OT Cybersecurity for Operations Leaders


Introduction

Cybersecurity is a crucial aspect of modern life, especially for industrial organizations. Operational Technology (OT) environments, which manage critical infrastructure and industrial processes in plants and other industrial settings, are increasingly exposed to cyberattacks because of their growing reliance on digital technologies and network connectivity. Operations Leaders must proactively understand and mitigate these risks to ensure the safety, reliability, and resilience of their operations.

This overview provides Operations Leaders with fundamental concepts, a framework overview, a glossary of terms, and links to additional resources. The goal is to equip Operations Leaders (and IT teams that may not be familiar with OT) with key concepts as they begin collaborating with their organization's technology and cybersecurity teams. It is not a replacement for a detailed and comprehensive OT security strategy and plan.


Key Risks

OT environments face unique cybersecurity risks due to their distinct characteristics, including:

  • Increased connectivity: Connecting OT environments to routable networks for remote access and system monitoring has created pathways that attackers can use to reach control systems that were once isolated.
  • Minimal security by design: OT systems are often designed with minimal security features in order to prioritize operational efficiency and avoid impediments in emergencies, so they can be more easily exploited by attackers.
  • Critical assets: OT environments, which often control vital assets underpinning essential human services like energy, utilities, manufacturing, and transportation, are prime targets for attackers.
  • Severe consequences: Cyberattacks on OT systems can have more severe consequences than those on IT systems, potentially including:


Key Actions to Take

  • Conduct a thorough cybersecurity risk assessment: A risk assessment helps to understand the organization's unique threat landscape, vulnerabilities, and potential impacts of cyber attacks.
  • Develop an OT cybersecurity strategy: Based on the risk assessment, organizations should define a strategy that aligns with their business objectives and risk tolerance levels. This strategy should encompass policies, procedures, and technologies to mitigate identified risks and should be aligned with the IT cybersecurity strategy.
  • Implement a defense-in-depth approach: This approach involves layering security mechanisms across multiple levels of the OT environment (as defined by ISA-95 or other models), including physical security, network security, hardware security, software security, and security management.
  • Establish strong identity and access management: Securely manage user accounts and access privileges to OT systems to prevent unauthorized access and limit the impact of potential breaches.
  • Implement robust detection and response capabilities: Proactively monitor the OT environment for suspicious activities, establish incident response plans, and conduct regular testing and validation exercises.
  • Provide cybersecurity awareness training: Educate all personnel who interact with OT systems about cybersecurity threats, best practices, and reporting procedures.
  • Foster strong collaboration: Encourage collaboration between IT and OT teams, as well as with external partners such as equipment OEMs, to share threat intelligence, best practices, and lessons learned.
  • Continuously improve: Regularly review and update the OT cybersecurity program and your general Cybersecurity strategy based on evolving threats, vulnerabilities, and technologies.


Frameworks to Use

Several cybersecurity frameworks can help organizations establish and improve their OT cybersecurity programs. Commonly used frameworks that can assist organizations in this endeavor include:

  • NIST Cybersecurity Framework (CSF) 2.0: This framework provides a comprehensive set of guidelines and best practices for managing cybersecurity risk across six core functions: Govern, Identify, Protect, Detect, Respond, and Recover (version 1.1 had five; 2.0 added Govern).
  • ISA/IEC 62443: This series of standards specifically addresses cybersecurity for industrial automation and control systems.
  • NIST Special Publication 800-82: This guide provides recommendations for securing industrial control systems, including specific considerations for risk management, defense-in-depth architecture, and incident response.
  • COBIT 5: This framework focuses on IT governance and management and can be applied to OT environments to improve cybersecurity practices.
  • ISO 27001/27002: This set of standards provides requirements and guidelines for establishing, implementing, maintaining, and continually improving an information security management system.
  • NERC CIP Standards: These standards specifically address cybersecurity for the bulk electric system in North America.
  • CIS Controls for ICS: This implementation guide from the Center for Internet Security explains how to apply the security best practices in CIS Controls Version 7 to Industrial Control Systems (ICS) environments. It highlights the unique considerations and challenges of implementing these controls in ICS, emphasizing the need to balance security with operational requirements such as availability, real-time performance, and vendor agreements.
  • The Defender's Advantage: This framework from Mandiant outlines six critical functions of cyber defense: Intelligence, Detect, Respond, Validate, Hunt, and Mission Control.
  • NIS2: The NIS2 Directive is a European Union law that strengthens cybersecurity requirements for a wider range of organizations deemed "essential" or "important" to the EU economy and society. It aims to improve EU-wide cybersecurity by mandating risk management measures, incident reporting, and greater cooperation between member states, with stricter enforcement and penalties for non-compliance.

Organizations should select a framework that best suits their needs and industry requirements. Using a combination of different frameworks can also be beneficial in providing a more comprehensive approach to OT cybersecurity. By understanding the key risks, taking appropriate actions, and leveraging relevant frameworks, organizations can build a resilient OT cybersecurity program to protect their critical assets and operations from cyber threats. Let’s go into more detail on two of the above frameworks.


The Defender's Advantage Explained

The Defender's Advantage is a cybersecurity concept developed by Mandiant, part of Google Cloud. It highlights the natural advantage organizations have when defending their own systems: organizations know their own networks and systems better than any attacker ever could, and they have the ability to control and shape their environments to deter and respond to threats.

The Defender's Advantage refers to the strategies and practices that organizations responsible for critical infrastructure can use to proactively strengthen their cybersecurity posture. The goal is to reduce the risk of cyberattacks and their potential consequences, such as disruptions to essential services, damage to equipment, and even threats to public safety.

Think of critical infrastructure as the essential systems and services that a modern society depends on – things like power grids, water treatment plants, manufacturing facilities, and transportation systems. These systems rely heavily on OT, which includes the hardware and software that directly control and monitor physical processes.

Why is the Defender’s Advantage important in OT?

  • Convergence of IT and OT: The increasing connection between traditional Information Technology (IT) systems and OT systems has created new pathways for cyberattacks. Attackers can exploit vulnerabilities in IT systems to gain access to and control critical OT systems.
  • Unique characteristics of OT: OT systems often have unique characteristics that make them more vulnerable to cyberattacks, such as:

Key Components of the Defender's Advantage:

  • Threat Intelligence: Understanding the specific threats that are relevant to OT systems is crucial. This involves gathering information about potential attackers, their tactics, and the vulnerabilities they might exploit. It also means staying informed about emerging threats and vulnerabilities specific to OT environments. Collaboration and information sharing with government agencies, industry partners, and specialized security organizations are crucial for obtaining and sharing threat intelligence.
  • Defense in Depth: This approach involves implementing multiple layers of security controls to make it more difficult for attackers to compromise OT systems. This includes both traditional IT security measures, such as firewalls and intrusion detection systems, and OT-specific controls, such as jump hosts and protocol-aware intrusion detection systems. The goal is to create a layered defense that can detect and prevent attacks at multiple points.
  • Specialized Detection and Response: Traditional IT security tools and techniques may not be effective in OT environments due to the unique characteristics of these systems [10]. Specialized detection and response capabilities are needed to identify and respond to attacks quickly and effectively. This includes real-time monitoring of OT networks, specialized tools for analyzing OT-specific data (for example, decoding industrial protocols rather than just inspecting IP headers), and processes for coordinating responses across IT and OT teams.
  • Incident Response Planning: Organizations need to develop incident response plans specifically tailored for OT environments. These plans should consider the unique challenges of responding to cyberattacks in critical infrastructure, such as:
  • Cautious Testing and Validation: Testing security controls in OT environments requires a cautious approach to avoid disrupting critical operations. Testing should be carefully planned and executed, and it is important to have a clear understanding of the potential impacts on OT systems. Special considerations should be made when conducting vulnerability scans in OT networks to avoid overloading devices or disrupting communications. Organizations need to be prepared to investigate and address any incidents or anomalies that arise during testing, even if these incidents are not caused by malicious activity.
  • Threat Hunting: Threat hunting is a proactive approach to cybersecurity that involves actively searching for threats that may have bypassed traditional security controls [23]. In OT environments, threat hunting often focuses on identifying and investigating suspicious activity that may indicate an attack is in progress. This can include analyzing network traffic, system logs, and user activity for signs of malicious behavior. Given the unique challenges of accessing telemetry in OT environments, threat hunters need to leverage available data sources strategically and prioritize threats that could lead to the most severe consequences.
  • Awareness, Collaboration, and Continual Improvement: Building a strong security culture is essential for effective OT cybersecurity. This involves:

By focusing on these components, organizations can build a more resilient and secure OT environment, reducing the risk of cyberattacks and their potential impacts on critical infrastructure.
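The "protocol-aware" detection and threat-hunting points above are easier to grasp with a concrete case. The following Python example is added here and is not from the Mandiant guide or the article: it parses Modbus/TCP requests (a public industrial protocol whose frame layout is the 7-byte MBAP header followed by a function code and data), classifies each function code as a read, a write, or a diagnostic, and raises a finding when a write or diagnostic request comes from a host that is not an approved engineering workstation. The IP addresses, the allowlist, and the captured payloads are constructed for the example; a real deployment would feed it from a network tap or span port on the control network.

```python
"""Protocol-aware monitoring of Modbus/TCP requests (illustrative example, not from the article).

Parses the MBAP header and PDU of each captured client->PLC request, classifies
the function code, and raises a finding when a write or diagnostic request comes
from a host that is not an approved engineering workstation.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol specification).
READ_FCS = {1, 2, 3, 4}                # read coils / discrete inputs / registers
WRITE_FCS = {5, 6, 15, 16, 22, 23}     # single and multiple writes, mask write, read/write
DIAG_FCS = {8, 17, 43}                 # diagnostics, report server id, device identification


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    return ModbusFrame(tid, unit, fc, payload[8:])


def describe(frame: ModbusFrame) -> str:
    """Human-readable summary of what the request would do to the controller."""
    fc, d = frame.function_code, frame.data
    if fc in (5, 6) and len(d) >= 4:
        addr, value = struct.unpack(">HH", d[:4])
        return f"FC{fc} write addr=0x{addr:04x} value=0x{value:04x}"
    if fc in (15, 16) and len(d) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", d[:5])
        return f"FC{fc} write start=0x{start:04x} qty={qty} bytes={nbytes}"
    if fc == 8 and len(d) >= 2:
        sub = struct.unpack(">H", d[:2])[0]
        return f"FC8 diagnostics sub-function=0x{sub:04x}"
    return f"FC{fc}"


def analyze(events, write_allowlist):
    """events: iterable of (timestamp, src_ip, dst_ip, hex_payload) for client->PLC requests."""
    findings = []
    for ts, src, dst, hexpayload in events:
        try:
            frame = parse_modbus_tcp(bytes.fromhex(hexpayload))
        except ValueError as err:
            findings.append({"ts": ts, "src": src, "dst": dst, "severity": "medium",
                             "reason": f"malformed Modbus frame: {err}"})
            continue
        fc = frame.function_code
        if fc in WRITE_FCS and src not in write_allowlist:
            sev, why = "high", "write from non-engineering host"
        elif fc in DIAG_FCS and src not in write_allowlist:
            sev, why = "high", "diagnostic/identification request from non-engineering host"
        elif fc not in READ_FCS | WRITE_FCS | DIAG_FCS:
            sev, why = "medium", "unusual function code"
        else:
            continue   # routine read, or a write from an approved workstation
        findings.append({"ts": ts, "src": src, "dst": dst, "severity": sev,
                         "reason": f"{why}: {describe(frame)}"})
    return findings


# Constructed sample capture (hypothetical addresses and payloads, not real traffic).
ENGINEERING_WORKSTATIONS = {"10.1.2.50"}
SAMPLE_EVENTS = [
    # HMI polling ten holding registers: routine.
    ("09:00:01", "10.1.2.10", "10.1.3.20", "000100000006" "0103" "0000000a"),
    # Engineering workstation writing one register: allowed.
    ("09:00:05", "10.1.2.50", "10.1.3.20", "000200000006" "0106" "00100001"),
    # Host from the enterprise range writing registers: should alert.
    ("09:00:09", "10.0.5.7", "10.1.3.20", "000300000009" "0110" "0010000102ffff"),
    # Same host issuing diagnostics sub-function 0x0001 (restart communications).
    ("09:00:10", "10.0.5.7", "10.1.3.20", "000400000006" "0108" "00010000"),
    # Truncated frame: the length field claims more bytes than are present.
    ("09:00:12", "10.0.5.7", "10.1.3.20", "000500000006" "0103"),
]


def run_sample():
    return analyze(SAMPLE_EVENTS, ENGINEERING_WORKSTATIONS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['src']}->{f['dst']} [{f['severity']}] {f['reason']}")
```

Two design points matter for OT. First, the detection keys on protocol semantics (which function code, which register) rather than on port 502 alone, which is what separates an OT-aware monitor from a generic firewall log. Second, the allowlist is deliberately small and explicit: in a plant, the set of hosts permitted to change controller state is known, so anything else writing to a PLC is worth an analyst's time even when it is a misconfigured historian rather than an attacker.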


NIST SP 800-82 Guide to OT Security Explained

The guide highlights that OT security prioritizes safety, availability, integrity, and then confidentiality, in that order. This is a different prioritization from IT systems, which typically prioritize confidentiality first.

The guide emphasizes the importance of several key aspects:

Importance of a Cybersecurity Program

  • Senior management commitment is crucial for a successful cybersecurity program. This commitment can be demonstrated through:
  • A strong business case is essential to secure management buy-in and obtain the necessary resources. The business case should:
  • The cybersecurity team should include individuals with diverse domain knowledge from various departments, such as IT, control engineering, operations, and security. This cross-functional team can effectively evaluate and mitigate risks to the OT system.
  • Continuous monitoring is needed to assess the effectiveness of security controls and identify any potential issues.
  • A comprehensive incident response plan is essential to quickly recover from cybersecurity incidents. The plan should include:


Risk Management

  • Organizations must understand and manage risks to their OT systems using a comprehensive risk management framework. The framework should:

Cybersecurity Architecture

  • The guide recommends a defense-in-depth strategy, which involves implementing security controls in multiple layers to protect OT systems. This approach helps minimize the impact of a security breach by avoiding single points of failure.


Key Layers of Defense-in-Depth

  • Security Management: This foundational layer involves establishing a strong cybersecurity program, as discussed earlier.
  • Physical Security: Protecting OT systems from unauthorized physical access is crucial. This includes measures such as:
  • Network Security: Segmenting OT networks to isolate critical systems and devices from less secure networks is essential. Traffic between segments should be limited to explicitly approved paths so that a compromise in one segment cannot spread freely to the next.
  • Hardware Security: Ensuring the security of OT hardware, such as PLCs, sensors, and actuators, is important. This includes:
  • Software Security: Protecting OT software, including firmware, operating systems, and applications, is critical. Key measures include:


The Cybersecurity Framework (CSF) 2.0

  • The guide also points to the NIST Cybersecurity Framework (CSF) 2.0, which provides a structured approach to managing cybersecurity risk with six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.

Specific Considerations for OT

  • Legacy systems: Many OT systems are legacy systems that are no longer supported by vendors and cannot be easily patched or updated. The guide recommends using compensating controls (for example, network isolation and monitoring) to mitigate risks in these cases.
  • Safety systems: Safety instrumented systems are critical for preventing accidents and ensuring the safe operation of OT processes. The guide emphasizes the need to consider the cybersecurity of these systems as well.
  • Environmental considerations: Some OT systems can pose environmental hazards if they are compromised. The guide recommends incorporating environmental considerations into security architecture designs.
  • Regulatory requirements: Organizations in regulated industries, such as energy and transportation, must comply with specific cybersecurity regulations. The guide highlights the importance of incorporating these requirements into security programs.

The guide provides in-depth details on:

  • OT system topologies: A general overview of the typical systems OT encompasses.
  • OT cybersecurity program development: Guidance on establishing a cybersecurity program including policies, procedures, risk management, incident response, and recovery.
  • Cybersecurity architecture: Recommendations for integrating security into OT network architectures, emphasizing network segmentation and defense-in-depth.
  • Detailed control specifications: Provides specific security controls tailored for OT environments, addressing areas such as access control, awareness and training, and system security.
  • Tools and training: An overview of resources like CISA tools, training courses, industry standards, and research initiatives related to OT cybersecurity.

By addressing these key aspects, organizations can significantly enhance the cybersecurity of their OT systems, mitigate risks, and protect critical infrastructure and industrial processes from cyber threats.


Basic Cybersecurity Terms: IT and OT Environments

Note: Many cybersecurity terms apply to both IT and OT, but some have nuanced meanings or specialized applications within each context.

OT and IT Cybersecurity Terms Glossary

This glossary provides a basic understanding of key cybersecurity terms in both IT and OT environments. It is important to note that cybersecurity is a constantly evolving field, and new terms and concepts emerge regularly. Staying informed about the latest threats and best practices is crucial for maintaining a secure environment in both IT and OT.


Conclusion

Cyber threats to OT in infrastructure, plants, and the supply chain are an ever-evolving risk to an organization's ability to make and deliver high-quality goods to its customers. Operations Leaders need to incorporate these risks into their decision making, including but not limited to employee training, capital equipment purchases and installation, technology system selection, maintenance, and third-party support activities.


Sources and Additional Information

The NIST Cybersecurity Framework (CSF) 2.0

NIST SP 1800-10B Protecting Information and System Integrity in Industrial Control System Environments

NIST SP 800-82r3 Guide to Operational Technology (OT) Security September 2023

USNC Current Volume 16, No. 1 IEC ANSI Newsletter

Industry 4.0 and cybersecurity: How to protect your business against cyber risks. CGI Whitepaper, 2021

The Defender's Advantage: A guide to activating cyber defense. Mandiant, part of Google Cloud, 2024

The Defender's Advantage: Operational Technology. Mandiant, part of Google Cloud, 2024

Mandiant.com/solutions/operational-technology

Anusha Iyer

CEO of Corsha | Automate Securely

3 months ago

Great article - thanks!

Manbir Singh

Digital Transformation Leader | Automotive, Aerospace, Automation | Human-Centric Transformation | Empowering Businesses achieve Excellence through Digital Innovation, Efficiency and Growth

3 months ago

Great insights Luis Solano. As more assets get connected in OT space, understanding cybersecurity becomes critical for all stakeholders. Protecting these systems ensures the integrity of operations and the sustainability of lean practices in manufacturing.

Jeroen Erné

Teaching Ai @ CompleteAiTraining.com | Building AI Solutions @ Nexibeo.com

4 months ago

Great insights on OT cybersecurity! It's crucial for leaders to stay informed in this rapidly evolving space. I recently shared a guide with best practices and AI solutions that might complement your work: https://completeaitraining.com/blog/a-guide-to-enhancing-ot-cybersecurity-best-practices-and-ai-solutions-for-operations-lead. Keep the conversations going!

Sascha Buhle

OT Security Manager | Information Security Officer | Safeguarding Critical Infrastructure for a Secure Tomorrow

4 months ago

Great to see OT cybersecurity basics being highlighted! Bridging the knowledge gap is critical, especially with unique OT challenges like protocol vulnerabilities and uptime demands.


Great insights on the growing importance of OT cybersecurity. It's crucial for operations leaders to stay informed, as the threat landscape continues to evolve. Thanks for sharing such a valuable resource!
