An evolving threat landscape for plant security is attracting more attention to the development of operational technology (OT)-specific cybersecurity programs, underlining the importance of collaboration and blurring the line between cyber- and physical security
Cybersecurity threats against critical infrastructure sites, including chemical process industries (CPI) facilities, have been expanding in frequency, magnitude and sophistication. CPI sites are among those being targeted specifically because of vulnerabilities related to several factors, including large numbers of employees, suppliers and third-party contractors, as well as complicated cybersecurity protection requirements. Meanwhile, the ongoing digital transformation and greater connectedness of plant assets has meant a closer integration of traditional information technology (IT) systems with plant operational technology (OT) systems. This integration opens a much larger possible attack surface for cyber actors to exploit.
Greater cyber risk, coupled with the unique requirements of OT-system security, has spurred the industry to shift toward a more proactive approach to cyber protection that faces the changing threat landscape by focusing on the unique characteristics of OT cybersecurity to create an OT-specific cybersecurity program. While the cybersecurity risks for OT environments are growing, significant progress is being made.
Evolving threat landscape
In decades past, OT systems were largely isolated, running proprietary control protocols and using specialized hardware and software. With the acceleration of the digital transformation, OT systems are increasingly adopting IT solutions to enable connectivity for process optimization and remote access capabilities. IT-standard computers, operating systems and network protocols are more integrated with OT environments, supporting a broad range of capabilities, but also complicating the task of securing OT systems.
FIGURE 1. The IT/OT convergence has enlarged the possible surface area for cyberattacks, with most attacks initiated through the IT system
“Nation-state actors and cybercriminals are increasingly targeting operational technology systems used in critical infrastructure sectors,” explains Eran Fine, CEO of NanoLock Security (Hod Hasharon, Israel; www.nanolocksecurity.com). The IT/OT convergence has introduced “vast new cyber risk exposure that organizations are still struggling to fully grasp and mitigate,” Fine says. “It demands rethinking how cybersecurity tools, controls and processes are implemented to maintain both information security and operational resilience.”
In leveraging the convergence between IT and OT systems, cyberthreat actors have grown their capabilities to carry out disruptive attacks on vital services, representing a concerning shift from previous years, Fine remarks.
Greg Hatcher, co-founder of White Knight Labs (Grand Rapids, Mich.; www.whiteknightlabs.com) confirms the cybersecurity challenge of IT/OT convergence: “Most cyberattacks are initiated from the IT space, and then attackers pivot to OT,” says Hatcher. “And companies generally lack network segmentation, which is needed to prevent hackers from moving from the IT system to the OT network.”
A recent study commissioned by Rockwell Automation and conducted by Cyentia Institute supports this, finding that over 80% of a set of 122 cyberincidents involving OT and industrial control systems (ICS) started with an IT-system compromise attributed to increasing interconnectivity across IT and OT systems and applications.
“Ransomware attacks have really taken off in terms of frequency over the past year,” comments Mackenzie Morris, senior industrial consultant at Dragos Inc. (Hannover, Md; www.dragos.com), so organizations are becoming more proactive about cybersecurity to get ahead of the curve. “Over the past year or so, we have been seeing an increasing commoditization of cyberattacks, with ransomware-as-a-service being offered by cybercriminals and many more smaller groups getting involved,” Morris says.
“The unfortunate reality is that it’s no longer a matter of ‘if’ a company will get attacked; it’s a matter of ‘when,’” says Tom Cottle, principal functional safety and cybersecurity consultant at AcuTech Consulting Group (Vienna, Va.; www.acutech-consulting.com). He points out that malware and attack strategies show an increasingly sophisticated understanding of OT-specific knowledge on the part of cyber-adversaries.
Not all cyberthreats originate outside the perimeter, however. The threat of insider attacks is growing in importance, especially among CPI facilities, because of the large network of suppliers, employees and independent contractors working on globally dispersed sites.
“Insider threats represent one of the most significant vulnerabilities facing industrial and critical infrastructure cybersecurity today,” NanoLock’s Eran Fine says. Insider attacks can be the result of intentional malicious actions, stolen credentials or even mistakes, Fine explains, but they have the potential to be highly damaging because insiders are likely have knowledge that those outside a company would not.
NanoLock recommends that organizations address credential abuse by monitoring and managing permissions, keys and passwords among employees and third-party contractors. “Privileged users, in particular, require additional safeguards and oversight to prevent unauthorized access, and insider privilege exploitation by contractors is an obstacle that must be overcome,” Fine says.
One additional challenge for OT cybersecurity is the compatibility of legacy devices and software with modern security tools. Older legacy systems may not be able to support protections designed for modern IT systems, Fine says.
A positive sign in addressing these concerns is that companies have seemed much more willing to collaborate with peer organizations in this area than has been the case in the past. “Cooperation among organizations in cybersecurity has really accelerated recently,” Dragos’ Morris says. “Especially when it comes to participation in ISACs [information sharing and analysis centers] that are specific to industrial-sector cybersecurity. This type of collaboration allows organizations to share threat intelligence and quickly paint an overall picture of industrial cyberthreats.”
An example of this is Dragos’ Neighborhood Keeper Collective Defense System, a free, opt-in, anonymized information-sharing network available to all those using Dragos’ cybersecurity platform for OT/ICS. Neighborhood Keeper is capable of detecting supply-chain risks and equipment threats, acting as a sort of collective defense while enabling industry and government partners to leverage the system as a cyber national-broadcasting service.
“Companies are much more willing to share tactics through third-party reporting organizations,” says Tom Cottle from Acutech. “The message — that companies need to ‘play nice’ with each other in this area — seems well received,” says Cottle. At one time, collaboration on process safety was a challenge, but now there is substantial cooperation on safety concerns — “the same will happen for cybersecurity,” he says.
Programmatic approach
A response to increased cybersecurity risk and increased cybersecurity regulatory attention (see section titled “Cybersecurity Regulations and Standards Updates”) on the part of CPI companies and other industrial entities, has been to adopt a more proactive strategy that aims to build a cybersecurity program specifically tailored to the characteristics of industrial OT systems.
James Goosby, executive-in-residence at the McCrary Institute at Auburn University (Auburn, Ala.; www.mccrary.auburn.edu), says over the past couple of years, “There seems to be a shift to a more proactive, ownership-based approach to OT cybersecurity.” It’s not optimal to holistically farm out OT cybersecurity to outside entities, Goosby says, because robust cybersecurity requires a close and detailed understanding of the assets and systems you are trying to secure. “To do that, you need a programmatic approach to cybersecurity risk mitigation,” he notes. “It’s not enough to rely on ones and zeros — you have to understand where all of your cyber assets are, which assets are connected to the network, as well as how those connections are made, and for what purpose.”
Chuck Tommey, digital connectivity executive at Siemens AG (Munich, Germany; www.siemens.com) agrees: “Companies need to make sure they have an OT-specific cybersecurity program. Many still don’t,” he says. A majority of companies have some cybersecurity-related tools in place, but lack an overall, holistic plan, and lack the personnel resources to execute it (see section entitled “Workforce issues”).
Tommey echoes the analogy between safety and cybersecurity: “Companies need a programmatic approach to OT cybersecurity that mirrors the one they have for safety. All industrial companies have a continuous improvement mindset for safety — the same thing needs to happen for cybersecurity.” Industrial facilities need to develop a culture of cybersecurity responsibility, Tommey says, including awareness training, disposal of used equipment and other areas.
As a path to begin operationalizing OT cybersecurity, “there has to be a board-level person who ‘owns’ OT cybersecurity,” Tommey continues. For example, someone should have the responsibility of maintaining and updating the OT cybersecurity program, once developed, and the OT security program needs an executive-level sponsor who can collaborate with IT personnel. There should be a cyberincident-response plan, and of course, Tommey continues, the program needs a budget.
Programmatic approaches include not only prevention of intrusions, but also response to security incidents. “Only about half of all companies in this space have an incident-response plan that is focused on the ICS and OT,” says White Knight Labs’ Hatcher. “Some have tried to ‘cut-and-paste’ IT-centric response plans, and use them in the OT space, but that generally does not work well,” Hatcher says.
Zero-trust
One cybersecurity concept that has been receiving a good deal of attention recently is that of “zero-trust” approaches to OT cybersecurity. Zero-trust refers to a cybersecurity paradigm that is focused on resource protection and that is based on the premise that trust must be continually evaluated, rather than implicitly granted. According to the U.S. National Institute of Standards and Technology (NIST; Gaithersburg, Md.; www.nist.gov), zero-trust architecture “is an end-to-end approach to enterprise resource and data security that encompasses identity, credentials, access management, operations, endpoints, hosting environments and interconnecting infrastructure.” NIST says the initial focus should be on restricting resources to those with a need to access, and grant only the minimum privileges (such as read-only, write, delete) needed to perform the mission.
Zero-trust approaches represent a departure from previous network-protection schemes that focused on perimeter defense and where authenticated subjects are given authorized access to a broad collection of resources once on the internal network, NIST explains. In this situation, unauthorized lateral movement within the environment is a significant challenge.
“Zero-trust architectures that verify all users, limit access and protect critical data and functions are essential,” according to NanoLock. “There has been a growing push recently to take a device-level, zero-trust approach focused on prevention, rather than just detection,” NanoLock says. “OT networks differ in plant facilities and industries. OT security measures must account for this heterogeneity, and protect at the device level.
Cybersecurity risk assessment
The parallels between safety and cybersecurity are evident in the practice of risk assessment, which is also gaining more attention in cybersecurity contexts. AcuTech’s Tom Cottle says “We are now using a HAZOP/PHA [hazard and operability and process hazards analysis] model similar to what you would find for process-safety risk assessment and applying that method to assessing cybersecurity risk.”
“Previously, there was a large focus on the severity of a possible incident, where the worst-case scenario was imagined — for example, what if hackers obtained access to the ICS? — but it’s hard to say exactly how the severity of an incident would be reduced by the addition of a given cybersecurity measure,” Cottle explains. “Now, the focus is more on the likelihood of a cyberincident, rather than solely the severity. We can try to reduce the chances that an attack will be successful, and determine what measures we can take to realistically reduce the likelihood of a successful attack.”
As companies approach cybersecurity more holistically, the evaluation of risk improves. “In the past, some risk assessment efforts have had the effect of exaggerating certain risks, while missing others,” Cottle says. “Now we are better able to ask questions like, ‘How sophisticated would the attacker have to be to have this or that effect?,’ and ‘How much do they need to know about how our system works to affect it negatively?’”
Of course the “worst-cases” are still very much a concern, but we don’t want to focus on only the most potentially destructive and, by doing that, miss something less destructive, but much more likely to occur, Cottle explains.
New offerings
As the sophistication and scope of cyberthreats expand, the methods, strategies and products aimed at cyberdefense are also evolving.
For example, NanoLock’s OT Defender product is designed to address the increasing threats and changing security demands. It is a device-level, zero-trust solution that protects the integrity of programmable logic controllers (PLCs) against outside adversaries, supply chain actors and insider incidents, including human errors, the company says, whether they are connected to a network or offline, and whether they are new or legacy systems.
A recent development of the product includes features that respond to market demand. For example: audit trails to provide traceability for operational teams, support for multi-vendor PLC environments, a failsafe mechanism to ensure business continuity even in times of crisis, and more, NanoLock says.
In addition to growing its Neighborhood Keeper program, Dragos has been constantly updating both its cybersecurity platform and its professional services offerings. “We are continually updating the platform in response to customer requirements,” Morris says, and “conducting OT cybersecurity assessments coupled with penetration testing to look for specific vulnerabilities.”
White Knight Labs also offers penetration testing services, recently adding a “deep-fake-as-a-service” simulated attack that impersonates voices from recorded audio, as well as continuous threat exposure management, Hatcher says.
In other offerings, Siemens has introduced three software packages that were all developed, tested and used internally at the company before being offered more widely. “We’ve learned a lot about what works and what doesn’t work,” says Siemens’ Tommey. “For example, Siemens SINEC Security Inspector enables regular and comprehensive checks on the security status of entire OT/IT network environments to identify non-compliance with OT cyber policies and other potential threats at an early stage, which allows planning and scheduling the remediation, the company says. In addition, the company offers Vilocify, a vulnerability intelligence platform for both IT and OT networks, Tommey says.
Meanwhile, the McCrary Institute is developing and offering educational workshops on Cyber-Informed Engineering (CIE). CIE expands cyber “secure-by-design” concepts beyond the digital realm to the engineering of cyber-physical systems, McCrary says.
“CIE uses engineering expertise to evaluate and mitigate cyber risk early in the design stage, using engineering design and controls, not traditional cybersecurity tools,” the institute explains, adding that implementing CIE requires “a cultural shift for engineering and cybersecurity teams, and new approaches in research, design, operations, education and standards.”
Scott Jenkins
OT Cyber Workforce issues
One of the positive developments in OT cybersecurity has been the broader recognition in recent years of the OT cybersecurity community — individuals who have demonstrated knowledge and experience with operational systems and are focused on the unique needs of industrial control system (ICS) cybersecurity. However, there remains a stark need to bolster the ranks of this profession.
McCrary’s Goosby says the need is great for more professionals in this area who have expertise with OT systems and relevant cybersecurity practices. “There is definitely a workforce issue, where we need to publicize information about these career paths and how to access them,” he opines.
Tom Cottle, of AcuTech Consulting, agrees: “There is a real need for people with expertise both in control systems and cybersecurity to start to remedy workforce issues.” There has been more interaction between IT and OT in recently, and there is a growing recognition that IT and OT need to be integrated, especially when it comes to cybersecurity, Cottle says. Efforts to integrate IT and OT cybersecurity through shifts in organizational alignment are ongoing and improving, he adds.
“Folks with engineering backgrounds and also training in cybersecurity are rare, so most people working in this area have just fallen into it in more haphazard way, Dragos’ Morris says. “There’s no proper pipeline for education in this area at the moment, so there’s definitely a massive expertise gap. “What we have seen bear the most fruit is for companies to take young engineers and train them in cybersecurity,” Morris says.
The McCrary Institute is furthering its development of cyber-informed engineering strategies through a partnership with Tuskeegee University (Tuskeegee, Ala.; www.tuskeegee.edu). The university is fostering awareness of CIE and how it can be applied.
“We want to develop research opportunities with suppliers to bring them into the lab environment and inform the curriculum,” McCrary’s Goosby explains. “We are seeking to leverage knowledge in a collaborative fashion and teach students about what tools are currently used in real-world industry settings.”
Cybersecurity regulations and standards updates
As cyberthreats intensify, governments are wrestling with how to regulate cybersecurity and how to establish and enforce requirements for cybersecurity programs in a diverse field of industry sectors.
“Until recently, cybersecurity standards were essentially voluntary for operators of critical infrastructure,” explains NanoLock’s Eran Fine. “New regulations now call for the adoption of security measures more specific to OT assets and critical infrastructure. They explicitly require proactive, preventative security measures, such as zero-trust and device-level protections, rather than just detection controls,” says Fine.
In September 2023, NIST finalized a new revision of its special publication “Guide to Operational Technology Security” (NIST SP 800-82r3), which advocates “developing security policies, procedures, training and educational material that apply specifically to the OT system.” Among other items, the standard advocates separate authentiication mechanisms for OT and corporate networks, restricting physical access to OT devices and assets and restricting unauthoriized modifiication of data.
In July 2023, the U.S. Securities and Exchange Commission (SEC; www.sec.gov) issued rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incidents by public companies. Meanwhile, in Europe, an update to cybersecurity directive 2022/2555, known as NIS-2, significantly expands the types of organizatons within its scope, including manufacturers of chemicals, food processors and makers of medical devices. The law requires organizations to take technical, operational and organizational measures to manage risks to their network and information systems, and to minimize the impact of potential incidents.
The scope of standards and regulations for industrial cybersecurity seems to be widening in terms of the organizations involved, reflecting an acknowledgement that industrial cybersecurity must be more far-reaching than in the past. Siemens’ Chuck Tommey notes that transportation regulatory agencies are now thinking about industrial cybersecurity because of the far-reaching effects of a cyberattack on pipelines and shipping infrastructure (and more). Environmental agencies are looking at the potential implications of cyberattacks on air- and water-monitoring systems, The U.S. Coast Guard is looking at cybersecurity at ports and navigable rivers from the perspective of shipping resources and materials.