10 controls to improve security

Sheila Zabeu

July 30, 2021

Humans are expected to be the next target of cyberattacks on operational technology (OT) environments by 2025. It may sound like a sci-fi plot, but it is the assertion of a recent Gartner report. Beyond hacking into networks, stealing data, or bringing plant or critical infrastructure operations to a halt, as happened in the Colonial Pipeline incident in the United States, attackers will turn equipment, assets, and processes in OT environments into weapons to harm or kill people.

“Those responsible for managing security and risk in operational facilities should be more concerned about real-world dangers caused to humans and the environment, not information theft,” says Wam Voster, senior research director at Gartner. “Conversations with Gartner clients reveal that organizations in asset-intensive industries, such as manufacturing and utilities, are scrambling to define control frameworks appropriately.”

With the evolution of OT environments, smart buildings and cities, connected cars and autonomous vehicles, incidents in the digital world will have a much greater effect on the physical world as there are now risks, threats and vulnerabilities across a two-way cyber-physical spectrum. However, many companies are not aware of the so-called Cyber-Physical Systems (CPSs) already deployed in their environments, either because of legacy solutions connected to corporate networks by non-IT teams or because of new automation and modernization efforts.

Gartner defines CPS as systems designed to orchestrate sensor, computing, control, networking, and analytics actions that interact with the physical world (including people). These are activities that underpin IT/OT and Internet of Things (IoT) efforts where security considerations span the cyber and physical universes.

Gartner predicts that the financial impacts of attacks on CPSs resulting in fatalities will reach more than $50 billion by 2023. Of course, the value of human life is immeasurable. However, if losses in terms of compensation, litigation, insurance, regulatory fines, and reputational damage are taken into account, the values will be significant. Moreover, Gartner warns that most CEOs are likely to be held personally liable for such incidents.

“Regulatory and government agencies will react promptly to the increased number of serious incidents resulting from CPS protection failures, with more stringent rules and regulations,” comments Katell Thielemann, research vice president at Gartner. “In the US, the FBI, NSA, and CISA have already increased the frequency and detail provided on critical infrastructure threats. Soon, CEOs won’t be able to plead ignorance or preserve themselves behind insurance policies.”

Gartner recommends a framework of 10 controls to enhance the security posture and prevent incidents in the digital world from having adverse effects on the physical world.

1. Define roles and responsibilities – Appoint an OT security manager for each facility, who will be responsible for assigning and documenting security-related roles and responsibilities for all internal and outsourced employees.

2. Promote training and awareness – All OT professionals should have the necessary skills and be trained to identify security risks, the most common attack vectors, and what to do in case of an incident.

3. Implement and test incident responses – Ensure that each facility implements and maintains an OT-specific security incident management process with four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activities.

4. Backup, restoration, and disaster recovery – Establish adequate backup, restoration, and disaster recovery procedures that cover scenarios such as fire and other high-severity incidents.

5. Manage portable media – Create a policy to ensure that all portable data storage media are scanned, regardless of whether they are owned by an internal employee or a third party. Only media found to be free of malicious code or software may be connected to OT systems.

6. Keep asset inventory up to date – Maintain an up-to-date inventory of all OT equipment and software at all times.

7. Establish proper network segregation – OT networks should be physically and/or logically separated from any other network, both internally and externally. All traffic between an OT network and any other party should pass through a secure gateway solution, such as a demilitarized zone (DMZ).

8. Collect logs and implement real-time detection – Appropriate policies or procedures should be used for automated logging and review of actual and potential security events. This should include a clearly defined retention period for logs and protection against tampering or unwanted modification.

9. Implement a secure configuration process – A secure configuration process should be developed, standardized, and deployed for all applicable systems in the OT environment.

10. Formal patching process – A process should be created to qualify manufacturers’ patches prior to deployment. Once qualified, patches can only be deployed on appropriate systems at a pre-defined frequency.
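Control 8 asks for two properties that are easy to state and easy to get wrong: logs must be kept for a defined retention period, and they must be protected against tampering. The following is an added example, not code from the article or from Gartner, showing one way to make an OT event log tamper-evident with a SHA-256 hash chain while still enforcing retention. Every entry commits to the hash of the entry before it, so a modified, inserted, or deleted record breaks the chain at a detectable position; when old entries are pruned, the hash of the last pruned entry is kept as an anchor so the surviving chain still verifies. All function names, the record fields, and the sample events are assumptions constructed for this example.

```python
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Hash of "nothing before this": the anchor for a chain that has never been pruned.
GENESIS = "0" * 64

# Constructed reference time for the sample below (not from the article).
NOW = datetime(2021, 7, 30, tzinfo=timezone.utc)


def _digest(prev_hash, record):
    """Hash the previous entry's hash together with a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_event(log, record):
    """Append a record to the chain, linking it to the hash of the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev_hash, "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log, anchor=GENESIS):
    """Return (True, None) if every link holds, else (False, index of the first bad entry)."""
    prev = anchor
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


def apply_retention(log, now, retention_days):
    """Drop the oldest entries past the retention period.

    Entries are appended in time order, so expired entries form a prefix of the
    chain. The hash of the last dropped entry becomes the new anchor; pass it to
    verify_chain() so the kept entries still validate. Returns (kept, anchor).
    """
    cutoff = now - timedelta(days=retention_days)
    anchor, kept = GENESIS, []
    for entry in log:
        ts = datetime.fromisoformat(entry["record"]["ts"])
        if not kept and ts < cutoff:
            anchor = entry["hash"]  # prefix is still expiring: advance the anchor
        else:
            kept.append(entry)
    return kept, anchor


def build_sample_log():
    """Constructed OT events (assumed values, not real telemetry)."""
    log = []
    append_event(log, {"ts": "2021-06-01T08:00:00+00:00", "asset": "PLC-07",
                       "event": "firmware_update", "user": "vendor-tech"})
    append_event(log, {"ts": "2021-07-15T14:22:00+00:00", "asset": "HMI-02",
                       "event": "usb_device_attached", "user": "operator-3"})
    append_event(log, {"ts": "2021-07-29T03:10:00+00:00", "asset": "DMZ-GW",
                       "event": "denied_inbound", "src": "10.0.5.44"})
    return log


def tamper_copy(log, index, field="user", value="nobody"):
    """Return a copy of the log with one record silently altered (to show detection)."""
    altered = copy.deepcopy(log)
    altered[index]["record"][field] = value
    return altered


if __name__ == "__main__":
    log = build_sample_log()
    print("intact chain:", verify_chain(log))
    print("after edit of entry 1:", verify_chain(tamper_copy(log, 1)))
    kept, anchor = apply_retention(log, NOW, retention_days=30)
    print("kept after 30-day retention:", len(kept), "entries; anchor", anchor[:12])
    print("kept chain with anchor:", verify_chain(kept, anchor))
```

The chain only proves that the log has not changed since each entry was written; protecting the current head hash (for example by forwarding it to a separate collector the OT operators cannot write to) is what stops an attacker with write access from simply rebuilding the whole chain. The retention function keeps the anchor for the same reason: without it, pruning would look identical to an attacker deleting the oldest records.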