Industrial control systems: How to approach OT cybersecurity
Article by PAS Global founder and CEO Eddie Habibi
To secure industrial facilities and ensure safe, reliable production, operational technology (OT) and IT security, traditionally two separate disciplines with different priorities, must come together to share cybersecurity and risk management best practices.
PAS Global recently reached out to a panel of industry experts focused on OT cybersecurity risk mitigation and asked them to share their strategies for making industrial control systems more secure.
The first-hand experience comes from experts across a diverse range of industries including oil and gas, chemicals and refining, and power generation.
Their views illustrate the importance of understanding similarities and differences between IT and OT environments.
OT security begins with a technical standard of critical security elements.
According to Total TEPDK industrial IT & infrastructure head Jacob Laas Glass, OT security begins with a technical standard of critical security elements.
Glass is responsible for integrated operations and industrial control systems (ICS) security on six offshore oil platforms, so he knows what would make ICS security easier for him.
“Vendors always think their system is the only system in the world that’s going to install on a platform,” he says.
“But if they had the view that they are part of a much bigger thing, we would have a much simpler solution offshore. That would be my request. Please, vendor, consider you are not the only one in the world.”
As the ICS industry gives more consideration to cybersecurity, vendors must develop a more holistic view.
But for now, Glass must contend with an OT environment that is complex and difficult to secure.
He has adopted several practices that have greatly improved cyber security in his environment.
These include:Begin with a technical standard of critical security elements
OT control systems often require multiple components to work together in order to perform a control function.
Every device in that control system could have a critical safety impact on the overall system’s function.
When a device is installed, all the ways it could negatively impact the system must be evaluated.
Glass recommends applying the same strategy to evaluate ICS from a security perspective.
Begin with a technical security standard that the system and its components must meet.
“Every time we install something, we apply a Swiss cheese model against the standard. We look at it to see what can be set up initially, what we can prevent, what we can detect, what we can respond to, and what we can recover,” Glass says.
“If there’s something we can’t do, we look for what we can do in the system instead to cover for that security element,” he adds.
When something is added to the system, one way or another the system as a whole must still meet the standard of critical security elements.”When in doubt, assume protection is not there
In Glass’s environment, systems are pretty well documented from a cabling standpoint.
However, documentation of device configuration is often poor.
New technology that detects OT devices and their configurations has been a tremendous help in providing greater visibility, but there still can be areas of uncertainty.
“For example, it might not be clear if a device is configured with a host firewall. In this scenario, we have to assume that it’s not there, and then develop a plan for hardening that device or network.”
This involves a lot of work and help from vendors.
“Some vendors know how to protect their own systems, but others do not get involved in industrial security. Then we do it ourselves,” says Glass.Establish an OT department that works closely with the IT department
This gives OT people access to IT people, who typically have more detailed technical knowledge about cybersecurity issues.
In Glass’s organisation, although the OT department resides in the IT department, it is still responsible for operations and OT security.
But sitting next to IT has been a big help.
“Every time we connect a device, we have different information from the vendor. ‘This is possible, this is not possible’ and so on. We get our network guy and the IT guy together and we apply our Swiss cheese model—what can we do to prevent, detect, and respond. That has helped us create good, secure solutions.”
Having a security standard for control systems and working with IT to help implement them has been very effective for Glass.
“Someone could just sit in their security officer chair and say, ‘No, that’s not possible.’
“But we have to make it possible. That’s the whole point with OT. We have to make it possible because there’s a lot of money involved,” he says.