To secure industrial facilities and ensure safe, reliable production, operational technology (OT) and IT security, traditionally two separate disciplines with different priorities, must come together to share cyber security and risk management best practices.
Recently my company reached out to a panel of industry experts focused on OT cyber security risk mitigation and asked them to share their strategies for making industrial control systems more secure.
The first-hand experience comes from experts across a diverse range of industries including oil and gas, chemicals and refining, and power generation. Their essays, like the one following, illustrate the importance of understanding similarities and differences between IT and OT environments.
OT security begins with a technical standard of critical security elements.
According to Jacob Laas Glass, Head of Industrial IT & Infrastructure at Total TEPDK, OT security begins with a technical standard of critical security elements. Glass is responsible for integrated operations and ICS security on six offshore oil platforms, so he knows what would make ICS security easier for him.
“Vendors aways think their system is the only system in the world that’s going to install on a platform,” he says. “But if they had the view that they are part of a much bigger thing, we would have a much simpler solution offshore. That would be my request. Please, vendor, consider you are not the only one in the world.”
As the ICS industry gives more consideration to cyber security, vendors must develop a more holistic view. But for now, Glass must contend with an OT environment that is complex and difficult to secure. He has adopted several practices that have greatly improved cyber security in his environment. These include:
# Begin with a technical standard of critical security elements. OT control systems often require multiple components to work together in order to perform a control function. Every device in that control system could have a critical safety impact on the overall system’s function. When a device is installed, all the ways it could negatively impact the system must be evaluated. Glass recommends applying the same strategy to evaluate ICS from a security perspective.
Begin with a technical security standard that the system and its components must meet. “Every time we install something, we apply a Swiss cheese model against the standard. We look at it to see what can be set up initially, what we can prevent, what we can detect, what we can respond to, and what we can recover,” Glass notes.
“If there’s something we can’t do, we look for what we can do in the system instead to cover for that security element,” he notes. When something is added to the system, one way or another the system as a whole must still meet the standard of critical security elements.”
# When in doubt, assume protection is not there. In Glass’s environment, systems are pretty well documented from a cabling standpoint. However, documentation of device configuration is often poor. New technology that detects OT devices and their configurations has been a tremendous help in providing greater visibility, but there still can be areas of uncertainty.
“For example, it might not be clear if a device is configured with a host firewall. In this scenario, we have to assume that it’s not there, and then develop a plan for hardening that device or network.” This involves a lot of work and help from vendors.
“Some vendors know how to protect their own systems, but others do not get involved in industrial security. Then we do it ourselves,” says Glass.
# Establish an OT department that works closely with the IT department. This gives OT people access to IT people, who typically have more detailed technical knowledge about cyber security issues. In Glass’s organisation, although the OT department resides in the IT department, it is still totally responsible for operations and OT security. But sitting next to the IT people has been a big help.
“Every time we connect a device, we have different information from the vendor. ‘This is possible, this is not possible’ and so on. We get our network guy and the IT guy together and we apply our Swiss cheese model—what can we do to prevent, detect, and respond. That has helped us create good, secure solutions.”
Having a security standard for control systems and working with IT to help implement them has been very effective for Glass. “Someone could just sit in their security officer chair and say, ‘No, that’s not possible.’ But we have to make it possible. That’s the whole point with OT. We have to make it possible because there’s a lot of money involved,” he says.