Cyber Maturity in OT/ICS environments
5 April 2021 | Arman Sayed and Dr. Grigorios Fragkos
In the next three years, every organisation and government entity in the UAE must ensure they are ready to meet this moment and use cybersecurity as the enabler to protect, transform and nurture our complex digital ecosystems. As we advance, CEOs and boardroom discussions must include the business risks involved beyond the typical IT/IS security posture. Decision-makers should prepare to step into understanding the bigger picture from cyber-threats that target OT environments, which most of the time are part of the nation's critical infrastructure. Established experience and expertise are crucial for performing deep-dive security assessments capable of assessing IT and OT environments against UAE IA Standards comprehensively. Digital14 is the leading company in the UAE when executing such complete, evidence-based security assessments across the spectrum of management and technical controls. Visibility-in-depth against cyber risks through the use of a measurable cybersecurity maturity scorecard becomes the 'driving force' for decision-makers towards excellence.
Quote by: Joshua Knight (CyberDefence at Digital14)
Operational Technology (OT) assessments are very different and require a more tailored skillset. If the assessment is planned with an "IT-centric" approach instead of an IT/IS security mindset, it can cause a great deal of confusion, and the results may be highly ineffective. It is, therefore, necessary to understand the Industrial Control Systems (ICS) infrastructure and the supporting OT devices implemented in the environment before assessing the OT network/infrastructure.
Figure 1 – A quick and immediate gauge of an OT organisation's readiness for cybersecurity
Digital14 has introduced the OT Security Readiness Assessment to help organisations assess the security controls in place that safeguard OT environments from cyber-attacks. The key focus areas to consider are:
Industrial Control Systems are composed of a wide range of heterogeneous devices and components that play a specific role. To familiarise the reader, the most commonly seen devices within the ICS environments are listed below while providing some clarity about their role and purpose.
Understanding the OT environment in comparison to IT is not easy. Each OT environment has a different set-up and different devices suited to the work it is intended for. For that reason, there appears to be a gap in the knowledge base that is usually needed to secure OT environments. Recent studies and on-the-ground security assessments have highlighted gaps in the security of OT environments which tend to originate from:
It is necessary to fully understand the ICS environment before starting an assessment, to have prior experience in both environments, and to work closely with the audit client to capture the current holistic security posture fully. Not every security flaw can be a finding or an issue in an OT assessment. The operating details of a given OT environment may depend upon specific business dependencies, challenges and the limitations of isolated (air-gapped) environments.
It is not uncommon to see an absence of critical boundary protection devices on an OT network. As a best practice, it is good to familiarise yourself with the Purdue Model for Control Hierarchy logical framework, developed by the International Society of Automation (ISA99) Committee for Manufacturing and Control Systems Security, that forms the baseline for the ICS reference architecture.
In the 1990s, Theodore J. Williams, along with the Purdue University Consortium members for computer integrated manufacturing, developed the Purdue Enterprise Reference Architecture (PERA) as a model for enterprise architectures. The Purdue model does an excellent job of defining the different levels of critical infrastructure used in production lines and how to secure them. PERA was ahead of its time when it was introduced and, when implemented correctly, can achieve the "air gap" between Industrial Control Systems (ICS) or Operational Technology (OT) and IT systems.
Figure 1 – Different levels as per the Purdue model for Industrial Control Systems.
OT environments tend to use flat networks with production equipment from multiple vendors working together. While microsegmentation at the network level seems like a good idea, it is logistically challenging to implement physical devices inline in production environments. Device installation requires significant planned downtime and can also cause unplanned downtime due to factors like the age of the ICS systems and the proprietary protocols in use. Any security devices deployed inline in the communication path of ICS systems have to prove their reliability and are always subject to regulatory compliance. Above all, OT plant operations teams are not typically aware of IT best practices, let alone advanced network security concepts. An OT plant's goal is production, efficiency and uptime, and cybersecurity is a lesser priority, especially if it is complex and involves downtime.
High-level information for the different Purdue model levels is provided below (Figure 1):
Level 0: This layer contains fundamental OT devices that convert the analogue signals into digital, such as sensors, BCPU (Bay control protection unit) devices etc.
Level 1: This layer contains basic controlling devices containing configuration details such as the destination IP address and information routing details. It includes intelligent devices such as PLC, Intelligent Electronic Device (IED) and Remote Terminal Units (RTU).
Level 2: This layer manages the connectivity, transferring information from the RTU station towards the telecom control centre. This layer manages the integrity of information and the controls related to the telecom team, such as Ethernet switches, communication protocols, network monitoring systems, etc.
Level 3: This layer is all about the management of operational controls from the control centre. This layer ensures that sufficient operational alarms are configured, fault logs are captured and monitored, availability issues due to communication breakdown are resolved, etc. Level 3.5 is a recent addition over the last decade; this level includes security systems, such as firewalls and proxies, to separate or air gap the IT and OT worlds. This is where the IT and OT worlds "converge," increasing the OT systems' attack surface. Many plants either do not have this layer or have minimal capabilities in it. The rise of automation leading to higher efficiencies has created an increased need for bidirectional data flows between OT and IT systems. This OT-IT convergence is ultimately creating a formidable competitive advantage for companies that are accelerating digital transformation.
Level 4 and 5: These layers are about the perimeter security controls. Layer 4 emphasises establishing a DMZ (demilitarised zone) with the relevant remote monitoring controls, patch management and SCADA application-related services. Layer 5 is where the actual boundary protection devices are placed: the perimeter firewall, IDS (Intrusion detection system), IPS (Intrusion protection system), etc.
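The Purdue hierarchy above can be applied as an audit rule over observed network flows. The following is an added example and not code from the article or from Digital14; it assumes an asset inventory in which every asset is tagged with its Purdue level (3.5 for the DMZ, "external" for peers such as a vendor VPN gateway), and the rule set is our own: flows may only cross adjacent levels, any flow between the IT side (levels 4-5) and the OT side (levels 0-3) must pass through Level 3.5, and external peers may only reach the DMZ.

```python
from dataclasses import dataclass

# Constructed sample asset inventory: asset name -> Purdue level.
# 3.5 is the IT/OT DMZ; "external" marks a peer outside the plant (e.g. a vendor VPN).
ASSET_LEVELS = {
    "pressure-sensor-01": 0,
    "plc-line-a": 1,
    "scada-hmi-01": 2,
    "historian-ot": 3,
    "dmz-proxy": 3.5,
    "erp-server": 4,
    "corp-laptop": 5,
    "vendor-vpn-gw": "external",
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str

def _side(level):
    # Classify a numeric level as the OT side (0-3), the DMZ (3.5) or the IT side (4-5).
    return "dmz" if level == 3.5 else ("ot" if level <= 3 else "it")

def violation(flow, levels=ASSET_LEVELS):
    """Return why the flow breaks the hierarchy, or None if it is allowed."""
    a, b = levels.get(flow.src), levels.get(flow.dst)
    if a is None or b is None:
        return "unknown asset (inventory gap)"
    if "external" in (a, b):
        inside = b if a == "external" else a
        return None if inside == 3.5 else "external peer bypasses Level 3.5 DMZ"
    if {_side(a), _side(b)} == {"it", "ot"}:
        return "IT/OT flow bypasses Level 3.5 DMZ"
    if abs(a - b) > 1:
        return f"skips levels ({a} -> {b})"
    return None

def audit(flows, levels=ASSET_LEVELS):
    """Return [(flow, reason)] for every flow that violates the model."""
    return [(f, r) for f in flows if (r := violation(f, levels))]

# Constructed sample flows, as a passive network monitor might export them.
SAMPLE_FLOWS = [
    Flow("plc-line-a", "pressure-sensor-01", "fieldbus"),  # 1 -> 0: allowed
    Flow("scada-hmi-01", "plc-line-a", "modbus/tcp"),      # 2 -> 1: allowed
    Flow("vendor-vpn-gw", "dmz-proxy", "https"),           # external -> DMZ: allowed
    Flow("erp-server", "historian-ot", "sql"),             # 4 -> 3: bypasses DMZ
    Flow("corp-laptop", "scada-hmi-01", "rdp"),            # 5 -> 2: bypasses DMZ
    Flow("vendor-vpn-gw", "plc-line-a", "ethernet/ip"),    # vendor straight to PLC
    Flow("unknown-box", "plc-line-a", "s7comm"),           # asset not in inventory
]
```

Running `audit(SAMPLE_FLOWS)` returns the four flagged flows; an "unknown asset" result is itself a finding, since an incomplete inventory is exactly the gap the assessment is meant to expose.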
The UAE IA Standard is recognised as one of the most comprehensive standards. Besides being a regulatory mandate for the region, primarily for government entities, the UAE IA Standard has a detailed list of controls that can also be used to protect ICS (Industrial Control System) infrastructure. The table below provides a brief description to familiarise the reader with the different OT standards, such as NIST 800-82, NERC and ISA 62443:
Figure 2 – Brief description of different OT standards which are recognized globally.
The following bar chart maps international OT standards such as ISA 62443, NERC CIP and NIST 800-82 with UAE IA individually. Each standard has been compared with UAE IA controls. In the diagram, one can identify that UAE IA can be considered more adequate and contains holistic sets of OT controls to protect the ICS environment.
Figure 3 – Comparison of UAE IA Standards number of controls against other OT standards.
UAE IA provides a few sets of critical controls that are not present in any other international OT standard. The details are as follows:
When approaching an OT assessment using UAE IA, one needs to ensure that the following key differences between IT and OT networks are understood and taken care of:
The most significant challenge of OT assessments is the lack of understanding from the power station engineers on the ground. In addition, a few persistent myths around ICS environments can cause significant gaps during assessments if not properly demystified.
Truth: Firstly, non-Windows operating systems are also vulnerable, as they can be used to relay malware to Windows hosts. Secondly, several past incidents/attacks on OT networks were supported by Unix and Linux variants.
Truth: It is imperative to understand the various connections that are active in the OT network. The on-the-ground engineers, operators, etc., will claim that their environment is isolated. However, the assessor needs to check critical points such as troubleshooting of OT devices, management of SCADA applications, enhancements/upgrades, etc. Also, check whether there is a VPN connection with the ICS vendor, or whether internet access is enabled in the control centre. Unless these parameters are thoroughly reviewed, the ICS environment cannot be stated to be isolated.
Truth: Another claim that OT personnel will make is that they have a contractual agreement with their vendor, and the vendor is renowned in the industry; hence there is no risk related to vendor management. Lack of vendor review is very evident in OT networks; it has been proven that many OT networks provide point-to-point VPN connectivity to vendors, which is mostly not monitored due to the absence of monitoring solutions. In addition, authentication and accountability are also poorly managed.
Truth: The lack of emphasis on physical security is evident with OT environments due to the absence or inadequacy of CCTVs at critical locations, poor management or lack of implementation of building management system, lack of monitoring and review of physical access control rights, inadequate controls related to fire and equipment safety.
Truth: We all understand the importance of a good Governance, Risk and Compliance framework. The complacency on the part of OT personnel for GRC is again a cause of worry; lack of policies, procedures and supporting documents, no processes to ensure compliance with local regulatory and applicable OT standards and lack of risk management activities. All these issues are prevalent and need immediate focus.
From digitisation to digital transformation, leading to a 'Smart Cities' vision for the not-that-distant future, highly complex digital ecosystems will become the norm. The constant introduction of new technologies, the overwhelming need for interconnectivity, and the excessive use of IoT and IIoT, along with autonomous AI-based endpoints, provide only a glance of what the future will look like.
"Security by Obfuscation" is a skeleton of the past in the closet of Technology. "Security through Visibility" is the only way to allow IT and OT environments to operate securely in the future. Proper Security Architecture and Asset Management are of paramount importance, now more than ever. Quote by: Dimitrios Sarris (Director CyberDefence at Digital14)
In parallel, this "technological interconnectivity-boom", offers a considerably expanded attack surface for cyber adversaries of all kinds. The report, Smart Cities: the Power, the Risks, the Response, which Digital14 recently released, takes a look into the UAE's digital transformation and cyber resilience standpoint and suggests cyberattacks are expected to rise as the government and organisations adopt the benefits of smart city technologies.
The legacy of EXPO 2020 Dubai which opens its doors in October 2021 (after being postponed for one year due to the pandemic), is called District 2020. It will be a smart and sustainable urban environment with cutting-edge physical and digital infrastructure. EXPO will stretch at new levels the collaboration of previously heterogeneous networks and endpoints into a new era of co-existence, which requires operating under a unified umbrella of cyber resilience.
Our digital ecosystems are constantly evolving towards highly complex and dynamically scalable hybrid environments, composed of different technologies that include, but not limited to, ICS, IIoT, smart IoT, Cloud-based solutions, sensors, autonomous systems, and a variety of automations. The cybersecurity resilience of such interconnecting digital ecosystems is not a trivial task, especially when these are the fundamental components for building the smart cities of the future. Quote by: Dr. Grigorios Fragkos (vCISO EXPO 2020 Dubai and Director CyberDefence at Digital14)
The ICS environment's evolution has already started. This will only increase with time, as unsupported, legacy and outdated devices are replaced with updated ones that come with advanced features and enhanced interconnectivity (IIoT). Ensure that a well-thought-out OT governance model is devised, applicable regulatory and legislative requirements are adhered to, monitoring and review solutions are implemented, and, most importantly, vendor management controls are effectively implemented.
In recent years, the systemic blend between IT and OT networks has opened up modern ICSs to new risks, expanding the threat surface. Autonomous propagating malware that targets critical infrastructures through ICS vulnerabilities is already happening at scale.
It is of utmost importance to understand the current status and any inherent gaps by performing a thorough evidence-based security assessment. Digital14 can help to safeguard complex OT environments by clearing up the chaos and increasing visibility by setting the stepping stones for a cyber-resilient future.