Finding a Balance: Managing OT Cyber Risk

Tuesday, February 24, 2015 @ 03:02 PM gHale

By Nate Kube
The Industrial Internet holds so much promise for oil and gas and other energy sectors: increased human safety, efficiency, and productivity. At the same time, the network connectedness required to reap these benefits makes operational systems security more important than ever.

Imagine that while reading this, your chief executive interrupts you with an urgent question: Is your organization protected against Regen, a just-disclosed industrial controls vulnerability?


For many companies we consult with, this type of industrial cyber risk question cannot be easily answered. While their CFOs may review daily reports for IT security risks, they have nothing in place to handle the realities of critical infrastructure and operational technology (OT) risks.

Moving forward, companies will need to strike a balance between two opposing forces. On the one hand, the desire to automate and interconnect will push for opening up systems that have been closed for decades. On the other hand, leaders will need to understand and responsibly mitigate related risks. As we have seen while performing OT security assessments and certifications worldwide, organizations need help to address several operational realities first, including:

  • Visibility into security posture – Considering the massive number of control systems and vintages of operational equipment, it’s difficult for a manufacturing plant or wind farm to see operational-specific network traffic. (This is partially what makes it impossible to respond to the chief executive’s valid question in the example above.) Adding more sensors and connected equipment will only make this situation more acute.
  • Workflows – Closed-off, isolated processes (such as shutting down a turbine engine) used to be the norm, but today, business and technical drivers are forcing more open workflows. Plant managers and compliance directors will need to build security into workflows to ensure, as an obvious example, that commands are authenticated first.
  • People qualified in operational technology (OT) security – Achieving a good balance between the promise of the Industrial Internet and the operational challenges of securing it will depend on who can see the nuances of industrial security risk. IT perspectives will not suffice to address OT risks. Few companies have considered who can design and implement the steps needed to address the unique threats facing critical infrastructure. Nor have they considered who will accurately monitor dynamic threat landscapes and implement updates as attack vectors evolve.

This may seem an overwhelming set of tasks, but there is hope. A pragmatic starting point is having the vital information to make correct risk assessments. Are you looking at how your operational equipment connects and communicates, for example, or only seeing IT protocol traffic? Do the technologies, processes, and people responsible for watching that communication know how and where to look if something suspicious is detected?

Believing they have security visibility is the most common misperception I see across the energy sector. In the majority of cases, only IT risk is addressed at operational facilities today.

Current Information
If you think about how we use driving information like Google or Yahoo maps, it helps to understand just how insufficient the current security posture information really is. If you are driving in a foreign city, for example, one map version might show you existing roads and interstates. Yet another map might highlight and recommend the best routes based on real-time traffic, latest road conditions, and accidents.

Which map would you rather have to plan your trip?

Similarly, many power plants and oil refineries today are relying on that first map when it comes to protecting their operations. Worse, they are unaware there could be other, more effective maps to guide them. And worse still, they believe their current information is everything they need to be secure.

Vital information is just one part of balancing the promise of the industrial Internet with risk. In follow-on columns, we will share insights from recent customer case studies to pinpoint three areas you can act upon to lead your operations securely into a more interconnected world.

Wurldtech's Nate Kube.


Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company’s Chief Technology Officer, is responsible for strategic alliances, technology and thought leadership. Kube has created an extensive Intellectual Property portfolio and has filed numerous authored patents in formal test methods and critical systems protection. Wurldtech is an independent subsidiary of GE, which acquired the company in 2014.
