Why securing the OT environment against cyberattacks is vital

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Shunichi Miyanaga, Chairman of the Board, Mitsubishi Heavy Industries

• Despite existing frameworks to secure operational technology (OT) environments, cybersecurity controls often ease or are overlooked during key lifecycle phases.
• Risks can open up during Factory Acceptance Testing, Site Acceptance Testing, shutdown maintenance and brownfield services.
• Here, we consider how these risks can be mitigated.

Despite existing frameworks to secure operational technology (OT) environments, cybersecurity controls often ease or are overlooked during key lifecycle phases, such as Factory Acceptance Testing (FAT), Site Acceptance Testing (SAT), shutdown maintenance, and brownfield services, increasing vulnerability to cyber threats. CISA’s 2022 report highlights a 30% increase in OT system cyberattacks, with over 800 incidents. ENISA’s findings corroborate this, showing that 63% of critical infrastructures faced cyber incidents, 55% targeting OT systems.

The early months of 2023 saw notable cyberattacks: a ransomware strike on a U.S. water plant in January; a European power grid disruption in February; and, an Asian transportation company’s operational halt in March. These incidents emphasize the importance of stringent cybersecurity throughout the OT system lifecycle, especially in critical stages

Risks during the FAT milestone and proposed controls

During FAT, a pivotal stage in the OT system lifecycle, the system is tested in a controlled environment to confirm adherence to design requirements. During FAT, however, cybersecurity controls often become less stringent, with emphasis primarily on design specifications over security, unless explicitly included in the scope. It’s crucial to integrate essential high-level cybersecurity controls at this stage to prevent transferring risks or threats to the site post-FAT. This proactive approach is key to maintaining robust security throughout the system’s lifecycle. These controls include, but are not limited to:

• Security of the staging area

Staging areas, designated for pre-deployment system testing, require secure measures to prevent unauthorized access, thereby avoiding the introduction of malware or other threats into production environments.

• People

People are always the weakest point in any security system. It is important to educate employees about best cybersecurity practices. This includes training on how to identify phishing activities, handling sensitive project information, complying with cybersecurity requirements and identifying and reporting a cybersecurity incident.

Discover

How is the World Economic Forum addressing rising cybersecurity challenges?

The Global Security Outlook 2023 revealed that 43% of leaders polled believe that a cyberattack will materially affect their organization in the next two years.

The World Economic Forum’s Centre for Cybersecurity drives global action to address systemic cybersecurity challenges. It is an independent and impartial platform fostering collaboration on cybersecurity in the public and private sectors.

Learn more about our impact:

• Cybersecurity training: In collaboration with Salesforce, Fortinet and the Global Cyber Alliance, we are providing free training to the next generation of cybersecurity experts. To date, we have trained more than 122,000 people worldwide.
• Cyber resilience: Working with more than 170 partners, our centre is playing a pivotal role in enhancing cyber resilience across multiple industries: oil and gas, electricity, manufacturing and aviation.

Want to know more about our centre’s impact or get involved? Contact us.

• Asset lists

An asset list is a comprehensive list of all hardware and software assets used in a specific project. This list is the main pillar to detect and understand if any changes have occurred.

The asset list contains information about firmware versions, OS, IP addresses, MAC addresses, vulnerabilities, what was patched and what wasn’t, the latest updates to end-point security, etc. The list must be maintained and updated regularly to ensure that all assets are properly secured, as well as to enable effective vulnerability and patch management.

• Access controls

Access controls are essential to prevent unauthorized access to sensitive information and systems. This includes implementing strong password policies, multi-factor authentication and other mechanisms to ensure that only authorized personnel can access sensitive areas or functions.

• Secure configuration

Secure configuration involves implementing security best practices when configuring hardware and software systems. This includes disabling unnecessary services and ports, using strong encryption and implementing other security measures to reduce the attack surface of a system.

• Vulnerability and patch management

Vulnerability and patch management involves regularly scanning systems for vulnerabilities and deploying patches to fix known issues. This is critical to prevent attackers from exploiting known vulnerabilities to gain access to sensitive information or disrupt operations.

• Incident management

Incident management involves having a plan in place to respond to cybersecurity incidents when they occur. This includes identifying the scope of the incident, containing it and recovering from it, as well as conducting a post-incident analysis to identify areas for improvement.

All these controls must be implemented and documented during the FAT milestone to ensure that potential risks are not transferred to the site.

https://cdn.jwplayer.com/players/9psU3UfP-ncRE1zO6.html

Risks during the SAT milestone

Similarly, the SAT/shutdown maintenance window and brownfield services milestone also pose a cybersecurity risk to the OT system. During this milestone, the system is tested in its actual environment and any issues are addressed. These milestones, however, may require taking the system offline and cybersecurity controls may be relaxed to facilitate maintenance activities. Moreover, third-party contractors may not be familiar with the system’s cybersecurity controls, leading to potential cybersecurity problems with the completion of maintenance work and when the system/plant is brought online again to resume production. This can result in dozens of untraceable changes to the cybersecurity controls, which are either disabled or bypassed.

Proposed high-level controls

Apart from the high-level controls mentioned during the FAT milestone, additional controls need to be implemented during the SAT/shutdown maintenance window and brownfield services due to the dynamic SAT environment. These controls include:

• Environment integration

During SAT, the system is evaluated for its integration with the surrounding operational systems. This can identify vulnerabilities that might arise due to interactions with other systems or software.

• Network integration and firewalls

As the system is now in its intended network environment, SAT can assess how it interacts with firewalls, intrusion detection systems and other network security measures. It can uncover vulnerabilities, such as open ports, that shouldn’t be open or potential for unauthorized network access.

• Authentication and authorization

While these might be tested during FAT, during SAT, they’re tested in the context of the operational environment. For instance, how the system integrates with the enterprise’s identity and access management solutions.

• Red/blue team testing

Sometimes, organizations might choose to perform more aggressive penetration testing (red team exercises) during SAT to see how the system holds up against simulated cyberattacks in its actual environment.

• Incident response integration

During SAT, you might also test how incidents on the system integrate with the broader organizational incident response plan and tools.

How to mitigate these risks

To mitigate these risks, end-users, contractors, vendors and suppliers must establish and adopt a robust change management process that includes proper documentation, approval mechanisms, testing and validation procedures. This process should ensure that all changes, including those made during the critical and gap periods, are properly tracked, assessed for security implications and validated before the system’s commissioning. A more advanced and strict approach is to assign a dedicated cybersecurity officer to follow up and document all the changes made at different milestones.