Building foundations for cyber risk management from the ground up across OT, ICS environments

Increased connectivity across the industrial landscape through the convergence of IT and operational technology (OT) environments has produced previously unheard-of levels of automation and efficiency in today’s hyperconnected organizational environments. These technological advancements come wrapped with unprecedented cyber risks that can disrupt critical operations on a massive scale. Navigating this intricate landscape requires a comprehensive cyber risk management approach that starts from the ground up, ensuring the resilience of these environments against ever-evolving threats.

In the dynamic environment of OT and ICS (industrial control system) frameworks, the essential foundations of cyber risk management must be rooted in the operational landscape. Meticulous assessment of the interconnected systems, identifying vulnerabilities, potential entry points, and critical nodes susceptible to cyberattacks must be adopted. Unlike traditional IT environments, the focus extends beyond data confidentiality to encompass operational continuity, safety, and process integrity. This assessment-driven approach enables organizations to tailor their strategies to the unique characteristics of OT and ICS structures, laying the groundwork for a proactive defense.

As organizations face a growing number of increasingly complex cyber threats and attacks, implementing a robust framework becomes paramount. A holistic strategy encompasses technical measures, personnel training, and process redesign. In a landscape where the digital and physical converge, the journey towards comprehensive cyber risk management across OT and ICS environments is both a necessity and a responsibility.

By beginning with a meticulous assessment tailored to the unique demands of these systems and proceeding to implement a multi-pronged strategy, organizations can mitigate threats at their core. The synergy of technological fortification, process refinement, and human vigilance will determine the resilience of critical infrastructure in the face of an ever-evolving cyber threat landscape, ensuring that the heart of industrial progress beats securely and uninterrupted.

Industrial Cyber reached out to industrial cybersecurity executives to evaluate the extent to which the ‘world view’ of various stakeholders, including those in automation, OT cyber, and IT, shapes their understanding of cyber risk and its potential consequences. They also examine whether there is a commonly agreed-upon definition of cyber risk among these stakeholders.

Dave Purdy, Regional Vice President of Sales, North America at TXOne Networks

Dave Purdy, regional vice president of sales for North America at TXOne Networks, told Industrial Cyber that the perspective of the stakeholders referenced can indeed shape their understanding of cyber risk and its potential consequences.

On the influence of each ‘world view’ on understanding cyber risk, Purdy said that each stakeholder group probably has a different perspective and priorities when it comes to cyber risk. “For example, automation stakeholders will almost always focus on protecting industrial control systems and minimizing the impact on operations. OT Cyber stakeholders might emphasize protecting critical infrastructure and the potential physical consequences of cyber attacks. IT stakeholders might prioritize securing network infrastructure and sensitive data.”

He added that these different ‘world views’ can result in contrasting assessments of cyber risk and shape the actions and strategies each group takes to address it.

Addressing the agreement on a definition of ‘cyber risk,’ Purdy said that while there are various definitions of cyber risk, there isn’t a universally agreed-upon one among all these stakeholders. “Definitions will differ depending on the industry, context, or individual perspectives. Generally, ‘cyber risk’ refers to the potential harm or adverse effects that may arise from cyber threats, vulnerabilities, or attacks. This harm could include financial loss, reputational damage, operational disruptions, or compromised data. As a result, these stakeholders will perceive cyber risk(s) differently.”

Ilan Barda, founder and CEO at Radiflow

Ilan Barda, founder and CEO at Radiflow, told Industrial Cyber that while each professional has their own focus within an organization, instilling a cybersecurity worldview into a company’s culture can have a huge impact on its security posture. “After all, business risk is what unifies team members, along with the cybersecurity definition.”

However, Barda added that cybersecurity priorities are known to differ for IT and OT people. For IT people, confidentiality and integrity are critical, while for OT and automation people, it is about availability and uptime.

“So it’s recommended that there would be an OT cybersecurity team or focal person championing the initiative,” according to Barda. “They should have a discussion with all stakeholders mapping the various cyber risks and mapping them to loss scenarios which have clear priorities from the executive team. Without a definition set by the go-between or liaison, the basis for OT risk management is probably misaligned and the resulting risk assessment and mitigation planning would be wrong.”

Yair Attar, CTO and co-founder at OTORIO

Cyber risk interpretation can vastly differ among stakeholders due to their varied backgrounds and responsibilities, Yair Attar, CTO and co-founder of OTORIO, told Industrial Cyber. “Automation teams are often more focused on ensuring the smooth running of operations and equipment. IT teams are typically more concerned with securing data and maintaining the network infrastructure. Therefore, defining a unified definition of cyber risk is challenging. However, the essence is clear: it’s about ensuring safe operational continuity,” he added.

“Collaboration, communication, and shared responsibility between IT and OT cyber teams are essential for effectively managing and mitigating cyber risks across the organization,” Attar mentioned. “Site personnel (automation, maintenance, OT cyber teams) will usually focus on security maintenance and risk resolution, while IT security teams will focus on early detection and incident management. Both sides of risk should be addressed in collaborative and cohesive joint work.”

Attar also highlighted that industry-specific regulations and compliance requirements related to cybersecurity should play a significant role in shaping and impacting the OT security strategy of organizations. “The enforcement of industry standards and the creation of internal cyber risk policies create a strong framework for conducting risk assessment and proactively mitigating cyber risk. OT security strategies must align with these requirements and undergo regular compliance audits to demonstrate adherence to the established guidelines,” he added.

The executives look into how control system and automation engineers identify cyber risks, and how often these mechanisms are reviewed. They also investigate how IT/OT professionals interpret cyber risks in the production environment. They further analyze whether their outlook and understanding of OT cyber risks have evolved, and if so, what are the reasons behind it.

Control system and automation engineers typically identify cyber risks by conducting thorough assessments of the control system infrastructure and its vulnerabilities, Purdy said. “This may involve analyzing system components, network architecture, access control mechanisms, and potential attack vectors. They may also review industry standards and best practices to understand emerging cyber threats specific to their domain.”

“The frequency of these assessments and reviews can vary based on factors such as the criticality of the system, industry regulations, and the evolving threat landscape,” Purdy noted. “Generally, control system and automation engineers aim to perform regular and ongoing assessments to proactively identify and address vulnerabilities. This can involve periodic assessments, penetration testing, vulnerability scanning, and continuous monitoring.”

He added that the interpretation of cyber risk by IT/OT professionals in the production environment depends on their respective roles and perspectives. “In the past, there has been a divide between IT and OT teams, with OT professionals primarily concerned with operational reliability and safety, and IT teams focused on information security. However, in recent years, the understanding of OT cyber risk has evolved, and there has been an increasing recognition of the interconnectedness between IT and OT systems.”

“Factors driving this evolution include the convergence of IT and OT systems, with more interconnectedness, and the adoption of common technologies,” according to Purdy. “These two forces have become a catalyst for collaboration between IT/OT professionals.”

Barda said that when “you are putting IT and OT together, it’s about the end game – does it impact my machines and how do we work toward continuous uptime? First, it’s important to recognize that their tasks are very different in achieving an organization’s security goals,” he added.

He highlighted that they must work together to identify initial access and which people and systems can reach the critical assets, build the full attack flow, and detect vulnerable points.

Also, Barda said that IT will ask questions that fit their understanding of cybersecurity in a dynamic manner. They will pull resources from known databases and threat intelligence activities that relate to their specific site. They will map how team members access facility devices, and review the permissions of employees who have access to critical assets.

“The nature of OT facilities means that there is no quick on-off switch. For this reason, routine maintenance may only be conducted once a year, creating a small window of opportunity to identify issues,” Radiflow’s Barda said. “So it is best to bring in IT early in the procurement stage to mitigate risks, not after the implementation of new systems.”

Attar disclosed that control system and automation engineers often spot cyber risk through methods such as system vulnerability evaluations, network monitoring, and logging of key events. “These are reviewed and updated frequently in response to the ever-changing cyber threat landscape. From an IT/OT viewpoint, cyber risk is often associated with potential disruptions, data breaches, and operational downtime.”

“As IT/OT convergence has accelerated in recent years, both IT and OT professionals have experienced an evolution in their understanding of OT cyber risk,” according to Attar. “High-profile cyber attacks targeting industrial organizations have raised awareness of the potential consequences of OT cyber risk. Incidents like Norsk Hydro, Colonial Pipeline, and JBS have demonstrated that cyber threats can directly impact physical processes, leading to production disruptions and safety risks.”

Attar mentioned that IT and OT professionals now recognize that their common goal is to protect the overall business and critical operations. “This shared purpose has fostered a more unified approach to cybersecurity, where both IT and OT perspectives are valued in developing holistic risk management strategies.”

“It is now more widely understood that protecting interconnected IT and OT systems requires a holistic security strategy and unified risk management framework that all stakeholders can benefit from,” Attar added. “This paradigm shift is further motivated by increased cyber-attacks targeting industrial systems.”

The executives examine the strategies commonly employed by OT cybersecurity practitioners to adapt to the constantly evolving threat landscape. They also assess how the organizational structure impacts the level of cyber risk awareness and preparedness among OT practitioners.

TXOne’s Purdy said that OT cybersecurity practitioners commonly employ several strategies to adapt to the changing threat landscape. He pointed out that key strategies include risk assessments, defense-in-depth approach, patch management, access control and authentication, continuous monitoring, and security awareness and training.

“Conducting periodic risk assessments to identify vulnerabilities, threats, and potential impacts on OT systems. This helps prioritize and focus efforts on critical areas,” Purdy said. “Implementing multiple layers of security controls to create a robust defense system. This includes network segmentation, access controls, intrusion detection systems, firewalls, endpoint protection, and other preventative controls. Regularly applying security patches and updates to mitigate known vulnerabilities in OT systems and devices. Emerging solutions for ‘virtual patching’ at the network layer. (Virtual patching addresses the disruptive and labor-intensive overhead associated with doing physical patch management),” he added.

Purdy also pointed to implementing strong access controls and authentication mechanisms to ensure that only authorized personnel have access to critical systems. “Performing continuous monitoring and anomaly detection to detect and respond to potential cyber threats in real-time. Providing regular training and awareness programs to educate employees about best practices, social engineering attacks, and other cybersecurity risks.”

Regarding the impact of organizational structure on cyber risk awareness and preparedness among OT practitioners, Purdy highlighted that the critical factor is ‘leadership.’ “The support and commitment from top-level management in prioritizing cybersecurity initiatives significantly impacts the level of awareness and preparedness among OT practitioners.”

“As a result of the OT/IT inter-reliance we need to understand IT’s dynamic view of cybersecurity vs. OT’s static view,” according to Barda. “In other words, IT prefers to mitigate vulnerabilities, managing them at all times. On the other hand, OT prefers to not disturb their systems unless absolutely critical since any pausing or updates may create a misalignment between facility machinery and impact production. So, IT teams should always try to handle emerging threats without disturbing OT cybersecurity operations.”

He added that the proposed process would be to conduct network mapping as a joint IT/OT exercise and understand the business importance of the OT assets and zones. “Once you have this information the CISO team should create an offline model to reevaluate risk. New threat information should be simulated on the offline model and the information should be escalated to the OT team only if a new critical attack flow was found,” according to Barda.
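One way to put Barda’s process into working form, both the attack-flow construction he describes earlier (initial access, who can reach the critical assets, the full attack flow) and the offline model that is re-run on new threat information and escalated to OT only when a new critical flow appears. This is an added example, not Radiflow’s or any vendor’s code; the assets, zones, importance scores, conduits and vulnerability IDs are all constructed for illustration.

```python
from collections import deque

CRITICAL = 4                # business importance at or above this is a critical loss scenario
ENTRY_POINTS = {"vpn-gw"}   # where initial access is assumed to start (constructed)


def build_model():
    """Fresh copy of a constructed joint IT/OT network map.
    assets: name -> [zone, business importance 1..5 (agreed with OT), unmitigated vuln IDs]
    conduits: name -> assets it is allowed to reach (from firewall rules / mapping)."""
    assets = {
        "vpn-gw":    ["enterprise", 1, {"VULN-A"}],
        "jump-host": ["dmz",        2, set()],
        "historian": ["dmz",        3, {"VULN-B"}],
        "eng-ws":    ["control",    4, set()],
        "plc-line1": ["control",    5, set()],
    }
    conduits = {
        "vpn-gw":    {"jump-host", "historian"},
        "jump-host": {"eng-ws"},
        "historian": set(),
        "eng-ws":    {"plc-line1"},
        "plc-line1": set(),
    }
    return assets, conduits


def attack_flows(assets, conduits, entry_points=ENTRY_POINTS):
    """Paths from an entry point to a critical asset in which every hop before the
    target carries an unmitigated vulnerability. Returned as a set of tuples so two
    runs of the offline model can be diffed."""
    flows = set()
    for entry in entry_points:
        queue = deque([(entry,)])
        while queue:
            path = queue.popleft()
            here = path[-1]
            if assets[here][1] >= CRITICAL:
                flows.add(path)          # reached a critical loss scenario
            if not assets[here][2]:
                continue                 # no foothold possible here; the path ends
            for nxt in conduits[here]:
                if nxt not in path:
                    queue.append(path + (nxt,))
    return flows


def replay_threat_info(assets, conduits, asset, vuln_id):
    """Simulate newly reported threat information on the offline model. Escalate only
    if it opens a flow to a critical asset that did not exist before; otherwise the
    finding is logged for the next maintenance window."""
    before = attack_flows(assets, conduits)
    assets[asset][2].add(vuln_id)        # offline model only; production is untouched
    new_flows = attack_flows(assets, conduits) - before
    return bool(new_flows), new_flows


if __name__ == "__main__":
    model = build_model()
    for asset, vuln in [("jump-host", "VULN-C"), ("historian", "VULN-D")]:
        escalate, flows = replay_threat_info(*model, asset, vuln)
        print(vuln, "on", asset, "->", "ESCALATE to OT" if escalate else "log only", sorted(flows))
```

In the constructed data the first replay opens the flow vpn-gw → jump-host → eng-ws and is escalated; the second adds a vulnerability on an asset that was already reachable and leads nowhere new, so it is only logged.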

“The most common strategies OT cybersecurity practitioners employ include vulnerability management, security control assessments focusing on segmentation, continuous monitoring, and overall security posture analysis,” OTORIO’s Attar said. “When it comes to the influence of organizational structure, a siloed structure can restrict the overall understanding and preparedness for cyber risks.”

In contrast, Attar added that a more integrated structure can enhance cyber risk awareness through better information sharing and collective decision-making. “It fosters a shared operational picture where stakeholders across the organization can work together to manage evolving cyber risks.”

The executives investigate how these risks are communicated to higher levels of management. They also assess any changes or developments in the evolution of these interfaces over time.

Purdy said that communicating cyber risks to higher levels of management is crucial for ensuring understanding, support, and resource allocation for cybersecurity initiatives. There have been changes and developments in the way these interfaces have evolved.

He outlined some common practices and trends including risk reporting, business alignment, key performance indicators (KPIs), and executive dashboards.

“OT cybersecurity practitioners sometimes prepare risk reports to present the potential impact and likelihood of cyber risks in business terms. These reports typically highlight key vulnerabilities, threat trends, potential consequences, and recommended mitigation strategies,” Purdy said. “Effective communication of cyber risks involves linking them to business objectives and impacts. This helps management understand the potential financial, operational, and reputational consequences of cyber incidents, making a business case for cybersecurity investments.”

Purdy added that developing KPIs for cybersecurity enables management to measure the effectiveness of cybersecurity initiatives and track improvements over time. KPIs could include metrics such as the number of vulnerabilities remediated, incident response time, or user awareness training completion rates. “Providing executive-level dashboards that display concise and relevant cybersecurity metrics in real-time. This allows management to quickly assess the state of cybersecurity posture and make informed decisions.”

Barda identified that risks to higher-level management need to be communicated in terms of business. “The key points of communication should be: what is the risk to business operations, what will be the financial impact, and explain the importance of each production site alongside its risk probability for each loss scenario.”

From there, Barda detailed, executive management can decide on the risk appetite according to several business parameters: the attack may impact the most profitable machine (production, packing, etc.) in the organization; the site may produce something that is unique in the market, so being taken offline creates a window of opportunity for competitors to gain market share; the site may create components for a critical customer, where losing the contract cannot be risked; and brand impact, since depending on the industry, attacks may be common or can be catastrophic.

“In addition to the evaluation of the business risk, it’s very useful to evaluate your risk posture compared to the industry benchmark – if you were penetrated by state-sponsored hackers then there’s not much you can do,” according to Barda. “However, if it was done by someone who exploited a known but unmitigated vulnerability then that will have a greater reputational impact. If it’s a simple attack and all peers have already mitigated it except for you, then it will look much worse and impact brand perception.”

“Over time, we’ve seen that the interface between risk management and higher management has evolved, driven by a growing understanding of the serious business implications of cyber risks,” Attar said. “Turning cyber risk data into actionable insights aligned with business priorities has become a key focus for C-suite executives. There is a growing understanding of the difference between IT-related and OT-related risks. OT cyber risk involves protecting physical systems and personnel and business impacts like downtime, financial loss, reputational damage, and regulatory non-compliance.”

Attar added that a paradigm shift to quantify these risks in business terms empowers informed decision-making and strengthens the risk appetite of the entire organization. “Through regular reports and committee meetings, key stakeholders gain a comprehensive understanding of the OT cyber risk and security posture, ensuring a clear overview.”

He also pointed out that C-level executives are vital in championing OT cybersecurity initiatives, driving a security culture, and ensuring the organization is adequately prepared to protect its critical infrastructure and operations from cyber threats. “C-level executives often report to the board of directors on cybersecurity matters, including OT security risks and the organization’s cybersecurity posture. It’s critical that they are always aware of potential threats and the measures being taken to address them,” Attar concluded.
