OT SYSTEMS ARE INCREASINGLY JUST AS EXPOSED TO ATTACKS AS IT SYSTEMS
The increase in digitalization, automation, cloud technology and Internet connectivity with operational technology (OT) at industrial sites has resulted in an increase in OT cyber risk; automation systems and processes that once were logically isolated now exposed to the same cyber threats as the IT world. No longer stand-alone, critical infrastructures and supply chains are increasingly integrated with enterprise systems, which significantly increases the exposure of industrial and OT networks to cyber risk. This is clearly a problem; as enterprise IT systems are exposed to the Internet in ways that OT systems should not be exposed, and are thus compromised much more frequently than we can afford OT systems to be.
OT RISK MANAGEMENT TAKES A DIFFERENT SHAPE
Addressing this exposure to operations networks requires ongoing OT cyber risk management. Risk management is the discipline of taking on reasonable risks when necessary to achieve the goals of the organization. IT (information technology) and OT (operations technology) risk management have developed separately however, as each arena presents differing levels of risk and security challenges. IT risk management, an historically more mature discipline, involves managing OT cyber risk to enterprise systems, information and technology. IT risk management accounts for business consequences of financial loss, data compromise, and data theft with the oft-associated lawsuits. OT risk management, however, is quite different. It involves an engineering approach to addressing the worst-case consequences of cyber compromise – consequences that can extend far beyond data risk into the physical world: physical damage to property, systems, the environment, and even worker casualties and threats to public safety.
HOW DOES AN OT RISK MANAGEMENT APPROACH DIFFER?
Operations technology comprises systems and networks that manage and control physical processes and assets. These systems were originally designed and built as isolated networks, with specific engineering principles to control for engineering risk; to protect the reliability, safety, and efficiency of physical operations. Today, because enterprises rely on accessing operations data for everything from preventative maintenance to centralized asset management, the same connectivity that enables business efficiencies makes it possible for adversaries to compromise our most critical systems.
OT networks must often be managed very differently from IT networks. For example, unlike IT systems that are frequently updated for both functionality and security, all change has the potential to disrupt automation and impair production. As a result, OT systems that now use the same hardware and software as IT systems typically cannot be regularly replaced in the same way as otherwise identical IT systems are updated to control for risk. As IT and OT have distinct missions and protocols, controlling for OT risk will need to be specifically tailored to the unique engineering environment and potential consequences of compromises of operations control systems.
On the other hand, while much has been written about how OT networks must be managed differently from IT networks because of the difficulty of upgrading, applying security updates or even installing anti-virus protections, these difficulties are consequences of the fundamental IT/OT difference, not what drive the difference. The fundamental difference between IT and OT networks, as mentioned earlier, is consequences. We must manage OT networks differently because fundamentally, we cannot restore human lives, damaged equipment, or environmental disasters “from backups.”
Since IT and OT systems serve distinct purposes and can have dramatically different consequences of compromise, properly securing OT systems against compromise involves an analysis of potential threats and worst-case consequences. Ongoing OT risk management involves multiple stages: assigning responsibility, asset identification and inventory, network criticality and dependency determination, threat analysis, and risk mitigation planning and implementation.
STEP 1: RISK OWNERSHIP – WITH WHOM THE BUCK STOPS
A sound OT Risk Management program starts with people. Experienced personnel in engineering, maintenance and operational health & safety departments are knowledgeable of system weaknesses, past failures, and potential sources of error and sabotage. Personnel with this institutional knowledge and experience should make up the core of your OT risk management team. Other individuals to consider including in the core team would be cyber security professionals from the IT side, risk professionals, and someone who can offer a financial perspective in terms of cost. The lead of this team should bear ultimate responsibility for OT cyber risk. Given the gravity and potential consequences of control system mis-operation in the case of a cyber event, it is worth seriously considering the roles, experience and skills of the person ultimately responsible for OT cyber risk.
There are a couple of different scenarios worth exploring, and who will be ultimately responsible for the program will be a function of both the size of the organization and of the potential worst-case consequences of a cyber event. Ideally, OT cyber risk should be the ultimate responsibility of one individual. If IT and OT networks are more or less integrated, both IT and OT risk management could be rolled up into an existing role. For example if you are a single-site shoe manufacturer, the OT cyber risk owner could also be the person responsible for all IT and OT security (or CISO) in the organization. If the organization is lean, the security architecture is straight-forward, and the worst-case consequences of compromise are mostly business consequences (financial loss, production loss, etc), then the CISO could have the capacity and skills to successfully take on this role.
On the other hand, a passenger rail business with operations in many jurisdictions, each with different cultures, regulations and languages, would potentially need separate risk owner roles in each region, distinct from the head of OT security or CISO, to bear full responsibility and lead all efforts to ensure a level of OT network security commensurate with the potential consequences of the cyber risks posed: train derailment, collision, loss of life, etc. This scenario would require full time monitoring, managing, controlling, and reporting on OT cybersecurity risk. The risk owner must also be able to understand potential inter-departmental and inter-network dependencies which could impact physical operations and must work with those department heads to control for risk. For example, if systems within the operations control center of a rail network depend on Active Directory which sits on an IT network connected to the Internet, risk must be duly controlled for and managed with the stakeholders of IT security. If the risk owner function is too siloed within an IT or OT department, inter-departmental risk responsibility gets confused and the buck stops with no one in case of attack.
What all OT cyber risk owners should have in common are a specific set of skills. The risk owner should have a knowledge of OT and engineering principles, as well as a knowledge of IT systems, networks, defenses and attack patterns. This individual should be adept at crafting a What-If analysis to thoroughly identify, monitor and control for any potential operational risk posed by a cyber event.
The risk owner should not only have the knowledge, but also the authority, resources, skills and capacity to actively and effectively manage the risk over the OT risk management lifecycle. They also must have not only risk management skills, but the experience in initiating respond and recover efforts as these events require leadership through time-sensitive, state-of-emergency situations. This also requires effective communication skills to not only keep various stakeholders abreast of any risk creep, but also to coordinate efforts for successful risk program and recovery implementation.
Assigning responsibility is the beginning of the risk management process. The risk owner takes the burden off the shoulders of engineering project managers, technicians and other IT practitioners, so that he can manage, monitor and control the OT-specific cyber risk and initiate appropriate responses that are required in the case of a cyber event. Assigning responsibility is the first of a multiple stages of an effective OT risk management process which will also include network risk assessment, criticality assessment, consequences analysis, solution implementation, response plan, and mitigation strategy. Watch this space for further articles expanding on these stages.