Cybersecurity and the rise of IT-enabled OT systems
Information technology strategies can help combat new cybersecurity vulnerabilities and support a solid cybersecurity program for operational technology, including industrial control systems, remote terminal units, and supervisory control and data acquisition systems, as Industrial Internet of Things deployments increase.
- Understand the summer 2020 cybersecurity advisory, risks, infrastructure.
- See cybersecurity risks and rewards of integrated IT and OT for.
- Review risk management modeling, automation, tools.
Exploitation of resources has been a concern to mission operations since the dawn of the industrial age. Cybersecurity concerns have increased as well. With the advancement of information technology (IT), opportunities to compromise, corrupt, and disable networks and systems have grown exponentially, driving the development of new malicious mechanisms.
Although the first cybersecurity patent was registered in the early 1980s, the enablement of business needs and the protection of mission operations are increasing priorities for national security and intelligence agencies. Cybersecurity within IT has seen exponential growth over the last three decades, but security of traditionally standalone, non-connected systems in the operational technology (OT) space continues to lag behind due to the independent nature of their functionality. OT systems include industrial control systems (ICSs) such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), remote terminal units (RTUs), and programmable logic controllers (PLCs). With the onset of the Internet of Things (IoT) as applied to OT, the Industrial IoT (IIoT), more attention has been given to cybersecurity.
During the past decade, there has been a major increase in the demand for connected OT utilization with multiple deployments of advanced technologies requiring connectivity for operations and maintenance of equipment. This use of IT-enabled OT systems and components has led to increased vulnerabilities where the security characteristics, due to the convergence of IT and OT, have exposed new opportunities for cyber-attacks.
Summer 2020 cybersecurity advisory
In July 2020, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) issued an alert to American corporations that they should take immediate actions to reduce vulnerabilities and exposure across all of their OT and ICSs.
The advisory, “NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems,” (U/OO/154383-20 | PP-20-0622 | July 2020 Rev 1.0), stated: “Over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against Critical Infrastructure (CI) by exploiting Internet-accessible OT assets. Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests or retaliate for perceived U.S. aggression.”
This critical warning establishes a call to action for U.S.-based utility companies that do not adhere to federally regulated security guidance, leaving much of their CI potentially compromised. The implementation of cybersecurity approaches and the prevention of vulnerability exploitation are among the largest concerns for most CI manufacturers, policy developers, and federal leadership.
Connectivity, critical infrastructure, cybersecurity risk
Imagine a CI manufacturer or a utility supplier without a clear understanding of the security implications for critical services, such as energy, water, and/or food. Imagine unintentionally, or intentionally, propagating a virus on a large-scale complex system that supports U.S. transportation, communications, and/or emergency services infrastructures and not knowing or understanding the multiple vulnerabilities opportunistic hackers can exploit on U.S. operational networks through the U.S. defense industrial base (DIB).
This is why applying the maturity and automation of cybersecurity to CI could provide comprehensive identification and assessment of vulnerabilities while instilling a security and risk culture among federal, state and local decision makers. This includes protection from inappropriate access to CI systems and reduction of data disclosure, compromise, and/or loss through the optimization of these assessments via automation.
DHS: Three infrastructure areas
The Department of Homeland Security divides infrastructure into three areas.
- Physical infrastructure: Cable fiber, dams/reservoirs/treatment plants, corporate institutions, delivery sites, farms/food processing plants, government facilities, hospitals, nuclear power plants, power plants/production sites, railroad/highway bridges/pipelines/ports.
- Critical infrastructure/key resource: Agriculture and food, banking/finance, chemical, commercial facilities, communications, dams, defense industrial base, emergency services, energy, government, information technology, monuments/icons, nuclear, postal and shipping, public health, transportation, water.
- Cyber infrastructure: Control systems, hardware, information services, software.
Integrated cybersecurity risks, rewards
Because everything is connected, unpatched vulnerabilities, misconfiguration or application weakness can subvert connected systems and put everything at risk.
The linking between IT and OT systems expands daily as new technologies are introduced, organizations extend their customer bases, and the CI grows. The energy production sector is among many CI areas experiencing this crossover of IT and OT, with intermixed technologies and hardware and software combinations that benefit the organizations, companies, agencies, and corporations that use these connected components and systems.
Converging safety, security and dependability requirements shows the immense need for a holistic approach for CI and the various control systems contained across the domains for risk understanding. This multi-faceted view is needed in all CI sectors. As IT is being used to support OT operations, the merging of these two technologies brings new risk factors into the operations and maintenance of each area.
The IT employee now has machine-level communications and connections with OT-based data. The IT security components are not designed to sense and monitor this traffic, which uses networking protocols unfamiliar to IT monitoring activities, so the attendant risks are transmitted and received on a daily basis. This can, and often does, lead to unidentified vulnerabilities in the IT devices and applications, which result in breaches, failures and unexpected negative results.
IT data structure impact on OT
OT systems are being installed, implemented and deployed with connections and monitoring from the IT side. IT inputs to OT systems are not designed or configured to handle these new and different data types and structures. IT and OT differences cause OT to react in unknown and unexpected manners, causing the OT to operate in less-than-optimal ways. This can exert critical impacts on the services that affect our way of life, such as energy delivery, water delivery and other areas.
To produce and support the converged OT with the IT, we need to understand and work with the areas of concern in which these systems operate. There are risks to our operations, products, services and activities. Risk develops when a threat, taking advantage of a weakness or discrepancy within the system, produces an adverse impact on the system, activity, or organizational process. These issues can cause loss of revenue, loss of data (resulting in loss of profits due to regulatory fines), loss of customers, loss of reputation, even possible loss of market share, all of which affect the organization as a whole, not “just” IT or the cybersecurity teams.
Risk management applicability to OT/CI
To address cybersecurity concerns in OT/CI, the following questions should be addressed:
- What are the components relevant within the OT and CI?
- How are they connected?
- What data is stored and/or in transit between each component and any external entities?
- What are the risks, threats, and vulnerabilities within the system?
- Where do you find them?
- How are they uncovered?
System analysis and curiosity begin the process of “risk modeling.” Figure 1 outlines the standard approach to modeling risk within OT, according to the National Institute of Standards and Technology (NIST), which states that “risk is a function of the likelihood of a threat event’s occurrence and potential adverse impact should the event occur.”
How to analyze OT cybersecurity risk
Unique to OT cybersecurity, there are multiple approaches that can aid cybersecurity professionals with analyzing risk to comprehensively develop the appropriate response(s).
- Performing risk modeling
- Isolating and containerizing components
- Defining OT attack patterns
- Establishing and implementing a secure supply chain.
These techniques help the organization determine the areas of highest risk, as well as what needs to be protected and monitored, to prioritize the security efforts for the OT under consideration. Figure 2 provides the scientific lens through which all risks, explicitly cybersecurity risk, should be viewed, according to NIST Special Publication 800-30, rev.1 (2018), page 12.
This process produces quantifiable risk calculations for each area and allows the organization to produce areas of prioritized risk for mitigation and to drive decision-making actions.
OT risk management modeling, automation
This type of tool can take the model-based systems engineering (MBSE) approach and extend its analysis capabilities to assess cybersecurity postures based on components, elements, information exchanges, and data flows. Automated risk accelerators were developed based on the unified architecture framework (UAF) to widen the breadth and depth of analysis to address evidence-based cybersecurity and risk assessment. A tool like this provides a comprehensive view of current, relevant cybersecurity guidance from international and national standards organizations, such as NIST. Figure 3 outlines the features and nuances of such a tool’s approach to cybersecurity and cyber-risk automation.
The second approach, isolation and containerization of components, allows for OT components isolation that blocks exposure to the outside risks present in the OT operating environment. Figure 4 shows the ability to graphically model a physical container representative of the authorization boundary in an OT environment.
In the third approach, the automated risk modeling tool graphically displays a schematic diagram of the attack patterns/paths that are assessed by the tool. Although Figure 5 provides a small graphical representation of a multi-tiered attack tree, a secure supply chain requires additional features to itemize attacks, focus on specific areas, and analyze the type of attack, the assets impacted, and the individual attacker(s).
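The risk modeling described above (components, their connections, attack paths, and risk as a function of likelihood and impact), as an added example that is not part of the original article or of any tool it describes. The component names, link likelihoods, impact scores and the assumption that hops are independent are constructed for illustration; the example goes slightly beyond the text by rerunning the ranking after isolating one component.

```python
from math import prod
# Constructed sample model: names, link likelihoods and impacts are assumptions.
# (source, destination) -> assumed likelihood (0-1) a threat event crosses the link.
LINKS = {
    ("internet", "vpn_gateway"): 0.30,
    ("internet", "corporate_email"): 0.60,
    ("corporate_email", "it_workstation"): 0.50,
    ("vpn_gateway", "it_workstation"): 0.40,
    ("it_workstation", "historian"): 0.50,
    ("it_workstation", "engineering_ws"): 0.20,
    ("historian", "scada_server"): 0.40,
    ("engineering_ws", "plc"): 0.70,
    ("scada_server", "plc"): 0.60,
    ("scada_server", "rtu"): 0.50,
}
# Assumed adverse impact (0-100) if the OT asset is compromised.
OT_IMPACT = {"scada_server": 80, "plc": 100, "rtu": 70}

def attack_paths(links, src, dst, path=()):
    """Yield every loop-free path from src to dst."""
    path = path + (src,)
    if src == dst:
        yield path
        return
    for a, b in links:
        if a == src and b not in path:
            yield from attack_paths(links, b, dst, path)

def path_likelihood(links, path):
    """Likelihood that every hop succeeds (hops assumed independent)."""
    return prod(links[hop] for hop in zip(path, path[1:]))

def rank_risks(links=LINKS, entry="internet"):
    """Return (asset, risk, likeliest path), highest risk first; risk = likelihood x impact."""
    rows = []
    for asset, impact in OT_IMPACT.items():
        paths = list(attack_paths(links, entry, asset))
        if not paths:  # asset unreachable from the entry point: no modeled risk
            continue
        best = max(paths, key=lambda p: path_likelihood(links, p))
        rows.append((asset, round(path_likelihood(links, best) * impact, 2), best))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for asset, risk, path in rank_risks():
        print(f"{asset:13} risk={risk:5.2f}  via {' -> '.join(path)}")
    # What-if: isolate the engineering workstation from the IT workstation.
    isolated = {**LINKS, ("it_workstation", "engineering_ws"): 0.02}
    print("after isolation:", [(a, r) for a, r, _ in rank_risks(isolated)])
```

In the isolation what-if, the PLC's risk drops only as far as the next most likely path, through the historian and SCADA server, which is the link to examine next.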
In the fourth approach, a secure supply chain produces an operating activity that is secure throughout the environment, which provides a reduced-risk arena in which the OT and connected IT can work. This allows the organization to reduce and manage risks, which provides secure OT-based actions and activities. Such techniques offer critical insight and cybersecurity analysis results for the proactive protection of OT components for the system of interest, which makes for cost-effective and efficient management of cybersecurity operations.
Cybersecurity integration, behaviors, impacts
The scalability of system modeling and cybersecurity analysis through MBSE is needed to understand the integration points, possible emergent behaviors, and impacts of cyber-threats across the critical infrastructure of interest. MBSE creates the opportunity to study the cybersecurity threats and physical impacts of cyber-attacks against ICSs. Virtual models of CI make it possible to understand the differences in CI design, the verification and performance requirements for unexpected behaviors (such as fuzz testing, multi-variant vulnerability analysis), and the technical uncertainties vs. variabilities of each component.
Steven Seiden is the president of Acquired Data Solutions. Leighton Johnson, CISSP, CISM, CMMC-AB Provisional Assessor L-3, is a senior cybersecurity engineer at Acquired Data Solutions. Dr. Tony Barber, CSEP, RMP, is a system engineering executive at Acquired Data Solutions. Djenana Campara is president of KDM Analytics. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media, firstname.lastname@example.org.
KEYWORDS: Industrial cybersecurity, IT/OT convergence
Has your IT/OT cybersecurity risk management advanced to meet the needs of advanced automation and IIoT?