Incorporating cybersecurity awareness into OT

Cyber situational awareness platforms that support control system personnel need to be part of a larger design goal and should act as an invisible layer in the operations technology (OT) environment, adding visibility without adding to the operators' workload. Here are four tips for cybersecurity situational awareness and six responses to zero-day threats.
By Anil Gosine January 2, 2017

Figure: Control system personnel need to be aware of design goals even more than of the software platforms being developed, and need greater situational awareness for control systems that are tied to critical infrastructure. Courtesy: Anil Gosine

Industrial control system (ICS) security is no longer merely about keeping hackers out or having a strong physical perimeter. An underground digital economy now offers multi-billion-dollar incentives for corporate rivals or adversaries to exploit ICS vulnerabilities, and the influx of information technology (IT) into OT further highlights the need for security by design rather than by association.

So it is imperative that control system personnel understand the design goals of their systems even more than the software platforms being developed on them. Users also need greater situational awareness, particularly for control systems that are tied to critical infrastructure.

Aggregating digital data on an industrial network with situational awareness solutions allows for efficient correlation and analysis of information, which makes sharing information a lot easier. 

Cybersecurity awareness: Four tips

Cyber situational awareness tips include:

  • Proper awareness of a facility’s cyber network
  • In-depth understanding of the facility’s cybersecurity operations
  • Appropriate and ongoing assessments of the existing operations within the network to identify potential vulnerabilities
  • Continuous monitoring for unusual activity on the cyber network, coupled with the ability to mitigate threats before they cause harm.

Data should be aggregated from multiple control systems, controllers, smart field devices, and network switches so that information can be correlated and analyzed efficiently. Continuous monitoring and collection of real-time data help detect unfamiliar activity and give owners and cybersecurity auditors detection capability and visibility they did not previously have.

Applying cybersecurity

Cybersecurity implementations should incorporate active machine learning and modeling that continuously learn the operational system, adapt to changes within it, and detect operational and cyber threats in real time. The learning process improves a platform's early detection of incidents and enriches its detection algorithms for faster incident identification and alerting, which reduces both human error and downtime. Two caveats apply in practice: the model must learn from a period that is known to be clean, or an intrusion already under way will be treated as normal, and legitimate but rare operations (scheduled maintenance, a firmware update) will be flagged until someone reviews and approves them.
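The two paragraphs above (aggregating flow data from controllers and switches, then learning what is normal and flagging what is not) can be shown concretely. The following is an added example written for this page, not code from the original article or from any product it describes. It learns an allowlist of conversations from a clean period, then scores live flows without any attack signature, which is also why this style of detection still fires on a zero-day: it reacts to behavior the site has never produced, not to a known exploit. The addresses, host roles, flow-record format and the "fc=N" Modbus decoding are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Modbus function codes that change controller state; the rest are reads.
# (Assumption: the sensor decodes Modbus/TCP function codes as "fc=N".)
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP (HMI, engineering workstation, historian, ...)
    dst: str    # destination IP (a controller here)
    port: int   # destination TCP port
    proto: str  # application protocol as decoded by the sensor
    op: str     # protocol operation, e.g. "fc=3" for Modbus; "-" if not decoded


# Constructed learning-period flows (addresses and roles are made up):
# 10.1.10.20 HMI, 10.1.10.30 engineering workstation, 10.1.10.40 historian,
# 10.1.20.5 and 10.1.20.6 PLCs.
LEARNING_FLOWS = [
    Flow("10.1.10.20", "10.1.20.5", 502, "modbus", "fc=3"),   # HMI reads holding registers
    Flow("10.1.10.20", "10.1.20.6", 502, "modbus", "fc=3"),
    Flow("10.1.10.30", "10.1.20.5", 502, "modbus", "fc=16"),  # EWS writes setpoints
    Flow("10.1.10.30", "10.1.20.5", 502, "modbus", "fc=3"),
    Flow("10.1.10.40", "10.1.20.6", 502, "modbus", "fc=4"),   # historian reads input registers
]

# Constructed live flows to evaluate against that baseline.
LIVE_FLOWS = [
    Flow("10.1.10.20", "10.1.20.5", 502, "modbus", "fc=3"),     # normal HMI poll
    Flow("10.1.10.20", "10.1.20.5", 502, "modbus", "fc=16"),    # HMI has never written before
    Flow("10.1.10.99", "10.1.20.6", 502, "modbus", "fc=6"),     # unknown host writes a register
    Flow("10.1.10.40", "10.1.20.6", 44818, "enip", "-"),        # historian on a new service
    Flow("10.1.10.40", "10.1.20.6", 502, "modbus", "fc=4"),     # normal historian poll
]


def learn_baseline(flows):
    """Allowlist of observed conversations: (src, dst, port, proto) -> set of operations."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[(f.src, f.dst, f.port, f.proto)].add(f.op)
    return baseline


def modbus_fc(op):
    """Function code from an op string such as 'fc=16', or None if not decoded Modbus."""
    if op.startswith("fc=") and op[3:].isdigit():
        return int(op[3:])
    return None


def detect(baseline, flows):
    """Return (severity, reason, flow) for every live flow the baseline does not explain."""
    known_peers = {(s, d) for (s, d, _, _) in baseline}
    alerts = []
    for f in flows:
        key = (f.src, f.dst, f.port, f.proto)
        is_write = f.proto == "modbus" and modbus_fc(f.op) in MODBUS_WRITE_CODES
        if key in baseline:
            if f.op in baseline[key]:
                continue  # this pair has done exactly this before
            alerts.append(("high" if is_write else "medium",
                           f"known pair issued new operation {f.op}", f))
        elif (f.src, f.dst) in known_peers:
            alerts.append(("medium", f"known pair on new service {f.proto}/{f.port}", f))
        else:
            alerts.append(("high" if is_write else "medium", "never-seen conversation", f))
    return alerts


def approve(baseline, flow):
    """Fold a reviewed, legitimate flow into the baseline, e.g. after an approved change."""
    baseline[(flow.src, flow.dst, flow.port, flow.proto)].add(flow.op)


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_FLOWS)
    for severity, reason, flow in detect(baseline, LIVE_FLOWS):
        print(f"[{severity}] {flow.src} -> {flow.dst}:{flow.port} {flow.proto} {flow.op}: {reason}")
    approve(baseline, LIVE_FLOWS[3])  # operator confirms the EtherNet/IP poll is a sanctioned change
    print(f"after approval: {len(detect(baseline, LIVE_FLOWS))} alerts remain")
```

Run stand-alone, the example raises three alerts: the HMI issuing a Modbus write it has never issued before, an unknown host writing a register, and the historian opening a new service to a PLC; after an operator approves the historian's new service, two remain. The important design choice is that adaptation goes through approve(), a human decision, rather than the detector silently absorbing anything it sees twice; a detector that self-learns during an intrusion learns the intruder.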

Enhancing operator security awareness applies across industries, including industrial, aerospace, automotive, and manufacturing companies. Control systems can produce a huge amount of data, based on their connected components and environments. Cyber situational awareness gives users a tool to better understand their environment so they can make better decisions about defending it. To turn data into awareness, a situational awareness solution needs to address three things: perception of the relevant elements, comprehension of what they mean, and prediction of what happens next.

Control system solutions should allow users to run real-time incident analysis and provide complete visibility and control during the inventory and audit process. Integration with existing control systems should be seamless without impact on operations.

Many cybersecurity efforts focus on protecting assets against "known" threats that have been made public. However, attackers also develop exploits for vulnerabilities that have not been disclosed, known as "zero-day" exploits. To mitigate these threats, users must understand how vulnerabilities, events, and baseline system behavior interact; that understanding also helps them forecast potential security gaps and detect operational irregularities or breaches.

Six responses to zero-day threats

If a vulnerability remains unknown to the vendor, the affected software cannot be patched, and anti-virus products cannot detect the attack through signature-based scanning. The typical zero-day attack has been estimated to last an average of eight months, which gives attackers plenty of time to steal information and leave without being detected.

Companies can help secure themselves by:

  • Employing good preventive security practices
  • Deploying real-time protection such as intrusion-prevention systems
  • Having a detailed understanding of their environment
  • Planning incident response measures with defined roles and procedures
  • Limiting the connections and privileges to those required for business needs
  • Fostering collaboration in the security industry.
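The item "Limiting the connections and privileges to those required for business needs" is the one of the six that can be checked mechanically. The following is an added example written for this page, not code from the original article: it compares a firewall ruleset between the supervisory and control networks with an inventory of the conduits the plant actually needs, and flags rules that permit far more than they serve, rules that serve nothing, and required conduits that no rule permits (which is what breaks operations when a ruleset is tightened carelessly). The zones, addresses, hosts and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A firewall permit rule between two networks for a TCP/UDP port range."""
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "tcp" or "udp"
    ports: tuple        # (low, high) inclusive destination ports


@dataclass(frozen=True)
class Conduit:
    """One flow the business actually needs: exact hosts, one protocol, one port."""
    purpose: str
    src: str
    dst: str
    proto: str
    port: int


# Constructed inventory of required conduits (hosts and addresses are made up).
REQUIRED_CONDUITS = [
    Conduit("HMI polls PLC1", "10.1.10.20", "10.1.20.5", "tcp", 502),
    Conduit("HMI polls PLC2", "10.1.10.20", "10.1.20.6", "tcp", 502),
    Conduit("EWS programs PLC1", "10.1.10.30", "10.1.20.5", "tcp", 502),
    Conduit("historian polls PLC2", "10.1.10.40", "10.1.20.6", "tcp", 502),
]

# Constructed ruleset as found on the supervisory/control firewall.
DEPLOYED_RULES = [
    Rule("ops-to-plc-any", "10.1.10.0/24", "10.1.20.0/24", "tcp", (1, 65535)),
    Rule("vendor-rdp", "0.0.0.0/0", "10.1.20.0/24", "tcp", (3389, 3389)),
]


def rule_covers(rule, conduit):
    """True if the rule would permit this conduit's traffic."""
    return (ipaddress.ip_address(conduit.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(conduit.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto == conduit.proto
            and rule.ports[0] <= conduit.port <= rule.ports[1])


def slack(rule, conduits):
    """Host/port combinations the rule permits beyond the conduits it serves."""
    permitted = (ipaddress.ip_network(rule.src).num_addresses
                 * ipaddress.ip_network(rule.dst).num_addresses
                 * (rule.ports[1] - rule.ports[0] + 1))
    served = sum(1 for c in conduits if rule_covers(rule, c))
    return permitted - served


def audit(rules, conduits):
    """Flag rules that serve nothing, rules broader than what they serve, and unserved conduits."""
    findings = []
    for r in rules:
        served = [c for c in conduits if rule_covers(r, c)]
        extra = slack(r, conduits)
        if not served:
            findings.append(("unused", r.name, "permits nothing the business needs; remove it"))
        elif extra > 0:
            findings.append(("over-broad", r.name,
                             f"permits {extra} host/port combinations beyond the {len(served)} conduit(s) it serves"))
    for c in conduits:
        if not any(rule_covers(r, c) for r in rules):
            findings.append(("gap", c.purpose, "required conduit is blocked; operations would break"))
    return findings


def tighten(conduits):
    """Generate one host-to-host, single-port permit rule per required conduit."""
    return [Rule(f"conduit-{i}", f"{c.src}/32", f"{c.dst}/32", c.proto, (c.port, c.port))
            for i, c in enumerate(conduits)]


if __name__ == "__main__":
    for kind, name, detail in audit(DEPLOYED_RULES, REQUIRED_CONDUITS):
        print(f"{kind:10} {name}: {detail}")
    print("tightened ruleset findings:", audit(tighten(REQUIRED_CONDUITS), REQUIRED_CONDUITS))
```

On the constructed input, the deployed "any port between the two subnets" rule is reported as over-broad (it serves four conduits but permits billions of other host/port combinations) and the vendor RDP rule as unused; the ruleset generated by tighten() produces no findings. The inventory of required conduits is the hard part in a real plant, and the "gap" finding exists precisely so that a missed conduit is caught in review rather than on the plant floor.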

Executives should assume their firms have been compromised and that it will occur again if they do not have sufficient measures in place. Prevention can be limited, so they should invest in breach detection so that they can act on the compromises based on the processes in place. At the end of each week, there are spikes in malware distribution because attackers know that employees take their laptops home and connect their machines to Internet networks that aren’t secure. As a result, cloud-based security firms are seeing increased security alerts popping up on Mondays. Executives should understand the legal implications of cybersecurity risks, establish an enterprisewide risk management framework and have access to independent cybersecurity consultants that regularly participate on board or C-level meetings. 

Awareness is critical

With the growing dependency on digital devices and technology within critical infrastructure, owners and customers need to understand the environment in which they operate and to accurately predict and respond to potential problems. With the ability to anticipate what can occur on these systems, management can develop effective countermeasures to protect critical facilities.

Significant investment in data collection, management, and analysis is needed to continuously gain visibility of how the systems are operating. Having situational awareness of the OT environment and responding to the threats it detects improves security far more than relying only on a perimeter that is expected to withstand every attack. Any change in security must be able to demonstrate security value to the business and comply with regulatory requirements.

Anil Gosine is global program manager at MG Strategy+. Edited by Chris Vavra, production editor, Control Engineering, CFE Media,


Key Concepts

  • Users need to have a greater situational awareness, particularly when it comes to control systems that are tied to critical infrastructure.
  • Cyber attackers are developing exploits for "zero-day" vulnerabilities that have not been disclosed.
  • Investing in data collection, management, and analysis is needed to understand how the systems are operating. 

Consider this

What other steps can be taken to safeguard critical infrastructure?

ONLINE extra

See additional cybersecurity articles linked below and see the Control Engineering cybersecurity page.