
Cybersecurity for operational technology: Part 4: Practical recommendations to reduce cybersecurity risks for OT systems

November 2021 Editor's Choice

According to the latest report from Claroty, it is critical that defenders understand the attack vectors threat actors may take to compromise industrial networks. Having proper visibility into potential weak spots helps organisations prioritise patching and other risk management activities[1]. It is therefore essential that IT professionals can clearly articulate cybersecurity risks to management. According to the World Economic Forum: “The board as a whole takes ultimate responsibility for oversight of cyber risk and resilience”. This means developing a command of the subject[2].

The first step is to adopt a best practice cybersecurity framework, which provides a holistic view of what is needed, establishes your organisation’s current level of maturity and provides a prioritised, risk-based roadmap for improvement. This roadmap is like a nautical chart. Without one, an organisation is adrift in the cyber-sea, not knowing where it is or where it is going. This increases the chances of panic when an incident occurs.

Figure 1 illustrates the key steps and processes required. A comprehensive security assessment is performed against a best-of-breed security framework, generating a prioritised, actionable security roadmap.

Table 1 lists some examples of best practice frameworks.

Care needs to be taken when selecting frameworks as industrial control systems (ICS) have different performance, availability and equipment lifetime requirements to IT systems. It is difficult to apply traditional cybersecurity controls to ICS systems, since they are often a combination of legacy and newer systems.

Often, a single security product or technology cannot adequately protect an ICS. The benefit of a best practice framework is that the IT and ICS components in the business will be evaluated holistically. Defences need to be based on a combination of effective security policies and a properly configured set of cybersecurity controls. This includes the organisation and operations. Figure 2 shows a big picture view of all the areas that need to be addressed.

Table 2 shows an overview of some recommendations mapped to the NIST Cybersecurity Framework specific to ICS environments.

Note: The final step ‘Recovery’ has been left out due to space constraints. This step covers developing and implementing appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. I will cover this in a future article.

One of the best ways to demonstrate commitment to reducing cybersecurity risk is to work towards a recognised security certification of your environment. This will provide stakeholder assurance that reasonable steps have been taken to mitigate cyber threats. One of the best frameworks is ISO 27001, which can be assessed locally by the BSI (British Standards Institution)[8] with assistance from cybersecurity professionals such as Wolfpack[9].


[1] Claroty, 2021. Claroty Biannual ICS Risk & Vulnerability Report: 1H 2021. https://claroty.com/annual-report/

[2] W.E.F., 2017. Advancing Cyber Resilience Principles and Tools for Boards. https://www.weforum.org/whitepapers/advancing-cyber-resilience-principles-and-tools-for-boards








About Bryan Baxter

Bryan Baxter has been in the IT Industry since 1992 in various roles before recently joining Wolfpack Information Risk. He has helped customers successfully manage and deliver IT infrastructures to around 7000 users in several countries, where, of course, the recurring theme has been keeping customers secure from cybersecurity threats. For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, bryan@wolfpackrisk.com, www.wolfpackrisk.com

