This position is also available in:
Written by Or Shalom
OT (operational technology) networks present a security challenge for cybersecurity managers. Such networks are kinetic networks in different sectors, such as the energy industry, production lines (cars, robotics, food, pharmaceuticals, armaments). They act as operational networks, anchored in command and control systems (e.g. baggage carousel at the airport), structural systems and BMS (Building Management Systems) which are entrusted, among other things, with security and resident safety, etc. Operational complexity and security threats require preparations, tools for maintenance and business continuity, and the ability to recover quickly from cyberattacks in OT sectors and production lines. These are the main focus of this article. When planning preparedness, you need to consider multiple layers of support: organizational policy, risk mapping and review procedures (as seen by the attacker) primarily based on core processes and critical areas, acquisition of devices and training programs to maintain cyber value.
First of all, we must differentiate the BCP, a term used for the continuation of an activity, in our case following a cyberattack, and the cybercrisis itself. The purpose of a BCP is to provide an ongoing business plan to ensure consistent business functionality across production lines, even after an unexpected event. From a perspective of managing the cyber crisis itself, this process will manifest itself in the containment phase where the method of crisis management and the ability to overcome the attack are mainly measures, to prevent a negative deterioration in response. attack and continue the routine work of the production line. These types of capabilities will manifest in different processes (technologies such as the ability to set and reset the PLC after an attack and return to production outlines, backup processes and return to functionality. Alternatively, use critical peripherals to replacement following an incident and more In organized and methodical processes, the possibility of switching to manual work during the production, documentation and customer registration processes.
Risk assessment – review and mapping of core processes and attacker’s perspective
There are many methodologies for mapping and examining risks in IT and OT networks. Most of the resources used for risk review should focus on systems and associated processes in the following areas: API, historical data (as database servers) and HMI it -same. Risk assessment must be conducted from the perspective of the attacker while using intelligence, and it must be designated and coordinated with the operational area and in relation to the sector itself. Even though there are established patterns in operational network attacks, there is also a difference in the attacker’s interest, motivation, skills, and knowledge. The risk management process should be comprehensive in all areas related to key operating environment topics, including supply chain risks, protocol vulnerabilities, software update issues, connectivity between devices (controls and software), risks related to supporting systems (e.g. generators), beware of external devices, mainly physical devices that could lead to computer and operational damage.
Equip critical components of production lines – as part of recovery preparations
The process of identifying critical components with respect to the cyber world is derived from the ICS – Critical Cyber Assets Identifies risk mapping process. This process aims to detect critical components in the production line itself. Production lines rely on a large number of machines, components, devices and controls, therefore the focus should be on digital devices (due to the potential for cyberattacks). A point of interest in prioritizing components is mapping those closest to IP zones as potential winners of an exploit or attack. Specifically map the components closest to the 4-5 layers (according to the Purdue model) due to proximity to organizational IT and Internet layers.
Examining the events of recent years and considering the impacts of the COVID-19 virus on operational arenas raises several inferences. For example, the need for redundancies (within the existing danger of a cybernetic stop-fight event, etc.). Another interesting fact is that the automobile industry has surprisingly brought to light a series of circumstances which led to the operational shutdown of a Japanese manufacturer and as such: dependence on a main supplier, acquisition of devices in “just in time” mode (which prevented the use of reserves and the ability to build on existing supply) and more. Despite the losses, they were able to recover within a few days of routine work and this is an interesting achievement in terms of recovery capabilities. These events demonstrate an exciting conclusion to logistical planning, equipment and aircraft reserves that allows for redundancy and the use of previous aircraft and not the event itself. The need for redundancy, a number of suppliers, and especially the need for possible cyber risk mapping procedures on the procurement schedule as part of the supplier communication process and agreement.
Optimization process in organizational management decision making – monitoring planning as decisive factor
During an active event, time works against the organization. There is often a window of opportunity that allows for the process of adjusting and preventing a worse outcome in a cyber crisis. For this, the IR team must be able to intervene and carry out an accurate forensic investigation of the event, examining the speed of spread and the appropriate consequences. The systems monitoring process is also relevant during an event in which it is possible to inspect the impact on the production capabilities of the production. The ability to plan how to monitor at different layers of supply chain networks will isolate investigations and conduct research that will support management decisions in the future. For example, legislation on layer zero monitoring processes, during an event, could guide company personnel to conclusions and decision-making regarding the continuation of production (it will allow examination of s there is a discrepancy associated with damage to physical activity). Therefore, it is right to plan the deployment of surveillance systems according to the layer (according to the Purdue model) and support management decisions accordingly triggering an event. Alternatively, improving the system and maximizing its functionality with regard to security and operational aspects.
Plan the readiness and maintenance of the dignity of the IR team
A plan for sustaining cyber value requires emergency cyber drills. These exercises must combine between the management staff and the technical staff of the organization. The involvement of the management is necessary due to the need for management and decision-making in the different sectors, for example: judicial aspects, supply line, public space, resource management, etc. This activity will help review lessons learned and actions that need to be taken for future preparations in the eyes of management following an exercise (and of course those who have experienced it firsthand). The decision-making process is complicated, the management is required to accept a quick decision, to hire the services of professionals and sometimes to enter into verbal communication with the hackers. The HYDRO steel company event is an interesting study on complex decision making and the impact it has on the business of nearly 35,000 jobs in different industries, the ability to switch to manual labor, decision related to labor and the need to recruit workers for production lines. In addition to management training and as part of the same exercise, it is necessary to activate the technical staff to ensure their ability to cope with the organization. The definition of success parameters will concern the ability to identify and follow up malfunctions, isolate the event, rapid investigation skills to limit the event, as well as the return of production lines to the activity of routine as part of the recovery process. Popular OT environment exercise focuses on ransomware events, HMI system attacks, protocol exploitation and manipulation, insider threats, breach of trust, as well as physical events and destruction IT infrastructure and systems as part of attackers’ efforts to damage IT by physical means. attack (such as the drone attack on the Aramco company). Measures of success will be derived from the ability to cross-check and detect functionality changes in controls, the ability to cross-analyze between monitoring processes, etc. , change of position, etc. Therefore, the training ladder should be categorized in such a way that conclusions and lessons learned from previous exercises can be calculated and archived. Another important aspect is the exercise friction in OT and IT networks in a method that guarantees blocking capabilities in changing arenas.
Or shalom – Security and cyber expert and consultant to government departments and defense industries, consultant in international business development for companies in the fields of HLS and cyber and leads centers of excellence and advanced training programs in Cyber and HLS for various organizations in the civilian, security, industrial, and academic sectors. He holds a master’s degree, as well as civilian and national qualifications in the field of HLS and cybersecurity. He has experience in security, innovation, planning and characterization of technological security systems, HLS and cyber readiness.