Connected industrial operations are gaining momentum. Energy suppliers as well as other industrial enterprises around the world are creating significant operational benefits by merging their operational technology (OT) infrastructure, including their industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, with their IT networks. However, these connected industrial operations are also exposing energy supply companies to enlarged attack surfaces and related cybersecurity vulnerabilities.
OT environments are highly complex
Securing the OT infrastructure of an energy supplier or any industrial enterprise is a highly complex task. The important processes of securing an OT environment is complicated by the diversity of equipment and vendors, the shortage of resources and the lack of automated and integrated security procedures.
OT infrastructures typically contain thousands of field assets spread across numerous operational facilities. Many of these assets are in remote field locations of which some are even unattended to by a human. In general, these assets have been deployed by overlapping vendors during the course of many years. Older equipment is typically designed with proprietary hardware, software and communication protocols and often lacks any form of security capabilities.
Despite the fact that their OT infrastructure is increasingly connected with their IT networks, most energy suppliers have not yet defined integrated policies to secure and protect their operational assets and industrial equipment. At the same time, the roles and responsibilities among the plant facilities, operation and control teams, and corporate IT security staff are also not properly defined.
Of course, many energy supply companies have certainly invested in specific security systems and tools, although most still rely on manual security processes and are certainly not in the position to roll out integrated and automated procedures for protecting their OT infrastructure.
Top-down and integrated approach is the best approach
A top-down and integrated approach is the best approach to secure OT infrastructure. “Top-down” means that all policies, procedures and technology solutions are driven by the corporate operation and control team. “Integrated” refers to the fact that all the intersection points among IT and OT, remote plants and the corporate office, and involved third parties must be evaluated and considered when enforcing policies and executing procedures.
A prerequisite for facilitating an effective top-down security strategy is obtaining complete visibility and a full asset inventory and establishing secure connectivity among these operational assets.
Once these two essential items have been achieved, the following recommendations for a top-down, integrated strategy should be applied to secure the OT environment.
· Operation-wide policies and procedures for securing operational assets should be clearly defined by the head operation and control team
· Granular policies according to plant, asset and user identity should be an essential component of these policies
· Security policies should be deployed centrally and enforced locally in order to protect any network segregation
· Enforcement should be fully automated and include monitoring for policy violations
· If there is a policy breach, an incident alarm should alert security analysts and enable an investigation into the event to begin
· If an incident does occur, authorized personnel must be able to promptly access an operational asset for incident response
· Backup and restore procedures should allow for recovery from an incident
· Risk management and compliance reports should be run by the head office
This list of recommendations is logical and appears to be straightforward. However, this is a complicated task given the complexity of most multisite industrial environments.
Security essentials are the objective
The goal of OT security efforts should be to protect the field assets. These are the operational equipment that, if compromised, will pose the largest risk to operational safety, integrity and efficiency of an energy supplier.
To achieve this objective, energy supplier should focus on the security essentials. This means that the basic security activities should be done correctly through automated and repetitive processes that reach the entire OT infrastructure.
The following are examples of many security essentials that an energy supplier should perform in order to protect its OT environment.
· Schedule verification processes to check that qualified operating system patches and antivirus signatures are installed along with triggers to automate processes to install updates
· Schedule the collection and transfer of device logs to a centralized Security Information and Event Management (SIEM) system for correlation and alerting, if necessary
· Schedule the monitoring of ports, services and applications against the organizational whitelist and blacklist policies
· Manage remote access authorization, privileges and accountability
· Generate compliance reports to monitor that company and regulatory requirements are being met and determine if any fixes are required
· Schedule regular scans of IP address ranges and create alerts for any unexpected changes, such as a new device on the list or a device that is not acknowledging its presence
Security and compliance posture are improved
Given the scale of operations and severe consequences of a security breach, securing the OT infrastructure is a complex task and essential process for every energy supplier. An energy supply company should pursue a top-down, integrated approach for defining, automating and enforcing polices and procedures in order to improve its overall security and compliance posture. Those policies should focus on protecting the operational assets and their enforcement should be fully automated.
Energy suppliers must do the basic security essentials correctly — those security essentials that if implemented correctly will bring the highest security ROI. Once these essentials are covered, an energy supplier will then be in the position to implement and benefit from additional and more advanced security measures.
This article is the fourth and final article is a series on OT security management for the energy supply industry. The first article presented an overview of the OT security challenges faced by energy supply companies connecting their IT and OT operations and offered three recommendations for improving the security posture of a connected operational environment. The second article looked at the importance of network visibility and operational asset inventory and the third article analyzed approaches for establishing secure connectivity among operational assets.
About the author: Shmulik Aran is the CEO of Nextnine, a provider of security management solutions for connected industrial control system environments.