Intensifying need to strengthen cybersecurity controls throughout OT lifecycle, mitigate risks

In a recent post for the World Economic Forum (WEF), Qusai AlRabei, senior OT cybersecurity leader for governance at Schneider Electric, identified that despite existing frameworks to secure operational technology (OT) environments, cybersecurity controls are often relaxed or overlooked during key lifecycle phases, increasing vulnerability to cyber threats. Risks can open up during Factory Acceptance Testing (FAT), Site Acceptance Testing (SAT), shutdown maintenance, and brownfield services. The post also laid out a plan for how OT cyber risks can be mitigated.

AlRabei highlighted that the early months of 2023 saw notable cyberattacks: a ransomware strike on a U.S. water plant in January; a European power grid disruption in February; and an Asian transportation company’s operational halt in March. These incidents emphasize the importance of stringent cybersecurity throughout the OT system lifecycle, especially in critical stages.

The WEF post said that during FAT, a pivotal stage in the OT system lifecycle, the system is tested in a controlled environment to confirm adherence to design requirements. During FAT, however, cybersecurity controls often become less stringent, with emphasis primarily on design specifications over security, unless explicitly included in the scope. It’s crucial to integrate essential high-level cybersecurity controls at this stage to prevent transferring risks or threats to the site post-FAT. This proactive approach is key to maintaining robust security throughout the system’s lifecycle. 

Controls include, but are not limited to, security of the staging area, people, asset lists, access controls, secure configuration, vulnerability and patch management, and incident management.

AlRabei said that staging areas, designated for pre-deployment system testing, require secure measures to prevent unauthorized access, thereby avoiding the introduction of malware or other threats into production environments. People are always the weakest point in any security system. It is important to educate employees about best cybersecurity practices. This includes training on how to identify phishing activities, handling sensitive project information, complying with cybersecurity requirements, and identifying and reporting a cybersecurity incident.

The asset list includes a comprehensive list of all hardware and software assets used in a specific project and is the main pillar used to detect and understand if any changes have occurred. It contains information about firmware versions, OS, IP addresses, MAC addresses, vulnerabilities, what was patched and what wasn’t, the latest updates to end-point security, etc. The list must be maintained and updated regularly to ensure that all assets are secured, as well as to enable vulnerability and patch management.

When it comes to access controls, AlRabei identified that these measures are essential to prevent unauthorized access to sensitive information and systems. This includes implementing strong password policies, multi-factor authentication (MFA), and other mechanisms to ensure that only authorized personnel can access sensitive areas or functions. Secure configuration involves implementing security best practices when configuring hardware and software systems. This includes disabling unnecessary services and ports, using strong encryption, and implementing other security measures to reduce the attack surface of a system.

Vulnerability and patch management involves regularly scanning systems for vulnerabilities and deploying patches to fix known issues. This is critical to prevent attackers from exploiting known vulnerabilities to gain access to sensitive information or disrupt operations.

Incident management involves having a plan in place to respond to cybersecurity incidents when they occur. This includes identifying the scope of the incident, containing it, and recovering from it, as well as conducting a post-incident analysis to identify areas for improvement. AlRabei detailed that all these controls must be implemented and documented during the FAT milestone to ensure that potential risks are not transferred to the site.

The SAT/shutdown maintenance window and brownfield services milestones also pose a cybersecurity risk to the OT system. During these milestones, the system is tested in its actual environment and any issues are addressed. These milestones, however, may require taking the system offline, and cybersecurity controls may be relaxed to facilitate maintenance activities.

AlRabei also detailed that third-party contractors may not be familiar with the system’s cybersecurity controls, leading to potential cybersecurity problems with the completion of maintenance work and when the system/plant is brought online again to resume production. This can result in dozens of untraceable changes to the cybersecurity controls, which are either disabled or bypassed.

In addition to the high-level controls discussed during the FAT milestone, AlRabei outlined additional controls that should be implemented during the SAT/shutdown maintenance window and brownfield services, taking into account the dynamic SAT environment.

These controls include environment integration, network integration and firewalls, authentication and authorization, red/blue team testing, and incident response integration. 

As the system is now in its intended network environment, SAT can assess how it interacts with firewalls, intrusion detection systems, and other network security measures, AlRabei wrote. “It can uncover vulnerabilities, such as open ports, that shouldn’t be open or potential for unauthorized network access.” 

When it comes to authentication and authorization, AlRabei said that while these might be tested during FAT, during SAT they’re tested in the context of the operational environment, for instance, how the system integrates with the enterprise’s identity and access management solutions. Sometimes, organizations might choose to perform more aggressive penetration testing (red team exercises) during SAT to see how the system holds up against simulated cyberattacks in its actual environment.

To mitigate these risks, AlRabei said that end-users, contractors, vendors, and suppliers must establish and adopt a robust change management process that includes proper documentation, approval mechanisms, testing, and validation procedures. “This process should ensure that all changes, including those made during the critical and gap periods, are properly tracked, assessed for security implications, and validated before the system’s commissioning. A more advanced and strict approach is to assign a dedicated cybersecurity officer to follow up and document all the changes made at different milestones,” he added.
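The asset list described above as the basis for detecting changes, and the change tracking described here, can be combined into one check before the plant is brought back online. The following is an added example, not code from the WEF post or from Schneider Electric; the field names, asset tags, change IDs and sample data are constructed for illustration.

```python
# Added example. Field names, asset tags, change IDs and data are constructed.
TRACKED = ("firmware", "os", "ip", "mac", "endpoint_sig", "open_ports")

FAT_BASELINE = [  # asset list documented at the FAT milestone
    {"tag": "PLC-01", "firmware": "2.1.0", "ip": "192.0.2.11",
     "mac": "00:00:5E:00:53:01", "open_ports": [502]},
    {"tag": "HMI-01", "os": "Windows 10 LTSC", "ip": "192.0.2.21",
     "mac": "00:00:5E:00:53:02", "endpoint_sig": "2023-10-01", "open_ports": [443]},
]
POST_MAINTENANCE = [  # asset list re-collected before the plant goes back online
    {"tag": "PLC-01", "firmware": "2.2.0", "ip": "192.0.2.11",
     "mac": "00:00:5E:00:53:01", "open_ports": [502]},
    {"tag": "HMI-01", "os": "Windows 10 LTSC", "ip": "192.0.2.21",
     "mac": "00:00:5E:00:53:02", "endpoint_sig": "2023-10-01", "open_ports": [443, 3389]},
    {"tag": "LAPTOP-07", "os": "Windows 11", "ip": "192.0.2.77",
     "mac": "00:00:5E:00:53:4D", "open_ports": []},
]
APPROVED_CHANGES = [  # records from the change management process
    {"id": "CHG-0001", "tag": "PLC-01", "field": "firmware", "validated": True},
]

def diff_asset_lists(baseline, current):
    """Return (tag, field, old, new) for every difference between two lists."""
    base = {a["tag"]: a for a in baseline}
    cur = {a["tag"]: a for a in current}
    changes = []
    for tag in sorted(base.keys() | cur.keys()):
        if tag not in cur:
            changes.append((tag, "asset", "present", "missing"))
        elif tag not in base:
            changes.append((tag, "asset", "absent", "new"))
        else:
            for field in TRACKED:
                old, new = base[tag].get(field), cur[tag].get(field)
                if old != new:
                    changes.append((tag, field, old, new))
    return changes

def untraceable(changes, approved):
    """Keep only changes with no validated change record for (tag, field)."""
    covered = {(c["tag"], c["field"]) for c in approved if c["validated"]}
    return [c for c in changes if (c[0], c[1]) not in covered]

if __name__ == "__main__":
    for tag, field, old, new in untraceable(
            diff_asset_lists(FAT_BASELINE, POST_MAINTENANCE), APPROVED_CHANGES):
        print(f"UNTRACKED {tag}: {field} {old!r} -> {new!r}")
```

In the constructed data, the approved firmware update passes, while the newly opened port on the HMI and the unlisted laptop are reported as changes with no change record.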

In November, the WEF published a paper providing guidelines to ensure cybersecurity in the OT environment, at a time of increasing digitalization and convergence of the OT and IT (information technology) environments. Ensuring OT cybersecurity is fundamental for the continuation of industrial operations, which are essential for keeping global economies and infrastructures running.
