Today many energy suppliers are enjoying the benefits of fully connected operations. The ongoing convergence of operational technology with IT networks is providing greater control over each function in the energy supply process. This improved control is enabling decision-makers throughout an energy supply company to make more informed decisions that can improve reliability, safety and profitability.
At the same time, along with these new benefits arrive serious cybersecurity risks that threaten the newly connected operational environment of an energy supply company.
To reduce exposure to cyberattacks, the security controls of IT, ICS and SCADA platforms must be hardened. The process to harden these security controls is rigorous and complex, and it requires collaboration between IT and OT departments, and between remote plants and the corporate offices.
Overall, the OT security management process entails three steps: first, establishing full visibility of all distributed assets; second, securely connecting to every asset; and third, protecting each asset by keeping patches and antivirus signatures current, while being positioned to alert on policy violations and address vulnerabilities.
Inventory—Easier Said Than Done
The OT security management process begins with creating complete visibility and building an accurate inventory of all connected operational technology assets.
On a regulatory level, the NIST Framework for Improving Critical Infrastructure Cybersecurity reinforces this need by making asset identification a key part of the core framework. ID.AM-1 states that “physical devices and systems within the organization are inventoried,” and ID.AM-2 states that “software platforms and applications within the organization are inventoried.”
Odd as it may seem, many operation managers across the energy supply industry do not have access to even a recent asset inventory. However, it is easy to see how this can happen.
Consider, for example, a small oil refinery that is 30 years old. The equipment in the refinery—pumps, crude oil desalter, air cooled condenser, fired heater and other equipment—each comes from a different specialty manufacturer. These devices are constantly updated and most likely some components have been replaced. Many of those changes may not have been properly documented, especially if they were done remotely by the equipment vendor and there was no automated audit trail to record what changes were performed. If ownership of this refinery changed hands, the exact device inventory and configuration may never have been recorded.
Just think how the complexity of this situation is multiplied for an energy supplier running a decentralized operation with a number of remote sites. This scenario and others like it actually play out every day across the industrial world.
Asset Discovery Challenges
Performing asset discovery manually might seem like an option. In reality, it would be a time-consuming and cumbersome endeavor highly exposed to human error. Even if an inventory is done manually, the inventory mapping and list will be out of date almost as soon as it is completed, because operational environments are dynamic: new devices are constantly being added and configurations are constantly being updated.
Accordingly, asset discovery and mapping must be automated with all changes from the baseline being documented and incorporated into a revised inventory. However, this too has its challenges.
First off, older equipment was not designed to communicate with network probes. As such, it must be discovered using unobtrusive techniques in order to avoid disrupting its availability.
Currently, most industrial controllers are connected to host machines running either a Windows or a Linux operating system. An active scan can ping an IP address to determine whether a device is present. If a device responds, the scanner can connect to the host to collect the necessary information, including machine type, operating system version, hardware and software configuration details, status of antivirus software and similar details.
The host machines that control the ICS controllers are generally stable and can support an active scan. These devices are often the source of malware infections, which can get into the controllers and spread to industrial machines. This is why it is essential to know what vulnerabilities might exist on the host machines and to create a consistent security process to keep these devices patched and protected.
On the ICS side of the network, the PLCs are sensitive to pings, probes and network traffic. Because active scanning risks making these devices unstable or unavailable, it is not an option for these device types. As a result, passive techniques are required to detect, identify and understand their communication connections. This too can be a challenge. The decentralized nature of ICS traffic flows, alongside the limited capabilities of legacy network equipment, makes the use of standard passive scanning technologies difficult. However, less intrusive methods based on traffic analysis can be used to discover and identify these sensitive devices.
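The passive approach described above, combined with the baseline-and-change tracking called for earlier, as an added example that is not code from the original article or from NextNine. It assumes flow metadata (source, destination, destination port, bytes) has already been captured from a mirror port or similar, and uses a constructed set of flows and a constructed baseline; the port-to-protocol mapping is a simplifying assumption, since real controllers may use other ports.

```python
"""Passive OT asset discovery with baseline comparison.

Added example, not code from the original article or from NextNine. No packets
are sent to any device: the inventory comes only from traffic metadata already
observed on the network (constructed flows below), and each run is diffed
against the previously recorded baseline so changes are documented.
"""

# Well-known ICS protocol ports; a device answering on one is treated as a
# controller and is never probed directly.
ICS_PORTS = {502: "modbus-tcp", 102: "s7comm", 44818: "ethernet-ip", 20000: "dnp3"}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes). Not real traffic.
FLOWS = [
    ("10.1.10.5", "10.1.20.11", 502, 1200),   # HMI host polling a Modbus PLC
    ("10.1.10.5", "10.1.20.12", 102, 800),    # HMI host talking to an S7 PLC
    ("10.1.10.9", "10.1.20.11", 102, 300),    # same PLC now also seen on S7comm
    ("10.1.10.9", "10.1.20.13", 44818, 500),  # engineering station to EtherNet/IP
    ("10.1.10.9", "10.1.10.5", 445, 9000),    # host-to-host SMB traffic
]

# Baseline inventory recorded on a previous run (constructed).
BASELINE = {
    "10.1.10.5": {"role": "host", "protocols": set()},
    "10.1.20.11": {"role": "controller", "protocols": {"modbus-tcp"}},
    "10.1.20.12": {"role": "controller", "protocols": {"s7comm"}},
    "10.1.20.14": {"role": "controller", "protocols": {"dnp3"}},
}

def discover(flows):
    """Build an inventory purely from observed flows."""
    inv = {}
    for src, dst, dport, _size in flows:
        for ip in (src, dst):
            inv.setdefault(ip, {"role": "host", "protocols": set()})
        if dport in ICS_PORTS:
            inv[dst]["role"] = "controller"
            inv[dst]["protocols"].add(ICS_PORTS[dport])
    return inv

def diff_inventory(baseline, current):
    """Report assets that appeared, disappeared or changed protocol usage."""
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = sorted(ip for ip in set(baseline) & set(current)
                     if baseline[ip]["protocols"] != current[ip]["protocols"])
    return {"new": new, "missing": missing, "changed": changed}

if __name__ == "__main__":
    print(diff_inventory(BASELINE, discover(FLOWS)))
```

A controller that stops appearing in traffic shows up under "missing", and one that starts speaking a protocol it never used before shows up under "changed"; both are the kinds of undocumented changes the text warns about.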
Visibility and Inventory Benefits
An energy supply company’s OT security strategy and efforts must be based on a full and current inventory of assets in order to effectively protect the operational infrastructure from ongoing cyber-threats. Knowledge of what devices and equipment are connected to the networks and how they are configured and communicate is an absolute must to mitigate risks. This process should be automated and managed by the energy supplier’s cyber experts at the corporate office.
Only when the energy supplier has established a full understanding of its assets, can it then be ready to develop its OT security plan and implement hardening processes to secure its operational environment.
This article is the second in a series of four articles on OT security management in the energy supply industry. The first article presented an overview of the OT security challenges faced by energy suppliers connecting their IT and OT operations and offered three recommendations for improving the security posture of connected operational infrastructure. This article and the following two articles take an in-depth look at each of these recommendations. The next article will provide an analysis of options for establishing secure connectivity among connected operational assets.
About the Author: Shmulik Aran is the CEO of NextNine, a provider of security management solutions for connected industrial control system environments.