Editor's Choice
Analytical Instrumentation & Environmental Monitoring
Data Acquisition & Telemetry
Electrical Power & Protection
Enclosures, Cabling & Connectors
Fieldbus & Industrial Networking
Flow Measurement & Control
Industrial Computer Hardware
Industrial Wireless
IS & Ex
IT in Manufacturing
Level Measurement & Control
Maintenance, Test & Measurement, Calibration
Mass Measurement
Motion Control & Drives
News
Operator Interfaces, Switches & Relays
PLCs, DCSs & Controllers
Pneumatics & Hydraulics
Pressure Measurement & Control
SAIMC
SCADA/HMI
Sensors & Transducers
Smart Home Automation
System Integration & Control Systems Design
Temperature Measurement
Training & Education
Valves, Actuators & Pump Control


Editor's Choice



Print this page printer friendly version

Cybersecurity for operational technology: Part 4: Practical recommendations to reduce cybersecurity risks for OT systems

November 2021 Editor's Choice

According to the latest report from Clatory, it is critical that defenders understand the attack vectors threat actors may take to compromise industrial networks. Having proper visibility into potential weak spots helps organisations prioritise patching and other risk management activities[1]. It is therefore essential that IT professionals can clearly articulate cybersecurity risks to management. According to the World Economic Forum: “The board as a whole takes ultimate responsibility for oversight of cyber risk and resilience”. This means developing a command of the subject[2].

The first step is to adopt a best practice cybersecurity framework, which provides an holistic view of what is needed and will establish your organisation’s current level of maturity and provide a prioritised risk-based roadmap for improvement going forward. This roadmap is like a nautical chart. Without one, an organisation is adrift in the cyber-sea, without knowing where they are or where they are going. This increases the chances of panic when an incident occurs.

Figure 1 illustrates the key steps and processes required. A comprehensive security assessment is performed against a best-of-breed security framework, generating a prioritised, actionable security roadmap.

Table 1 lists some examples of best practice frameworks.

Care needs to be taken when selecting frameworks as industrial control systems (ICS) have different performance, availability and equipment lifetime requirements to IT systems. It is difficult to apply traditional cybersecurity controls to ICS systems, since they are often a combination of legacy and newer systems.

Often, a single security product or technology cannot adequately protect an ICS. The benefit of a best practice framework is that the IT and ICS components in the business will be evaluated holistically. Defences need to be based on a combination of effective security policies and a properly configured set of cybersecurity controls. This includes the organisation and operations. Figure 2 shows a big picture view of all the areas that need to be addressed.

Table 2 shows an overview of some recommendations mapped to the NIST Cybersecurity Framework specific to ICS environments.

Note: The final step ‘Recovery’ has been left out due to space constraints. Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to cybersecurity. I will cover this in a future article.

One of the best ways to demonstrate commitment to reducing cybersecurity risk is to work towards a recognised security certification of your environment. This will provide stakeholder assurance that reasonable steps have been taken to mitigate cyber threats. One of the best frameworks is ISO 27001, which can be assessed locally by the BSI (British Standard Institution)[8] with assistance from cybersecurity professionals such as Wolfpack[9].

References

[1]Claroty, 2021 Claroty biannual ICS risk & vulnerability report: 1h 2021, https://claroty.com/annual-report/

[2]W.E.F, 2017 Advancing Cyber Resilience Principles and Tools for Boards https://www.weforum.org/whitepapers/advancing-cyber-resilience-principles-and-tools-for-boards

[3]https://www.nist.gov/cyberframework

[4]https://www.iso.org/isoiec-27001-information-security.html

[5]https://www.bsigroup.com/en-ZA/ISOIEC-27001-Information-Security/

[6]https://www.cisecurity.org/

[7]https://www.iec.ch/blog/understanding-iec-62443

[8]https://www.bsigroup.com/en-ZA/

[9]https://wolfpackrisk.com/

About Bryan Baxter


Bryan Baxter.

Bryan Baxter has been in the IT Industry since 1992 in various roles before recently joining Wolfpack Information Risk. He has helped customers successfully manage and deliver IT infrastructures to around 7000 users in several countries, where, of course, the recurring theme has been keeping customers secure from cybersecurity threats. For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, [email protected], www.wolfpackrisk.com


Credit(s)

Tel: +27 11 794 7322
Email: [email protected]
www: www.wolfpackrisk.com
Articles: More information and articles about Wolfpack Information Risk


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Simple and efficient level measurement in the mining, minerals and metals industries
Endress+Hauser South Africa Editor's Choice Level Measurement & Control
Measuring devices in the mining, minerals and metals industries face the challenge of varying material states and long distances in measurement height. Endress+Hauser’s answer to these challenges is the new Micropilot family.

Read more...
PC-based control for fertiliser
Beckhoff Automation Editor's Choice Fieldbus & Industrial Networking
On a farm in the USA, valuable ammonia is extracted from slurry and processed into ammonium sulphate. NSI Byosis has transformed this complex process into a flexible modular system. This modular approach requires an automation solution with flexible scalability in both hardware and software, which this Dutch company has found in PC-based control from Beckhoff.

Read more...
Loop signature 28: Things to consider when tuning.
Michael Brown Control Engineering Editor's Choice Fieldbus & Industrial Networking
I was giving a course at a remote mine in the middle of the Namibian desert. We were discussing tuning responses, and as I always do on my courses, I mentioned that in my opinion ¼ amplitude damped tuning is not desirable, and is in fact not good.

Read more...
Control without complexity
Editor's Choice Motion Control & Drives
In an era where precision, performance and smart control define industrial success, the right driver can make all the difference. At Axiom Hydraulics, we’ve seen firsthand how the Sun Hydraulics XMD series transforms hydraulic systems, from mining and construction to agriculture and automation.

Read more...
The thermal combustion balancing act
Editor's Choice
From carbon taxes to export tariffs, and cost containment to security of supply and sustainability, companies are under increasing pressure to switch to greener fuel sources. Associated Energy Services warns that this pivotal change has some potentially serious knock-on effects.

Read more...
What’s driving the IE3 motor revolution?
WEG Africa Editor's Choice
The International Efficiency 3 (IE3) motor standard will soon become South Africa’s legal minimum standard, mandating that local suppliers offer more efficient electric motors. What is driving this change, and how does it affect the many industries that rely on these modern electric workhorses?

Read more...
Unlocking the smart factory
ElectroMechanica Editor's Choice Motion Control & Drives
At ElectroMechanica, we recognise that transitioning to smart automation isn’t just about adopting new technology; it’s about solving real challenges. Labour shortages, rising costs and downtime due to outdated machinery make digital transformation essential for long-term competitiveness.

Read more...
Case History 197: Bad reboiler temperature control.
Michael Brown Control Engineering Editor's Choice Flow Measurement & Control
It is very important that reboiler temperature controls operate well in petrochemical refineries, or the product quality can really suffer. I was asked to check such a control in a refinery where they were having problems with one of these controls.

Read more...
The future of industrial automation: fieldbus and industrial networking
LAPP Southern Africa Editor's Choice
As a global leader in integrated solutions in the field of cable and connection technology, LAPP recognises that fieldbus and industrial networking technologies are pivotal in shaping the future of manufacturing and production processes.

Read more...
AI-driven innovations with CCTV and cyber security
RJ Connect Editor's Choice Fieldbus & Industrial Networking
The fast progress of artificial intelligence (AI) and video analytics is redefining the rail surveillance landscape. Advancements have bolstered proactive event detection, predictive maintenance and enhanced situational awareness.

Read more...











Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  Hi-Tech Security Solutions
»  Hi-Tech Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd | All Rights Reserved