New WEF paper lays down five guiding principles to bring about cybersecurity across OT environments


The World Economic Forum (WEF) published last week a paper providing guidelines to ensure cybersecurity in the operational technology (OT) environment, at a time of increasing digitalization and convergence of the OT and IT (information technology) environments. Ensuring OT cybersecurity is fundamental for the continuation of industrial operations, which are essential for keeping global economies and infrastructures running. 

To this end, the WEF collaborated with partners from the electricity, manufacturing, and oil and gas industries, and developed a list of guiding principles and a set of best practices. These can help cyber leaders safeguard, maintain, and monitor their industrial OT environment as well as ensure business continuity. While many organizations may already have some measures in place to ensure a cyber-resilient OT environment, shared guidance can help manage cyber risks at the ecosystem level to increase systemic resilience.

The action group ‘Securing the OT environment’ convened cyber leaders from the electricity, manufacturing, and oil and gas industries around the topic of OT cybersecurity, and has developed a set of five guiding principles to help industrial organizations address cyber risks and build resilience as the IT/OT convergence continues. 

In its paper titled ‘Unlocking Cyber Resilience in Industrial Environments: Five Principles,’ the WEF listed the following:

  • Principle 1: Perform comprehensive risk management of the OT environment
  • Principle 2: Ensure OT engineers and operators of installations have responsibility for OT cybersecurity
  • Principle 3: Align with top organizational leadership, strategic planning teams, and third parties to make security-by-design a reality
  • Principle 4: Make cybersecurity standards and best practices contractually enforceable on partners and vendors to build a cyber-secure OT environment
  • Principle 5: Run joint tabletop exercises to ensure preparedness in case of an actual incident

The WEF identified that to increase overall cybersecurity preparedness and reduce the potential and impact of cyberattacks, industrial organizations must take a comprehensive approach to risk management. This comprises risk assessment – identification of vulnerabilities and gaps that expose an organization to an attack, and of risks that could impede recovery and resilience – as well as mitigation and monitoring strategies. 

For risk management to be robust and complete, it is important that organizations identify and classify assets on the basis of their criticality, value, and sensitivity to the organization’s operations, and create an inventory of the ‘crown jewels’ in their OT environment, which, if compromised, could have a major impact. Once the crown jewels have been identified, organizations should identify how they connect to the network, data flows, etc.

They must also detect security vulnerabilities and threats across the mapped assets and OT environment; identify the consequences that could result if the vulnerabilities are exploited and prioritize mitigation accordingly; identify potential threats, including events and hackers that could target their OT environment; and establish an OT cybersecurity strategy aligned with the overall cybersecurity strategy, outlining the prevention, detection, and response capabilities. This strategy should be reviewed, evaluated, and updated regularly.

WEF pointed to research that shows 95 percent of organizations will place the responsibility for OT cybersecurity under the Chief Information Security Officer (CISO) in the next 12 months. However, considering that cybersecurity is a shared responsibility, the IT team alone cannot have full control of OT cybersecurity; all stakeholders, at all levels of organizational management, need to do their part. 

To share responsibility for OT cybersecurity, OT personnel across industrial organizations need to understand when, how, and why a security breach might occur in the OT environment. Communications on security awareness should be carried out continuously for all OT personnel. They must also know who to contact in case of a security breach or suspicious activity, that is, who to get help from and who to collaborate with for support. 

Different threat detection technologies used by IT and OT could detect threats in the OT environment, the paper revealed. “Therefore, cooperation and communication between the IT and OT departments is essential to ensure that all staff have clearly and precisely defined roles and responsibilities for working together on incident response in OT. The vulnerabilities and risks (including inherited risks) that each connected device in the OT environment brings,” it added.

It further identified that OT personnel should build a relationship with the SOC and CISO teams to ensure the transfer of knowledge on security architecture and policies, including the prevention, detection, analysis, and response to cybersecurity incidents. Among the OT personnel, a ‘Cyber Champion’ should be appointed in each facility who can help with cyber issues during crises.

Addressing its third principle, the WEF paper recognized that most of the existing OT was not designed with cybersecurity in mind. Security-by-design is a process rather than a one-time ‘bolt-on’ effort and as such should go beyond integration of security during the design and development phase of a product/service. 

To enforce a security-by-design approach in the OT environment, organizations should raise cybersecurity issues and risks to corporate management to ensure that critical OT systems are safeguarded from potential risks and vulnerabilities from the outset by organizing executive briefings to highlight the impact of OT cyber risks on business operations, finances, and reputation. 

They must also develop and present risk assessments to communicate the interplay between OT cybersecurity breaches, operational downtime, and compliance penalties, while also sharing case studies illustrating real-world examples of cybersecurity incidents in the OT environment and the consequences experienced by organizations that were caught off-guard. Furthermore, they must encourage the integration of OT cybersecurity into the overall business strategy to ensure competitive advantage by demonstrating commitment to protecting critical OT infrastructure. Doing so can help foster overall resilience across industry ecosystems.

Third-party suppliers and vendors differ in the way they approach cybersecurity. Nevertheless, they have to guarantee the security of their product or service and take responsibility for what is delivered. To build a secure OT environment and ensure successful collaboration with and enforcement of security standards by partners and vendors, industrial organizations should conduct thorough due diligence on both IT and OT cybersecurity posture before collaborating with any third-party vendors and suppliers. 

The assessment should cover how a cyberattack against a third-party vendor or supplier could impact operations by classifying and categorizing third parties according to their level and type of risk before they can access facilities, networks, and confidential information. They must also incorporate a list of baseline security requirements for third-party vendors and suppliers with access to facilities, network, and confidential information within the security framework, include OT cybersecurity requirements in contracts, and continuously audit vendor and supplier security performance to ensure they are adhering to previously agreed security controls. 

The WEF paper also called for running joint tabletop exercises to ensure preparedness in case of an actual incident. To ensure maximum preparedness and amplify its benefits, the tabletop exercise should include key personnel and should have clearly defined and achievable objectives. 

Organizations should use security scenarios based on real events, leverage and adapt existing crisis management procedures to the cyber context, engage the correct stakeholders that go beyond IT and OT personnel, and clarify the representation of OT cyber competence in incident response to ensure preparedness when a threat event occurs and explore whether operations can be run in the OT environment without the IT. They must also include OT sites across multiple geographies and consider the legal aspects that may arise; identify weaknesses/gaps in the incident response and include lessons learned in the post-drill analysis reports, and produce and continuously update the executives’ playbook with lessons learned from such exercises. 

Implementation of OT cybersecurity principles alone is not enough. Tracking their progress and continuous assessment of impact is key in order to ensure the effectiveness of the principles and that organizations are adapting to the new processes. To monitor the implementation of OT cybersecurity principles, organizations should perform regular audits to monitor compliance with the OT cybersecurity principles, conduct real-time monitoring to discover, identify, and assess devices and vulnerabilities within the OT environment, and develop a strategic roadmap and process for reporting to the corporate board about progress on OT cybersecurity. 

They must also send data regularly to the security operations center (SOC) to ensure timely detection, investigation, and response to security incidents; conduct physical walk-throughs and inspections of OT sites; review and define job and role descriptions to ensure cybersecurity roles and responsibilities for OT personnel; and perform periodic benchmarking to assess maturity on OT cybersecurity principles. Additionally, organizations can ensure tabletop exercises are a recurrent activity to monitor progress on incident response, carry out threat hunting in OT, and seek indicators of potential compromise.

To address evolving cybersecurity challenges, companies must review and adopt proper governance measures considering that existing cybersecurity controls and standards may not be applicable to the use of new technologies in OT. The introduction of new technologies needs a skilled talent pool that possesses an understanding of both traditional OT systems and sophisticated new digital solutions. 

Other measures that can help organizations address some of the cybersecurity issues arising from the adoption of new technologies in OT include developing a clear change management program, introducing network segmentation, implementing layered security controls to mitigate vulnerabilities, and having accessible and updated documentation featuring cybersecurity best practices.

The introduction of new security models, such as zero trust, is becoming increasingly relevant in the context of both old and new cybersecurity threats in OT, the WEF paper disclosed. “Research from 2022 shows that 88% of OT cybersecurity leaders in the US have already taken some steps to adopt zero trust. While the intent to deploy zero trust in OT may exist, successful implementation remains somewhat of a challenge due to a lack of internal knowledge, conflicting direction from leadership, and lack of resources,” it added. 

To allow for the application of zero trust across OT environments, organizations need to have ‘good’ awareness of the overall security model and define zero trust practices in OT environments, secure top management approval and sponsorship, establish a clearly defined zero trust strategy and roadmap, decide on reasonable zones of zero trust deployment as opposed to total zero trust deployment, and be careful about vendor selection and question the “silver bullet” of the product offering.

In its conclusion, the WEF paper recognized that the adoption of these principles in the OT environment is imperative to cope with cybersecurity risks and enable the longer-term benefits of the digitalization of the OT environment. “This should not be a plug-and-play exercise. It must be complemented with work in areas already embedded into the industry culture such as safety, and with significant investment in skills and in the workforce. Given the complex ecosystem, close collaboration and commitment from all public and private stakeholders across the industry is essential to ensure cyber resilience in the OT environment,” it added. 

Last month, the WEF published a white paper that lays out the response of the WEF Systems of Cyber Resilience: Electricity (SCRE) community. It focuses on addressing conflicts in cybersecurity requirements, identifying priority sectors and regions, evaluating international dialogues, reviewing ongoing global initiatives, and exploring regulatory reciprocity.
