Why securing OT/ICS systems is critical
Explore 10 essential steps for effectively securing ICS/OT systems, addressing their unique challenges in this detailed guide. Read now!
This 10-Step Strategy article is designed to guide industrial companies in significantly enhancing their cybersecurity measures and ensuring their resilience.
21,000 industrial sites are at risk of closure in the next five years across Europe and North America due to escalating cyberattacks. This situation is exacerbated by the rapid integration of advanced technologies and a notable shortage of skilled cybersecurity professionals. Our white paper responds to this profound challenge with a comprehensive 10-Step Strategy, designed to guide industrial companies in significantly enhancing their cybersecurity measures and ensuring their resilience.
The scale of cyber threats targeting industrial systems has escalated to unprecedented levels. In 2022 alone, an alarming 90% of industrial organizations experienced cyberattacks, leading to significant disruptions in their production and energy supply. This worrying trend is accelerating, evidenced by an 87% increase in cyber incidents involving Industrial Control Systems (ICS) and Operational Technologies (OT) from 2021 to 2022. Forecasts suggest that these attacks might result in the shutdown of approximately 21,000 industrial sites over the next five years.
The stakes extend beyond traditional IT security, directly impacting vital infrastructures like energy and transportation. Successful cyberattacks on these systems pose not only immediate physical risks but also have the potential to inflict critical economic downtime, affecting both individual companies and national economies. In the last few weeks alone, Australian ports have been blocked, and critical infrastructure in Denmark has been badly hit, demonstrating the scale of cyber attacks on critical infrastructure.
Industrial companies are left with a few core challenges:
How can I build the foundation of my assets' cybersecurity with limited resources?
Which stakeholders, internal and external, should be involved in these projects?
How can I prioritize efforts across environments, known and unknown?
In 2023, the cyber threat landscape remained relentless, impacting businesses of all sizes, from small and medium-sized enterprises (SMEs) to large corporations. Significant incidents include:
In parallel with these hacks and disruptions, legal frameworks have been introduced. Notably, the National Institute of Standards and Technology (NIST) in the United States has published NIST SP 800-82. This document provides comprehensive guidelines for securing Industrial Control Systems (ICS), which are vital components of critical infrastructures. Additionally, at the European Union level, the Network and Information Systems (NIS) Directive has been implemented. This directive focuses on bolstering the cybersecurity of networks and information systems across the EU. It encompasses specific requirements for operators of essential services, a significant number of whom rely on ICS, thereby ensuring a more robust and standardized approach to cybersecurity in these critical sectors.
To ensure the protection of industrial environments, it is crucial to start the process with a comprehensive risk assessment. This evaluation aims to identify the assets that could be impacted by a cyberattack, including hardware, systems, laptops, data, and intellectual property.
As highlighted by NIST SP 800-82, conducting a risk assessment in the context of Industrial Control Systems (ICS) requires additional considerations that are not present when assessing the risks of a traditional IT system. Due to the potential impact of a cyber incident on an ICS, which can produce both physical and digital consequences, it is vital that the risk assessment incorporates these potential effects:
This holistic approach ensures a comprehensive understanding of vulnerabilities and of the measures necessary to enhance the resilience of industrial systems against cyber threats. We recommend using a simple matrix in these assessments, like the one below.
Example of a risk matrix of a ski resort:
🏗️ What to do:
To ensure the security of industrial environments, network segmentation is an essential step. *As defined by Tech Target, network segmentation is an architectural design that divides a network into multiple segments (subnets), each operating as a smaller, independent network.* This effective strategy allows for the restriction of traffic in or to segments based on their location, as well as controlling where traffic can and cannot flow, including based on the type of traffic, its source, and destination. This approach is crucial for limiting the spread of a malicious attack, by confining the attack to a single segment.
To effectively implement network segmentation, it is recommended to follow the guidelines of the ISA/IEC 62443 standard which introduces the concepts of “zones” and “conduits”:
The standard requires that ICS networks should be segmented into zones based on criteria such as functionality, security level requirements, and risk to specific processes. This segmentation is key to isolating systems and assets with different security needs. It emphasizes the control of data flow between zones through conduits. Data flow should be restricted and monitored to ensure that only necessary and authorized communications occur between different zones. Each zone is assigned a security level (SL), and the standard provides guidance on the types of security controls to be implemented at each level. The segmentation should reflect these security levels, ensuring adequate protection for zones with higher security requirements.
🏗️ What to do:
Network access control is a key aspect of enterprise environments, and with the increasing interconnectivity required by modern business, ICS networks face heightened risks. This interconnectivity, including operations technicians accessing machines, vendor support, and the need for business data, breaks down the old isolation of ICS networks and opens up potential vulnerabilities to unwanted or malicious traffic. This situation highlights the necessity for strong access control measures.
NIST describes access controls as the process of managing requests for information and system access. The NIST SP 800-53 standard offers practical guidance on this. It includes policies and procedures for authorizing system resource usage, managing system accounts, and handling issues such as role separation, limiting user access only to necessary information (least privilege), and managing user sessions.
To simplify, imagine team members Alice and Bob in Team 2. According to these guidelines, they are authorized to access certain assets during specific times. This kind of clear, role-specific access management is what the NIST standard aims to achieve.
Furthermore, the CIS Controls document provides an easy-to-understand set of guidelines for Access Control Management. It acts as a useful benchmark for setting up and maintaining robust access control systems in an organization.
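The role- and time-based access described for Alice and Bob above, as an added example that is not part of the original article or Trout Software's products: a policy lookup that grants access only when a rule exists for the user's team, the asset, and the current time window, denies everything else by default, and records each decision for audit. The team names, assets, accounts and time windows are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy (not from the article): which team may reach which
# asset, and during which daily window. Anything not listed is denied.
@dataclass(frozen=True)
class AccessRule:
    team: str
    asset: str
    start: time  # window start, inclusive
    end: time    # window end, exclusive

POLICY = [
    AccessRule("Team 2", "PLC-LINE-1", time(6, 0), time(18, 0)),       # day shift only
    AccessRule("Team 2", "HISTORIAN", time(0, 0), time.max),           # any time
    AccessRule("Vendor-Support", "PLC-LINE-1", time(9, 0), time(12, 0)),  # maintenance slot
]

# Constructed account directory: each user belongs to exactly one team (role).
ACCOUNTS = {"alice": "Team 2", "bob": "Team 2", "carol": "Vendor-Support"}

AUDIT_LOG = []  # every decision is kept so sessions can be reviewed later


def is_authorized(user, asset, when):
    """Return (allowed, reason) for `user` touching `asset` at `when` (datetime or ISO string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    team = ACCOUNTS.get(user)
    if team is None:
        decision = (False, "unknown account")
    else:
        rules = [r for r in POLICY if r.team == team and r.asset == asset]
        if not rules:
            decision = (False, f"no rule grants {team} access to {asset}")
        elif any(r.start <= when.time() < r.end for r in rules):
            decision = (True, f"{team} is inside an authorized window for {asset}")
        else:
            windows = ", ".join(f"{r.start:%H:%M}-{r.end:%H:%M}" for r in rules)
            decision = (False, f"{team} may use {asset} only during {windows}")
    AUDIT_LOG.append((when.isoformat(), user, asset, decision))
    return decision


if __name__ == "__main__":
    print(is_authorized("alice", "PLC-LINE-1", "2024-03-04T10:00"))  # allowed, day shift
    print(is_authorized("bob", "PLC-LINE-1", "2024-03-04T22:30"))    # denied, outside shift
    print(is_authorized("carol", "HISTORIAN", "2024-03-04T10:00"))   # denied, no rule
```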
🏗️ What to do:
Regular software updates and patch management are fundamental for cybersecurity in industrial environments. Their primary function is to address security vulnerabilities and protect against emerging cyber threats. While these updates are crucial for maintaining system integrity and reliability, especially in industrial settings where failures can lead to significant disruptions, they also enhance overall system performance and ensure compatibility with new technologies.
Incorporating software updates and patch management into traditional IT processes is essential. This approach acknowledges the unique challenges in Operational Technology (OT) systems, such as difficulty in determining what elements to update due to vendor lock-in and the reliance on older operating systems no longer supported by vendors. Despite these challenges, integrating these practices into centralized IT processes ensures a more streamlined and effective management of cybersecurity risks.
Overall, a systematic, well-documented, and responsible approach to patch management in ICS environments is vital. This approach should be integrated into the organization’s broader IT strategy, ensuring a comprehensive, secure, and efficient management of cybersecurity risks across all digital assets.
🏗️ What to do:
Enhanced security stands as the primary motivator for businesses of all sizes to educate their employees, across all levels, about the importance of safeguarding against "human exploits" and cyber attacks. The ultimate objective of this training is to establish a robust human firewall capable of countering cyber threats. This is especially pertinent considering that, according to the Verizon 2021 Data Breach Investigations Report, 85% of data breaches in 2021 were attributed to the "human element." To mitigate these risks, numerous compliance regulations, including HIPAA, mandate cybersecurity training for all employees. Additionally, certain insurance requirements also stipulate the need for such training. This emphasizes that cybersecurity is not just a technical issue but also a human one, where informed and vigilant employees play a crucial role in maintaining the overall security posture of a company.
To enhance employees' knowledge of cybersecurity, non-profit organizations such as the Global Cyber Alliance (GCA) provide comprehensive training modules. These modules are accessible to most companies, from small to large. For instance, GCA has designed a dedicated kit for small and medium-sized businesses (SMBs), which covers crucial areas like software update protocols and business security measures, development of robust passwords coupled with two-factor authentication, and strategies to safeguard the enterprise against phishing attacks.
🏗️ What to do:
In Operational Technology (OT) settings, the implementation of IDS/IPS firewall systems is essential for enhancing network visibility, identifying threats, and ensuring resilient operations. These systems, designed to monitor and analyze network traffic, are a great tool to secure industrial environments.
- Intrusion Detection Systems (IDS): These systems monitor network traffic and alert you if they detect suspicious activity or known threats. Think of IDS as a security camera, watching over your network and warning you of potential intruders.
- Intrusion Prevention Systems (IPS): These go a step further than IDS. Not only do they detect threats, but they also actively work to block them. IPS is like having a security guard who not only notices intruders but also stops them from entering.
In terms of architecture, enterprises should break from a purely perimeter-based approach to IDS/IPS and integrate these systems within the different zones and conduits defined in step 2.
Layer 5: Enterprise Zone
-------------------------
- Enterprise Network (Business and Logistics Systems)
- **IDS/IPS for monitoring and protecting enterprise-level network traffic**
Layer 4: Manufacturing Operations and Control
----------------------------------------------
- Site Manufacturing Operations Systems (Production scheduling, etc.)
- **IDS/IPS for monitoring traffic to/from lower layers and enterprise layer**
Layer 3.5: Demilitarized Zone (DMZ)
------------------------------------
- Data Historians, Middleware
- **IDS/IPS specifically for the DMZ to monitor and control traffic between the enterprise (Layer 4) and the manufacturing zone (Layer 3)**
Layer 3: Manufacturing Zone
----------------------------
- Supervisory Control Systems (SCADA, MES)
- **IDS/IPS for monitoring internal manufacturing zone traffic**
Layer 2: Area Supervisory Control
----------------------------------
- Control Systems (PLCs, RTUs)
- **IDS/IPS for monitoring communications to/from control systems**
Layer 1: Basic Control
-----------------------
- Sensors, Actuators, Intelligent Devices
Layer 0: Process
----------------
- Physical Processes (Motors, Pumps, Valves)
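The zone-and-conduit model from step 2, applied to the layered IDS/IPS placement listed above, as an added example that is not part of the original article or Trout Software's products: a small checker that maps addresses to zones, permits only declared conduits, and rates any undeclared cross-zone flow by whether it climbs to a higher security level and whether it jumps over intermediate layers such as the DMZ. The subnets, security levels, conduits and sample flows are all constructed.

```python
import ipaddress

# Constructed zone model (not from the article): (layer, IEC 62443 security level, subnet) per zone.
ZONES = {
    "enterprise":    (5,   1, ipaddress.ip_network("10.5.0.0/16")),
    "mfg_ops":       (4,   2, ipaddress.ip_network("10.4.0.0/16")),
    "dmz":           (3.5, 2, ipaddress.ip_network("10.35.0.0/16")),
    "mfg_zone":      (3,   3, ipaddress.ip_network("10.3.0.0/16")),
    "area_control":  (2,   3, ipaddress.ip_network("10.2.0.0/16")),
    "basic_control": (1,   4, ipaddress.ip_network("10.1.0.0/16")),
}

# Constructed conduits: the only (source, destination, protocol) triples allowed across a zone boundary.
CONDUITS = {
    ("enterprise", "mfg_ops", "https"),
    ("mfg_ops", "dmz", "https"),
    ("mfg_zone", "dmz", "opc-ua"),          # SCADA feeds the historian in the DMZ
    ("mfg_zone", "area_control", "modbus"),
    ("area_control", "basic_control", "modbus"),
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, (_, _, net) in ZONES.items() if addr in net), None)

def evaluate_flow(src_ip, dst_ip, proto):
    # Returns (verdict, severity, reason) for one observed flow.
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "ALERT", "HIGH", f"address outside every declared zone: {src_ip}->{dst_ip}"
    if src == dst:
        return "ALLOW", "INFO", f"intra-zone traffic in {src}"
    if (src, dst, proto) in CONDUITS:
        return "ALLOW", "INFO", f"declared conduit {src}->{dst}/{proto}"
    # Undeclared cross-zone flow: worst when a lower-SL zone reaches a higher-SL zone and skips layers.
    (src_layer, src_sl, _), (dst_layer, dst_sl, _) = ZONES[src], ZONES[dst]
    reaches_up, skips = dst_sl > src_sl, abs(src_layer - dst_layer) > 1
    severity = "CRITICAL" if reaches_up and skips else "HIGH" if reaches_up else "MEDIUM"
    return "ALERT", severity, f"undeclared flow {src}(SL{src_sl})->{dst}(SL{dst_sl})/{proto}"

def triage(flows):
    # Run a batch of (src_ip, dst_ip, proto) records and keep only the alerts.
    results = [(f, evaluate_flow(*f)) for f in flows]
    return [(f, sev, why) for f, (verdict, sev, why) in results if verdict == "ALERT"]

# Constructed sample flows, as a zone-boundary IDS sensor might export them.
SAMPLE_FLOWS = [
    ("10.5.1.20", "10.4.0.10", "https"),   # enterprise -> ops over a declared conduit
    ("10.3.0.5", "10.2.0.9", "modbus"),    # SCADA -> PLC zone over a declared conduit
    ("10.5.1.20", "10.1.0.7", "modbus"),   # enterprise straight to a field device
    ("10.4.0.10", "10.3.0.5", "rdp"),      # ops -> SCADA without passing through the DMZ
]
```

Running `triage(SAMPLE_FLOWS)` yields two alerts, one CRITICAL and one HIGH, while the two declared flows pass silently.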
🏗️ What to do:
Due to the often sensitive nature of the data processed by ICS, notably proprietary business data and personally identifiable information (PII), encryption is essential to preserve confidentiality and protect against intellectual property theft and privacy breaches in the event of cyber-attacks.
Yet, the integration of encryption within industrial environments is not without its challenges:
Addressing these challenges requires an agile approach to reviewing data flows. Mapping these flows, and which systems and conduits are involved, allows companies to validate whether data is encrypted, both at rest and in transit.
🏗️ What to do:
In Operational Technology (OT) environments, the importance of robust backups and well-crafted disaster recovery plans cannot be overstated. Essential for maintaining system uptime and safeguarding data integrity, these strategies necessitate the regular creation of secure and accessible backups. Such backups should cover data and system configuration, enabling a rapid restoration in case of a cyber incident.
On the other hand, disaster recovery planning should, according to Tech Target, describe how an organization can quickly resume work after an unplanned incident. It involves identifying and prioritizing critical systems and processes, establishing clear roles and responsibilities for disaster response, and ensuring adequate resources are available for recovery efforts. This planning should also include regular testing and updating of the disaster recovery plan to ensure its effectiveness in the face of evolving threats and technological changes. It's crucial to have a clear communication plan in place to keep stakeholders informed during and after a disaster, thereby minimizing confusion and enabling a coordinated response.
This comprehensive approach, integrating both proactive recovery planning and a structured disaster recovery plan, ensures that all critical elements of incident management are effectively addressed. This strategy not only enhances the resilience of OT environments but also bolsters the capacity of the company to respond efficiently to incidents.
🏗️ What to do:
Continuous monitoring for OT and ICS systems is essential for maintaining resilient operations. Across the 8 steps mentioned above, controls should have been identified and, where possible, automated to detect threats early. Developing a continuous monitoring strategy aligned with the organization-level strategy involves (according to NIST SP 800-53):
In more practical terms, companies should be able to answer the following questions:
We also recommend running regular penetration testing exercises to ensure that systems are secured and that automated detections are in place across assets.
🧠 🔴 Red Team Pen Testing:
🔵 Blue Team Pen Testing:
🟣 Purple Team Pen Testing:
In addition to intrusion detection systems, organizations must also conduct regular security audits in order to identify vulnerable processes before threats emerge. The goal of the periodic audit is to determine that the system is performing as intended, identify areas of optimization, and implement them. Monitoring efficacy and continuous optimization are among the pillars of most compliance frameworks, starting with ISO.
The results from each periodic audit should be expressed in the form of performance against a set of predefined and appropriate metrics to display security performance and security trends. Security performance metrics should be sent to the appropriate stakeholders, along with a view of security performance trends.
According to NIST SP 800-82, periodic audits of the ICS should be performed to validate the following items:
🏗️ What to do:
In 2022, 57% of industrial organizations faced cyberattacks, with an 87% increase year over year in incidents involving industrial systems. To tackle this growing problem, we suggest ten simple steps:
By adopting this strategy, industrial entities can significantly reduce their cyber risk exposure, maintain operational integrity, and protect critical infrastructure against the growing sophistication of cyberattacks.
Detailed list of all regulations, frameworks, and standards previously cited:
Trout Software has developed tools to enable business and IT teams to strengthen the cybersecurity of their environments - both IT and OT - and to accelerate their certification processes (documenting security policies and collecting evidence). The company is based in France with offices in Dublin and New York, and works with customers such as Thales, Orange and Signal Iduna.