Keeping the Wheels of Industry Turning

27 March 2018

Principal Consultant, Anthony Enoh, considers the security implications for industries reliant on Operational Technology – those systems monitoring and controlling the processes that drive a country's critical national infrastructure. 

As much of the world continues on its trend towards greater dependence on technology, the use of interconnected physical and virtual systems will be commonplace for most organisations in the near future. Critical business processes will rely on these systems to maintain their:

  • Confidentiality – to protect IPR, trade secrets and customers’ personal/private information
  • Integrity – to ensure physical assets respond to commands as intended (e.g. a vehicle's brakes engage when told to, and only then)
  • Availability – to ensure the services are available and responsive when the business requires.

To protect all three, organisations must consider how best to integrate cyber security controls into Operational Technology (OT) and so reduce the risks to their business.

The UK’s National Cyber Security Centre defines OT as “Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events”. Examples include production line management, mining operations control, and oil & gas monitoring. Two terms are commonly used for the systems involved:

  1. Industrial Control Systems (ICS) – the general term for the systems used to monitor and control industrial processes, including programmable logic controllers (PLCs) and distributed control systems
  2. Supervisory Control and Data Acquisition (SCADA) – a type of ICS, made of software and hardware, that supervises industrial processes, often across dispersed sites; it monitors and processes real-time data and, through field controllers, commands end devices such as sensors, valves, pumps and motors.

Challenges to Organisations

Often, when an organisation is focused on growth and achievement, little attention is paid to threats from emerging technologies. This is understandable: such threats have not yet hindered day-to-day operations or profits, and the organisation has previously remained under the radar, out of reach of the attackers who would otherwise be keen to exploit its vulnerabilities.

The significant rise in cyber-attacks since 2013 has led many organisations to focus on their internal IT. At the same time, many have taken advantage of technology advances by integrating their networks, reducing the cost of production and services while generating growth. In doing so, these organisations also begin to bridge the network gap (the isolation, or ‘air gap’) that their security may previously have relied on.

Security Implications

Whilst integrating OT networks with the business network and the wider internet brings benefits, it is also a threat multiplier that introduces further operational risks:

  • Additional threat actors – The biggest cyber security threat to an isolated network is its own administrators and engineers, who hold super-user permissions in order to carry out their tasks. Integrating OT networks with business networks extends system access to regular users (data analysts, performance analysts, etc.), and with it to anyone who compromises their accounts or workstations.
  • Proprietary – Since many SCADA and ICS systems were designed before 2000, many products and their underlying protocols are proprietary. Within an isolated network this served as a defence: an attacker would first have to gain access to the isolated environment and would also need specific knowledge of, and experience with, the proprietary systems, protocols and services to launch an attack. This is ‘security through obscurity’; keeping the technology secret makes it substantially harder (and less attractive) to attack. The drawback is that proprietary systems lack the review and scrutiny of open standards, so there may be technical security flaws in the way a system, protocol or service was designed and implemented that are unknown even to its supplier, and the obscurity evaporates once the protocol is reverse-engineered or its documentation leaks.
  • No security design – Cyber security was not widely understood when these systems were designed and implemented, and they were never intended to be connected to a wider network. They were therefore not designed to resist misuse of the underlying technology: commands are typically accepted without any authentication or integrity checking. Connecting them to a very hostile global network leaves them with very few native counter-measures to protect information and business processes.
  • IP conversion – Most OT networks run on legacy infrastructure, often circuit-switched and serial-based connectivity. For an OT network to interconnect with other networks it must be IP-enabled, typically by carrying the serial protocol over TCP/IP through a gateway. This exposes proprietary systems to every host that has IP connectivity to them, so previously unknown vulnerabilities can be reached and exploited remotely rather than only from inside the plant.
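To make the last two points concrete, here is an added example in Python; it is not code from the article or from Leonardo. It uses Modbus/TCP, an open protocol with no authentication that is commonly carried over serial-to-IP gateways, as a stand-in for the protocols discussed: the frame builder shows that a write command needs no credential at all, and the auditor flags write requests from hosts that are not on a hypothetical engineering-workstation allow-list. The IP addresses, the allow-list and the sample traffic are all constructed for the example.

```python
"""Added example (not from the original article): a tiny Modbus/TCP auditor.

Modbus/TCP carries no authentication, so any host with IP connectivity to a PLC
can issue a write. Once an OT network is bridged to the business network, the
only thing stopping a 'regular user' (or an attacker on their workstation) from
changing plant state is network policy. This script parses MBAP frames and
flags writes from hosts that are not on a hypothetical engineering allow-list.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Function codes that change process state (from the public Modbus spec).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Hypothetical policy: only the engineering workstation may write to PLCs.
ALLOWED_WRITERS = {"10.10.5.20"}


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    address: int
    value: int  # value written for single writes; quantity for reads/multi-writes


def build_request(tid: int, unit: int, function: int, address: int, value: int) -> bytes:
    """Build an MBAP header plus a 5-byte PDU (single coil/register or read).

    Multi-write PDUs carry extra payload after these five bytes; they are not
    built here. Note that there is no credential of any kind to supply.
    """
    pdu = struct.pack(">BHH", function, address, value)
    # The MBAP length field counts the unit id plus the PDU.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_request(src: str, data: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request; raise ValueError on a malformed frame."""
    if len(data) < 12:
        raise ValueError("frame shorter than MBAP header plus minimal PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(data) - 6:
        raise ValueError("MBAP length does not match frame size")
    function, address, value = struct.unpack(">BHH", data[7:12])
    return ModbusRequest(src, tid, unit, function, address, value)


def audit(frames: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return one alert per write from a non-allow-listed host or malformed frame."""
    alerts = []
    for src, data in frames:
        try:
            req = parse_request(src, data)
        except ValueError as err:
            alerts.append(f"{src}: malformed frame ({err})")
            continue
        if req.function in WRITE_FUNCTIONS and req.src not in ALLOWED_WRITERS:
            alerts.append(
                f"{req.src}: {WRITE_FUNCTIONS[req.function]} to unit {req.unit_id} "
                f"address {req.address} value {req.value:#06x} from non-engineering host"
            )
    return alerts


# Constructed sample traffic: (source IP, frame bytes). Addresses are made up.
SAMPLE_FRAMES = [
    ("10.10.5.20", build_request(1, 1, 0x03, 0, 10)),        # HMI poll: read 10 registers
    ("10.10.5.20", build_request(2, 1, 0x06, 100, 1)),       # engineer sets a setpoint
    ("192.168.50.7", build_request(3, 1, 0x06, 100, 0)),     # business-LAN host clears it
    ("192.168.50.7", build_request(4, 1, 0x05, 3, 0xFF00)),  # ...and forces a coil ON
    ("192.168.50.7", b"\x00\x05\x00\x00\x00\x02\x01"),       # truncated frame
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES):
        print(line)
```

Run stand-alone, the script prints three alerts: the two writes from the business-network host and the truncated frame. The point is that the PLC itself would have accepted the first two; the only place the distinction between an engineer and a business-LAN host can be enforced is in the network and in monitoring, which is why segmentation and protocol-aware detection matter so much more in OT than a patch cadence does.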

Security threats to Operational Technology

Gartner defines OT security as the practices and technologies used to:

  1. Protect people, assets and information
  2. Monitor and/or control physical devices, processes and events
  3. Initiate state changes to enterprise OT systems.

The function of IT is to harness data to generate useful information that enables business decision-making, using applications, databases, networks and systems. OT also uses information, but its function is not to inform decisions; it is to alter the state of the environment around a device, or the state of the device itself. Because of this, OT and IT have often followed very different development paths, leading to divergence in the hardware, software and protocols used in the two types of environment.

As a result of these differences, traditional security controls have to be re-thought and adapted to this far more static landscape. The IT practice of rapidly applying security patches to close technical vulnerabilities can, in OT, cause more harm to an organisation than an attack might: a patch that forces a reboot or changes timing behaviour can halt a process that was designed to run continuously for years. A specific type of cyber security must be practised in the world of OT, one that understands the unique context in which the technology finds itself.

A culture of Engineering Security

Organisations such as Leonardo can assess technical vulnerabilities in OT systems and advise on how best to mitigate the risk of attackers exploiting weaknesses that present a risk to the organisation. This methodology, known as a Cyber Vulnerability Assessment (CVA), centres on the identification, management and mitigation of Cyber Enterprise Risk across all socio-technological elements of an organisation.

The CVA is designed to provide a holistic picture of risk for the identified scope, whether that is an organisation with multiple interacting systems and services, an individual system with multiple complex sub-systems from different suppliers, or a supply chain with complex webs of interaction. It therefore takes into account more than just technology, recognising the complex interactions between people, process and technology and how critical those interactions are to risk.

Securing the Future of Operational Technology

A CVA approach will give organisations that rely on OT a firmer understanding of the cyber socio-technical risks they are exposed to.

Retrofitting cyber resilience onto legacy technology can begin to reduce the risks, and a CVA approach also introduces Secure by Design concepts at the design and deployment phases of new OT. With this, organisations can begin resilience planning to ensure that when an attack takes place, critical business functions continue at an adequate level, minimising the impact of the attack and keeping the wheels of industry turning.