Learning to Navigate OT Security Risks

Tuesday, April 14, 2015 @ 04:04 PM gHale


By Frank Marcus
There is no doubt the industrial Internet holds great promise for improving efficiency, productivity, and most importantly, human safety. However, the level of network connectedness required to gain these benefits makes operational systems security more essential than ever, especially in Oil and Gas and other energy sectors.

While critical infrastructure security is already recognized by regulators and compliance leads (see NERC CIP regulations), there are further opportunities to truly strengthen an industrial facility’s security posture. Here are some of the key points I shared with Oil and Gas executives at a GE conference in Florence last month. These points are the result of my experience and current role in performing security assessments across industrial facilities worldwide, from wind farms to oil rigs.

RELATED STORIES
Finding a Balance: Managing OT Cyber Risk
Employee Training Boosts Security
Cyber Attacks Top Continuity Threat
Complex Security Should be Easy

What most companies don’t realize is simply having the right view into different types of information can speed your ability to fix common problems. Think about traveling on a city’s subway system as a good analogy. Of course, you need the basic information like which stop is closest to the address you’re visiting, and what subway line goes there. However, there are additional details that could vastly change how quickly and efficiently you arrive, such as which trains are local and which are express. One might pass right by the stop you need. Yet another level of information – real-time schedule data – might tell you which lines end up affected by delays, helping you determine another way to travel all together.

The same thing can be said of the path to secure critical infrastructure – it can be seamless and fast, as long as you have the right perspectives and information.

Along those lines, the most obvious example is companies only monitoring IT protocols, thus missing the depth and richness OT protocol visibility can provide. Indicators of compromise specific to control systems (such as unexpected control set point changes, logic updates, and administrative settings like date/time) are only available to systems capable of understanding how control systems communicate, and most importantly, with the context to interpret what those signals mean.

Many organizations have not prepared adequately for critical infrastructure and operational technology (OT) risks. It is a delicate balancing act between automating and interconnecting formerly closed systems and mitigating risks. Implementing critical infrastructure security into existing operations is essentially helping organizations to affect change – changing its People, Process and Technology to meet security requirements not there when the operation originally commissioned. Companies can approach security methodically, focusing on three primary areas: Visibility into their security posture; building security into workflows; and hiring and training qualified OT personnel.

To better illustrate the People, Process, Technology approach, I’ll share the type of efforts we completed for a Major Oil Producer to benchmark their security practices relative to a new international standard specific to OT Security.

People
General awareness training was available to various employee types, which helped the organization then appoint personnel responsible for security implementation and risk management. Why is the People component so critical?

Consider an oil spill or another kind of physical accident. Generally speaking, most employees in the Oil and Gas sector know how to successfully respond to handle such a situation. The same cannot be said about cyber security issues. Not everybody recognizes a Phishing attack email or knows how to deal with suppliers who want to use USB sticks to transfer configuration information. And even if they do, chances are things will change the next month due to new viruses or breaches.

Starting with education across a spectrum of workers, it will increase how quickly and well you can handle the new information and risks prevalent across more connected industrial facilities.

Process
A cyber incident response program helps define clear roles and responsibilities, offering personnel a robust mechanism for effectively containing threats as they occur. Today, the Major Oil Producer regularly conducts risk assessments to understand their security posture as it relates to the evolving threat landscape. In addition, a process is in place to help those newly educated employees act on what they see and monitor.

Technology
While companies think about technology in terms of what to buy, operational facilities answer another question – how to secure and manage legacy systems with long operational lifespans. The goal here is to develop technical requirements to adopt security technology compatible with their legacy equipment and process workflows. We determined how they should evaluate technology to find the right fit for their systems. In some cases, this means an upgrade is the most efficient path. But, as our subway analogy explained, with all of the assessment information at hand, sometimes the path is to supplement workstation patching with additional compensating controls for vulnerabilities in the controls equipment proper.

Results
This company is now well down the path of establishing a “Culture of Security,” analogous to the Culture of Safety that drives the everyday behavior of those working in the field and managing physical risk. Also, the organization understands the trade-offs they need to make between securing existing operations and replacing outdated equipment with new solutions that have the ability to support modern security requirements.

New perspectives into information, and working across People, Process and Technology, has delivered an actionable framework to mitigate risks as the producer further connects to more systems, workers, and vendors.
Frank Marcus is the director security technology at Wurldtech. He is responsible for product security architecture. He is an industrial control security analyst for brownfield and greenfield applications primarily in oil and gas, power and water, factory automation, and ICS-specific vulnerability research. Wurldtech is an independent subsidiary of GE, which acquired the company in 2014.



Leave a Reply

You must be logged in to post a comment.