Why Asset and Plant Security is More Important Than Ever

As IT and OT become increasingly interconnected, new security threats emerge for critical infrastructure.
Published: 1 January 2020 Read Time : 3 minutes

In a time with a focus on increased productivity and reduced cost, more and more industrial and critical infrastructure are being exposed. IT and OT become increasingly interconnected, exposing critical infrastructure for new security threats and potential breaches.

Operational technology (OT) and industrial control systems (ICS) have long been isolated, disconnected, and separated from the organization’s traditional information systems, open networks, and information technology (IT). However, with the advent of Industry 4.0 and the Industrial Internet of Things (IIoT), IT and OT become increasingly interconnected. With this convergence, new security threats emerge.

Converging IT and OT: New Security Threats

Traditionally, IT and OT have played different roles within an organization. The IT department worked on the enterprise side of the organization and covered all technologies related to information processing. The OT department represented the part of the organization that was responsible for industrial systems and operational technologies. The two departments rarely crossed paths.

Today, IT and OT are combining forces to unlock the opportunities inherent in IIoT, the idea of connecting industrial equipment to the network. Modern sensors and industrial equipment often hold important information that can be transferred from the plant floor to key stakeholders in the organization for improved insights, enhanced automation capabilities, and advanced analytics. The convergence of IT and OT is an integral part of this operation and a prerequisite for seamless information flow.

However, the increasing dependence on digital technology in OT and the convergence of IT and OT makes asset and plant security more critical than ever. The Sans 2019 State of OT/ICS Cybersecurity Survey reveals that slightly more than 50 percent of the surveyed respondents perceive the level of OT/ICS cyber risk to their company’s overall risk profile as either severe, critical, or high.

People Pose the Biggest Risk for OT Security Breaches

According to the Sans survey, the three pillars for successful IT/OT convergence strategies, people, processes, and technology, are also the most widely known security risks. The survey reveals that people present the greatest risk for compromise to an organization’s operational technology and control systems – not surprising because the human element often lies at the heart of cybersecurity incidents and breaches.

Typical attack vectors, the survey reports, are physical access through USB sticks or direct access to equipment, remote access either through or bypassing intended architecture, and service maintenance consulting.

Read also: Access to G&G Applications From Anywhere with GeoCloud

Laying the Foundation for Plant Security with Cybersecurity Standards

In light of the emerging cybersecurity threats, E&P and industrial companies will benefit greatly from implementing optimal cyber security strategies, policies, and routines. Familiarizing oneself with cybersecurity standards is a good place to start. These standards aim to improve the security of IT and OT systems, industrial networks, and critical infrastructures.

The following three cybersecurity standards are particularly relevant for industrial environments.

IEC 62443

IEC 62443 is the standard for OT security and defines the necessary elements to implement cybersecurity systems for industrial automation and control systems. The standard aims to improve the safety, availability, integrity, and confidentiality of the components and systems used for industrial automation and control systems.

ISO 27000

While the IEC 62443 is concerned with OT security, the ISO 27000 family of standards focus on IT security. The series explains how to implement information security management systems and includes a set of best practices on how to improve information security within organizations. The ISO 27000 family consists of 46 different standards, with specific standards covering everything from implementation requirements for information security management systems to information protection in the cloud and the GDPR.

NIST Cyber Security Framework

The NIST Cyber Security Framework provides a set of standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risks. The framework consists of three components:

  • The Core: Provides a set of desired cybersecurity activities and outcomes. The Core aims to guide your organization in managing and reducing their cybersecurity risks in a way that complements your existing cybersecurity and risk management processes.
  • Implementation Tiers: Provides context on how your organization views cybersecurity risk management. The Implementation Tiers can be helpful as a guide to consider the appropriate level of rigor for your cybersecurity program and as a communication tool in discussions on mission priority and budgets.
  • Profiles: Provides an overview of your unique alignment of organizational requirements and objectives, risk appetite, and resources against the Framework Core. Profiles can be used to identify and prioritize opportunities for improving your organization’s cybersecurity.

Initiatives for Improved Cyber Security

The Sans 2019 survey reveals a growing maturity in identifying potential risk and detecting and remediating actual events. The survey lists six important initiatives for increasing OT, industrial control system, and network security. The following six initiatives can be used as a guide to steer your own cybersecurity implementation efforts:

  • Increase the visibility into control system cyber assets and configurations.
  • Perform security assessments or control system and network audits.
  • Invest in general cybersecurity awareness programs for employees across IT and OT departments.
  • Invest in cybersecurity education and training for employees across IT and OT departments.
  • Implement anomaly and intrusion detection tools on control system networks.
  • Bridge IT and OT initiatives.

Connect@Plant

Secure access to critical IT systems and ICT infrastructure operations at offshore and onshore installations have become a necessity. Cegal’s security platform Connect@Plant can help.

Connect@Plant is a complete security solution to control, protect, and log all access to onshore and offshore installations and plants. It reduces the need to rely on general IT operations to approve access to critical systems through automated tools for granting and terminating access, delegating approvers, and user management. Furthermore, it gives plant managers increased control over user access and permissions.

Connect@Plant can be implemented in a range of different plant environments, including offshore rigs, power plants, and other critical industrial systems.

Click to download our eBook: A short guide to the digital subsurface universe and the digital transformation of the E&P industry.

Click to Download: The Hitchhikers Guide to the Subsurface Universe

Share Cloud

Written by Henrik Skandsen

Henrik Skandsen has 15 years’ experience from the technology industry, and more than 10 years within information technology in oil and gas. With a MSc in Advanced Networking and a diverse background working as a consultant, advisor, project- and program manager and business- and product developer, he has built his competence within technology and trends for the exploration and production (E&P) industry. He currently holds the role of Cloud Portfolio Manager within Cegal, where his main technology verticals are focused around cyber-security, operational technology, infrastructure and cloud.

Find me on:

The GeoTech Blog

Where E&P and technology professionals go to learn new stuff and share their knowledge.

Sign up for email updates!

Latest

Most popular

Click to Download: The Hitchhikers Guide to the Subsurface Universe

Comments or questions?

Please post below, and a Cegal expert will reply