Story image

Industrial control systems: How to approach OT cybersecurity

09 Oct 2018

Article by PAS Global founder and CEO Eddie Habibi

To secure industrial facilities and ensure safe, reliable production, operational technology (OT) and IT security, traditionally two separate disciplines with different priorities, must come together to share cybersecurity and risk management best practices.

PAS Global recently reached out to a panel of industry experts focused on OT cybersecurity risk mitigation and asked them to share their strategies for making industrial control systems more secure. 

The first-hand experience comes from experts across a diverse range of industries including oil and gas, chemicals and refining, and power generation.

Their views illustrate the importance of understanding similarities and differences between IT and OT environments.

OT security begins with a technical standard of critical security elements. 

According to Total TEPDK industrial IT & infrastructure head Jacob Laas Glass, OT security begins with a technical standard of critical security elements.

Glass is responsible for integrated operations and industrial control systems (ICS) security on six offshore oil platforms, so he knows what would make ICS security easier for him.

“Vendors always think their system is the only system in the world that’s going to install on a platform,” he says.

“But if they had the view that they are part of a much bigger thing, we would have a much simpler solution offshore. That would be my request. Please, vendor, consider you are not the only one in the world.”

As the ICS industry gives more consideration to cybersecurity, vendors must develop a more holistic view.

But for now, Glass must contend with an OT environment that is complex and difficult to secure.

He has adopted several practices that have greatly improved cyber security in his environment.

These include: 

Begin with a technical standard of critical security elements 

OT control systems often require multiple components to work together in order to perform a control function.

Every device in that control system could have a critical safety impact on the overall system’s function.

When a device is installed, all the ways it could negatively impact the system must be evaluated.

Glass recommends applying the same strategy to evaluate ICS from a security perspective.

Begin with a technical security standard that the system and its components must meet. 

“Every time we install something, we apply a Swiss cheese model against the standard. We look at it to see what can be set up initially, what we can prevent, what we can detect, what we can respond to, and what we can recover,” Glass says.

“If there’s something we can’t do, we look for what we can do in the system instead to cover for that security element,” he adds.

When something is added to the system, one way or another the system as a whole must still meet the standard of critical security elements.”

When in doubt, assume protection is not there 

In Glass’s environment, systems are pretty well documented from a cabling standpoint.

However, documentation of device configuration is often poor.

New technology that detects OT devices and their configurations has been a tremendous help in providing greater visibility, but there still can be areas of uncertainty.

“For example, it might not be clear if a device is configured with a host firewall. In this scenario, we have to assume that it’s not there, and then develop a plan for hardening that device or network.”

This involves a lot of work and help from vendors.

“Some vendors know how to protect their own systems, but others do not get involved in industrial security. Then we do it ourselves,” says Glass. 

Establish an OT department that works closely with the IT department 

This gives OT people access to IT people, who typically have more detailed technical knowledge about cybersecurity issues.

In Glass’s organisation, although the OT department resides in the IT department, it is still responsible for operations and OT security.

But sitting next to IT has been a big help.

“Every time we connect a device, we have different information from the vendor. ‘This is possible, this is not possible’ and so on. We get our network guy and the IT guy together and we apply our Swiss cheese model—what can we do to prevent, detect, and respond. That has helped us create good, secure solutions.”

Having a security standard for control systems and working with IT to help implement them has been very effective for Glass.

“Someone could just sit in their security officer chair and say, ‘No, that’s not possible.’

“But we have to make it possible. That’s the whole point with OT. We have to make it possible because there’s a lot of money involved,” he says.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.