Operational technology cybersecurity


1 Operational technology cybersecurity
A vision for the industrial sectors

2 As more industrial companies turn to digitization of their facilities to achieve greater operational efficiencies through system connectivity and improved data access, the need to focus on cybersecurity resiliency becomes even more critical to help mitigate new potential cybersecurity threats and safety issues. Operational technology (OT) cybersecurity begins with understanding the risk landscape to the industrial assets and the business. Cybersecurity offerings should only be implemented once the key risks and threats that have the greatest impact to business have been identified and prioritized.

The number of cyber incidents involving industrial control systems (ICS) reported to the DHS (Department of Homeland Security) increased by 74%, from 140 to 243, between fiscal years 2011 and

Today’s OT environment cybersecurity is governed by assessments to help identify risks and vulnerabilities. While useful to help establish a current state maturity baseline, there is a need to extend beyond assessments to have in-depth visibility in real time to the operational effectiveness of the OT environment.

4 out of 10 ICS security practitioners lack visibility or sufficient supporting intelligence into their ICS network.2

3 Information technology (IT) vs. operational technology (OT)
The key difference between IT and OT is best illustrated by how these two environments align to the InfoSec CIA Triad of Confidentiality, Integrity and Availability. IT is primarily focused on confidentiality, ensuring corporate assets are secure from being compromised, stolen or altered. Conversely, OT is primarily focused on availability and safety of the operational assets, ensuring uptime of the production line. For this reason, cybersecurity has not always been a priority in OT. However, the world of traditional information technology has morphed greatly over the years into nontraditional roles such as supporting manufacturing and process control systems. As technology advances, so too must the skill sets, roles and responsibilities of IT professionals. Companies’ heavy reliance on IT and the evolution of skill sets required to support process manufacturing has outpaced the current skill capabilities and range of IT professionals. This evolution has given rise to a new role, operational technology. The OT role focuses on the process controls required to operate the manufacturing side of the business, such as power and utility, oil and gas, automotive, manufacturing and building management systems. The differences between OT and IT can be somewhat confusing for those on either side when it comes to the specific roles each department plays within a company, but the OT department and IT department must work together to develop a company’s overall system policies as well as a cybersecurity compliance program, with both departments responsible for their side of the business. An effective critical infrastructure cybersecurity plan requires clearly defined and coordinated roles and responsibilities among OT personnel and IT personnel. However, as critical infrastructure systems and assets become more interconnected, accountability gaps as well as perceived overlaps have formed between the functional roles. 

| | Information technology | Operational technology |
|---|---|---|
| Purpose | Transaction systems: business systems, information systems, IT security standards | Control systems: control or monitor physical processes or equipment, regulatory security standards |
| Architecture | Enterprise-wide infrastructure and applications (business) | Event-driven, real-time, embedded hardware and software (industrial) |
| Interfaces | Operating systems and applications, UNIX, GUI, web browser, terminal and keyboard | Electromechanical, sensors, Windows, actuators, coded displays – PLC, SCADA, DCS |
| Ownership | CIO, finance and administrative departments | Engineers, technicians, operators and managers |
| Connectivity | Corporate network, internet, IP-based | Control networks, hardwired twisted pair and IP-based |
| Role | Supports business applications and office personnel | Supports control processes and plant personnel safety |

In many industries, focus has shifted to more regulatory compliance rather than comprehensive security. The existing federal and state regulatory environment creates a culture within businesses and industry of focusing on compliance with cybersecurity requirements instead of a culture focused on achieving comprehensive and effective cybersecurity. Cybersecurity is enhanced when IT and OT converge, and failing to address both the corporate and regulatory cybersecurity requirements can be detrimental to an organization.

4 Cybersecurity misconceptions
Common misconceptions about cybersecurity crime and risk are that these are IT issues or that cyber threats are always external. For these reasons, many in the industrial OT sectors have felt a degree of safety. However, it is a false sense of security. In fact, cybercrimes go far beyond external threats to include theft of intellectual property (IP) and extortion through ransomware.

Which industry doesn’t value its intellectual capital? After all, it is a company’s IP that gives it the competitive edge. What would happen if a competitor had access or a nation state were able to gain access to this information? A company could lose its time-to-market advantage, investment and time in ideas that were stolen and even lose market share or revenue. IP theft is a high-dollar crime and directly affects industry. A recent report from McAfee estimates the value of all IP in the US to be $12t, with an annual increase of between $700b and $800b annually, with cybercrime targeting perhaps $50b to $60b.3

The U.S. Department of State reports that IP crime can wreak havoc on business by:
- Causing billions in financial losses for rights holders and legitimate businesses around the world, and costing hundreds of thousands of jobs
- Undermining important American advantages in innovation and creativity
- Posing risks to consumer health and safety in industries as different as auto and aviation parts to pharmaceuticals and health care products
- Funding cross-border organized criminal networks through profit from trade in counterfeit and pirated products
- Hindering the economic development of countries worldwide as well as the United States4

Extortion or ransomware is another all-too-common cyber attack on industry. With ransomware, a cybercriminal loads a piece of malware onto the company’s assets, including databases and business-critical systems. The malware then seizes and encrypts company assets, rendering them useless to operate systems that control processing or manufacturing. In order to make the company assets available again, the company must pay a ransom in cryptocurrency like bitcoin. If the ransom is not paid, the assets are destroyed. Unlike IP theft, ransomware attacks are disruptive and often destructive. Ransomware attacks worldwide rose 350% in 2017, with an estimated $5b in damages reached.5

Availability and uptime are key performance indicators for any industry because when plants are not up and running, the company is not profitable. Ultimately, OT is the operational money maker and IT is the corporate money accountant.

What is the impact to a business and safety if there is a sudden unscheduled interruption?
- Loss of production and revenue due to systems being offline for an unspecified period of time
- Cost and time to repair or replace damaged systems
- Employee and public safety concerns if containment systems fail
- Impact to the business’s reputation

OT cybercrime is a global issue influencing virtually all aspects of industry. The following chart illustrates global industries affected by cyber attacks:6

[Chart, share of respondents by industry: Energy 26%; Health care 25%; Retail and wholesale; Manufacturing 22%; Infrastructure 19%; Financial institutions 17%; Automotive 15%; Professional services; Power and utilities 14%; Maritime; Communications, media and technology 13%]

Although each industry may be viewed as unique in the products it makes or the customers it serves, they all share one common item, which is the reliance on an industrial control system (ICS) to control their OT environments.

5 OT cybersecurity challenges
Like IT, OT is an environment that is defined by the technologies that comprise the networks. In OT, the technologies are typically PLCs (programmable logic controllers), SCADA (supervisory control and data acquisition), HMIs (human-machine interfaces), RTUs (remote terminal units), historians and engineering workstations. Regardless of industry type, all industrial control systems employ these various technologies. Although OT may be a new acronym for many, OT technologies such as the PLC predate modern computers by 20 years. Herein lie the primary security challenges. This can be illustrated by looking at the common industrial network profile.

Industrial OT network:
- Plants are 20 to 30 years old, operating on similar-age OT systems.
- Disparate networks are built on two or more vendor platforms.
- Vendors utilize proprietary protocols (Modbus, BACnet, PROFIBUS, Foundation Fieldbus, etc.).
- Legacy technology is commonplace, such as Windows XP.
- Newer technology is overlaid on preexisting legacy networks.
- Primary focuses are availability, uptime and safety, not security.

The strength of the OT environment is in fact its very weakness. These robust systems that have lasted more than 30 years predate many of today’s most common cybersecurity offerings. The PLCs that control assembly lines were never designed to have security software loaded onto them. In addition, the manufacturing legacy OSs were never designed to be upgraded to today’s more common Windows platforms. For these reasons, most ICS networks are and continue to be vulnerable to cybersecurity threats.

Here are some statistics to show how industry professionals think about OT security:
- 59% of industry professionals believe there is a greater risk in OT than the IT environment.7
- 67% of industry professionals believe the risk levels to ICS have substantially increased because of cyber threats.8
- 68% of oil and gas professionals report at least one cyber compromise.9
- US manufacturing accounted for 30% of cyber attacks, with automotive being the top target, followed by chemicals and pharmaceuticals.10
- 30% of all cyber attacks target OT.11
- 76% of energy industry professionals worry about a cyber attack interrupting their business operations.12
- 25% of energy industry professionals were aware that their company had been hit by a damaging cyber attack in the past year.13
- In the first half of 2017, manufacturing companies were the most susceptible to cyber threats: their computers accounted for approximately one-third of all attacks.14

With all the recent press, it is no wonder that old OT technology has become a new cyber risk focus.

Soft center with a crunchy coat

The OT cybersecurity dilemma is best visualized. The majority of OT assets are either too old and/or incompatible with many cybersecurity offerings, which can be viewed as the soft, gooey center. Since it is not realistic to secure these assets directly, they can only be protected by a crunchy, hard coat. The crunchy coating is based on a “perimeter security” strategy, utilizing today’s hardware and software point offerings, such as firewalls, IDS/IDP (intrusion detection services, prevention), data backups and access management. The point-solution approach, while effective, has its limitations in many OT environments. Before installing any cybersecurity offerings, a few questions must be addressed first.
- Do I know where the devices should be deployed for optimum protection?
- Who is going to write rules and policies?
- How will patches be supported?
- Are there personnel on staff with cybersecurity training to support and maintain the cybersecurity network?

Unless these basic operational questions can be addressed, there is little assurance to overall security effectiveness. This is where many OT cybersecurity programs falter.

6 OT cybersecurity opportunity
As illustrated above, hardware and software are only part of any effective cybersecurity program. To drive improved cyber resiliency, it is essential to have a holistic security view of people, process and technology. Only then is it possible to have the necessary visibility into potential cybersecurity threats, security risks and anomalous behavior that can impact the business.

“To see what threats you’re up against, you need visibility into all the data available from logs, packets, endpoints and threat intelligence, as well as a complete contextual view across all those sources.”15

It is equally important to have visibility of the OT cybersecurity offerings in the ICS network itself. The traditional approach to gaining visibility is through direct monitoring of the various system log and network traffic monitors. While effective, many network dark corners still exist.

[Chart: Top three threat detection challenges16. Respondents who believe they are keeping up with new threats, including zero-day threats; believe they have an understanding of the full scope of the attack; believe they have the ability to detect an attack in progress]

[Chart: How well can you correlate data from different sources?17. Not well; Well; Very well]

Data collection is critical, and the data collected is only as good as the device placement. However, as IT data collection devices tend to be active or nonpassive technologies, deploying these types of devices is incompatible with the OT environment. OT technology such as PLCs is not as robust as IT servers and active scanning or nonpassive software can easily overwhelm the devices’ limited resources, resulting in potential unwanted and unscheduled system reboots. For this reason, it is best to deploy non-active devices such as passive network taps or OT-specific virtual machines that can monitor and collect the required ingress and egress of data with no impact to the OT network.

Vision is a new approach to assess the OT environment holistically. It first collects OT-related data in a passive manner, and then correlates IT environments into a graphical model that is used to visually depict OT cyber risk, and allows an organization to visualize and prioritize resources, remediation and past performance. Many similar approaches rely on a default risk score that may not totally align with your operation or your specific cybersecurity controls or organization. The Vision approach is developed for the OT environment, taking into account that every industry is different, that no two ICS networks in a company will be the same nor will be the technology that makes up the OT environment. Vision is fully customizable considering that every company is unique and everyone has a different appetite for risk. Risk is typically a function of maturity, needs and experience and cannot be generalized.

To gain a complete and holistic view of the OT environment requires vision, the ability to not only monitor available data, but also to be able to absorb information from various data points across people, process and technology. After data collection, analysis is required not only for known issues, but also for anomalous network connections, excessive user privileges and unknown cyber threats. This analysis helps model possible routes to compromise the OT environment and prioritize critical issues that affect the business.
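
The passive collection and anomalous-connection analysis described above can be illustrated with a short added example (not part of the original presentation, and not a description of how Vision works). It parses Modbus/TCP requests as a network tap would deliver them, builds a device inventory without sending a single packet to a controller, and flags write commands from hosts outside an approved list; all addresses, frames and the approved-host list are constructed for illustration.

```python
import struct
from collections import defaultdict

# Modbus function codes that change device state (write operations).
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP request: 7-byte MBAP header followed by the function code.
    Returns (unit_id, function_code), or None if the bytes are not valid Modbus/TCP."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; the length field counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def analyse(records, engineering_hosts):
    """records: (src_ip, dst_ip, tcp_payload) tuples for requests sent to port 502,
    as copied from a tap or SPAN port. Nothing is transmitted to the OT network."""
    inventory = defaultdict(set)   # (server ip, unit id) -> function codes observed
    alerts = []
    for src, dst, payload in records:
        parsed = parse_mbap(payload)
        if parsed is None:
            alerts.append((src, dst, "non-Modbus payload on port 502"))
            continue
        unit, fc = parsed
        inventory[(dst, unit)].add(fc)
        if fc in WRITE_CODES and src not in engineering_hosts:
            alerts.append((src, dst, f"{WRITE_CODES[fc]} from unapproved host"))
    return dict(inventory), alerts

# Constructed sample capture (hypothetical addresses and frames).
ENGINEERING_HOSTS = {"10.0.1.20"}
SAMPLE = [
    # HMI polls holding registers (function 3)
    ("10.0.1.10", "10.0.1.50", bytes.fromhex("000100000006010300000000000a"[:24])),
    # Engineering workstation writes one register (function 6)
    ("10.0.1.20", "10.0.1.50", bytes.fromhex("0002000000060106001000ff")),
    # Unknown host writes multiple registers (function 16)
    ("10.0.9.77", "10.0.1.50", bytes.fromhex("00030000000901100010000102" "0000")),
    # Unknown host sends something that is not Modbus at all
    ("10.0.9.77", "10.0.1.50", b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    inv, alerts = analyse(SAMPLE, ENGINEERING_HOSTS)
    for (ip, unit), codes in inv.items():
        print(f"device {ip} unit {unit}: function codes {sorted(codes)}")
    for a in alerts:
        print("ALERT", a)
```
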

7 Vision attributes

- Rapidly provides visualized OT cybersecurity risk
- Supplies real-time and historical threat graph analysis
- Analyzes and prioritizes relevant series of threats to the OT environment
- Recommends remediation strategies based on possible compromise routes, not only based on each device
- Analyzes and prioritizes excess user privilege levels and recommends access management strategy
- Supplies configurable risk scores for alignment to business needs
- Provides customized risk metrics to your business that show risk remediation effectiveness
- Provides an economic solution with effective and efficient analysis capabilities

| Value | Vision | Other tools in the market |
|---|---|---|
| OT access visibility | Operational technology access management strategy based on privilege levels and threat analysis in conjunction with OT risk visibility | Nonexistent |
| OT risk visibility | OT passive data gathering; OT risk calculation based on possible compromised routes; Remediation recommendations based on data analytics; Risk prioritization based on threats in an OT environment | Passive data gathering; Device-based risk calculation; Remediation recommendations based on individual devices; Prioritization based on threats in an IT environment |
| OT threat visibility | OT cyber as a service customized for sensitive process, operations and safety environments | No cyber as a service for OT |

Vision is an economical solution that requires minimal data sources. Vision’s data collection does not affect the business as it is performed in a passive manner. The insights gained through Vision provide a prioritized, actionable remediation strategy that also considers business limitations. Vision focuses on mitigating business risk. It provides customized risk data of the OT environment, supplying business owners the operational data to prioritize monitoring and remediation while meeting your business needs.

The ability to understand the nature of and origin of threats provides valuable insight on where to best focus resources, planning and budget. It shows a new way to measure OT security and business risks, and as a result, you can perform a cost-benefit analysis of how effective risk remediation would be to your environment. Without cybersecurity resiliency based on visibility into the OT environment, plants are operating in the dark with little direction to resources for remediation.

8 References

1 “Cyber Security In Real Estate,” Facility Executive website, February 2016.
2 “Securing Industrial Control Systems,” SANS Institute website, systems, June 2017.
3 “Too Many Forms of IP Theft Add Up to Big Losses,” McAfee website, big-losses/, 21 February 2018.
4 “Intellectual Property Rights/Cyber Crimes,” U.S. Department of State website, htm, accessed 17 August 2018.
5 “Ransomware statistics and facts,” Comparitech website, May 2018.
6 “Global industry cyber attack victimization rate 2017,” Statista website, worldwide-2017/, 16 August 2018.
7 “Reviewing a year of serious data breaches, major attacks, and new vulnerabilities,” Automotive Industry News, autoindustrylawblog.com/wp-content/uploads/sites/8/2016/05/IBM_2016-cyber-security-intelligence-index.pdf, April 2016.
8 “The State of Cybersecurity in the Oil & Gas Industry: United States,” Ponemon Institute website, newshq.businesswire.com/files/press_release/additional/Cyber_readiness_in_Oil Gas_Final_4.pdf, February 2017.
9 “The State of Cybersecurity in the Oil & Gas Industry: United States,” Ponemon Institute website, newshq.businesswire.com/files/press_release/additional/Cyber_readiness_in_Oil Gas_Final_4.pdf, February 2017.
10 “Reviewing a year of serious data breaches, major attacks, and new vulnerabilities,” Automotive Industry News, autoindustrylawblog.com/wp-content/uploads/sites/8/2016/05/IBM_2016-cyber-security-intelligence-index.pdf, April 2016.
11 “Industrial Cybersecurity Is the Next Risk Frontier,” Powermag website, frontier/, 16 March 2018.
12 “Energy Firms Are Worried About Cyber Attacks, But Don’t Really Know What To Do,” Forbes website, mikescott/2018/03/07/energy-industry-worried-about-cyber-attacks-but-doesnt-really-know-what-to-do/#109e203c68bb, 7 March 2018.
13 “Energy Firms Are Worried About Cyber Attacks, But Don’t Really Know What To Do,” Forbes website, mikescott/2018/03/07/energy-industry-worried-about-cyber-attacks-but-doesnt-really-know-what-to-do/#3d4e87b668bb, 7 March 2018.
14 “Cybersecurity Risks for Manufacturing,” MNET website, manufacturing.net/article/2018/02/cybersecurity-risks-manufacturing, 16 February 2018.
15 “The 7 Building Blocks of Better Threat Visibility,” RSA website, threat-visibility.pdf, April 2018.
16 “The 7 Building Blocks of Better Threat Visibility,” RSA website, threat-visibility.pdf, April 2018.
17 “The 7 Building Blocks of Better Threat Visibility,” RSA website, threat-visibility.pdf, April 2018.

EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2018 Ernst & Young LLP. All Rights Reserved.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com

Contact
Tom Jackson, CISSP
Senior Manager, IoT/OT Cybersecurity
Ernst & Young LLP

