It would be fair to say that cyber security is at the top of most businesses’ list of concerns. The increased emphasis on IT and technology – every company is a technology company today, after all – has made it this way.
Technology and data have become so deeply entrenched in many organisations that if it is compromised the damage to their operations, brand reputation and bottom line can be catastrophic. You merely need to flick through any daily newspaper to read about the latest data breach to see how much of an issue cyber security is.
Those same newspapers also arguably perpetuate some myths around cyber security, namely that not every hack, attack or breach is the same. It could be ransomware like the recent WannaCry attack, a DDoS attack like that faced by the BBC in 2016, or a phishing scam in the shape of those suspect emails we’ve all received from suspiciously generous foreign diplomats and royalty. Cyber security is a catch-all term to categorise a diverse ecosystem of threats.
So it follows that protecting different infrastructures and systems too would require different approaches and skillsets – protecting the automated systems of an oil refinery, for instance, would be quite different from the CMS of a retailer. The stakes are much higher too.
For those working in industrial settings, understanding the nuances of protecting operational technologies is the first step to mitigating risk.
OT vs IT
It is an open secret that Operational Technology (OT) cyber security is not the same as IT cyber security.
It’s true that these systems are often based on the same technologies and as such many of the threats they face are exactly the same. However, there are some important differences that mean your operational assets should not be managed as an extension of your IT infrastructure:
- Age: OT computer systems are usually procured for a specific function and represent a significant investment. These platforms are not easily replaced and it is not unusual to find computer hardware that has been in operation with little or no modification for over 10 years. Consequently, they are vulnerable to a wide range of cyber-threats that have already been mitigated for your business systems.
- Availability: These systems are at the centre of every industrial company; excessive downtime goes directly to the bottom line. There is, therefore, an understandable reluctance to take these systems out of service for maintenance, including patching and anti-virus updates. If these systems cannot be updated frequently (consider how often requests to update appear on your own Windows PC) or they cannot be updated at all then alternative measures are required to manage the risk.
- Process hazards: Many OT assets are responsible either for direct control, supervisory control or the safe operation of manufacturing processes. Business systems are also critical but their failure is unlikely to result in the uncontrolled release of hazardous materials or energy. If a control system is not sufficiently secure from cyber threats then it cannot be regarded as adequately safe, and there is a clear implication here that the security lifecycle should be managed appropriately.
Setting the standards for security
There are two standards (both published by the International Electrotechnical Commission) relevant to the identification and management of risk for industrial control systems. The first is IEC 61511 “Functional safety - Safety instrumented systems for the process industry sector”. The second is IEC 62443 “Security for industrial automation and control systems”. It is worth noting that the ISO/IEC 27000 family of standards are sometimes adopted for OT cyber security but their focus is more on information security, not the safety and / or security of industrial control assets. As OT systems are often responsible for the control of a physical process, good practice in ISO/IEC 2700x should be adopted where appropriate, but the IEC standards should take precedence at all times. For example, a password lockout policy might be appropriate for preventing unauthorised access to a business system (business confidentiality) but not for the control room where locking an Operator out of the control system could have serious consequences (availability is more important).
IEC 61511 for functional safety was updated at the end of 2016 and Edition 2 now includes requirements for:
1) Carrying out a security risk assessment to identify the security vulnerabilities of a safety system and also
2) (Re)-designing the system such that it provides the necessary resilience against the identified security risks
This change brings the two IEC standards closer together in their scope and requirements. This trend is likely to continue. For example, the UK’s Health and Safety Executive (HSE) has recently issued an Operational Guidance note to its Inspectors outlining its expectations for the management of cyber security risk on Major Accident Hazard (MAH) sites. Unsurprisingly, the HSE’s focus is on the continuing safe operation of these systems but this Operational Guidance note also makes clear the HSE’s expectations in terms of identifying and mitigating the risks posed by inadequate OT security. It also states that, “duty holders should take reasonably practicable steps to reduce security risks”. The guidance note cites IEC 61511 as “Relevant Good Practice” and also references IEC 62443 under “Relevant Standards” but it does not mention the ISO 27000 family of standards. This effectively reinforces the status of IEC 62443 as THE standard for the security of industrial control systems.
Dedicated rather than deviation
Managing the security of your control systems as an extension of your IT security procedures will almost certainly lead to problems. At best this will result in deviations from your IT policy and at worst will result in mismanagement of the security of your industrial control assets. There are key differences between the security management of IT assets and the security management of OT assets, and surely your control systems are too important to be managed as just a deviation from IT policy? Indeed, in the modern connected enterprise where your industrial systems are networked to your business systems (which they almost certainly are) and your business systems are Internet facing (again very likely) then your business systems should be regarded as a potential source of threat to the integrity, safety and security of your control systems. That threat should be appropriately managed.
Rob Turner, Advanced Solutions Consultant, Yokogawa UK
Image Credit: Elena11 / Shutterstock