Industrial cybersecurity company Applied Risk organized its NightWatch 2021 online event on Thursday, hosting the OT (operational technology) security community to discuss and learn from experts, analyze research findings, and share established strategies from the field. It allowed participants to learn and get involved in discussions focused on cyber risk mitigation for critical OT, SCADA (supervisory control and data acquisition), and industrial IoT assets.
Analyzing the role of built-in cybersecurity in the Open Process Automation Forum (OPAF), Camilo Gomez, global cybersecurity strategist of Yokogawa’s U.S. Technology Center, said at one of the sessions of the NightWatch 2021 event that the vision of OPAF is to build an open, standards-based, interoperable, secure process control architecture that leverages advances in technology to move the processing of control to the inner edge, closer to the physical process, with the premise that the security of the system starts with the security of the components.
OPAF defines the policies that govern the operation of the Open Group O-PAS (Open Process Automation Standard) Certification Program by outlining what can be certified, what it means to be certified, and the process for achieving and maintaining certification. These policies also define the obligations on product suppliers, including a requirement for the supplier to warrant and represent that the product meets the applicable conformance requirements, which include conformance to the applicable O-PAS standard as interpreted by the OPAF.
OPAF comes with a secure-by-design objective, and the O-PAS standard that supports the architecture helps businesses to lower capital and lifecycle costs and puts pressure to increase profitability from operations, Gomez said. It also helps integrate new capabilities to make data more accessible, and responds to the need to make cybersecurity more than just an afterthought. The forum aims to change to an open process control architecture, he added.
The aim of the O-PAS standard is three-fold: improve operations by adopting certified software and hardware component interfaces, allow multi-vendor interoperability, and make cybersecurity pervasive, Gomez said. In addition, he recommended design and integration from the beginning through a holistic framework. The focus of the O-PAS standard is to define the elements and interfaces that would allow the asset owner or end-user, and the SI (system integrator), to build an open, heterogeneous, and secure multi-vendor control system.
Published in June, the O-PAS Version 2.1 Preliminary Standard developed by OPAF enables greater interoperability and portability in manufacturing control systems. It defines a reference architecture and information model that will enable a distributed and heterogeneous ecosystem of industrial process automation resources to interoperate. The O-PAS standard, once fully defined, will allow for the construction of safe, reliable, secure process automation systems that are scalable from very small to very large, which do not require system shutdown to perform updates and extensions, and which can be applied to existing systems and new construction.
The standard has been built in seven parts. In line with the OPAF vision, each part is based on one or several reference standards, with Part 2 using the IEC 62443 standard as the overarching reference standard for the cybersecurity framework. Since O-PAS only defines the interfaces for the elements comprising the architecture, not all of the 62443 standard series or parts are directly relevant, Gomez said.
O-PAS certified products aim to provide a foundation of consistent cybersecurity capabilities that the system integrators and asset owners can put to work when designing, building, and maintaining the industrial automation systems, he added.
Eric Byres, CTO of aDolus Technology, analyzed in his keynote address at the NightWatch 2021 event how the convergence of threat and technology will reshape how the industrial sector operates and secures critical infrastructures, and how security professionals need to respond, as 2021 has seen OT both in the bullseye and under the microscope in ways never seen before. He concentrated on the Colonial Pipeline attack, Executive Order 14028, the Oldsmar water plant hack, EKANS, the National Security Memorandum, and the TSA security directive for pipelines.
Speaking at another session at the NightWatch 2021 event, Mike Firstenberg, director of industrial security at Waterfall Security, highlighted three innovative cyber risk management approaches and scrutinized their effectiveness against the pervasive threat of targeted ransomware, with particular attention to the risk of the operations. He defined a simple and robust approach to managing OT cyber risks, including Security PHA Review (SPR), Consequence-Driven, Cyber-Informed Engineering (CCE), and Secure Operations Technology (SEC-OT).
As targeted ransomware emerges as a key threat to industrial operations and OT systems, the trend is only likely to worsen, since targeted attacks use tools and techniques comparable to those used exclusively by nation-states only a half-decade ago, according to Firstenberg. OT cyber risk management deals with cyber threats to physical operations. Some enterprise security mechanisms are very costly to apply in OT systems because of extended safety, equipment protection, and other OT risk management programs, he added.