Systems can be controlled, but people are only human

By Kurt Forster | February 11, 2019

Like biological immune systems that protect us from illness and infections, ICSs need shields that protect them from cyber assaults like malware, phishing, and ransomware.

Most ICSs are legacy systems with a lot of miles on them. Their age makes them especially vulnerable, because many had inherent flaws that have long since been addressed in newer versions. Still, they’re responsible for many specific, critical processes and applications, so any change that affects them must always be evaluated for its impact on operations and safety. Custodians must be constantly vigilant about new technology, making sure they get the training they need to understand the newest vulnerabilities and anticipate where they may come from.

Generally, the IT approach to system maintenance and security is to install the patches the manufacturer provides. IT then restarts the system and addresses any problems with “fixes” after the fact. If, conservatively, the process resulted in a 20 percent failure rate, IT would work its way through the failures one by one until all the problems were addressed. Contrast that with an operational technology (OT) system. If one of those were to lose 20 percent of its assets for any period of time, the plant would have to shut down.

When our clients’ ICS systems run into trouble and they ask for our help, fully 80 percent of the incidents we see are the result of direct involvement with the systems by staff and third parties. Usually, what’s needed is training and information about OTs and how they work. Staff need to understand the differences between enterprise environments and ICSs so they’re aware of the impact that routine maintenance, upgrades, and unplanned activities can have.

Based on their appetite for risk, companies can use different maturity and security-level approaches to address cyber-resiliency issues and their own compliance with recommended practices for managing cyber resiliency effectively.

Control that is standards-and-documentation-driven. It’s imperative that organizations understand the level of knowledge or ability their people have when they are hired to work with systems infrastructure. Today, many employees have enough IT knowledge to introduce changes—probably unintentionally—that can create serious vulnerabilities. The risk of compromised security is cut dramatically if the only changes that staff can make to the system are those needed to do their own jobs. So it’s imperative to have a good understanding of roles and responsibilities across the organization. It drives decisions about who is allowed to do what.

Control that is cloud-driven. Tools can be purchased for specific processes, based on Applications as a Service (AaaS) or Platform as a Service (PaaS). Real-time, preset controls are often embedded in these third-party services, but they may not meet the requirements of your risk management plan. OT organizations need to understand and apply comprehensive ICS processes and safety requirements to guard against the vulnerabilities of open systems.

Control that is static-driven. Non-cloud and legacy systems require an in-depth understanding of assets, configurations, and process requirements to protect the system. They must follow a rigorous testing and deployment schedule. Here, the biggest risk-management issues involve configurations and patches made to the systems. They may not be applied consistently across the organization, leaving holes and vulnerabilities that can be exploited.

The hybrid model. The above three models can be adapted and customized, depending on the nature of the OT organization, its cyber-maturity target level, and whether the environment is greenfield or brownfield. Combining cloud- and non-cloud-based controls without governance risks undermining the control that the operations group has over ICS systems. For example, ICS system controls may be changed by a third-party service, causing unplanned reactions in plant operations that may not be safe. Clients and OT organizations need to be sure they can address mixed environments holistically to deal with threats and vulnerabilities, however they arise.

If organizations are going to be successful defending their cyber assets, there must be a collaboration between IT and the engineering groups throughout an OT organization. Ultimately, the best protection for cyber assets is a strong industrial cyber program, one that includes appropriate training for your permanent and contract workforce and a rigorous set of cyber controls adapted to your situation. It’s a worthwhile undertaking, because any form of prevention is always better than searching for a cure after the damage is done.