Knowing the safety barriers is another important aspect of domain expertise. The example above lacks several safety features that would be mandatory in most locations. These features include having a passive pressure-relief system that works without the involvement of any digital technologies.
In many locations, it is also mandatory to have a process shutdown system comprising a control system with separate sensors, PLCs, and networks. This shutdown system intervenes to prevent the potential accident by using actuators installed purely for safety. This arrangement aims to avoid common cause failures between normal production systems and safety-critical systems. Being unaware of such systems can sometimes lead to OT security experts exaggerating, in good faith, the probability of the most severe consequences.
“So, it pays to make friends with domain experts. By involving the right domain expertise, you can get a realistic picture of the physical consequences of a scenario,” says Olsen.
Step 3: Plan responses with the industrial context in mind
As with an enterprise IT system, defending an industrial system against cyber-attack requires an incident response plan, but one that also takes the operational context into account. A key difference, though, is that for physical plants, the response plan may involve taking physical action, such as manually opening and closing valves. Obviously, this needs to be planned and exercised. If welding will be needed to handle the incident – for installing a new valve bypass, for example – coordinating with the industrial operations side has to be part of the incident response playbook.
Even attacks that do not affect OT systems directly may lead to operational changes in the industrial environment.1 “This bears lessons for us all. We need to think about how to minimize impact not just after an attack, but also during the response phase, which may be quite extensive,” says Olsen. “Scenario-based playbooks can be of immense help in planning and executing responses. The playbook should describe the scenario in sufficient detail to estimate affected systems and ask what it will take to return to operations if those systems will need taking out of service.”
The latter question would be difficult for an OT security expert to answer, he adds: “Again, you need domain expertise. In terms of the cyber incident response plan, you need information on who to contact during the response, who has the authority to decide when to move to the next steps, and so on. For example, if you need to switch to manual operations, say turning a valve, to continue with safe recovery of control system information and communications technology, this has to be part of your playbook.”
Even when viewing the challenges from an OT perspective, it is important to continue addressing the CIA triad: “We still need to ensure only authorized personnel have access to our systems. We need to ensure we protect data during transit and in storage, and we need to know that a packet storm is not going to take our industrial network down. The key message is that we need to articulate better the consequences of security breaches in the OT system,” concludes Olsen.
Summary: A three-step approach to securing OT/IT against cyber risk
Step 1: Know what you have. It is often not enough to know what IT components are in your system. You also need to know what they are controlling. This is important for understanding the risk related to a compromise of the asset, but also for planning how to respond to an attack.
Step 2: Make friends with domain experts. They can help you understand if a compromised asset could lead to a catastrophic scenario, and what it would take for an attacker to make that happen. Domain experts can also help you understand independent safety barriers that are part of the design, so that you do not exaggerate the probability of the worst-case scenarios.
Step 3: Plan your response with the industrial context in mind. Befriend and use the insight of domain experts to make practical playbooks – that may include physical actions that need to be taken on the factory floor by welders or process operators.
1 ‘Aluminum producer switches to manual operations after ransomware infection’, C Cimpanu, zdnet.com, 19 March 2019 [online]
Read more about DNV cyber security services