Ireland Makes OT Security Top Priority
Ireland’s NCSC has taken a very positive first step in protecting its national critical infrastructure and OT systems by addressing the essential characteristics that make OT networks different, encouraging engineering-based principles and tasks to effectively mitigate the risk of physical consequences of compromise.
Courtney Schneider
I recently had the opportunity to read Ireland’s Securing Operational Technology guidance published by their National Cyber Security Centre (NCSC). I am no stranger to cybersecurity standards and guidance and must say this document stands out in several ways: it is concise (9 pages in length), employs brevity and sensible language, and is organized in a very reader-friendly manner. It is obvious that the Irish NCSC is taking on a very complex problem with a clear sense of mission.
As the global OT cyber threat environment has evolved rapidly in recent years, Ireland has jumped to the head of the cyber-readiness queue with an overhaul of its national cybersecurity strategy. Amid a general uptick in cybercrime in Ireland, cybercriminals are increasingly targeting automated operations systems. Operational Technology (OT) attacks are likely to continue their upward trend; cyber attacks impacting physical operations or causing shut downs have skyrocketed since 2020 globally, with ransomware responsible for most attacks. Securing legacy OT systems remains of particular concern to the national security of countries worldwide.
The NCSC OT guidance details measures to strengthen cybersecurity for industrial sites and critical infrastructure. As a nation with a strong digital economy as well as vibrant cybersecurity and solutions sector, Ireland is well placed to set a high bar for other European nations to follow.
As a nation with a strong digital economy as well as vibrant cybersecurity and solutions sector, Ireland is well placed to set a high bar for other European nations to follow.
The European and Irish Backdrop
The Irish government’s response has been influenced both by recent national events as well as over-arching European regulatory requirements. At the end of November 2023, a cyber attack impacting water pressurization at the Erris Water local pumping station caused 180 households in the Binghamstown and Drum areas lost water for two days. Erris reported they did not have sufficient budget for firewalls, and that after the attack they failed engage manual pumping operations, ultimately leading to the outage.
Incidents like these justify the driving force for European countries to bolster their national strategies and guidance. The Network Information Services Directive (NIS-2) is mandating spending on cybersecurity as companies, critical infrastructure providers and government agencies work toward compliance with these regulations.
Additionally, the European Network and Information Security Regulation (EU) 2018/151, applies specifically to critical infrastructure and operators of essential services. On the local level, Ireland’s National Cyber Security Strategy 2019–2024 mandates the NCSC to promote measures to protect critical infrastructure and operational technology. The strategy is in place to respond to the NIS2 requirement of the October 2024 deadline to transport requirements to local law by Member States.
Get a complimentary copy of Andrew Ginter’s latest book
Engineering-grade OT Security – A Manager’s Guide
Ireland’s Approach to Strengthening OT
The NCSC Securing Operational Technology guide is essentially a network risk assessment checklist; simple, concise, but at the same time impressively thorough. With a lengthy introduction, the substantive part of the document covers 5 pages, but the authors manage to include 61 sensible, valuable, and clearly articulated recommendations into those few pages, a rare feat!
The guidance applies to the following sectors: electricity, drinking water and waste, oil and gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage and manufacturing industries. The guide details 10 essential areas with subtasks to address and manage the range of associated risks. The first six sections worthy of particular attention as they reinforce a sound engineering-based approach to securing OT networks from cyber threats. The sections are: risk-based approach, know your infrastructure, segment and isolate, control access, network & system hardening, and change control and configuration management. This type of approach to risk closely aligns with the discipline of “cyber-informed engineering” (CIE) which applies constant evaluation, consequence-driven risk analysis, and early design lifecycle engineering for OT cybersecurity mitigation.
- Risk-based approach: this section lays the foundation for effective cyber defense implementation: prioritization of critical systems. Mitigating or eliminating risk is only successful if you understand the severity of consequences of a particular asset or system. As the consequences of network compromise differ from asset to asset within an organization, it is important that groups of assets are prioritized according to criticality. And criticality can effectively be applied as per varying degrees of impact: financial, physical, social-economic, public, etc.
- Know your infrastructure: Understanding, documenting, and actively managing an accurate asset inventory is a must for cyber-physical systems which pose potential grave consequences if compromised.
- Segment and isolate: A golden rule of OT security: segment your OT network and protect it from your corporate network using strong network perimeter controls. Segmenting networks involves grouping assets, classifying their criticality and protecting that group of assets (or entire network) appropriately:
“divide network into zones organized by groups of systems with similar operational function and risk profile. Consider traffic flows between end points.”
Early lifecycle network planning with built-in controls reinforces digital perimeters and prevents the need to bolt-on protections after the fact. Operating with the assumption that the corporate network is compromised at all times will encourage disciplined information flows and appropriate protections from the start.
- Control External Access to the Network: this can be accomplished with clearly defined system and network boundaries and implementing protections accordingly. Remote access is very risky when implemented in OT environments, so it is critical to follow this guidance to include implementing a defense-in-depth strategy and/or enforcing disciplined traffic flows especially for the most highly critical assets and systems.
- Network & System Hardening: this step is very important from a network engineering perspective. There are simple steps that can be taken from design through execution to keep networks safer such as restricting internet connectivity for specific hosts, or better yet for the entire OT network, disabling ports, turning off non-essential services, removing IT assets and dependencies from OT networks, etc.
Interesting Insight
Recommendation 3(f) of the document is particularly interesting. It recommends using discrete hardwired I/Os – eg: 4-20mA current loops – between critical skid systems and DCS I/Os, rather than firewalled or even serial protocol connections for critical components. A hardwired input/out communication mechanism is a powerful tool for preserving limited visibility into key systems without putting those systems at risk from online attacks reaching through firewalls. I have only ever seen the technique documented before in the US Department of Defense Unified Facilities Criteria (UFC) 4-010-06 Cybersecurity of Facility-Related Control Systems guidance – which refers to it as a “Hardware I/O Interface” in section F-3.1.1. This kind of hardened I/O is an example of network engineering. Network engineering is a body of knowledge focused on designing networks to reduce or eliminate information flows that could include cyber attacks, especially those flowing into OT automation networks. Network engineering is focused on controlling the movement, volume, and direction of information.
The most common kind of network engineering for the purposes of network boundary information control is the unidirectional gateway. The unidirectional gateway is a hardware-enforced technology which allows information to flow out of critical systems without allowing any information – including attacks – back in. The gateways are a combination of hardware and software that enable business automation needing access to OT data without putting OT systems at risk by connecting them through firewalls. Unidirectional Gateways are most commonly deployed at the IT/OT network perimeter – precisely at the consequence boundary where cyber impacts generally shift from business-related (IT) to physical (OT). The strength of the protection offered by the Gateways makes it an appropriate choice for a consequence-driven approach to cyber risk, eliminating all remote cyber risks that could potentially affect physical operations.
In summary, this is one of the most readable and comprehensive pieces of OT security guidance in the English language I have come across and I highly recommend a read. Ireland’s NCSC has taken a very positive first step in protecting its national critical infrastructure and OT systems by addressing the essential characteristics that make OT networks different, encouraging engineering-based principles and tasks to effectively mitigate the risk of physical consequences of compromise. And if you want to dig deeper into network engineering and OT security – Waterfall is still distributing free copies of our latest book Engineering-Grade OT Security – A Manager’s Guide by Andrew Ginter.
About the author
Courtney Schneider
Share
Trending posts
Are OT Security Investments Worth It?
Expert Impressions of Cyber-Informed Engineering
Stay up to date
Subscribe to our blog and receive insights straight to your inbox