Many accept the principle of security risk management: you must first understand what your real assets are in order to identify the threats, vulnerabilities and risks to them.
However, from an Industrial Control Systems (ICS) perspective, this is often easier said than done. Due to the protracted evolution and complexity of these systems, organizations struggle to fully define their complete estate and its inter-relationships to determine the risks within.
The recent Ukrainian power grid hack was a stark reminder that this lack of understanding of the full picture is potentially dangerous, presenting an enormous risk to the organizations and their shareholders’ value. When expanded to encompass critical national infrastructure (CNI), this risk is potentially extended to the entire nation.
Don’t Panic!
Whilst every organization’s security posture might not be where it should be, there’s still no need to panic and certainly no rush to close off network connections to the national estate. Neither should organizations feel pressured to purchase the latest firewall, diode or encryption technology in a bid to solve the problem.
Whilst these technical innovations might be part of the eventual solution, there are a number of things that must first be done to reduce and mitigate business risk, or even to justify that the money is being spent in the right place.
There are three key elements that organizations need to establish in order to understand their risk, plan their protective approach and reduce both the threat of attack and the risk of damage.
First, the organization must determine what its objectives are, then what the key assets are that are required to deliver these objectives and finally understand the threats and vulnerabilities associated with them. Once you have this level of comprehension you have the focus needed to take the necessary steps to secure what is, to all intents and purposes, the organization’s ‘crown jewels’.
That said, looking at this in isolation can be misleading as the organization’s key assets are unlikely to be a single physical or technological service, but instead a network of systems and assets that together are critical to the delivery of the business’ objectives.
From an Operational Technology (OT) perspective, the fundamental principle is the same: you cannot mitigate risks to assets that you do not know exist, cannot locate, or whose place in the network you do not understand. For that reason, it is critical that the organization has the processes and technology to ensure that it knows what its complete OT estate looks like.
So, how do we do that?
This can be achieved at a superficial level using any one of a number of technological solutions that identify network signatures and attempt to present a picture of the OT network architecture based on this passive sensing.
This is a good starting point, as it does allow an initial basic understanding of the network architecture and, with considerable further analysis and risk evaluation, this baseline can be used to understand individual vulnerabilities and threats. What it does not give, though, is a holistic picture of the network, nor does it consider the risks associated with the interaction between physical systems and technology. By that we mean it is unable to predict what might happen if a certain process or piece of machinery were to fail, i.e. what else is connected to it and is therefore vulnerable too.
To properly appreciate the risks that are inherent in the network, it is important to understand both what the critical assets are in the business, and equally what the critical processes and networks are. This will provide a clear signpost to where key business, security and the potential safety risks exist.
This complete picture essentially begins with the creation of an extensive process map, tracking as well as mapping assets and activities across the organization. This intelligence is then shared amongst the key stakeholders, from the operational staff on the plant floor who understand the processes and objectives, to the IT team and management, so that all can collaborate to document the current interrelationships comprehensively and agree any required amendments.
Known risks can be captured at any point during this mapping activity. Once the process map is complete and everyone agrees, there should be one, or a series of, risk workshops to consider the various components and determine any and all associated risks, which are then mapped against each part of the process.
This sound understanding of the processes around the ICS environment gives businesses a much deeper understanding of their network assets and the associated control system risks, and also of how they might mitigate them, allowing countermeasure activities to be recorded and planned. This approach to understanding OT risk puts the organization in the best position to mitigate and protect itself.
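The process map, the risk workshop output and the failure-propagation question raised earlier (what else is connected, and therefore vulnerable, when a device fails) can be held in a simple dependency graph. The following is an added example, not code from the original article or from any product it describes; every objective, process, device name, risk entry and sensor observation in it is constructed for illustration. It models objectives depending on processes, processes depending on assets and assets depending on other assets, walks the graph to find everything that stops when one node fails, scores workshop risks against the processes they threaten, and reconciles a passive-sensing inventory against the map to show which observed devices nobody has accounted for.

```python
"""Process-to-asset dependency map with failure propagation and a risk register.

Added example: a toy model of the process-mapping approach described above.
All objectives, processes, device names, risks and sensor output are constructed.
"""
from collections import defaultdict

# Constructed process map. Each node lists the nodes it needs to function.
# An edge is read as "all of these are required" (no redundancy modelled).
DEPENDS_ON = {
    "objective:deliver_product": ["process:mixing", "process:bottling"],
    "process:mixing": ["asset:plc-mix-01", "asset:hmi-mix-01"],
    "process:bottling": ["asset:plc-bottle-01", "asset:hmi-bottle-01"],
    "asset:hmi-mix-01": ["asset:plc-mix-01", "asset:switch-cell-a"],
    "asset:hmi-bottle-01": ["asset:plc-bottle-01", "asset:switch-cell-a"],
    "asset:plc-mix-01": ["asset:switch-cell-a"],
    "asset:plc-bottle-01": ["asset:switch-cell-a"],
    "asset:historian-01": ["asset:switch-cell-a"],
    "asset:switch-cell-a": [],
}

# Constructed risk-workshop output:
# (node, risk description, likelihood 1-5, impact 1-5, planned countermeasure)
RISKS = [
    ("asset:hmi-mix-01", "removable media used on HMI", 4, 4,
     "media assurance check before use on OT equipment"),
    ("asset:plc-bottle-01", "shared engineering credentials", 3, 5,
     "named accounts; no shared logins"),
    ("asset:switch-cell-a", "single switch serves the whole cell", 2, 5,
     "redundant uplink; spare held in stores"),
]

# Constructed output of a passive network sensor (hostnames only).
OBSERVED_HOSTS = ["plc-mix-01", "hmi-mix-01", "plc-bottle-01",
                  "hmi-bottle-01", "switch-cell-a", "eng-laptop-07"]


def dependents_of():
    """Invert DEPENDS_ON so the graph can be walked from an asset upwards."""
    rev = defaultdict(set)
    for node, deps in DEPENDS_ON.items():
        for dep in deps:
            rev[dep].add(node)
    return rev


def impacted_by(failed):
    """Every node that stops working if `failed` fails (transitive closure)."""
    rev = dependents_of()
    seen, stack = set(), [failed]
    while stack:
        node = stack.pop()
        for parent in rev.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def processes_impacted_by(failed):
    """Only the business processes halted by a failure of `failed`."""
    return sorted(n for n in impacted_by(failed) if n.startswith("process:"))


def risk_register():
    """Score each workshop risk and map it to the processes and objectives hit.

    Sorted by score, then by breadth of process impact, so the register reads
    top-down as a prioritised countermeasure plan.
    """
    rows = []
    for node, desc, likelihood, impact, countermeasure in RISKS:
        affected = impacted_by(node)
        rows.append({
            "node": node,
            "risk": desc,
            "score": likelihood * impact,
            "processes": sorted(n for n in affected if n.startswith("process:")),
            "objectives": sorted(n for n in affected if n.startswith("objective:")),
            "countermeasure": countermeasure,
        })
    return sorted(rows, key=lambda r: (-r["score"], -len(r["processes"])))


def reconcile(observed_hosts):
    """Compare what passive sensing saw with what the process map knows about.

    'unmapped' devices are on the network but in nobody's process map;
    'unobserved' devices are mapped but the sensor never saw them (wrong
    segment, powered off, or the map is stale). Both need a human to look.
    """
    mapped = {n for n in DEPENDS_ON if n.startswith("asset:")}
    observed = {"asset:" + h for h in observed_hosts}
    return {"unmapped": sorted(observed - mapped),
            "unobserved": sorted(mapped - observed)}


if __name__ == "__main__":
    print("If the cell switch fails:", processes_impacted_by("asset:switch-cell-a"))
    for row in risk_register():
        print(row["score"], row["node"], row["risk"], "->", row["processes"])
    print(reconcile(OBSERVED_HOSTS))
```

The model deliberately treats every dependency as mandatory; a site with redundant controllers or dual-homed HMIs would need an "any of" edge type, which is exactly the kind of detail the plant-floor staff in the workshop supply and a passive sensor cannot. The reconciliation step is where the two views meet: the unmapped laptop is the finding that a signature-only tool would show as just another host, and the unobserved historian is the reminder that a sensor only sees the segments it is attached to.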
However, it should not be considered the utopia or indeed the only solution that is needed to solve the challenges that control system security presents.
In addition to understanding the process risk, it is also extremely important that staff working with control systems understand what is needed from them to minimize risk and to behave in a secure manner. A comprehensive and effective training program should be developed and combined with a general communications campaign that outlines the common critical risks. Two examples: the risk posed by flash drives, so that staff understand why these devices must first be subjected to an assurance process before being used with OT equipment; and the risk from abused credentials, so that login credentials and admin accounts are never shared, even with other employees and colleagues.
Once the key processes, and the risks associated with them, are understood, organizations can then look at remediating that risk across their processes and networks. A further benefit of mapping process and risk in the approach described above is that it also allows a clear architectural picture of the ICS environment to be developed.
Having understood the process architecture, and where the critical risks to the business sit, the organization can then design and target its protective monitoring activity far more effectively.
The development of an ICS Security Operations Centre (SOC) remains an aspiration for many organizations, though it is a challenge that still eludes most. Having a clear architectural map helps the design of the SOC, so that it can focus its activity on the key areas of the organization.
Industry, government and the public increasingly recognize the role that control systems play in the delivery of our CNI, and by association understand the need to protect them. In tandem, advances are being made that allow control system risk to be better managed, and it doesn’t need to cost the earth or disrupt the operational world to ensure the safety and security of the OT environment.
There is still more work needed across the board, from precision manufacturing, transportation and logistics to the communication systems depended upon in every aspect of our lives, to ensure that the ICS SOC is truly effective, but there is much to be optimistic about.