OT Compliance: Navigating Regulations and Standards

All you need to know about OT Compliance: ISA/IEC 62443, NIST SP 800-82, CIS Controls…


Why is being OT compliant important?

Enhanced Security:

In the age of the Fourth Industrial Revolution, where OT interfaces with IT more than ever before, security cannot be stressed enough. A compliant OT environment is not merely a well-guarded one but is also resilient against a spectrum of cyber threats. These threats aren't abstract; from state-sponsored attacks targeting critical infrastructure and industrial processes to ransomware crippling manufacturing plants, real-world incidents have shown the devastating impact of lax security, as demonstrated by these two attacks:

Stuxnet (2010): Stuxnet marked a watershed moment in cyber-espionage. It demonstrated the sophistication of state-sponsored cyber-attacks by targeting Iran's nuclear facilities. This malicious code intricately targeted industrial control systems, specifically Programmable Logic Controllers (PLCs), undermining the very core of Iran's nuclear ambitions. Stuxnet spotlighted the covert power of cyber-attacks, emphasizing their potential to inflict tangible damage on physical infrastructure.

Triton/Trisis (2017): Triton/Trisis ushered in a new era of concern, targeting safety instrumented systems (SIS) within a Saudi Arabian petrochemical plant. This attack penetrated the heart of operational safety measures, emphasizing how cyber threats can directly manipulate safety controls. While the attack was detected before causing harm, Triton/Trisis underscored the grave potential of OT attacks to cross the threshold from digital disruption to real-world peril.

Being OT compliant ensures a proactive stance against such emerging threats, safeguarding operations and assets.

Operational Reliability:

The vision for many operational technology systems is achieving "zero-downtime" — uninterrupted, efficient operation. Compliance standards often distill insights from operational environments worldwide, providing best practices that have been tried and tested. Adopting these regulatory requirements means learning from a global community of experts, dramatically reducing the chances of unexpected failures and upholding the principle of continuous operation.

Regulatory and Legal Obligations:

Many industries are subject to specific regulatory requirements, as mandated by regulatory bodies, that detail the security measures and operation of OT systems. Non-compliance can lead to hefty fines, legal penalties, and reputational damage. Being compliant ensures that businesses adhere to regional and international legal mandates and avoid such complications.

Economic Considerations:

While the initial steps towards OT compliance might seem costly, they are investments in the truest sense. The long-term cost benefits are manifold: from avoiding potential multi-million dollar lawsuits and penalties to reducing expenditure associated with rectifying breaches or ransomware. Furthermore, in an increasingly competitive global market, compliance isn't just about risk mitigation; it's a competitive edge in tenders.

Stakeholder Trust and Brand Reputation:

In a time when news of data breaches and system failures can spread globally within hours, brand reputation is fragile. OT compliance, including meeting regulatory requirements set by regulatory bodies, isn't just a backend security requirement; it's a front-facing brand promise.

Organizations that consistently uphold and communicate their commitment to OT compliance are signaling their dedication to excellence and security. This not only fosters trust among present stakeholders but also attracts future partners, clients, and top-tier talent.

What are the main OT standards?

The Operational Technology (OT) regulatory landscape is wide, but it is essential for ensuring that OT systems are secure, reliable, and adhere to industry standards and regulations. Here are three OT compliance frameworks:

ISA/IEC 62443 (International Electrotechnical Commission)

What does the standard cover?

ISA/IEC 62443 addresses cyber security for operational technology in automation and control systems. This international standard is widely used in manufacturing, energy, and other industrial sectors to secure industrial automation and control systems (IACS).

Historical Overview:

In the early 2000s, the ISA-99 standard evolved into ISA/IEC 62443. At that time, while information systems were known to be vulnerable, industrial systems seemed shielded due to their unique hardware, software, and limited external connectivity. Today, as more and more industrial setups become interconnected, they also become vulnerable to cyber threats targeting automation and control systems, jeopardizing the operational integrity and safety of assets and people.

Although the writing of this standard began several decades ago, it is still being written by an ISA working group under the aegis of the IEC, notably in order to adapt the standard to evolving technologies and security risks.

How is the standard structured?

The standard contains 4 main parts:

General: This section lays out the foundational concepts, terminologies, and the overarching structure of the standard. It establishes the framework within which the rest of the parts operate, ensuring readers and implementers have a clear understanding of the standard's intent and scope.

Policies and Procedures: This second part emphasizes the importance of setting clear, comprehensive, and consistent cyber security policies and procedures. It guides organizations in developing, documenting, and implementing practices that ensure the safety and security of their industrial systems against potential threats.

System: Here, the focus is on the security considerations for entire industrial control systems. This includes how they are designed, operated, and maintained. This section encompasses an end-to-end perspective, ensuring that the system as a whole is robust and resistant to cyber threats.

Components and Requirements: This part dives deeper into the specific components that make up an industrial control system, such as hardware devices, software applications, and other integral elements. It outlines the specific security requirements for each component, ensuring that every piece of the system meets a consistent level of cyber security rigor.

Defense in depth:

The standard advocates the "defense in depth" concept, which is a multi-layered strategy to protect industrial systems. Instead of relying on a single barrier, it employs multiple levels of security distributed throughout the system. This encompasses a variety of methods, ranging from network segmentation, authentication and encryption to several layers of monitoring. The goal is not just to prevent attacks, but also to swiftly detect threats and respond to them. This layered system ensures that if one defense fails, others are ready to step in.

NIST Cybersecurity Framework - SP 800-82 (National Institute of Standards and Technology)

What does the standard cover?

NIST SP 800-82 was published in 2015 and updated in 2021 by NIST. It provides best practices and recommendations specifically dedicated to the safety of industrial control systems (ICS). The standard is applicable in various industries, including utilities, manufacturing, and transportation, to enhance the security of ICS and SCADA systems.

How is the standard structured?

The document is divided into 6 chapters (2015 version, the last complete version of the document that could be found):

Chapter 1: Introduction

This chapter sets the stage by highlighting the significance of Industrial Control Systems (ICS) security and the surrounding context. It also outlines the guide's purpose and scope.

Chapter 2: Overview of Industrial Control Systems

Delving into the intricacies of ICS, this section provides insights into their types, operations, historical evolution, and unique security challenges.

Chapter 3: Risk Management and Assessment

Focusing on the importance of risk assessment for ICS, this chapter introduces methodologies for spotting, evaluating, and mitigating inherent cyber risks within these vital systems.

Chapter 4: ICS Security Program Development and Deployment

Organizations are guided on crafting and rolling out a robust ICS security program. Topics like strategic planning, policy formulation, and security awareness are addressed.

Chapter 5: ICS Security Architecture

Here, best practices and recommendations for designing and implementing a sound security architecture for ICS are discussed, ensuring protection against potential threats.

Chapter 6: Applying Security Controls to ICS

This chapter delves into the practical application of security controls in ICS environments. It examines how these controls can be tailored to effectively safeguard these specialized systems.

Appendix:

The document also features numerous appendixes providing additional information on various ICS safety topics, such as case studies, definitions and references.

What was updated in 2021?

NIST regularly revises its standards, such as SP 800-82, to address technological advancements and new threats, incorporate feedback, adopt improved methodologies, and align with other international standards or regulations. These are the elements incorporated in the 2021 update:

  • Expansion in scope of SP 800-82 from industrial control systems to control systems in general
  • Application of new cybersecurity capabilities in control system environments
  • Development of guidance specific to small and medium-sized control system owners and operators
  • Updates to control system threats, vulnerabilities, standards, and recommended practices
  • Updates to the control system Overlay
  • Removal of material from the current document

CIS Controls for ICS (Center for Internet Security)

What does the document cover?

The document was written by the Center for Internet Security (CIS), a non-governmental organization specializing in information systems security. The document proposes a list of controls, designed and recommended by security teams, including specific security measures aligned with regulatory requirements, to secure industrial control systems.

Although not linked to certification, the "CIS Controls for ICS" are recognized across the industry as sound guidelines for reinforcing the security posture of industrial systems, and are therefore used by a wide range of industries.

How is the document structured?

The document details 18 controls, previously 20 in the 2019 version, each of which is broken down into sub-controls.

In the 2019 version, version 7.1, controls are categorized into three groups: basic, foundational, organizational.

In 2021, in response to the evolution of modern threats targeting systems and software, CIS launched version 8 of its controls. This update was prompted by the proliferation of cloud computing, virtualization, mobility, increased outsourcing and the move towards remote working, as well as new attack methodologies.

Furthermore, controls were previously based on specific roles, but this approach has become obsolete. In version 8, CIS has restructured controls according to tasks and actions, moving away from designations linked to device management. The focus is no longer on individual devices and fixed perimeters, but on a broader perspective of safety. This evolution in version 8 has not only changed the terminology and categorization of protective measures, it has also streamlined controls, reducing their number from 20 to 18.

This new version of the standard features 18 controls divided into several sections:

  • An overview of the control
  • Why this control is critical
  • Tools and procedures
  • Safeguards: each safeguard has a short description and is categorized by asset type (applications, data, network, etc.) and security function (protect, detect, respond, identify).

What are the implementation groups within the document?

Implementation groups are used to guide organizations through an incremental approach to security. Instead of trying to implement all controls at once, which can be overwhelming and often impractical, organizations can focus on a subset of controls that match their specific risk profile, resources and cybersecurity maturity.

  • Implementation group 1: This group primarily targets smaller organizations or environments with a low risk profile. The controls in this group are foundational and address the most common and pervasive threats.
  • Implementation group 2: Aimed at medium-sized organizations or those with a moderate risk profile.
  • Implementation group 3: Designed for larger organizations or those operating in high-risk environments, perhaps due to the critical nature of their operations or the sensitive data they handle.

Specific OT standards for particular industries:

NERC CIP (Critical Infrastructure Protection)

The North American Electric Reliability Corporation (NERC) formulated the Critical Infrastructure Protection (CIP) standards to address the escalating cyber and physical vulnerabilities within the electric utility sector. Given the indispensable nature of electricity in contemporary society and the profound ramifications of its interruption, the CIP standards are designed to fortify the security and resilience of North America's primary electric network.

The NERC CIP mandates offer a robust framework to shield essential electrical assets from a spectrum of threats, encompassing both digital and tangible cyber risks.

API 1164 (Petroleum Industry)

Recognizing the need to strengthen cybersecurity in the pipeline industry, API wrote the first version of API 1164 in 2014.

The standard applies to pipeline systems used for transportation, including the supervisory control and data acquisition (SCADA) systems, distributed control systems, and other types of industrial control systems.

The primary objective of API 1164 is to establish levels of cybersecurity controls to protect pipeline operations. It provides a framework for the development, implementation, and management of a cybersecurity program for pipelines.

ISA-95 (Manufacturing Industry)

Seamless integration of IT and OT systems in a manufacturing setting is crucial for enhanced efficiency, superior product quality, and prompt decision-making; ISA-95 standardizes this process, ensuring cohesive interoperability across various systems.

ISA-95, written by ISA, is focused on the integration between enterprise systems (like ERP) and control systems used in manufacturing and production. The goal of the standard is to provide consistent terminology and a standardized model for integrating the enterprise systems and control systems.

RTCA DO-326/ED-202 (Aerospace Industry)

The Radio Technical Commission for Aeronautics (RTCA) and the European Organization for Civil Aviation Equipment (EUROCAE) jointly introduced the RTCA DO-326/ED-202 standards to address emerging cybersecurity vulnerabilities in the aerospace domain. Acknowledging the paramount importance of flight safety and the mounting complexities of modern aviation systems, these standards endeavor to strengthen the cybersecurity framework for airborne systems and equipment.

The RTCA DO-326/ED-202 guidelines present a comprehensive blueprint that endeavors to safeguard aviation hardware and software components from a variety of cyber threats, ensuring both safety in the skies and the integrity of aviation data.

Conclusion:

The integration of Operational Technology (OT) and Information Technology (IT) brings forth both vast potential and cyber security complexities. Adhering to OT compliance is not merely a necessity; it represents organizational foresight, blending security, operational efficiency, and stakeholder trust.

Through the lenses of major OT compliance frameworks like ISA/IEC 62443, NIST SP 800-82, and CIS Controls for ICS, it's evident that embracing these standards signifies compliance with regulatory requirements and represents more than security: it's an emblem of organizational commitment to innovation and resilience.

About Trout Software

Trout Software has developed tools to enable business and IT teams to strengthen the cybersecurity of their environments - both IT and OT - and to accelerate their certification processes (documenting security policies and collecting evidence). The company is based in France with offices in Dublin and New York, and works with customers such as Thales, Orange and Signal Iduna.
