Cybersecurity Approaches Unique to OT Security

The engineering profession has powerful tools to address physical risk, tools that should be applied to OT cyber risks much more routinely than they are today. For example: mechanical over-pressure relief valves prevent boilers from exploding for any reason, cyber attack or otherwise. These powerful tools are too often neglected for cyber threats because they have no analogue in IT security – they are not even mentioned in most cybersecurity standards, regulations and advice.
Andrew Ginter

The engineering profession has powerful tools that address physical risk, tools that should be applied to OT cyber risks much more widely than they are today. For example, mechanical over-pressure valves prevent pressure vessels from exploding. These valves contain no CPUs and are therefore un-hackable. Torque-limiting clutches prevent turbines from disintegrating, contain no CPUs, and are thus un-hackable. Unidirectional gateways are physically able to send information in only one direction and are physically unable to send attack information in the other direction. Today, these powerful tools are too often neglected because they have no analogue in the IT security space, and go unmentioned in almost all cybersecurity standards, regulations and advice published over the last two decades.

Digging deeper, the engineering profession has managed risks to public safety for over a century. It is because poor engineering poses risks to public safety that the engineering profession is a legislated, self-regulating profession in many jurisdictions, similar to the medical and legal professions. The engineering profession has an enormous contribution to make to managing OT cyber risks, but this is poorly understood both inside and outside the profession.

Engineering Obligations for Cybersecurity

Why? In part, this is because there are perhaps fifty times as many IT security practitioners in the world as OT security practitioners, so IT experts are often the first people consulted when we need industrial cybersecurity solutions. Most IT security experts, however, are not engineers and so are not aware of the responsibilities of, nor the contributions that can be made by, the engineering profession.

The profession itself is not much better off. If cyber attacks with physical consequences continue doubling annually, then the OT cyber problem will reach crisis proportions before the end of the decade. In most jurisdictions however, the engineering profession has not yet come to grips with these risks to public safety. At this writing, it is unclear whether there has ever been a case of an engineer being disciplined or losing their license for failing to apply robust cyber risk management to industrial designs that involve public safety or national security. While some jurisdictions, such as the United Kingdom, have added “cybersecurity and data protection” to their code of ethics, most engineers are still not aware of the rapidly changing societal expectations for industrial cybersecurity in their practices.

Engineering Approaches to OT Security

There is progress though. In the last half decade, several approaches to robust security engineering have emerged:

  • Process engineering: The ISA’s Security PHA Review textbook documents an approach for using routine Process Hazard Analysis engineering outputs to help design unhackable physical mitigations for cyber threats to worker, environmental and public safety,

  • Automation engineering: The Countering Cyber Sabotage – Introducing Consequence-driven Cyber-informed Engineering (CCE) textbook is primarily about risk assessment, but includes several chapters on unhackable mitigations for cyber threats, including unhackable digital mitigations for cyber threats to equipment protection, and

  • Network engineering: my own Secure Operations Technology (SEC-OT) Appendix in my latest text Engineering-Grade OT Security – A manager’s guide describes the engineering perspective of protecting correct physical operations from cyber-sabotage attacks embedded in incoming online and offline information flows.

In the same vein, the US Department of Energy (DOE) released a National Cyber-Informed Engineering Strategy (CIE) in 2022, and a CIE Implementation Guide in 2023. These developments, the CIE initiative and the CIE perspective are arguably the most important advances in OT Security since the Gartner Group coined the phrase “OT Security” in 2005. The CIE initiative is developing an engineering body of knowledge to, among other things, “use design decisions and engineering controls to mitigate or even eliminate avenues for cyber-enabled attack or reduce the consequences when an attack occurs.”

Why Is This New?

All these initiatives are long overdue. When I explain these opportunities and perspectives to stakeholders from engineering teams to enterprise security teams and boards of directors, the single most common response is something like:

“This makes so much sense. Why is this new? This shouldn’t be new. Why have we not been looking at the problem this way since the beginning?”

Now, to be fair, many of the actual engineering techniques we’re talking about are not new – they are very old. Safety engineering has been with us for a very long time, as has protection engineering. But using these and other powerful tools universally and systematically to address cyber risk – in addition to other threats to safe and reliable operations – this is new. Applying the perspective of the engineering profession to these problems is new, whether it should be or not.

The future is bright for OT Security seen through the lens of engineering for safety, reliability and critical infrastructure / national security imperatives. I encourage you and all OT security practitioners, engineers or enterprise security, to become aware of and start using CIE, the engineering perspective and engineering-grade defenses to improve and simplify OT security.

For more information on this topic, please request your free copy of this author’s latest textbook Engineering-Grade OT Security – A manager’s guide.

About the author
Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.