Ensuring OT cybersecurity

Cybersecurity breaches that affect operational technology (OT), the systems and devices that monitor and manipulate much of the world around us, have real-world health and safety consequences, and companies need to catch up.
By Timothy Zimmerman November 16, 2017

Every week, almost like clockwork, it seems there is a story on the news about a newly discovered hack or data breach, often made possible by poor cybersecurity practices. Many of these incidents involve stolen data, which resides in our information technology (IT) infrastructure.

However, breaches that affect the systems and devices that monitor and manipulate much of the world around us have real-world health and safety consequences. These extremely important systems and devices are known as operational technologies (OT). OT controls many of the processes we rely on every day, including traffic signals, power distribution, hydroelectric dams, water treatment, building HVAC, oil and gas distribution, nuclear power plants, and many varieties of manufacturing.

OT characteristics

The most important characteristic of OT systems is their ability to reach out from the digital world and manipulate the physical world where we humans reside. It’s not difficult to imagine some of the disasters that could occur if these critical OT processes were to be compromised because of poor cybersecurity practices.

What’s the problem with securing these devices? Not so long ago, OT systems were built using proprietary hardware and software and their operational details were not well known. Today OT leverages many of the same technologies originally created for IT such as networking, the internet, operating systems, user management, USB ports, and web servers. Because of this shared technology, it’s easy to assume any type of cybersecurity technology could be implemented to protect OT, but this is not the case.

These robots are secure, but trying to implement something as basic as antivirus software to protect them from hacking leads to all kinds of problems. Courtesy: ISSSource/NIST

For example, cybersecurity devices that filter unauthorized network traffic on an IT network could cripple an OT network simply by preventing important data from reaching its destination, and, in some cases, can cause failures just by delaying data. Software used to scan a network for vulnerabilities may send unfamiliar messages to OT devices and can cause them to fail, which is especially bad if the device is actively controlling a process. Even something as simple as antivirus software can have a detrimental impact on the performance of these critical systems and may be impossible to implement altogether.

Missing guidance

Standards and guidelines detailing best practices for protecting IT and OT have already been produced by industry, trade groups and government agencies. One thing they are missing is guidance that describes how to balance those protections with the potential negative impacts they may have on performance. Guidelines, test methods, metrics and tools based on measurement science and standards are being produced to give industry the confidence it needs to effectively apply cybersecurity protections on its systems without negatively affecting their performance, safety or reliability.

This work has resulted in a manufacturing profile for the Cybersecurity Framework, which outlines a risk-based approach to help manufacturers implement, manage, and improve their cybersecurity posture using industry standards and best practices. It will be used to protect robotic and process control testbeds under many different configurations and scenarios while measuring the performance impacts to the system.

Timothy Zimmerman is a computer engineer with the NIST Intelligent Systems Division. This article originally appeared on ISSSource.com, a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.