Creating cohesive OT risk strategy through cybersecurity measures and collaboration with engineering

In today’s rapidly evolving technological landscape, the need to address a comprehensive approach to risk management is crucial at all levels of an organization. This imperative becomes even more pronounced in operational technology (OT) environments where different perspectives on risk prevail. While traditional risk management practices have primarily focused on physical and financial risks, the emergence of cybersecurity threats has necessitated a paradigm shift. Collaboration with engineering teams is not just desirable but necessary to incorporate cybersecurity risks into the risk register for OT environments.

Urgent action must be taken to align cybersecurity efforts with organizational risk management frameworks in OT environments. Failing to do so could expose critical infrastructures, such as power grids or manufacturing plants, to malicious actors seeking unauthorized access or control over these systems. The consequences of such incidents could range from financial losses and reputational damage to potentially jeopardizing public safety.

A comprehensive approach to risk management is therefore crucial at all levels of an organization, particularly given the multifaceted perspectives on risk in OT environments. With an ever-evolving threat landscape and growing reliance on digital systems, collaboration with engineering teams becomes indispensable for incorporating cybersecurity risks into the overarching risk register for OT environments. Engineers, with their technical expertise and intricate knowledge of system design and implementation, play a vital role in closing the persistent cybersecurity gap during construction phases.

Exploring Comprehensive Risk Management Strategies for OT Environments

Industrial Cyber consulted with cybersecurity experts to assess how organizations can adopt a comprehensive approach to risk management that covers all levels, particularly in the context of OT environments. They have also examined the challenges that arise from the different perspectives on risk within OT environments and how these differences can be effectively addressed to create a unified risk management strategy.

Paul Smith, director of engineering at Honeywell and former CTO at SCADAfence

Paul Smith, director of engineering at Honeywell and former CTO at SCADAfence, told Industrial Cyber that he would start by implementing a comprehensive risk matrix covering all OT assets under management, one that captures process impact, safety impact, external connectivity, end of life for hardware/software/firmware, known vulnerabilities and exploits associated with the versions currently installed and operating, and business interruption (the revenue driver).

“Although this seems easily addressed, most organizations fail to have full visibility into their current environments. Whether it be through multi-vendor products or due to acquisitions and mergers, the list of managed assets continues to grow,” Smith detailed. “Additionally, understanding the business impact tends to be an executive detail seldom communicated down to the operational staff. I believe there is a fundamental understanding of which systems and assets drive production and what downtime can cost an organization.”

However, Smith felt that “no company has fully designed a detailed matrix to understand what a single compromised asset could really cost the business.”

Blake Benson, senior director for cybersecurity practice lead at ABS Group

One of the most overlooked aspects of risk management concerning OT is leveraging existing risk assessments to repurpose and identify potential consequences of interest that could arise from cyber-initiated events that might impact operations, Blake Benson, senior director for cybersecurity practice lead at ABS Consulting told Industrial Cyber.

“In general, many cybersecurity professionals and risk practices (especially IT-focused approaches) lack the operational exposure required to make sound judgments on where to prioritize resources to mitigate cyber-initiated risk in critical infrastructure environments,” Benson said.

To take a chemical industry example, one of several ways to repurpose existing safety and risk assessments to identify potential cyber risks is to use an existing Process Hazard Analysis (PHA) or Layer of Protection Analysis (LOPA) to identify the specific processes and functions that support critical functions and that rely on cyber-enabled technology to interact safely with other systems or functions within the process safety environment.

Benson identified that the single easiest way to communicate risk and deliver results under a common lexicon is to take the existing risk assessments, place a cyber lens over them, and identify and communicate the areas where OT has an outsized impact on the safe operation of components or systems that lack many manual safeguards (as detailed in the LOPA, for example). “If risk experts can translate cyber dependencies and cyber risks into operational hazards and consequences, translating importance to C-suite executives or board members is more palatable in familiar terms,” he added.

Sinclair Koelemij, an ICS security professional, said that a multi-tier framework, typically consisting of three tiers, as seen in NIST SP 800-30, should be applied. “These tiers distribute tasks and responsibilities across the organizational/corporate level (tier 1), mission/business plant level (tier 2), and system level (tier 3). This holistic approach aligns various processes, ensuring a consistent approach throughout the company, regardless of the discipline. The benefits include improved awareness, training, and a consistent and familiar response to incidents,” he added.

Sinclair Koelemij, ICS security professional

“Currently, many companies treat OT security risk as an isolated discipline, whereas process safety risk and reliability risk disciplines are more effectively aligned,” Koelemij told Industrial Cyber. “In my opinion, this discrepancy is due to the lower maturity level of OT security risk management. While semi-quantitative risk analysis is commonplace in process safety and reliability engineering, it is rarely applied to OT security risk.” 

Additionally, risk analysis often focuses solely on the process automation system, overlooking the physical installation and missing opportunities to mitigate risk through non-traditional digital security measures.

Koelemij added that the quality of risk assessments should be enhanced. “Currently, many risk assessments do not incorporate the consequences of the physical process installation in their analysis. This omission results in a skewed representation of risk and fails to identify several critical hazards. Unfortunately, risk assessments are often treated merely as items to check off a list.”

Derek Anderson, OT cybersecurity professional

“The first step in developing a comprehensive risk management approach would be conducting a risk assessment in order to identify and evaluate potential threats/vulnerabilities, then prioritize identified risks based on their potential impact on critical operations or critical assets,” Derek Anderson, an OT cybersecurity professional, told Industrial Cyber.

He added that obstacles will be encountered and pushback is usually from a financial perspective (security is a cost center), or due to a lack of resources to implement new initiatives. “In order to combat this, it is important to gain executive support to guide the program from the top down. Buy-in at every level is needed, and it is important for the remediation to be a collaborative effort. Communication and education need to be tailored at every level. Executives need to understand the value of propping up a security program, vs the impact of a breach. Engineers and plant personnel need to see the safety benefits and any other value added to new technologies or updated security measures.”

Blending Risk Management and Engineering Teams to Tackle Cybersecurity Risks

The experts analyze how the changing nature of threats necessitates a collaborative effort between risk management and engineering teams to recognize and counteract cybersecurity risks in OT environments.

“With threat actors continuously learning and adopting new methods and strategies it becomes very apparent that we need to have a better communication channel between risk management and engineering,” Smith pointed out. “This has become very apparent with the inception of items such as ChatGPT and generative AI taking a major leap in the mass education of how little the requirements are to create major process impact.”

Benson expressed that “we place far too much importance on threats and far too little importance on why threats should matter in the first place. New threats in OT could represent a new technology, a new adversarial capability, or any number of innovations or iterations of known tactics, techniques, and procedures (TTPs), but they might not even be applicable to the environment you are protecting.” 

He added that the vast majority of collaboration should be focused on engineering teams understanding the digital and cyber-enabled assets in their operating environments and risk management teams identifying the relevant threats and contextualizing them to operations in a way where operations/engineering can understand the impacts and develop a recovery or mitigation strategy as necessary.

“In my opinion, it is not the changing nature of threats that necessitates a collaborative effort, but rather the required growth in maturity in managing OT security risks that demand such collaboration,” Koelemij indicated. “Managing OT security risk requires a multi-disciplinary approach, encompassing skills in process safety, process operations, process automation, cyber security, and risk analysis.” 

Unfortunately, such an approach is often lacking because many of today’s service providers lack a solid foundation in process automation, and departments within plants have been downsized to a level where they cannot provide these skills independently, according to Koelemij. “OT security risk is an integral part of process automation risk and should be treated as such.”

Anderson said that a collaborative effort is needed for several reasons. “First and foremost, the interconnected systems between the IT and OT networks increase the attack surface. A majority of OT malware and incidents are initiated on the IT side. Collaboration is needed to develop a comprehensive security approach that considers the interdependencies between IT and OT environments.”

He added that the complexity of the landscape adds to the challenge of securing the OT environment. Increasing demands for data and the need for remote access also expand the attack surface through additional external connections. When every individual fully understands the threat landscape, it helps to drive home the potential impacts of bypassing security controls.

Examining Risk Perceptions, Strategies for Cohesive Organizational Risk Management

The executives examine how perceptions and understandings of risk differ at different organizational levels, as well as strategies for ensuring a cohesive and consistent approach to risk management across an organization.

“Risk from the operational teams is straightforward I feel as it is their daily job to keep production up and running. Tying this localized production to a grander scale is where we start to see differing views on risk occurring,” Smith mentioned. “At a site level, they are constantly monitoring issues, reporting requirements, and looking for increased budgets to address end of life/sale of hardware and software.” 

However, he added that when looking across globally distributed production, if a facility in Brazil carries the same risk as a production facility in Germany but produces only a tenth of the output, then the impact assessment and budget should be focused on the German facility.

“This is where the breakdown usually occurs when addressing risk as both sites feel the need for a budget, but the executive team must allocate resources and funds according to revenue and potential business interruption,” Smith identified. “Having clear communication between localized teams and global executive groups can really aid in better risk hygiene and strategies for budgeting and mitigating risk.”

Risk management necessitates a holistic approach because multiple disciplines can contribute to risk through faulty processes and practices, Koelemij noted. “Therefore, a multi-tier framework that aligns risk management across various disciplines and decision-making is essential.” 

He added that one key differentiator between OT and IT is the presence of a physical installation and its many upstream and downstream dependencies. “A cyber-attack not only affects the functionality of the process automation system but also interacts with process dynamics. Additionally, the impact on upstream and downstream processes and various logistic and quality control processes makes a consistent and aligned risk management process necessary.”

Benson highlighted that perception of risk is always going to be skewed by the bias of who is asked about risk within the organization. “In operational environments, not unlike other risk environments, engineers and responsible security staff will generally have a feeling that their ‘slice of the pie’ is the most critical or most important function or system to protect.” 

The reality is that approaches like a crown jewels assessment or an asset criticality assessment—where objective and quantitative risk is married with subject matter expertise and qualitative judgments—are generally going to provide a much more stable platform or foundation from which to develop risk management approaches, according to Benson. Defending ‘the ocean’ of systems or threats in an operational environment is not a sustainable approach to implement in high-capital, high-hazard environments, he added.

Anderson identified that the perception and understanding of risk varies depending on an individual’s role and perspective. “At an executive level, individuals focus more on strategic risks, financial impacts, and overall organizational resilience. Helping executives understand the financial impacts and business disruptions that can occur from specific risks can help to ensure a consistent approach to risk management at their level,” he added. 

Strategizing Cybersecurity Alignment and Risk Management in OT environments

The executives analyze immediate actions to align cybersecurity efforts with organizational risk management in OT environments. They also explore the most effective ways for critical infrastructure organizations to incorporate cybersecurity risks into the risk register for OT environments, and identify potential challenges that may arise during this process.

Smith said that providing a well-documented risk matrix can help align risk management with cybersecurity needs. “This shows a deep understanding of what equipment is end of life/sale, currently sitting with multiple known exploits/vulnerabilities, and can address the need for compensating controls to ensure the denial of external/remote access to these high-risk pieces of equipment. This level of detailed knowledge is a must requirement for adopting into the risk register of OT environments.”

He reiterated his earlier point: “This is easier said than done, but starting to plan to map the matrix is the first step.”

Koelemij listed that asset owners must first recognize the comprehensive nature of OT risk and the necessity of addressing it holistically. For example, isolated approaches to OT incident responses should be avoided, and these response processes need alignment with related incident response processes, such as those for process safety incidents. 

Secondly, Koelemij highlighted that OT security risk should be managed by multi-disciplinary teams to enable a more balanced approach to risk mitigation. In some cases, non-digital security measures can be more effective than adding a purely ‘digital’ solution. 

Finally, he added that organizations must realize that in the sequence of people-process-technology, technology is the final element. “Purchasing a technical solution is generally ineffective if there is no process to manage it. Processes are not effective if people are unaware of the hazards and lack the necessary training to reduce the risk.”

Benson noted that immediate actions include leveraging existing risk studies and involving cyber risk experts who can speak both languages, “otherwise you’ll end up with a bunch of threats and risks that have zero context to operational risk and operations at large or, on the other side of the coin, you’ll have zero cyber risks and engineers will claim the entire facility is hardened, air-gapped, or generally impervious to a cyber incident. However, the reality is usually somewhere in the middle,” he added.

“In order to align cybersecurity with organizational risk you need to first conduct a comprehensive risk assessment,” Anderson assessed. “The risk management team needs to be a cross-functional group of people with cybersecurity representatives from IT and OT, you should also have some executive leadership as sponsors who are willing to sit in on important discussions. With this team developed, it is important to establish roles and responsibilities for all involved.”

Anderson added that for incorporating cyber risks into the OT risk register, it is important to clearly define risk criteria wherever cyber risk exists in the OT environment. “Factors that include impacts to safety, operational disruption, and regulatory compliance should be brought to light. Challenges might come from different perspectives, but it is important to clearly articulate the perspectives of individuals from each group involved. Coming away with alignment helps to keep everyone on the same page,” he commented.

Balancing Urgency and Planning for Cybersecurity in OT Environments

The executives look into the measures that organizations can take to strike a balance between the urgency of addressing cybersecurity risks in OT environments and the need for comprehensive risk assessments and planning.

“I always come back to process and safety. If downtime or safety of human lives could be a product of a cybersecurity event, then these events are no longer strictly a cybersecurity responsibility but fully a compliance and safety risk,” Smith detailed. “These can be easily flushed out during a tabletop exercise by specifically focusing on the cybersecurity risk and walking through an incident response plan.”

At the end of the day, Smith said that it comes down to a scoring mechanism that can bridge the gap between cybersecurity and risk management. “Hence the criteria for a detailed matrix allowing the working groups to vote and assume risk based on their contribution to the overall risk profile of the company.”
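To make the scoring mechanism concrete, here is an added example (not code from Industrial Cyber or from any of the interviewees) of a small OT risk register that combines the matrix criteria Smith lists (process impact, safety impact, external connectivity, end of life, known exploits, business interruption) with the site-weighting he describes and the criticality-based triage Anderson recommends. The 1-5 impact scales, the exposure weights, the triage thresholds and the sample assets are all assumptions constructed for this example; a real register would calibrate them with the plant's own safety and reliability engineers.

```python
from dataclasses import dataclass
from typing import List, Optional


# Scales below are assumptions for this example: impact values run from
# 1 (negligible) to 5 (severe); site_revenue_share is the site's fraction of
# global production value, the "business interruption" driver in Smith's matrix.
@dataclass(frozen=True)
class OTAsset:
    name: str
    site: str
    process_impact: int          # consequence for production if compromised
    safety_impact: int           # consequence for people/environment if compromised
    externally_reachable: bool   # reachable from IT or remote-access networks
    end_of_life: bool            # hardware/software/firmware no longer supported
    known_exploits: int          # public exploits for the installed version
    site_revenue_share: float    # 0.0-1.0, share of global output


def criticality(asset: OTAsset) -> int:
    """Consequence side of the matrix: the worse of process and safety impact (1-5)."""
    return max(asset.process_impact, asset.safety_impact)


def exposure(asset: OTAsset) -> int:
    """Likelihood side (1-6): baseline 1, +2 if externally reachable,
    +1 if end of life, +1 per known exploit (capped at +2). Weights are assumptions."""
    score = 1
    if asset.externally_reachable:
        score += 2
    if asset.end_of_life:
        score += 1
    score += min(asset.known_exploits, 2)
    return score


def local_risk(asset: OTAsset) -> int:
    """The site-level view: what the plant team sees (1-30)."""
    return criticality(asset) * exposure(asset)


def business_weighted_risk(asset: OTAsset) -> float:
    """The executive view: the same local risk scaled by the site's share of output,
    so two sites with identical local risk rank by what an outage would cost."""
    return round(local_risk(asset) * asset.site_revenue_share, 2)


def triage(asset: OTAsset) -> str:
    """Criticality-based triage: urgent risk on low-criticality systems can be
    accepted, highly critical and highly exposed systems need immediate remediation."""
    c, e = criticality(asset), exposure(asset)
    if c >= 4 and e >= 4:
        return "remediate now"
    if c <= 2:
        return "accept and record in register"
    return "plan mitigation in next cycle"


def compensating_control(asset: OTAsset) -> Optional[str]:
    """Flag the compensating control Smith names for high-risk, reachable equipment."""
    if asset.externally_reachable and (asset.end_of_life or asset.known_exploits > 0):
        return "deny external/remote access"
    return None


def build_register(assets: List[OTAsset]) -> List[dict]:
    """Return register rows ordered by business-weighted risk, highest first."""
    rows = []
    for a in assets:
        rows.append({
            "name": a.name,
            "site": a.site,
            "criticality": criticality(a),
            "exposure": exposure(a),
            "local_risk": local_risk(a),
            "weighted_risk": business_weighted_risk(a),
            "triage": triage(a),
            "compensating_control": compensating_control(a),
        })
    return sorted(rows, key=lambda r: r["weighted_risk"], reverse=True)


# Constructed sample assets (hypothetical names and values). The German and
# Brazilian HMIs carry identical local risk; Germany produces ten times more.
SAMPLE_ASSETS = [
    OTAsset("HMI-DE-01", "Germany", 5, 3, True, True, 3, 0.50),
    OTAsset("HMI-BR-01", "Brazil", 5, 3, True, True, 3, 0.05),
    OTAsset("HIST-DE-01", "Germany", 2, 1, True, False, 1, 0.50),
    OTAsset("SIS-DE-01", "Germany", 4, 5, False, False, 0, 0.50),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS):
        print(f"{row['name']:<11} {row['site']:<8} local={row['local_risk']:>2} "
              f"weighted={row['weighted_risk']:>5} {row['triage']:<34} "
              f"{row['compensating_control'] or '-'}")
```

Running it shows the two views side by side: both HMIs score 30 locally and are both "remediate now" for their own plant teams, but the German unit ranks first on the weighted register while the Brazilian unit ranks last, which is exactly the budget conversation Smith describes. The historian, low in criticality despite being reachable and carrying a known exploit, is accepted and recorded rather than escalated, while still being flagged for the deny-remote-access compensating control.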

Benson mentioned starting with the processes and equipment that are most critical. “Ask the right questions—what are the systems or functions that are most important for our facility or environment to continue operating safely and with optimal efficiency? What are the systems or functions that, if safety were to be compromised, would result in a catastrophic event?”

He added that it is typically much easier to invest in defending ‘ponds’ of criticality than to develop a comprehensive strategy to defend the entire ‘ocean.’

Security measures should always result from comprehensive risk assessment and effective risk management, Koelemij observed. “Therefore, the practice of implementing a series of security measures without adequate justification and proper risk prioritization should be discontinued.” 

“The first step should involve establishing robust risk management processes. Some security measures consistently enhance resilience, with two-factor authentication for all remote access being a crucial example,” according to Koelemij. “Additionally, it is essential to regularly patch and update antivirus signatures on all equipment that communicates directly with external networks. Furthermore, firewall configurations should be regularly verified to ensure compliance with minimum access principles.”

Anderson said that understanding asset criticality is one measure to balance the urgency of addressing cyber risk and the need for comprehensive risk assessment and planning. “Urgent cyber risk, on systems of low criticality can be accepted, while highly critical systems should seek more immediate remediation. Having teams that understand how to identify and triage the criticalities aids the risk management team in continuing forward with their risk assessment and planning,” he concluded. 
