Digital transformation has made significant inroads into the energy and industrial sector. Organisations are adopting newer technologies to improve efficiencies, manage supply chains, and enable remote operations. While technology has many merits in improving time to market, it is also instrumental in achieving the sustainability vision.
Transformation, however, brings cyber threats with it. Cybercriminals, threat actors, and state-sponsored hacktivists are targeting these sectors and the whole gamut of critical infrastructure. Operational Technologies (OT) have become a lucrative target for state and non-state actors, as attacking them can disrupt operations, damage equipment, affect lives, and stall economies. Hence, protecting these technologies and improving resilience have become a matter of national security and safety.
Use of legacy systems; lack of proper network segmentation; absence of robust governance, security policies, and monitoring; and insecure remote access are leading to increased cyber vulnerabilities in OT systems. As OT assets have long life spans and some vulnerabilities persist because of legacy constraints, a different strategy is required to secure and monitor these OT systems.
“For the industrial and energy sectors, both the internal and external environment are changing rapidly. Driven by the imperative to transform their businesses, run efficiently, and support decarbonisation, digital transformation is expected to become mainstream. At the same time, the geo-political environment is getting complex, which also brings critical OT systems on the radar of bad threat actors. OT systems are, by and large, complex, and so are the repercussions of a cyber-attack. It is important to have a robust strategy in place to secure these OT systems, and not let cyber risks become an impediment in the adoption of Industry 4.0 and the whole gamut of next-gen technologies”, said Santosh Jinugu, Executive Director, Deloitte India.
The report discusses a six-point framework that can be considered by organisations to secure their OT environment:
- In-depth security assessment to establish the security posture: Amidst greenfield or brownfield digital projects, a comprehensive security assessment helps in understanding security maturity levels and existing gaps. Moreover, it provides visibility of the asset inventory across levels – field devices, process controls, supervisory systems, and the enterprise IT network. This helps in understanding the current security levels and putting the right OT security process and roadmap in place.
- Security processes, protocols, and controls: Following the IEC 62443 standards (Cybersecurity for Industrial Control Systems) across policies, management, industrial IT, products, and components is important. Security considerations include, but are not limited to, designing a secured network segmentation model and secured remote access, as well as managing privileged access, data backup, and passive monitoring for visibility of networked assets and activity. Any digital programme or third-party collaboration must have a “security-by-design” and “resilient-by-design” approach to be able to successfully mitigate risks. For products, systems, and the development lifecycle, third-party assurance certifications complying with standards such as IEC 62443-4 are imperative. Periodic risk and vulnerability assessments and audits can help take the right steps towards bolstering security, while providing the required security assurance.
- 24×7 monitoring via a robust next-gen IT-OT security operations centre (SOC)/threat intelligence centre: As the two environments converge, it is pragmatic to have a common IT-OT SOC, using specialised OT security solutions that help in asset identification, visibility, anomaly detection, and monitoring. Having custom OT-specific playbooks and use cases, and a common SOC, empowers security teams to effectively join the dots and respond faster to threats.
- Incident response and cyber crisis management plan for the OT environment: Formulating a cyber incident response and cyber crisis management plan is imperative. The plan must be reviewed regularly by the board and other stakeholders. The plan should address various scenarios affecting OT systems, including emerging threats and attacks such as ransomware. Industries should also focus on holding table-top exercises for executives to prepare them for various scenarios.
- Awareness and training: Training and awareness are crucial aspects of an OT cybersecurity strategy. They help create an in-house team of OT security specialists (for example, with expertise in PLC testing and infrastructure testing) or provide awareness and hygiene training to employees who operate systems. Training is also important to create a security-first mindset, ensuring that cybersecurity remains a key tenet of Industry 4.0 implementation within an organisation. This can also help prevent Shadow IT, which becomes a pain point in the effective management of security.
- Red Teaming: Red teaming is essential to test the resistance and resilience of OT environments and stay ahead of malicious threat actors. A robust mechanism should also be set in place to incorporate learnings, plug gaps, and enhance security.
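The asset-inventory, segmentation and passive-monitoring points above can be tied together in a small review step, shown here as an added example that is not from the report or Deloitte: constructed passive flow records are checked against a constructed asset inventory organised by the levels the article names, flagging hosts missing from the inventory and traffic that hops across non-adjacent levels. The level ordering and the adjacent-levels-only rule are assumptions for illustration, not the report's policy.

```python
"""Passive IT-OT flow review: asset visibility plus segmentation checks."""
from collections import namedtuple

# Assumed level ordering, mirroring the tiers named in the article.
LEVELS = {"field": 0, "control": 1, "supervisory": 2, "enterprise": 3}

# Constructed asset inventory: IP -> (name, level). In practice this is
# the output of the security assessment's inventory exercise.
INVENTORY = {
    "10.0.0.11": ("plc-boiler-1", "control"),
    "10.0.0.12": ("rtu-pump-2", "control"),
    "10.0.1.20": ("hmi-line-a", "supervisory"),
    "10.0.1.21": ("historian", "supervisory"),
    "10.10.5.50": ("erp-app", "enterprise"),
}

Flow = namedtuple("Flow", "src dst dport")
Finding = namedtuple("Finding", "kind flow detail")


def review_flows(flows, inventory=INVENTORY):
    """Return findings for unknown assets and cross-level hops.

    Assumed policy: traffic may only cross adjacent levels, and any host
    absent from the inventory is flagged so the inventory can be fixed
    or the device investigated.
    """
    findings = []
    for f in flows:
        src, dst = inventory.get(f.src), inventory.get(f.dst)
        for ip, known in ((f.src, src), (f.dst, dst)):
            if known is None:
                findings.append(Finding("unknown-asset", f, ip))
        if src and dst:
            gap = abs(LEVELS[src[1]] - LEVELS[dst[1]])
            if gap > 1:
                findings.append(Finding("segmentation-violation", f,
                                        f"{src[1]}->{dst[1]}"))
    return findings


# Constructed summary of what a SPAN port or TAP feed might yield.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.0.11", 502),    # HMI -> PLC, adjacent: ok
    Flow("10.10.5.50", "10.0.1.21", 1433),  # ERP -> historian: ok
    Flow("10.10.5.50", "10.0.0.12", 502),   # ERP -> RTU: skips a level
    Flow("10.0.1.99", "10.0.0.11", 502),    # unknown host polling the PLC
]

if __name__ == "__main__":
    for fnd in review_flows(SAMPLE_FLOWS):
        print(fnd.kind, fnd.flow.src, "->", fnd.flow.dst, fnd.detail)
```

Findings of either kind are what an OT-specific SOC playbook would route for triage; the unknown-asset case also feeds back into keeping the inventory current.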
Driven by the changing business priorities, regulatory environment, and the threat landscape, organisations with OT must look at embracing a cybersecurity strategy that puts OT security into perspective.