
Industrial control systems: How to approach OT cybersecurity

09 Oct 18

Article by PAS Global founder and CEO Eddie Habibi

To secure industrial facilities and ensure safe, reliable production, operational technology (OT) and IT security, traditionally two separate disciplines with different priorities, must come together to share cybersecurity and risk management best practices.

PAS Global recently reached out to a panel of industry experts focused on OT cybersecurity risk mitigation and asked them to share their strategies for making industrial control systems more secure. 

The first-hand experience comes from experts across a diverse range of industries including oil and gas, chemicals and refining, and power generation.

Their views illustrate the importance of understanding similarities and differences between IT and OT environments.


According to Total TEPDK industrial IT & infrastructure head Jacob Laas Glass, OT security begins with a technical standard of critical security elements.

Glass is responsible for integrated operations and industrial control systems (ICS) security on six offshore oil platforms, so he knows what would make ICS security easier for him.

“Vendors always think their system is the only system in the world that’s going to install on a platform,” he says.

“But if they had the view that they are part of a much bigger thing, we would have a much simpler solution offshore. That would be my request. Please, vendor, consider you are not the only one in the world.”

As the ICS industry gives more consideration to cybersecurity, vendors must develop a more holistic view.

But for now, Glass must contend with an OT environment that is complex and difficult to secure.

He has adopted several practices that have greatly improved cybersecurity in his environment.

These include: 

Begin with a technical standard of critical security elements 

OT control systems often require multiple components to work together in order to perform a control function.

Every device in that control system could have a critical safety impact on the overall system’s function.

When a device is installed, all the ways it could negatively impact the system must be evaluated.

Glass recommends applying the same strategy to evaluate ICS from a security perspective.

Begin with a technical security standard that the system and its components must meet. 

“Every time we install something, we apply a Swiss cheese model against the standard. We look at it to see what can be set up initially, what we can prevent, what we can detect, what we can respond to, and what we can recover,” Glass says.

“If there’s something we can’t do, we look for what we can do in the system instead to cover for that security element,” he adds.

“When something is added to the system, one way or another the system as a whole must still meet the standard of critical security elements.”

When in doubt, assume protection is not there 

In Glass’s environment, systems are pretty well documented from a cabling standpoint.

However, documentation of device configuration is often poor.

New technology that detects OT devices and their configurations has been a tremendous help in providing greater visibility, but there still can be areas of uncertainty.

“For example, it might not be clear if a device is configured with a host firewall. In this scenario, we have to assume that it’s not there, and then develop a plan for hardening that device or network.”

This involves a lot of work and help from vendors.

“Some vendors know how to protect their own systems, but others do not get involved in industrial security. Then we do it ourselves,” says Glass. 
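The two practices above (checking each new device layer by layer against the standard, and treating an undocumented control as absent) can be sketched as a small coverage check. This is an added example, not code from PAS Global or Total; the layer list follows the quote but leaves out initial setup, and the asset names, zones and control values are constructed for illustration.

```python
from dataclasses import dataclass, field

# Layers taken from the quoted description; a real standard would list
# its own critical security elements (assumption for this example).
LAYERS = ("prevent", "detect", "respond", "recover")

@dataclass
class Asset:
    name: str
    zone: str
    # layer -> True (verified present), False (verified absent),
    # None or missing (not documented)
    controls: dict = field(default_factory=dict)

def evaluate(assets, zone_controls):
    """Classify every layer of every asset as 'device', 'compensated' or 'gap'."""
    report = {}
    for asset in assets:
        zone = zone_controls.get(asset.zone, {})
        row = {}
        for layer in LAYERS:
            if asset.controls.get(layer) is True:
                row[layer] = "device"        # verified on the device itself
            elif zone.get(layer) is True:
                row[layer] = "compensated"   # covered elsewhere in the system
            else:
                row[layer] = "gap"           # absent or undocumented everywhere
        report[asset.name] = row
    return report

def hardening_plan(assets, report):
    """List open gaps, separating undocumented controls from verified-absent ones."""
    plan = []
    for asset in assets:
        for layer, status in report[asset.name].items():
            if status == "gap":
                known = asset.controls.get(layer)
                plan.append((asset.name, layer, "unverified" if known is None else "absent"))
    return sorted(plan)

# Constructed sample inventory (hypothetical names and values).
ASSETS = [
    Asset("plc-01", "control", {"prevent": None, "detect": False, "respond": True, "recover": True}),
    Asset("hmi-02", "dmz", {"prevent": True, "detect": True, "recover": False}),
]
ZONE_CONTROLS = {"control": {"prevent": True}, "dmz": {"recover": True, "respond": None}}

if __name__ == "__main__":
    for item in hardening_plan(ASSETS, evaluate(ASSETS, ZONE_CONTROLS)):
        print(item)
```

An "unverified" entry calls for confirming the configuration on the device, while an "absent" entry calls for hardening the device or adding a compensating control in its zone.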

Establish an OT department that works closely with the IT department 

This gives OT people access to IT people, who typically have more detailed technical knowledge about cybersecurity issues.

In Glass’s organisation, although the OT department resides in the IT department, it is still responsible for operations and OT security.

But sitting next to IT has been a big help.

“Every time we connect a device, we have different information from the vendor. ‘This is possible, this is not possible’ and so on. We get our network guy and the IT guy together and we apply our Swiss cheese model—what can we do to prevent, detect, and respond. That has helped us create good, secure solutions.”

Having a security standard for control systems and working with IT to help implement it has been very effective for Glass.

“Someone could just sit in their security officer chair and say, ‘No, that’s not possible.’

“But we have to make it possible. That’s the whole point with OT. We have to make it possible because there’s a lot of money involved,” he says.
