Security Management for end users in Industrial Operations: A Brief Overview
Preview and Context
Security is a critical attribute of the systems and resources deployed to manage safe and secure operations of the enterprise. There is an increasing level of complexity and functionality in the sensors, hardware, software, networking devices, and applications deployed. With the advent of digitalization and IoT leading to a significant jump in connected devices and systems, it is imperative to build a secure operational environment and ecosystem.
Information Technology (IT)
The definition from Wikipedia says IT is the use of computers to store, retrieve, transmit, and manipulate data. Of course, in today's world IT systems have become much broader in functionality and uses. The IT set of resources, including people, process, and technology, has become the backbone and a critical part of business irrespective of the size or the industry vertical. Today, IT typically leads the charge in digitally transforming the company. In some cases, a digital officer is appointed for this purpose.
Operational Technology (OT)
As per Gartner, operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. These systems must be designed and deployed to protect individuals and organizations from the security threats that can cause harm or damage to equipment and/or the plant. OT components include sensors, instruments, equipment (PLC/SCADA/HMI/DCS), Historian, software and others. These have been in use for decades. The need for safe and secure deployment and operations has increased with digital transformation.
Differentiating OT and IT security
Availability of the system and integrity of the data are crucial for normal operations in OT. OT systems also have a lengthier lifecycle (they run for decades), and may not necessarily have been designed and deployed with security in mind. Because these systems run 24x7 in production, updating or patching them on the fly is a challenge due to the impact on operations and the associated risk. The typical IT tools used for perimeter monitoring, like firewalls and intrusion detection, are not sufficient. Specialized security tools are needed to monitor and safeguard OT operations, in addition to deploying secure products.
IT systems are dynamic and are the first line of defence in an enterprise. OT systems are deterministic in nature, but play a critical role in realizing effective business operations. Traditionally, the focus of IT security revolves around data: protection and privacy. Secure OT deployments, by contrast, are focused on protecting people, equipment and processes.
IT security is deployed both at the periphery and inside the shop floor, and enhances OT security when deployed in multiple layers and network segments. Typical devices like routers, firewalls, and DMZs are common infrastructure for both IT and OT. Because of the operational impediments, OT systems tend to be patched infrequently compared to IT equipment and software.
OT systems usually use proprietary protocols, making them difficult to integrate in a system-of-systems architecture. At the end of the day, Confidentiality, Integrity and Availability are relevant for both IT and OT systems; however, Confidentiality and Integrity take precedence in IT, whereas Availability is a higher priority for OT systems.
In IIoT deployments, security
aspects of both IT and OT are applicable and need to be addressed. The
specifics depend on the system design and deployment solution architecture.
Security Management
It is important that products, solutions and services are designed and built securely right from conception. Incorporating a Secure Development Lifecycle (SDLC) program is essential. BSIMM-type tools and company security policies can be used as a baseline for secure product development and also for improving the product security posture.
To secure your environment and mitigate risks, it is important to do a risk assessment, identify gaps and implement an action plan. It is recommended to adopt relevant standards like NIST, NERC CIP, or IEC 62443. Implementing security hygiene practices and doing threat modelling and risk analysis are crucial. Use of Microsoft tools like STRIDE and deployment architecture analysis can help bring visibility to security gaps in the system. A documented set of guidelines and procedures containing both technical and administrative guidance and controls must exist to aid the operational safety and security of the enterprise. For example, they can call out specific use (e.g., firewall, unidirectional gateway) and non-use (e.g., USB) as appropriate to the environment and based on the risk analysis.
Secure configuration and environment
Secure configuration ("hardening") of instruments, equipment and software is critical. This is done by validating the default configuration and modifying it to suit the operational needs. User manuals and other product documentation contain details on how this is done. Make sure to address weak passwords, open ports and services, third-party software, and access control lists. Review and modification of software environment variables and registry entries for both the operating system and applications is required.
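One way to make the hardening review described above repeatable, added here as an example and not taken from any product's documentation: compare a configuration snapshot against a site baseline covering passwords, open ports and services, third-party software, and access control lists. The field names, baseline values and the sample asset are constructed assumptions.

```python
# Added example: audit one asset's configuration snapshot against a hardening
# baseline. Field names, baseline values and SAMPLE_HMI are constructed.

BASELINE = {
    "min_password_length": 12,
    "allowed_ports": {443, 4840},   # assumed site allowlist (HTTPS, OPC UA)
    "approved_software": {"vendor-hmi-runtime", "av-agent"},
}

def audit(asset, baseline=BASELINE):
    """Return a sorted list of (category, detail) findings for one asset."""
    findings = []
    min_len = asset.get("password_policy", {}).get("min_length", 0)
    if min_len < baseline["min_password_length"]:
        findings.append(("password", f"policy minimum length {min_len} is below "
                                     f"{baseline['min_password_length']}"))
    for account in asset.get("accounts", []):
        if not account["password_changed"]:
            findings.append(("password", f"{account['name']}: factory default password unchanged"))
    for port, service in asset.get("listening", {}).items():
        if port not in baseline["allowed_ports"]:
            findings.append(("port", f"{port}/{service} not in baseline"))
    for package in asset.get("installed", []):
        if package not in baseline["approved_software"]:
            findings.append(("software", f"{package} not approved"))
    for rule in asset.get("acl", []):
        if rule["action"] == "allow" and rule["source"] in ("any", "0.0.0.0/0"):
            findings.append(("acl", f"allow from {rule['source']} to port {rule['port']}"))
    return sorted(findings)

# Constructed snapshot of an HMI as shipped, before hardening.
SAMPLE_HMI = {
    "name": "hmi-01",
    "password_policy": {"min_length": 6},
    "accounts": [{"name": "admin", "password_changed": False},
                 {"name": "operator1", "password_changed": True}],
    "listening": {443: "https", 23: "telnet", 4840: "opc-ua"},
    "installed": ["vendor-hmi-runtime", "remote-desktop-tool"],
    "acl": [{"action": "allow", "source": "any", "port": 443},
            {"action": "allow", "source": "10.10.5.0/24", "port": 4840}],
}

if __name__ == "__main__":
    for category, detail in audit(SAMPLE_HMI):
        print(f"{SAMPLE_HMI['name']}: [{category}] {detail}")
```

An empty result means the snapshot matches the baseline; each finding maps to one of the items the paragraph asks you to review.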
Secure Deployment
Components, be it hardware or software, need to be thoroughly tested during development before they are deployed, to prevent damage, downtime and financial loss. To make the SDLC testing phase effective, incorporate unit testing, module testing, system testing, penetration testing, and defence-in-depth assessment. In addition, provide secure deployment guidelines.
Secure supply chain
Suppliers and vendors need to be sensitized about security requirements. It is also important to not violate any third-party intellectual property rights. In this context, end users can demand security evidence from suppliers: test reports, deployment guidance, and compliance with regulations or standards.
Vulnerability Management
Vulnerability management is a
continuous exercise, and both suppliers and end-users need to be on top of it.
End-users can drive suppliers to address the security concerns in their
products. Refer to CERT and similar websites to track the vulnerabilities, their
severities and remediation. You can use tools like Qualys and Nessus to get
insights into the product and operating system vulnerabilities.
Monitoring and improvement
Plant operations need to deploy Security Information and Event Management (SIEM) or an equivalent to centralize the monitoring. Review the alarms, events, and logs generated by the system. This will help in monitoring and in taking remedial action quickly. A formal security reporting and incident program, defining the roles and responsibilities of individuals in the organization, should be put in place.
Security awareness sessions, training, and augmenting the employee skillset form a crucial part of a continuous improvement program.