“…organizations must assume in their planning of not only a malfunctioning or inoperative control system, but a control system that is actively acting contrary to the safe and reliable operation of the process. Organizations need an OT resilience plan...”
U.S. CISA, Alert (AA20-205A)
Industrial control systems (ICS) and operational technology (OT) were hot targets in 2020. Mid-year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued alert AA20-205A to “reduce exposure across operational technologies and control systems” in response to “the increase in adversary capabilities and activity” and a “time of heightened tensions.”
The increasing frequency and sophistication of successful OT cyber-attacks serve as a wake-up call to all network administrators and cybersecurity teams, IT and OT alike: the smallest hole in today’s cyber defenses gives adversaries a vector for attack. It’s time to ensure critical processes and operations are resilient to today’s cyber threats. And to help, Mission Secure collaborated with guest authors from various perspectives to share their insights on what’s next for OT cybersecurity and what organizations need to consider as they plan their 2021 cyber-protection strategies and beyond. This series covers three key topics: the threat landscape (Part I), risk management (Part II), and protection.
In Part III, Julian Clark of Ince, an international legal and professional services firm; Steve Mustard of the International Society of Automation, a non-profit professional association and standards organization; and Mission Secure’s Don Ward discuss the future of OT cyber protection, regulations, standards, and recommendations for a robust and resilient defense. Check out their responses organized by topic and see how operations may bolster their OT cyber protection and risk management in 2021 and beyond.
Question: Will 2021 see any changes in regulations or standards? What will be the top OT cyber protection priorities for organizations in 2021? Any recommendations for organizations as they start 2021?
OT Protection Trend #1: Regulations are evolving.
Steve Mustard, 2021 President of the International Society of Automation (ISA): The demands of COVID-19 management during 2020 required a rapid shift towards more remote working — limited access to the operational site for personnel and limited access for vendors, especially those working internationally. This shift involved a combination of new technology and new processes. It is not clear that these changes have taken advantage of the clear guidance on secure design and risk assessment from the ISA/IEC 62443 series of standards.
While some of these changes may have been intended to be temporary, it is possible that many practices implemented in 2020 will continue even after widespread vaccination programs are complete. ISAGCA is helping to provide guidance to help asset-owners implement ISA/IEC 62443-based solutions, and there is no doubt that remote working will be feature prominently. It is also possible that regulatory bodies may need to review their rules in light of changes made in 2020.
Don Ward, VP of Global Services at Mission Secure: Fortunately, whether it’s the IMO Guidelines, NERC CIP, NIST 800-53, ISO 270001, ISA/IEC 62443, TSA Pipeline, DHS CFATS, or ISA S99 — most of these specifications point directly to the NIST Cyber Security Framework (CSF). It harmonizes previously splintered industry or sector-specific security controls and molds them into a single framework for measuring the current state of security controls. Companies should start by defining their desired cybersecurity target state. That means taking the ‘alphabet soup’ of industry and sector OT cyber control frameworks and distill it down to what’s important.
Companies should go through a questionnaire to figure out their current state. The need to do a comprehensive assessment — with pen-testing and data capture analysis along with the NIST CSF questionnaire — is absolutely necessary for most companies so that gaps can be accurately and comprehensively addressed with appropriate security policies and controls.
Julian Clark, Global Senior Partner at Ince: The regulatory framework is involved in a chase to catch those engaged in cyber threats. There can only be greater regulatory control and compliance requirements as we head into 2021 and beyond.
“There can only be greater regulatory control and compliance requirements as we head into 2021 and beyond.”
Julian Clark, Global Senior Partner at Ince
OT Protection Trend #2: Priorities — the time to act is now.
Don Ward, VP of Global Services at Mission Secure: 2021 conditions are ripe for a perfect storm: ICS and OT systems are longer proprietary or isolated; they look more like IT business systems – as they are more connected and integrated with LAN/Internet/Wi-Fi/OT protocols encapsulated in TCP/IP; and ICS and OT systems lack the IT cybersecurity controls such as AV, EDP, authentication, encryption and certifications, logging, monitoring, incident response (IR), and repeatable restoration processes.
Julian Clark, Global Senior Partner at Ince: For me, we are way past the point of thinking about what we are going to do to protect our OT. We have no option and must act now. A top priority will be to find an efficient, cost-effective, and secure way in which to audit our existing procedures and systems and then implement a true and tested security protocol that has the ability to modify and upgrade as risk changes and threats are enhanced.
Steve Mustard, 2021 President of the International Society of Automation (ISA): The message for all organizations is that cybersecurity is a constantly evolving challenge. Organizations are always catching up to new tactics, techniques, and procedures. Despite this, there are some things that never change and some actions that can be taken to manage the risk.
“The message for all organizations is that cybersecurity is a constantly evolving challenge…Despite this, there are some things that never change, and some actions that can be taken to manage the risk.”
Steve Mustard, 2021 President of ISA
OT Protection Trend #3: Establish a robust OT cybersecurity program.
Don Ward, VP of Global Services at Mission Secure: 2020 was the year of Coronavirus and heightened cybersecurity attacks. In 2021, companies should establish their OT cyber programs by implementing a multi-phase approach. This approach should cover:
Conducting onsite and remote IT/OT cybersecurity assessments — both technical and policy-based site assessments.
Defining and adopting an OT/ICS/SCADA security standard and architecture.
Properly training system administrators, users, and operators on the cybersecurity standards, architecture, and processes.
Deploying OT cybersecurity solutions for protections and detections such as firewalls for segmentation; secure internal and remote access and auditing; authentication; endpoint protections; logging; and monitoring or SEIM setup.
Periodic re-testing like internal or external pen-testing and vulnerability assessments and updating or tuning security controls based on new findings.
Steve Mustard, 2021 President of the International Society of Automation (ISA): Organizations should review these areas and consider how well they are addressing them:
Awareness — Organizations need to ensure everyone in their supply chain understands cybersecurity risk and the part they play in mitigating that risk. Many organizations focus their efforts on limited groups, such as those involved with critical equipment. However, everyone has a part to play, and everyone needs to be aware that, no matter how much technology an organization deploys in its defenses, those defenses are only as good as the actions they take: people are the weakest link, but they are the first line of defense. While poor awareness can result in a security incident, good awareness can result in the prompt action needed to avert such an incident.
Policies — In IT environments, it is possible to implement network-wide controls that can take the place of written policies, e.g., preventing someone from using removable media on a workstation. In OT environments, this is more challenging, especially in established facilities with legacy equipment, and so organizations are more dependent on written policies and training. Ownership of the cybersecurity risk in OT environments often rests with IT teams, who may not realize the importance of written policies. However, the OT team can apply experience from the safety culture to ensure that security policies are defined and managed.
Secure design — The ISA/IEC 62443 standard provides comprehensive guidance on how to properly design a secure IACS environment. In an ideal world, new facilities can be designed with security built in. While it is always more challenging to retrofit security to existing facilities, organizations should ensure they assess their risks (using ISA/IEC 62443 for guidance) and implement mitigations as needed, whether they be technical or procedural. Organizations should not rely entirely on network perimeter security or IT network monitoring to mitigate the risk to the OT environment. Defense in depth is a timeless concept that should always be followed.
Incident response — Organizations will have good incident response plans in place for fire, storm, flooding, and other physical disasters, but many do not have good plans in place for cybersecurity incidents. Even fewer have plans that they test periodically to ensure they will work when called upon. A good incident response plan considers likely scenarios, what actions are to be undertaken, and who needs to be involved through the entire supply chain.
Finally, organizations should consider joining ISAGCA to ensure they can get the most up-to-date guidance on implementing ISA/IEC 62443-based security solutions.
“Organizations should not rely entirely on network perimeter security or IT network monitoring to mitigate the risk to the OT environment. Defense in depth is a timeless concept that should always be followed.”
Steve Mustard, 2021 President of ISA
Autonomous vehicles, drone delivery, smart cities, AI, and machine-learning — the outlook of connected devices and a more interconnected existence looks nearly certain. As operations across industries digitally transform, they leave critical OT networks exposed and vulnerable.
Over 12 months, 74% of OT organizations reported a data breach, and costs ran well over $1 million due to lost production, clean up, and recovery expenses. In the maritime industry alone, only 42% of organizations protect vessels from OT cyber threats. Yet, the sector experienced a 400% increase in cyber-attacks since February 2020, including an IMO attack. Cyber-attacks on OT networks are not just becoming the norm — they are the norm. And organizations need to address the sophistication, frequency, and risk just as they do other factors for operational resilience.