Bridge the IT, OT gap by bringing IT into acceptance testing
A key part of starting up a new industrial control system (ICS) or manufacturing application is the acceptance test. If information technology (IT) resources are not already involved, the acceptance test presents an excellent opportunity to bring them into your project. A successful implementation solicits IT input on the acceptance testing criteria and enlists IT's aid in performing the cybersecurity portions of the acceptance test. This also helps bridge the gap between IT and operations technology (OT).
An ICS should have cybersecurity requirements that can be addressed by IT resources during acceptance testing. These requirements could include guidelines for the changing of default passwords, disabling of unnecessary ports or DVD drives, and segmenting of the network (perhaps with firewalls or switches). Also, cybersecurity requirements should specify the access control for the various operating and managing users.
Additional requirements that IT resources are well placed to address include checking that the assigned IP addresses match the documentation, reviewing the configuration of any workstations (such as the Microsoft Windows configuration), confirming that the latest (or appropriate) versions of software are in use, confirming that event logging is occurring as intended, and confirming that anti-virus software is operating correctly.
The IT team will be familiar with these requirements and testing procedures to verify the implementation. Further, it is likely that there are other requirements and tests that automation engineers and operations may not consider. For example, IT resources may be able to complete intrusion testing, during which your IT team attempts to defeat security mitigation steps using default accounts and passwords. They can also try connecting unauthorized devices to the network to test what access they are granted.
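The checks listed above can be written down as a repeatable acceptance-test script rather than a paper checklist, so that IT and OT run the same criteria against the same evidence. The following is an added example, not code from the article or from MESA: it compares the documented system design (IP assignments, permitted ports, minimum software versions) against the state the testers observed and reports every discrepancy, including an undocumented device that appeared on the network. The data layout, field names, host names and sample values are all constructed for illustration; in particular, whether default credentials were still accepted is recorded by the tester as a result, the script does not attempt any logins itself.

```python
"""Acceptance-test checklist runner for an ICS cutover (added example).

Compares the documented design of a system against what was observed during
acceptance testing and returns one Finding per discrepancy. All formats,
field names, host names and values below are assumptions constructed for
illustration, not the article's or any vendor's own data.
"""
from dataclasses import dataclass

# Documented design: what the project documentation says the system should be.
DESIGN = {
    "hosts": {
        "hmi-01":  {"ip": "10.20.1.10", "allowed_ports": [3389, 44818]},
        "eng-ws":  {"ip": "10.20.1.20", "allowed_ports": [3389]},
        "hist-01": {"ip": "10.20.2.10", "allowed_ports": [443, 1433]},
    },
    # Minimum acceptable software versions, as (major, minor, patch) tuples.
    "min_versions": {"ScadaSuite": (5, 2, 0)},
}

# Observed state: constructed sample of what the acceptance testers recorded.
# "default_creds_remaining" is a tester-entered result, not something this
# script checks on a live system.
OBSERVED = {
    "hosts": {
        "hmi-01": {"ip": "10.20.1.10", "open_ports": [3389, 44818],
                   "default_creds_remaining": False, "event_logging": True,
                   "av_running": True, "software": {"ScadaSuite": (5, 2, 1)}},
        "eng-ws": {"ip": "10.20.1.21", "open_ports": [3389, 445],
                   "default_creds_remaining": True, "event_logging": False,
                   "av_running": True, "software": {"ScadaSuite": (5, 1, 9)}},
        "hist-01": {"ip": "10.20.2.10", "open_ports": [443, 1433],
                    "default_creds_remaining": False, "event_logging": True,
                    "av_running": True, "software": {"ScadaSuite": (5, 2, 1)}},
        # A device seen on the control network that the design never mentions.
        "unknown-laptop": {"ip": "10.20.1.77"},
    },
}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str
    detail: str


def run_acceptance_checks(design, observed):
    """Return a list of Findings; an empty list means every check passed."""
    findings = []
    design_hosts = design["hosts"]

    for name, obs in observed["hosts"].items():
        spec = design_hosts.get(name)
        if spec is None:
            # Undocumented device: flag it and skip the per-host checks.
            findings.append(Finding(name, "inventory",
                                    f"undocumented device at {obs['ip']}"))
            continue

        # IP address assignment versus documentation.
        if obs["ip"] != spec["ip"]:
            findings.append(Finding(name, "ip_assignment",
                                    f"documented {spec['ip']}, observed {obs['ip']}"))

        # Listening ports that the design does not call for.
        extra = sorted(set(obs["open_ports"]) - set(spec["allowed_ports"]))
        if extra:
            findings.append(Finding(name, "unnecessary_ports",
                                    f"open but not in design: {extra}"))

        # Default credentials, event logging and anti-virus, as recorded.
        if obs["default_creds_remaining"]:
            findings.append(Finding(name, "default_credentials",
                                    "default account or password still accepted"))
        if not obs["event_logging"]:
            findings.append(Finding(name, "event_logging", "event logging disabled"))
        if not obs["av_running"]:
            findings.append(Finding(name, "anti_virus", "anti-virus not running"))

        # Installed software versions against the documented minimums.
        for product, minimum in design["min_versions"].items():
            installed = obs["software"].get(product)
            if installed is None:
                findings.append(Finding(name, "software_version",
                                        f"{product} not installed"))
            elif tuple(installed) < tuple(minimum):
                findings.append(Finding(name, "software_version",
                                        f"{product} {installed} below minimum {minimum}"))

    # Documented hosts that were never seen on the network.
    for name in design_hosts:
        if name not in observed["hosts"]:
            findings.append(Finding(name, "inventory",
                                    "documented host not found on network"))
    return findings


def acceptance_passed(design, observed):
    """True only when no finding was raised."""
    return not run_acceptance_checks(design, observed)


if __name__ == "__main__":
    for f in run_acceptance_checks(DESIGN, OBSERVED):
        print(f"FAIL {f.host:<15} {f.check:<20} {f.detail}")
    print("PASS" if acceptance_passed(DESIGN, OBSERVED) else "ACCEPTANCE NOT MET")
```

With the constructed data the engineering workstation fails five checks (wrong IP, an extra listening port, default credentials, logging off, outdated software) and the unknown laptop is flagged as an undocumented device, so the run ends with "ACCEPTANCE NOT MET". The design dictionary is the artefact both teams agree on before the test; the observed dictionary is what they fill in together during it.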
IT and OT are converging. The critical steps of the acceptance testing process should be a great environment to bring members from both backgrounds together to confirm that the system meets the requirements that were specified. Cybersecurity requirements can represent a common ground where both IT and OT can see and understand the requirements, perform the tests, confirm that the system is ready for operation in a production environment, and develop a shared understanding of systems, methods, and priorities.
Dirk Sweigart, CISSP, PMP is an MES solutions manager and cybersecurity expert at Applied Control Engineering in Newark, Del. He is also a member of the MESA Cybersecurity Working Group. This article originally appeared on MESA International’s blog. MESA International is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, email@example.com