Operational technology (OT) and industrial control systems (ICS) have long been isolated, disconnected, and separated from the organization’s traditional information systems, open networks, and information technology (IT). However, with the advent of Industry 4.0 and the Industrial Internet of Things (IIoT), IT and OT are becoming increasingly interconnected. With this convergence, new security threats emerge.
Traditionally, IT and OT have played different roles within an organization. The IT department worked on the enterprise side of the organization and covered all technologies related to information processing. The OT department represented the part of the organization that was responsible for industrial systems and operational technologies. The two departments rarely crossed paths.
Today, IT and OT are combining forces to unlock the opportunities inherent in IIoT, the idea of connecting industrial equipment to the network. Modern sensors and industrial equipment often hold important information that can be transferred from the plant floor to key stakeholders in the organization for improved insights, enhanced automation capabilities, and advanced analytics. The convergence of IT and OT is an integral part of this operation and a prerequisite for seamless information flow.
However, the increasing dependence on digital technology in OT and the convergence of IT and OT make asset and plant security more critical than ever. The SANS 2019 State of OT/ICS Cybersecurity Survey reveals that slightly more than 50 percent of the surveyed respondents perceive the level of OT/ICS cyber risk to their company’s overall risk profile as either severe, critical, or high.
According to the SANS survey, the three pillars for successful IT/OT convergence strategies (people, processes, and technology) are also the most widely known security risks. The survey reveals that people present the greatest risk for compromise to an organization’s operational technology and control systems, which is not surprising because the human element often lies at the heart of cyber security incidents and breaches.
Typical attack vectors, the survey reports, are physical access through USB sticks or direct access to equipment, remote access either through or bypassing intended architecture, and service maintenance consulting.
In light of the emerging cyber security threats, E&P and industrial companies will benefit greatly from implementing optimal cyber security strategies, policies, and routines. Familiarizing oneself with cyber security standards is a good place to start. These standards aim to improve the security of IT and OT systems, industrial networks, and critical infrastructures.
The following three cyber security standards are particularly relevant for industrial environments.
IEC 62443 is the standard for OT security and defines the necessary elements to implement cyber security systems for industrial automation and control systems. The standard aims to improve the safety, availability, integrity, and confidentiality of the components and systems used for industrial automation and control systems.
While IEC 62443 is concerned with OT security, the ISO 27000 family of standards focuses on IT security. The series explains how to implement information security management systems and includes a set of best practices on how to improve information security within organizations. The ISO 27000 family consists of 46 different standards, with specific standards covering everything from implementation requirements for information security management systems to information protection in the cloud and the GDPR.
The NIST Cyber Security Framework provides a set of standards, guidelines, and practices for organizations to better manage and reduce cyber security risks. The framework consists of three components:
The SANS 2019 survey reveals a growing maturity in identifying potential risk and detecting and remediating actual events. The survey lists six important initiatives for increasing OT, industrial control system, and network security. The following six initiatives can be used as a guide to steer your own cyber security implementation efforts:
Secure access to critical IT systems and ICT infrastructure operations at offshore and onshore installations has become a necessity. Cegal’s security platform Connect@Plant can help.
Connect@Plant is a complete security solution to control, protect, and log all access to onshore and offshore installations and plants. It reduces the need to rely on general IT operations to approve access to critical systems through automated tools for granting and terminating access, delegating approvers, and user management. Furthermore, it gives plant managers increased control over user access and permissions.
Connect@Plant can be implemented in a range of different plant environments, including offshore rigs, power plants, and other critical industrial systems.