Story image

Industrial control systems: How to approach OT cybersecurity

09 Oct 2018

Article by PAS Global founder and CEO Eddie Habibi

To secure industrial facilities and ensure safe, reliable production, operational technology (OT) and IT security, traditionally two separate disciplines with different priorities, must come together to share cybersecurity and risk management best practices.

PAS Global recently reached out to a panel of industry experts focused on OT cybersecurity risk mitigation and asked them to share their strategies for making industrial control systems more secure. 

The first-hand experience comes from experts across a diverse range of industries including oil and gas, chemicals and refining, and power generation.

Their views illustrate the importance of understanding similarities and differences between IT and OT environments.

OT security begins with a technical standard of critical security elements. 

According to Total TEPDK industrial IT & infrastructure head Jacob Laas Glass, OT security begins with a technical standard of critical security elements.

Glass is responsible for integrated operations and industrial control systems (ICS) security on six offshore oil platforms, so he knows what would make ICS security easier for him.

“Vendors always think their system is the only system in the world that’s going to install on a platform,” he says.

“But if they had the view that they are part of a much bigger thing, we would have a much simpler solution offshore. That would be my request. Please, vendor, consider you are not the only one in the world.”

As the ICS industry gives more consideration to cybersecurity, vendors must develop a more holistic view.

But for now, Glass must contend with an OT environment that is complex and difficult to secure.

He has adopted several practices that have greatly improved cyber security in his environment.

These include: 

Begin with a technical standard of critical security elements 

OT control systems often require multiple components to work together in order to perform a control function.

Every device in that control system could have a critical safety impact on the overall system’s function.

When a device is installed, all the ways it could negatively impact the system must be evaluated.

Glass recommends applying the same strategy to evaluate ICS from a security perspective.

Begin with a technical security standard that the system and its components must meet. 

“Every time we install something, we apply a Swiss cheese model against the standard. We look at it to see what can be set up initially, what we can prevent, what we can detect, what we can respond to, and what we can recover,” Glass says.

“If there’s something we can’t do, we look for what we can do in the system instead to cover for that security element,” he adds.

When something is added to the system, one way or another the system as a whole must still meet the standard of critical security elements.”

When in doubt, assume protection is not there 

In Glass’s environment, systems are pretty well documented from a cabling standpoint.

However, documentation of device configuration is often poor.

New technology that detects OT devices and their configurations has been a tremendous help in providing greater visibility, but there still can be areas of uncertainty.

“For example, it might not be clear if a device is configured with a host firewall. In this scenario, we have to assume that it’s not there, and then develop a plan for hardening that device or network.”

This involves a lot of work and help from vendors.

“Some vendors know how to protect their own systems, but others do not get involved in industrial security. Then we do it ourselves,” says Glass. 

Establish an OT department that works closely with the IT department 

This gives OT people access to IT people, who typically have more detailed technical knowledge about cybersecurity issues.

In Glass’s organisation, although the OT department resides in the IT department, it is still responsible for operations and OT security.

But sitting next to IT has been a big help.

“Every time we connect a device, we have different information from the vendor. ‘This is possible, this is not possible’ and so on. We get our network guy and the IT guy together and we apply our Swiss cheese model—what can we do to prevent, detect, and respond. That has helped us create good, secure solutions.”

Having a security standard for control systems and working with IT to help implement them has been very effective for Glass.

“Someone could just sit in their security officer chair and say, ‘No, that’s not possible.’

“But we have to make it possible. That’s the whole point with OT. We have to make it possible because there’s a lot of money involved,” he says.

Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.
Raising the stakes: McAfee’s predictions for cybersecurity
Security teams and solutions will have to contend with synergistic threats, increasingly backed by artificial intelligence to avoid detection.
Exclusive: Ping Identity on security risk mitigation
“Effective security controls are measured and defined by the direct mitigation of inherent and residual risk.”
CylancePROTECT now available on AWS Marketplace
Customers now have access to CylancePROTECT for AI-driven protection across all Windows, Mac, and Linux (including Amazon Linux) instances.