Compelling need to build ICS resiliency across OT and ICS environments in 2023


The growing prevalence of cybersecurity incidents targeting critical infrastructure environments, at times resulting in operational downtime or in loss of production from destructive malware or malicious insider activity, makes it imperative for these organizations to structure and build out an ICS resiliency framework. This year, as organizations continue to rely on OT (operational technology) infrastructure to monitor and control physical processes, operational environments remain at high cyber risk as a result of global competition and geopolitical tensions.

The OT sector is broadly defined to include operations across the 16 critical infrastructure sectors currently outlined by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with businesses with a ‘brick and mortar’ presence. These environments run many of the same connected, communicating electronics and subsystems that define the critical infrastructure sectors, such as ICS (industrial control systems), HMI (human machine interface) workstations and SCADA (supervisory control and data acquisition) systems. These installations are emerging as extremely vulnerable, with rising digitization and connectivity across OT and ICS environments widening the range of threats and attacks organizations face.

OT environments also play a critical role in the supply chain. As these systems face an increasing number of cyberattacks, they present a real threat to safety and production, and a direct economic impact on a manufacturing organization.

Given the critical role of OT and ICS frameworks, organizations need to establish and build their ICS resiliency to understand the impact of a potential cyber-attack, recognize the measures required to prevent, survive and recover from such an attack, and be able to assess and understand its real threat model. Additionally, enterprises must integrate and bring together people, technologies, procedures and policies to prevent cyber attacks from disrupting the course of operations. Their ICS resiliency plan must focus on the business recovering after a successful attack whilst keeping the impact of such an attack to the minimum.  

The urgency of putting these measures in place is further heightened by Mario Greco, chief executive at insurer Zurich, having warned in December that cyber attacks, rather than natural catastrophes, will become ‘uninsurable’ as the disruption from hacks continues to grow. “Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn,” he added.

This follows a decision by Lloyd’s of London last August on state-backed cyber-attack exclusions in standalone cyber-attack policies. It said that it is set to introduce cyber insurance exclusions to coverage for ‘catastrophic’ state-backed attacks from 2023, as cyber-attack risks involving state actors have additional features that require consideration. While Lloyd’s stated that it ‘remains strongly supportive of the writing of cyberattack cover,’ it recognizes that ‘cyber-related business continues to be an evolving risk.’

Industrial Cyber reached out to industrial cybersecurity experts to outline the key challenges that the OT sector will face in 2023, and how these can be overcome as organizations work towards building their ICS resiliency. 

Pascal Ackerman, senior cybersecurity consultant for OT at GuidePoint Security

“The pressure is up. With the government putting out more mandates and insurance companies adjusting their policies, the burden of securing their environment will continue to pile on for ICS owners,” Pascal Ackerman, senior cybersecurity consultant for OT at GuidePoint Security, told Industrial Cyber. “Knowing the current landscape of the state of current ICS cybersecurity, most companies will have to concentrate (still) on the fundamentals: architecture, security monitoring, and response practices. Those disciplines are lacking across the board.”

Tom Smertneck, managing principal at Energy Aspects LLC, outlined to Industrial Cyber three key challenges that the OT sector is facing or will continue to face in 2023. These are bolstering IT or building new OT cybersecurity resources, either through workforce development or by finding, recruiting and hiring capable ICS (OT) cybersecurity staff; investigating and documenting the status of their present cybersecurity posture in both the enterprise (IT) and OT operational segments; and addressing the probable need for organizational restructuring to enable, as soon as possible, cybersecurity improvement to their OT environment.

Tom Smertneck, managing principal at Energy Aspects 220

He suggested workforce development by partnering with a local university or one of the emerging cloud-based cyber range/pen-testing companies, or by enrolling staff in the OT cybersecurity training and certification program built around ISA/IEC 62443. That program covers the now-horizontal global cybersecurity standard and can train a spectrum of management, IT and controls engineers to be more effective organizationally, operationally and in hardware and software product development.

“This may be challenging for the OT side of operations as many cyber ranges, which have been created and built to attract IT/enterprise networking security specialists, are also in the emerging mindset of building OT architectures, schemes, and penetration testing scenarios with which to attract subscribers or, in the case of universities/colleges and tech-schools, students and adjunct professors,” according to Smertneck. “Another challenge for owners of OT operations is the ability to find, vet and secure with operational confidence service providers who can truly assist or deliver master service provisions (MSP) in ICS cybersecurity.”

Smertneck also highlighted assessing, documenting, and identifying asset status, while also documenting the history of CVEs that have been cleared/rectified and those still needing to be resolved along with actions plans and timetables for those resolutions. “Establish a program for modernizing OT SCADA operations to include new analytical processes that can independently monitor large data changes that can indicate potential infiltration and control system takeover. This modernization is being referred to as ‘ML’ for Machine Learning and ‘AI’ for Artificial Intelligence, and often mentioned together as ML/AI,” he added.
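The ‘independent monitoring of large data changes’ Smertneck describes does not have to start with ML/AI; the baseline such analytics build on is a plain physics-bounded check on the process data. The example below is added here and is not code from the article or from Smertneck: it takes historian-style samples and flags values outside engineering limits and changes faster than the process can physically produce, which is how a spoofed sensor value or a hostile setpoint write shows up in the data stream. The tag names, engineering limits, rate limits and sample stream are all constructed for illustration; a real deployment would take limits from the process design and feed the monitor from a read-only historian tap so a takeover of the control path does not silence it.

```python
"""Independent process-data monitor (added example, not from the article).

Assumptions (hypothetical): samples arrive as (timestamp_s, tag, value) tuples;
engineering limits and a per-tag maximum plausible rate of change are known
from the process design. Alerts are returned, not written back to the PLC, so
the monitor stays out of band from the control path it is watching.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TagLimits:
    low: float        # engineering low limit
    high: float       # engineering high limit
    max_rate: float   # largest physically plausible change per second


# Hypothetical limits for two tags; constructed for this example.
LIMITS = {
    "TANK1_LEVEL_PCT": TagLimits(low=5.0, high=95.0, max_rate=0.5),
    "PUMP1_SPEED_RPM": TagLimits(low=0.0, high=1800.0, max_rate=50.0),
}


def check_samples(samples, limits=LIMITS):
    """Return a list of (timestamp, tag, reason) alerts, in time order.

    Three conditions are flagged: a tag the monitor has no limits for (an
    unexpected point appearing in the stream), a value outside engineering
    limits, and a per-tag rate of change larger than the process can produce.
    """
    alerts = []
    last = {}  # tag -> (timestamp, value) of the previous accepted sample
    for ts, tag, value in sorted(samples):
        lim = limits.get(tag)
        if lim is None:
            alerts.append((ts, tag, "unknown tag"))
            continue
        if not lim.low <= value <= lim.high:
            alerts.append((ts, tag, f"out of range {value}"))
        if tag in last:
            prev_ts, prev_val = last[tag]
            dt = ts - prev_ts
            if dt > 0:
                rate = abs(value - prev_val) / dt
                if rate > lim.max_rate:
                    alerts.append((ts, tag, f"rate {rate:.1f}/s exceeds {lim.max_rate}"))
        last[tag] = (ts, value)
    return alerts


# Constructed sample stream (not real historian data).
SAMPLES = [
    (0, "TANK1_LEVEL_PCT", 60.0),
    (10, "TANK1_LEVEL_PCT", 61.0),
    (20, "TANK1_LEVEL_PCT", 62.0),
    (30, "TANK1_LEVEL_PCT", 98.0),     # implausible jump, also above high limit
    (0, "PUMP1_SPEED_RPM", 1200.0),
    (10, "PUMP1_SPEED_RPM", 1210.0),
    (20, "PUMP1_SPEED_RPM", 1790.0),   # 58 rpm/s, faster than the pump can ramp
    (30, "PUMP1_SPEED_RPM", 1795.0),
    (5, "VALVE9_POS", 1.0),            # tag with no limits on file
]

if __name__ == "__main__":
    for alert in check_samples(SAMPLES):
        print(alert)
```

Running it on the constructed stream yields four alerts: the unknown tag, the pump ramping faster than its rate limit, and the tank level both out of range and changing implausibly fast. The point of the design is that the limits come from the physics of the process rather than from network signatures, so the check still fires when the write arrives over a legitimate protocol from a compromised engineering workstation.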

He further added, “OT cybersecurity resources in product development firms (hardware or software) would be instrumental as leaders or contributing team members more prone to understand and synthesize the ability to ‘design security-in vs. strap-on’ from following ISA/IEC 62443 guidance in Section 3 (Systems 3.1-3.3) and Section 4 (Components 4.1-4.2).”

The OT sector is caught in a convergence of cybersecurity risk drivers, Ian Bramson, global head of industrial cybersecurity at ABS Group, told Industrial Cyber. “Attacks are becoming more frequent and potent. Digital dependence on OT is increasing, and regulations are expanding. The Purdue Model is starting to collapse, as IIoT devices are being integrated into operations that have direct connectivity to the internet.”

Ian Bramson, global head of industrial cybersecurity at ABS Group

Bramson highlighted that insurance is becoming stricter and senior executives are starting to be held more directly accountable for their actions, both before and after a cyber event occurs. “All of these drivers are creating immense pressure on an OT cybersecurity environment that is under-resourced, under-staffed, and far less mature than the IT counterparts,” he added.

“In 2023, the risk is accelerating, and executives in critical infrastructure will either need to take meaningful action to build an ICS resiliency program or run the risk of being held accountable for a significant OT cyber incident,” according to Bramson. “This means going beyond simply doing gap assessments and implementing the risk controls to identify, protect, detect, respond, and recover from cyber incidents.”

Bramson also said that this means boards of directors will need to be much more educated and decisive on the specific risks and management of the ICS environment. “Although cyber is often discussed at the board level, there are too many misconceptions, miscommunications, and lack of tangible actions taken to build strong ICS programs. OT cyber needs to step out from behind the IT veil and have board members clearly understand the cyber risks to safety and operations.”

The experts analyzed the role that the OT workforce plays as organizations work towards improving and strengthening their ICS resiliency. They also assessed whether organizations have the necessary capabilities and budgets in place to build ICS resiliency, as attackers get closer and closer to OT environments.

Ackerman said that in his opinion the OT workforce needs to start working closely with the IT workforce of an organization. “From experience, the companies that have their IT and OT team working closely together or even have a dedicated IT/OT team, are the companies that do ICS cybersecurity the most efficiently and effectively,” he added.

Smertneck said that if understood and enabled by the CISO or lead CISSP who’s become OT cybersecurity capable, the ‘OT workforce’ would likewise need to be conversant in IT network fundamentals and HTTP/HTTPS fundamentals, as at certain levels of an OT architecture, they also apply and can be a layer of defense. “The OT resources could play a leading role in structuring cyber range exercises to help their IT cousins to become more enlightened and capable in architecture, connectivity, equipment additions or other strategies, and vice versa,” he added.

“OT architectures are likely to need approaches with Defense-in-Depth where their IT cousins can assist in formulating appropriate MFA and Zero-Trust approaches being deployed at the Enterprise level,” Smertneck said. “These can be mapped into OT operational architectures without much impact on data latency or process operations integrity as they are primarily targeted to login authentication and similar fundamental cybersecurity tactics. This is the teamwork most mid- and large company organizations may be in-process of arranging now. Again, it’s the small manufacturer who falsely believes they’re not a big enough target to offer hackers or ICS conversant infiltrators to take the time nor make the effort.”

Addressing budgets, Smertneck said that this is another aspect of a company’s risk assessments, handled by creating a Business Impact Analysis (BIA) once the inventory of existing assets and vulnerabilities is complete. “Clearly, OT Control System resources can play leadership or sounding board roles in any existing Enterprise Security Team for cross-training as well as ideations, innovations or migrations toward fulfilling a Corporate Sustainability Program,” he added.

“When it comes to OT, cyber has traditionally been in the middle of a proverbial game of kick-the-can. Operations had claimed cyber was an IT responsibility, and IT had claimed it was an operational issue,” Bramson said. “No one wanted to pick up the ICS resiliency cause, because there was only risk and cost, with little direct benefit. As attacks increased, most companies have turned to the IT departments and mandated they lead the charge. This has not only led to friction between IT and operations but has left the OT workforce in a quandary.” 

According to Bramson, IT doesn’t have the necessary skills, experience, or understanding to directly manage an OT environment. “The OT workforce, on the other hand, does not have the cyber expertise, time, or resources to build an ICS resiliency program. The result is confusion, friction, and limited progress,” he added.

However, Bramson cautioned that there is a powerful role for the OT workforce to play. “Most operations in critical infrastructure have mapped and prioritized the risks to their operations. Many have built detailed bow-tie risk models that clearly show the impact and dependencies of device and equipment failure. They already speak the language of risk and have procedures for managing the impacts to safety and operations. Thus, instead of approaching OT cyber as an IT challenge, it would be better to look at it as an operational and safety risk.”

“The consequences of a cyber attack in OT impact the same equipment and devices that OT has mapped,” Bramson said. “There might be different, digital methods to impact those devices, but the consequences are often the same (e.g., opening a valve, overheating a piece of equipment). Understanding and mapping the cyber-physical consequences of an attack mirrors the efforts that the OT workforce has already performed. Additionally, the prioritization is already done. The biggest impact that the OT workforce can make in improving cyber resiliency is incorporating cyber into their operational risk management. They need to take the lead, with IT and outside experts supporting the effort.”

Bramson further added that OT owns the risk and should drive the solution.

With cyber-attacks potentially becoming ‘uninsurable,’ the experts analyze the ICS resiliency measures that ICS and OT environments must adopt to deal with rising cybersecurity incidents. Additionally, they also look into how swiftly these action plans are put into place. 

Ackerman suggests that ICS and OT environments adhere to a cybersecurity framework to guide the process (he recommends the NIST CSF), as this takes care of program development. He also proposed training staff to be more security aware, implementing a resilient architecture, and building a cybersecurity monitoring infrastructure and response team. Lastly, Ackerman advised these environments to continuously improve through pentests, red/blue/purple team exercises, tabletop exercises, training sessions, and similar activities.

Smertneck said that he believes ‘uninsurable’ would only be a temporary measure, as insurance companies are in business to make money and therefore cannot ultimately turn their clients and market segments completely away, despite the recent news that indicates more ‘war powers acts’ and no coverage for infiltrations and data exfiltration tagged as perpetrated by nation-state actors.

He added that the insurance industry is becoming more IT/OT knowledgeable and conversant to the point of restructuring their policies with new compliance requirements that enable continued coverage, and with new policies and levels of coverage depending upon the risk level they assess from the client’s reporting of IT and OT cybersecurity status, posture, improvement plans, resource staffing, etc.

“In terms of resiliency measures, beyond what has been previously mentioned, are taking a proactive approach with their insurance broker and even primary carrier(s) for property and casualty policies with evidence and possibly desired policy/contract language that indicates their current, near-future and long-term IT/OT cybersecurity efforts to rectify, improve and bolster personnel resources, capabilities and continuous training plans,” according to Smertneck. “Likewise, insurance companies also need to improve their segmentation of ‘Carrot & Stick’ approach to policy language and support.”

Smertneck also commented that “to achieve better policy offerings, and outcomes, there needs to be collaborative, cooperative and integrated support from various federal agencies involved with cybersecurity and insurance to give insurance companies and policy writers guidance on workable solutions for both the risk-takers and those needing cybersecurity risk avoidance (clients). This would include CISA, Federal Insurance Office (FIO) of the Treasury Dept, Board of Governors in the Federal Reserve System, and the like, which sounds like an extremely large task given the lack of cooperation between them historically.”

“Industrial cybersecurity has caused the insurance industry fits for years. It is incredibly hard to underwrite since this traditionally requires historical data that can effectively predict future events,” Bramson said. “It is also hard to validate claims, as industrial cyber attacks can easily be confused with non-cyber operational failures. Attribution of a cyber attack is also nearly impossible to definitively determine. As a result, the insurance industry has put in exceptions, limited liability, and made obtaining insurance a long and arduous process,” he added. 

Furthermore, cyber is now starting to creep its way into D&O insurance, Bramson said. “Senior executives are starting to be held directly accountable for cyber breaches. This raises the stakes and drives the need to develop robust cyber resiliency programs.” D&O insurance provides cover for the personal liability of directors and officers arising due to wrongful acts in their managerial capacity.

Bramson advised ICS and OT environments to keep it simple. “When building an ICS resiliency program for OT environments, start by asking the basic questions. Do I know what I need to protect (Asset inventory and management)? What are the holes in my protection and defense (vulnerability management)? Can I see if someone has breached our OT environment (Monitoring)? Can I get them out (Response)?” he added. 

By addressing the basics, companies can start reducing their cyber risk, improving their insurance posture, and protecting their executives, Bramson concluded.
