Managing operational technology security in a changing business environment
A changing business environment
Organizations are seeking to transform their businesses through digitalization: improving workflows and processes, adapting organizational culture and changing supply chain relationships. Realizing digitalization requires organizations to create greater openness between system boundaries. This openness can be seen in the increased connectivity between information technology (IT) in the business domain and operational technology (OT) in the production domain. In addition, the introduction of the Industrial Internet of Things (IIoT)/Industry 4.0 creates openness beyond traditional system boundaries by connecting sensors and systems within the organization to external cloud-based applications. Although digitalization can deliver significant value for organizations, it also increases the threat surface which, if not effectively managed, can create significant cyber security risks for industrial environments.
It's time to comply
Ignoring, or paying limited attention to, the cyber security of operational technology assets is no longer an option for most organizations.
In August 2016 the NIS Directive came into force as the first EU-wide legislation on cyber security. Within the UK, the National Cyber Security Centre (NCSC) published 14 high-level principles which must be implemented by Operators of Essential Services (OES) through a Cyber Assessment Framework (CAF). NIS compliance is monitored through audits by Competent Authorities, such as the Department for Business, Energy & Industrial Strategy and the Health and Safety Executive (HSE) for the Oil and Gas Energy sectors.
In 2017 the HSE published Operational Guidance Note 86 (OG86) on Cyber Security for Industrial Automation and Control Systems (IACS). The guidance note supports HSE inspectors in assessing the cyber security risk of IACS at COMAH facilities within the UK. Owners of COMAH facilities are required to demonstrate to HSE inspectors the adequacy of their cyber security management systems and of the countermeasures applied to the IACS within their facilities and organizations. In 2018, a second edition of the guidance note was published to reflect the HSE's interpretation of current and developing standards and to support inspectors in monitoring NIS Directive compliance.
Addressing the security risk challenge
Effective cyber security risk management is not just about technology; it is also about people and processes working securely and effectively together. To secure the OT domain successfully, it is essential that organizations place equal emphasis on the development of security controls for people (organization), processes (policies, procedures) and technology.
An organization's OT cyber security maturity can be measured against 5 levels (see illustration). For many organizations, level 1 or 2 is the starting point for the development of an OT security program. The journey from level 1 to 5 can take many years, and once a level is achieved it needs to be maintained through a continuous lifecycle management plan.
Functional Safety Management & Security; what can we learn?
Organizations familiar with functional safety management will note that, from a risk perspective, the fundamentals of industrial safety risk management and security management are effectively the same. Both are designed to protect assets from hazards or threats while aiming to create safe or secure conditions. There are, however, nuances which distinguish them, and organizations that currently manage functional safety will benefit from that culture and those organizational practices when they begin to develop an OT cyber security organization.
Establishing and Maintaining a Cyber Security Organization
Establishing and maintaining an OT cyber security culture requires continuous management and leadership. To ensure effective management, it is essential for an organization to adopt a cyber security framework. A security framework is a series of processes used to define policies and procedures around the implementation and ongoing management of OT security controls in an enterprise environment. A framework provides a common language and a systematic methodology for managing a cyber security program and its associated risks.
There are many security frameworks available for organizations to consider. One of the most commonly used is the National Institute of Standards and Technology (NIST) SP 800 framework, which contains several publications developed to address and support the security and privacy needs of organizations. Other frameworks for consideration are the Cyber Security for Industrial Automation and Control Systems (IACS) framework (illustrated) and the NCSC Cyber Assessment Framework (CAF).
Contact us for more information on our cyber security risk management services.