in protection still persist. Complexity can cause quite a few challenges, especially for companies with multiple plant sites, multiple vendors requiring access to assets, multiple lines of business, and legacy and proprietary equipment, much of which is old and may have been designed without considerations for the need for security. Manual processes are also still prevalent and they cannot scale because there are too many assets across too many locations. At the same time, there simply are not enough security experts available to provide sufficient coverage.

Energy companies and utilities service providers have been accustomed to applying security piecemeal, asset by asset and plant by plant. Even at that, security solutions may not be fully utilized and they certainly are not integrated. The result is partial coverage of the security essentials. Now that there is an IT-OT interface, it is critically important to implement security practices across the entire organization using a centralized approach. Moreover, automation is absolutely necessary to ensure that every asset has the proper controls and is monitored for ongoing compliance with security policies.

The NIST SP 800-82 framework for ICS cybersecurity is a good reference model for OT security management. The framework takes into consideration the unique nature of ICS and SCADA environments, where logical controls have physical impacts and the goals of safety and efficiency sometimes conflict with security in the design and operation of control systems.

The following three principles for OT security management are strongly recommended and can be considered best practices for energy companies and utilities service providers:

1. Adopt a top-down security approach with centrally defined, plant-wide policies that are automated to ensure consistent shielding of all field assets;

2. Focus on the security essentials: secure what matters and do the basic things right on an ongoing basis in order to shield industrial assets from risk;

3. Prioritize protecting the field assets that are key for production safety and integrity.

This security hardening is a continuous process with each iterative step closing the security gap bit by bit.

Bulgaria’s Kozloduy nuclear power plant

Credit: Yovko Lambrev/Wikimedia Commons

Gaining end-to-end visibility

Both the NIST framework and NERC-CIP v5 state that asset identification is foundational for knowing what must be protected. A comprehensive and up-to-date asset inventory is vital to developing and maintaining an appropriate defense strategy and plan for an industrial network and infrastructure. Clear visibility into what devices and equipment are on the network, what they communicate with and how, and their characteristics as well as any known vulnerabilities is an essential starting point. According to the analyst firm Gartner in its Strategic Planning Assumption No. 2, “By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources”. Gartner recommends that “security organizations must invest in capabilities to discover and track shadow IT.”

Conducting this asset discovery in an OT environment has its challenges. For example, decades-old equipment might be sensitive and, thus, it is preferable that discovery be done in an unobtrusive way to avoid disrupting availability. As such, a combination of passive and active approaches should be implemented to map the devices and equipment and to understand what they communicate with, and how.

It is also important to understand that every network environment is dynamic, so asset discovery and mapping must be automated. All changes to the baseline should be documented and incorporated into a continuously updated inventory. Only once the organization has a clear picture of its cyber-assets is it in a position to establish a defense-in-depth strategy and plan and to start putting proper hardening processes in place.
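The discovery workflow described in this section, as an added example that is not part of the article or of any NextNine product: passive flow observations (who talks to whom) are merged with the results of a scheduled active scan (open ports) into a snapshot, the snapshot is diffed against the stored baseline, and a reviewed diff is folded back into the baseline with a change-log entry per delta. The IP addresses, flows, scan results, roles and inventory schema are all constructed for illustration; the function names are this example's own.

```python
"""Asset-inventory baselining: merge passive and active discovery into a
snapshot and diff it against the stored baseline. Added example; all data,
function names and the inventory schema below are constructed."""
from datetime import datetime, timezone

# Constructed passive observations: (src_ip, dst_ip, dst_port) seen on a SPAN port
PASSIVE_FLOWS = [
    ("10.10.1.20", "10.10.1.5", 502),    # HMI -> PLC (Modbus/TCP)
    ("10.10.1.20", "10.10.1.6", 502),    # HMI -> second PLC
    ("10.10.1.30", "10.10.1.5", 44818),  # engineering station -> PLC (EtherNet/IP)
    ("10.10.1.99", "10.10.1.5", 502),    # host not in the baseline polling the PLC
]

# Constructed results of a scheduled, rate-limited active scan of the range
ACTIVE_SCAN = {
    "10.10.1.5": {502},
    "10.10.1.6": {502},
    "10.10.1.20": {3389},
    "10.10.1.30": {3389, 44818},
    "10.10.1.99": {22, 502},
}

# Constructed baseline: what the plant believes is on the network
BASELINE = {
    "10.10.1.5":  {"role": "PLC", "ports": {502}, "peers": {"10.10.1.20", "10.10.1.30"}},
    "10.10.1.6":  {"role": "PLC", "ports": {502}, "peers": {"10.10.1.20"}},
    "10.10.1.20": {"role": "HMI", "ports": {3389}, "peers": {"10.10.1.5", "10.10.1.6"}},
    "10.10.1.30": {"role": "EWS", "ports": {3389, 44818}, "peers": {"10.10.1.5"}},
    "10.10.1.40": {"role": "historian", "ports": {1433}, "peers": set()},
}


def build_snapshot(flows, scan):
    """Merge observations keyed by IP. Passive data supplies peer relationships
    (who talks to whom); active data supplies open ports."""
    snapshot = {}

    def entry(ip):
        return snapshot.setdefault(ip, {"role": None, "ports": set(), "peers": set()})

    for src, dst, _port in flows:
        entry(src)["peers"].add(dst)
        entry(dst)["peers"].add(src)
    for ip, ports in scan.items():
        entry(ip)["ports"].update(ports)
    return snapshot


def diff_inventory(baseline, snapshot):
    """Report assets that appeared, assets that were not seen, and attribute
    changes (ports, peers) on assets present in both."""
    new = sorted(set(snapshot) - set(baseline))
    missing = sorted(set(baseline) - set(snapshot))
    changed = {}
    for ip in sorted(set(baseline) & set(snapshot)):
        for attr in ("ports", "peers"):
            if baseline[ip][attr] != snapshot[ip][attr]:
                changed.setdefault(ip, {})[attr] = (
                    sorted(baseline[ip][attr]), sorted(snapshot[ip][attr]))
    return {"new": new, "missing": missing, "changed": changed}


def update_baseline(baseline, snapshot, diff, reviewer):
    """Fold a reviewed diff into a new baseline and return it with a change log.
    New assets enter as 'unclassified' pending a role assignment; assets that
    were not seen are kept but flagged, since an OT device may simply be offline
    for maintenance rather than decommissioned. The input baseline is not mutated."""
    stamp = datetime.now(timezone.utc).isoformat()
    updated = {ip: dict(attrs) for ip, attrs in baseline.items()}
    log = []
    for ip in diff["new"]:
        updated[ip] = {"role": "unclassified",
                       "ports": set(snapshot[ip]["ports"]),
                       "peers": set(snapshot[ip]["peers"])}
        log.append({"time": stamp, "asset": ip, "event": "new asset", "reviewer": reviewer})
    for ip in diff["missing"]:
        updated[ip]["not_seen_since"] = stamp
        log.append({"time": stamp, "asset": ip, "event": "not seen", "reviewer": reviewer})
    for ip, attrs in diff["changed"].items():
        for attr, (old, cur) in attrs.items():
            updated[ip][attr] = set(cur)
            log.append({"time": stamp, "asset": ip, "event": f"{attr} changed",
                        "old": old, "new": cur, "reviewer": reviewer})
    return updated, log


if __name__ == "__main__":
    snap = build_snapshot(PASSIVE_FLOWS, ACTIVE_SCAN)
    inventory_diff = diff_inventory(BASELINE, snap)
    new_baseline, change_log = update_baseline(BASELINE, snap, inventory_diff, reviewer="ot-analyst")
    for item in change_log:
        print(item)
```

On the sample data the diff surfaces one unknown host that has started polling a PLC, one PLC whose peer set has therefore changed, and one historian that was not seen at all; the last case is deliberately flagged rather than deleted, because in OT a silent device is as likely to be under maintenance as decommissioned. Passive observation runs first and continuously, and the active scan is the step to rate-limit or skip for equipment that is known to be sensitive to unsolicited traffic.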

Remote access control

A variety of first- and third-party professionals need access to ICS systems used by energy companies and utilities service providers. Their jobs require them to maintain and monitor equipment, perform security processes such as patching and log collection, and improve asset uptime. In some cases, fast access is required for incident response. Performing these tasks in person may not be practical or even physically possible, making remote access an absolute necessity. In addition, some of these activities are based on machine-to-machine (M2M) devices, which can be completely automated without any human intervention.

While these remotely performed activities are often critical to plant safety and reliability, having connectivity from the outside and allowing various remote access processes, especially by third parties, increases the ICS attack surface. It is imperative to protect against unauthorized users and malicious attackers who aim to exploit the vulnerabilities of remote access.

Virtual private networks (VPNs) and proprietary remote access tools are commonly used, but these practices pose risks to the organization from multiple communication lines across the enterprise and shared access credentials. A much better means of secure communications is to funnel all remote access through a single location that is fully controlled by the organization’s IT security professionals. This eliminates proprietary end-runs around security controls that go straight into the industrial assets.

Best practices also call for remote user authentication without sharing assets’ credentials, ideally through a password vault that enables access without sharing the actual password. All user access should be set to “least privilege” mode with exceptions to the policy on an individual basis. Finally, all users’ activities should be monitored and audited with IT and OT being able to approve, deny or terminate a session as necessary.
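The remote-access controls described in this section (a single brokered path, least privilege with individually approved exceptions, a credential vault that never releases the asset password, and sessions that IT or OT can audit and terminate), as an added example that is not part of the article or of any NextNine product. The roles, users, asset names, exception and vault contents are constructed; the functions are this example's own, and the actual connection to the asset is left as a comment where a real broker would open it.

```python
"""Brokered remote access with least privilege, per-user exceptions, a
credential vault and session auditing. Added example; the roles, users,
asset names and vault contents are constructed for illustration."""
from datetime import datetime, timezone
import secrets

# Constructed role policy: each role carries only the actions its job requires
ROLE_ACTIONS = {
    "vendor_tech": {"read_logs", "view_config"},
    "plant_engineer": {"read_logs", "view_config", "change_config"},
    "it_security": {"read_logs", "collect_logs", "apply_patch"},
}
USERS = {"alice@vendor": "vendor_tech", "bob@plant": "plant_engineer", "carol@it": "it_security"}

# Time-boxed exception granted to one individual for one asset and one action
EXCEPTION_EXPIRY = datetime(2030, 1, 1, tzinfo=timezone.utc)
EXCEPTIONS = [
    {"user": "alice@vendor", "asset": "PLC-07", "action": "firmware_update",
     "expires": EXCEPTION_EXPIRY, "approved_by": "bob@plant"},
]

# Vault: the asset's own credential lives here, is used by the broker, and is never handed to a user
VAULT = {"PLC-07": {"username": "plc-admin", "password": "constructed-placeholder-secret"}}

AUDIT_LOG = []   # one record per session attempt, updated when a session ends


def evaluate(user, asset, action, now=None):
    """Least-privilege decision: allow only what the role grants or a still-valid exception covers."""
    now = now or datetime.now(timezone.utc)
    role = USERS.get(user)
    if role is None:
        return {"allow": False, "reason": "unknown user"}
    if action in ROLE_ACTIONS.get(role, set()):
        return {"allow": True, "reason": f"granted by role {role}"}
    for ex in EXCEPTIONS:
        if (ex["user"], ex["asset"], ex["action"]) == (user, asset, action) and ex["expires"] > now:
            return {"allow": True, "reason": f"exception approved by {ex['approved_by']}"}
    return {"allow": False, "reason": "no grant for this action (least privilege)"}


def open_session(user, asset, action, now=None):
    """Record the attempt and, if allowed, connect with the vaulted credential on the
    user's behalf. The caller receives only an opaque session id, never the password."""
    decision = evaluate(user, asset, action, now)
    record = {"session_id": None, "user": user, "asset": asset, "action": action,
              "decision": decision, "status": "denied"}
    AUDIT_LOG.append(record)
    if not decision["allow"]:
        return None
    if asset not in VAULT:
        record["status"] = "error: no vaulted credential"
        return None
    credential = VAULT[asset]
    # A real broker opens the connection to `asset` here using `credential`;
    # the secret stays inside the broker process.
    record["session_id"] = secrets.token_hex(8)
    record["status"] = "open"
    record["connected_as"] = credential["username"]  # audit the account used, not the secret
    return {"session_id": record["session_id"], "asset": asset, "action": action}


def terminate(session_id, by):
    """IT or OT can end a live session; returns False if there is no such open session."""
    for record in AUDIT_LOG:
        if record["session_id"] == session_id and record["status"] == "open":
            record["status"] = "terminated"
            record["terminated_by"] = by
            return True
    return False


if __name__ == "__main__":
    session = open_session("alice@vendor", "PLC-07", "read_logs")
    print("session handed to user:", session)
    print("denied:", open_session("alice@vendor", "PLC-07", "change_config"))
    terminate(session["session_id"], by="carol@it")
    for record in AUDIT_LOG:
        print(record)
```

The exception list is what keeps least privilege workable in practice: the vendor technician's role never gains firmware rights, but a named approver can grant that one action on that one asset until a fixed expiry, and the audit record carries the approver's name. Because every attempt, allowed or denied, lands in the audit log before any connection is made, a denied request is as visible to the monitoring team as a successful one.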

A top-down, integrated approach

Once an energy company or utilities service provider obtains and maintains its complete asset inventory and can reach all of those assets remotely through secure connections, only then is it in a position to begin applying continuous protection using a top-down, integrated approach.

By “top-down”, we mean that the head operation and control office should be driving the policies, procedures and technology solutions that secure the entire environment. By “integrated”, we mean that the intersection points among IT and OT, remote plants and head office, and third parties such as equipment vendors are all considered when choosing the means to enforce the policies and execute the procedures so that “everything works together” properly.

ICS security policy creation, deployment and monitoring should be top-down with an integrated operation in mind, and the primary focus of this policy should be shielding the field assets. These are the assets that, if compromised, pose the biggest risk to operational safety, integrity and efficiency. Enforcement of security policies must be automated.

Energy companies and utilities service providers should address the security essentials, focusing on doing the basic things right. Examples include applying qualified operating system patches and anti-virus signatures, collecting and analyzing device logs, scanning IP address ranges to look for unexpected changes, and so on.

Security is a process, not a project

Securing a large-scale industrial complex is a big task, but owners and operators do not have to do everything at once. Hardening the environment with good security controls is an ongoing process and not a one-off project. By taking incremental steps through a top-down, integrated approach and doing the right things first, energy companies and utilities service providers can significantly improve their security postures and compliance efforts.

Only when the OT environment is reasonably secure can an organization enjoy the benefits of having more data available from an integrated and connected operational platform.

This article is the first in a series of articles on recommendations for OT security management for energy companies and utilities service providers. The following articles will provide an in-depth analysis of each of the three recommended best practices for OT security management. The next article will take a detailed look at the discovery considerations for maintaining full network visibility and asset inventory.

Shmulik Aran is CEO of NextNine, a provider of security management solutions for connected industrial control system environments. www.nextnine.com