Building a sustainable defence: How to secure your operational technology (OT) environment


Hacked power stations, crashed airplanes, or dark streets would be a direct result of compromised process control systems. If you were in charge of security, how would you deal with this?

There was a time when remote access to a factory network wasn't possible, and control engineers addressed security issues with air gapping (physically isolating a secure network from unsecured networks). As a strategy, air gapping now seems questionable. Similarly, when China constructed the Great Wall of China, a line of fortification protecting the Chinese from raids and invasions from the north, it made good sense. Today that fortification provides little protection. Somewhat analogous to air gapping, the Great Wall of China was impressive and may have seemed impenetrable at the time, but in the end it was ineffectual against new warfare tactics and technology.

Back in 2011, the German government coined a term for the growing integration of industrial machines with Internet-connected sensors and software that collect data from the machines, examine it and apply it to operations to improve efficiency: Industry 4.0, the fourth industrial revolution. The driver is the ever increasing use of IT within industrial solutions, and the motivation, of course, is a more digital supply chain where products are delivered faster and at lower cost. IoT, cloud, BYOD, Industry 4.0 or whatever you call it is here to stay, so we had better figure out a secure way to integrate this technology. Gartner made the same observation when it estimated in late 2014 that manufacturing, utilities and transportation would be the top three verticals using IoT in 2015.


IT versus OT

As mentioned, network connected devices in the OT environment within the factory introduce new demands on security. However, securing an operational technology (OT) environment is different from securing a traditional information technology (IT) environment. Where IT tends to focus on protecting digital information, OT focuses on protecting people and physical assets. Take, for example, an airplane. A confidentiality breach of its data system may result in a hacker getting hold of a passenger list or similar documents. An integrity breach of the airplane's control system, however, could severely affect the pilot's ability to control and operate the airplane. Therefore, secure solutions specific to OT require an industrial mindset, purpose-built technology and specific OT security expertise.

At a recently held Danish ICS conference (IT security in the energy and supply sector / IT sikkerhed i energi og forsyningssektoren) the final panel debate concluded that the best advice for a given company, going forward, is to assess its current maturity and plan from there. Maturity of what, I might ask. Normally, maturity is evaluated with respect to the policies, processes and procedures that make up a management system, so which management system is most appropriate in the OT environment? Companies operating critical infrastructure or running an in-house production line often struggle with the implementation of an OT security program, and even though they can follow ISO 27000, NIST SP 800-53/82 or ISA-99, none of these offer guidance on how to implement an OT management system.


Where to start

As in the airplane example given earlier, the integrity and availability of the control systems are far more important than confidentiality, and this change of priorities compared to typical IT is important to understand when facing production. The solution is therefore to establish a risk based security program for the OT environment that co-exists with the IT/IS security program. Select a management framework, such as IEC 62443, which includes a risk based management system. The controls and architecture recommendations are then selected and recommended rooted in Safety, Integrity, Availability and Confidentiality, in that order. A good way to start is to:

  • Establish an OT security program similar to e.g. an ISO 27000 information security program, but based on IEC 62443 and scoped to the OT environment only

  • Identify your critical production assets. Typically these are the production units or production trains

  • Follow up with a complete risk assessment rooted in the production assets, and identify the path to a balanced security approach that mitigates the identified unacceptable risks

  • Rethink the OT architecture production-wide; introduce an architecture that separates the critical assets and that includes areas which remain air gapped, areas which are semi air gapped, and areas which are fully open, including cloud and IoT

  • Separate the users from the production systems wherever possible and gain the advantages typically offered by IT (e.g. a secure remote access solution for all users)

  • Streamline the data streams. This often goes hand in hand with the OT architecture. Once the data streams have been organized, you can use the more advanced security offerings (such as an IDS/IPS operated by a SOC/SIEM)

  • Govern the OT environment continually, the same way you would in a typical IT security management setup
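The risk-prioritization and zoning steps above, worked through as an added Python example that is not part of the original column; the asset names, scores, thresholds and zone policy are constructed assumptions, not prescriptions from IEC 62443:

```python
# Added example, not code from the NNIT article. It applies two points from the
# list above: rank OT risks in the order Safety, Integrity, Availability,
# Confidentiality, and check that data flows between production zones follow an
# explicit conduit policy. All names, scores and rules are constructed.
from dataclasses import dataclass

PRIORITY = ("safety", "integrity", "availability", "confidentiality")
# Lower tolerance (likelihood x impact) for the higher-priority dimensions.
THRESHOLDS = {"safety": 8, "integrity": 10, "availability": 12, "confidentiality": 16}

@dataclass(frozen=True)
class Risk:
    asset: str
    scenario: str
    likelihood: int        # 1 (rare) .. 5 (frequent)
    impact: dict           # dimension name -> impact 0..5; a missing key means 0

def risk_key(r):
    """Lexicographic key: safety outranks integrity, which outranks availability, ..."""
    return tuple(-r.likelihood * r.impact.get(d, 0) for d in PRIORITY)

def rank_risks(risks):
    """Asset names, highest-priority risk first."""
    return [r.asset for r in sorted(risks, key=risk_key)]

def unacceptable(risks):
    """Assets whose score on any dimension reaches that dimension's threshold."""
    return [r.asset for r in risks
            if any(r.likelihood * r.impact.get(d, 0) >= THRESHOLDS[d] for d in PRIORITY)]

# Conduit policy between zones. Fully air-gapped zones are deliberately absent:
# no conduit into or out of them is ever allowed.
ALLOWED_CONDUITS = {
    ("semi_air_gapped", "open"),   # one-way export, e.g. through a data diode
    ("open", "cloud"), ("cloud", "open"),
}

def validate_conduits(zones, flows):
    """Return the (source, destination) flows that violate the conduit policy."""
    return [(src, dst) for src, dst in flows
            if (zones[src], zones[dst]) not in ALLOWED_CONDUITS]

# Constructed sample data for a small plant.
RISKS = [
    Risk("Packaging line", "Ransomware halts the line", 3, {"availability": 4, "confidentiality": 1}),
    Risk("Boiler PLC", "Setpoint tampering", 2, {"safety": 5, "integrity": 5}),
    Risk("Historian", "Recipe data leaked", 3, {"confidentiality": 4}),
]
ZONES = {"Boiler PLC": "air_gapped", "Packaging line": "semi_air_gapped",
         "Historian": "open", "Analytics": "cloud"}
FLOWS = [("Packaging line", "Historian"), ("Historian", "Analytics"), ("Analytics", "Boiler PLC")]
```

Calling rank_risks(RISKS) puts the boiler PLC first even though the historian leak has the same raw score, and validate_conduits(ZONES, FLOWS) flags the cloud-to-air-gapped flow.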


Complicated? Perhaps, but basically it is a governance framework similar to what is already used within IT, ensuring that threats are identified and effectively addressed in the OT environment. Only by doing this can we ensure that our planes do not crash in the future and that the streets remain lit at night.

______________________________________________________________________________________

About NNIT Security Insights

NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.

NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses achieve the right level of security, protecting the business from financial and reputational damage.

You are welcome to contact us at itmanagement@nnit.com if you want to know more about how NNIT can help your business increase its information security level.

Helge Skov Djernes, Information Security Management Consultant, +45 30758868, hfsd@nnit.com, https://www.linkedin.com/in/helgeskovdiernaes/