In a time with a focus on increased productivity and reduced cost, more and more industrial and critical infrastructure is being exposed. IT and OT are becoming increasingly interconnected, exposing critical infrastructure to new security threats and potential breaches.
Operational technology (OT) and industrial control systems (ICS) have long been isolated, disconnected, and separated from the organization’s traditional information systems, open networks, and information technology (IT). However, with the advent of Industry 4.0 and the Industrial Internet of Things (IIoT), IT and OT become increasingly interconnected. With this convergence, new security threats emerge.
Converging IT and OT: New Security Threats
Traditionally, IT and OT have played different roles within an organization. The IT department worked on the enterprise side of the organization and covered all technologies related to information processing. The OT department represented the part of the organization that was responsible for industrial systems and operational technologies. The two departments rarely crossed paths.
Today, IT and OT are combining forces to unlock the opportunities inherent in IIoT, the idea of connecting industrial equipment to the network. Modern sensors and industrial equipment often hold important information that can be transferred from the plant floor to key stakeholders in the organization for improved insights, enhanced automation capabilities, and advanced analytics. The convergence of IT and OT is an integral part of this operation and a prerequisite for seamless information flow.
However, the increasing dependence on digital technology in OT and the convergence of IT and OT make asset and plant security more critical than ever. The SANS 2019 State of OT/ICS Cybersecurity Survey reveals that slightly more than 50 percent of the surveyed respondents perceive the level of OT/ICS cyber risk to their company’s overall risk profile as either severe, critical, or high.
People Pose the Biggest Risk for OT Security Breaches
According to the SANS survey, the three pillars for successful IT/OT convergence strategies, people, processes, and technology, are also the most widely known security risks. The survey reveals that people present the greatest risk for compromise to an organization’s operational technology and control systems – not surprising because the human element often lies at the heart of cybersecurity incidents and breaches.
Typical attack vectors, the survey reports, are physical access through USB sticks or direct access to equipment, remote access either through or bypassing intended architecture, and service maintenance consulting.
Laying the Foundation for Plant Security with Cybersecurity Standards
In light of the emerging cybersecurity threats, E&P and industrial companies will benefit greatly from implementing optimal cybersecurity strategies, policies, and routines. Familiarizing oneself with cybersecurity standards is a good place to start. These standards aim to improve the security of IT and OT systems, industrial networks, and critical infrastructures.
The following three cybersecurity standards are particularly relevant for industrial environments.
IEC 62443 is the standard for OT security and defines the necessary elements to implement cybersecurity systems for industrial automation and control systems. The standard aims to improve the safety, availability, integrity, and confidentiality of the components and systems used for industrial automation and control systems.
While IEC 62443 is concerned with OT security, the ISO 27000 family of standards focuses on IT security. The series explains how to implement information security management systems and includes a set of best practices on how to improve information security within organizations. The ISO 27000 family consists of 46 different standards, with specific standards covering everything from implementation requirements for information security management systems to information protection in the cloud and the GDPR.
NIST Cyber Security Framework
The NIST Cyber Security Framework provides a set of standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risks. The framework consists of three components:
- The Core: Provides a set of desired cybersecurity activities and outcomes. The Core aims to guide your organization in managing and reducing its cybersecurity risks in a way that complements your existing cybersecurity and risk management processes.
- Implementation Tiers: Provides context on how your organization views cybersecurity risk management. The Implementation Tiers can be helpful as a guide to consider the appropriate level of rigor for your cybersecurity program and as a communication tool in discussions on mission priority and budgets.
- Profiles: Provides an overview of your unique alignment of organizational requirements and objectives, risk appetite, and resources against the Framework Core. Profiles can be used to identify and prioritize opportunities for improving your organization’s cybersecurity.
Initiatives for Improved Cyber Security
The SANS 2019 survey reveals a growing maturity in identifying potential risk and detecting and remediating actual events. The survey lists six important initiatives for increasing OT, industrial control system, and network security. The following six initiatives can be used as a guide to steer your own cybersecurity implementation efforts:
- Increase the visibility into control system cyber assets and configurations.
- Perform security assessments or control system and network audits.
- Invest in general cybersecurity awareness programs for employees across IT and OT departments.
- Invest in cybersecurity education and training for employees across IT and OT departments.
- Implement anomaly and intrusion detection tools on control system networks.
- Bridge IT and OT initiatives.
Secure access to critical IT systems and ICT infrastructure operations at offshore and onshore installations has become a necessity. Cegal’s security platform Connect@Plant can help.
Connect@Plant is a complete security solution to control, protect, and log all access to onshore and offshore installations and plants. It reduces the need to rely on general IT operations to approve access to critical systems through automated tools for granting and terminating access, delegating approvers, and user management. Furthermore, it gives plant managers increased control over user access and permissions.
Connect@Plant can be implemented in a range of different plant environments, including offshore rigs, power plants, and other critical industrial systems.