Professional Documents
Culture Documents
Cybersecurity
and Operational
Technology
Abstract
As industrial control systems (ICS) cybersecurity breaches continue to increase,
the consequences arising from inadequate protection of information have become
an important executive management issue. It follows, then, that the convergence
of information technology (IT) and operational technology (OT) has become a
business imperative.
This white paper is a joint investigation by ISACA and the International Society
of Automation (ISA) to explore the critical issue of securing Industrial Systems/
Industrial Internet, given that cybersecurity is more IT-focused than OT. How do
we bring cybersecurity into OT and begin to secure those systems?
www.isaca.org/cyber
Introduction
As industrial control systems (ICS) cybersecurity breaches continue to
increase, the consequences arising from inadequate protection of
information have become an important executive management issue. It
follows, then, that the convergence of information technology (IT) and
operational technology (OT) has become a business imperative.
One example of a recent (and significant) attack was revealed in January
2016, when the Computer Emergency Response Team of Ukraine (CERT-UA)
confirmed global suspicion that the previous months power outage across
several western Ukrainian regions was caused by a malicious attack that left
more than 57 power stations in a blackout state. In excess of 230,000
residents were left without power and heat on a cold December day while
employees at the power substation were helpless to mitigate the action.
Although the power was not out for long, the impact of the attack was felt for
months after the initial problem resolution: The attackers had overwritten
firmware on critical devices at myriad substations, which necessitated
manual handling of remote activities that had previously been automated.
The attack was well staged and sophisticated. Attackers gained control of
operators credentials and locked them out while they shut down controllers.
The attack likely took extensive planning and funding and has not been
positively attributed to a single organization as of the date of this publication.
The Ukraine suspects a nation-state threat actor, but the activity could have
been carried out by one or many threat actors at different points. While the
attack caused major disruption in service to thousands of Ukrainian
residents, it could have been much worse.
According to recent surveys, attacks on ICS are on the rise. Dells 2015
Security Annual Threat Report1 showed that attacks doubled from 2013 to
2014. The ICS-CERT Monitor2 reported that just over half of reported
incidents in the US in 2014 arose from advanced persistent threats (APTs),
while the other 45 percent sourced from cybercriminals, hacktivists and
malicious insiders. Attacks on critical infrastructure and the supervisory
control and data acquisition (SCADA) systems that monitor and gather data
on equipment in real time to remotely control equipment and conditions
may be increasing due to the lack of alignment between OT and IT. IT
and OT have traditionally been separated and managed with different
objectives, protocols, governance models and standards, but increased
usage of IT is forcing enterprises to examine whether convergence could
help to provide a more holistic cybersecurity solution.
1 Dell, 2015 Dell Security Annual Threat Report, USA, 2015, www.sonicwall.com/docs/2015-dell-security-annual-threat-report-white-paper-15657.pdf
2 US Department of Homeland Security, ICS-CERT Monitor, USA, September 2014 February 2015,
https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf
Defining OT and IT
While IT is responsible for the systems that collect,
transport and process data that provide information to the
business, OT generally comprises the systems that handle
the monitoring and automation of ICS through SCADA
systems attached to distributed control systems (DCS),
programmable logic controllers (PLCs), remote terminal
units (RTUs) and field devices. According to Gartner, OT
is hardware and software that detects or causes a change
through the direct monitoring and/or control of physical
devices, processes and events in the enterprise.3 ISACA
defines IT as the hardware, software, communication and
other facilities used to input, store, process, transmit and
output data in whatever form.4
Although threats to critical infrastructure have been well
documented for years, OTincluding systems like
manufacturing execution systems (MES), SCADA and
DCStraditionally was not perceived as a threat to the
infrastructure for a few reasons. Initially, due to the primary
need for real-time monitoring, OT systems could not
depend on protocols such as the Ethernet and were
simple, isolated point-to-point networks. However, over
time, enterprise networks have replaced proprietary
communication tools with protocols such as the Ethernet
and Internet protocol (IP), resulting in the erosion of
isolation. Threat actors are very familiar with open protocols
and the move to those open protocols, so whatever
security by obscurity that existed is lost.
OT and IT:
Similarities and
Differences
Historically, OT and IT have been two distinct units.
OT is focused on the automation of machines, processes
and systems within a plant, and IT focuses on the business,
operations and enterprise information systems required
to support the business. Their business objectives are not
the only difference between these two distinct systems
divisions, however. Their employees have different roles,
they frequently report to different executives and they have
different departmental cultures. Their systems are frequently
separated both logically and physically. Most notably, their
approach to and tolerance of risk differ.
When it comes to cybersecurity, IT personnel are concerned
with confidentiality, integrity and availability (CIA), with a strong
focus on confidentiality. OT personnel typically prioritize
availability, data integrity and then confidentiality (AIC). The IT
systems in ICS are internetworked systems that require the
same type of defense-in-depth strategies employed throughout
IT systems in any industry. Identifying vulnerabilities and
appropriately treating risk are paramount to protecting systems
and information assets. However, on the OT side, while
the concerns of AIC are important (with a strong focus on
availability), of primary importance is human safety.
See figure 1.
Some of the categories noted in figure 1 are problematic
when considering joint risk management approaches.
Availability, for example, is a critical category for both types
of systems, but it is especially critical in the OT space
where machines rely on availability for real-time monitoring.
Of course, availability is a critical key performance indicator
in any IT shop as well, but it is possible that when considering
risk in the context of cybersecurity, confidentiality will take
precedence over availability.
FIGURE
Differences between
IT and OT
Attribute
IT
ICS
Confidentiality
(Privacy)
High
Low
Message Integrity
Low-Medium
Very High
System Availability
Low-Medium
Very High
Authentication
Medium-High
High
Non-Repudiation
(Proof of the integrity
and origin of data)
High
Low-Medium
Time Criticality
Days Tolerated
Critical
System Downtime
Tolerated
Not Acceptable
Security Skills/
Awareness
Usually Good
Usually Poor
35 years
1525 Years
Interoperability
Not Critical
Critical
Computing
Resources
Unlimited
Software Changes
Frequent
Rare
Frequent Loss
of Data
Equipment
Destruction,
Inquiries
SOURCE: Joseph Weiss, What Executives Need to Know About Industrial Control
Systems Cybersecurity, International Society of Automation, 2016. Reprinted with
permission.
Convergence
While vast differences exist between OT and IT, the
replacement of legacy OT systems with IP-enabled devices
has lessened the isolation these systems once benefitted
from and significantly increased the attack surface. Physical
security of the plant floor and machinery is also frequently
controlled by IP-enabled devices and, as a result, IT security
FIGURE
SOURCE: ISA99, Industrial Automation and Control Systems Security standard. Reprinted with permission.
Conclusion
While IT and OT have traditionally been separated by
various physical barriers such as data centers, facilities
and hardware, the integration of IT systems that are
frequently IP-enabled into OT systems has increased the
need to better and more holistically manage both types of
systems. Due to connectivity to enterprise networks, the OT
systems that once enjoyed obscurity are now extraordinarily
vulnerable to cyberattacks. To better protect critical
systems, IT and OT need to work together to harmonize
processes, governance, systems and peoplein fact, a
robust cybersecurity program in an ICS environment must
include people, process and technology. Establishing
cross-functional teams to handle security of both IT and
OT will enable the enterprise to generate a more holistic
approach to cybersecurity in the ICS environment and
reduce enterprise risk. When bringing these two teams
together, it is important to consider the differences between
them and establish strong change management processes.
By harmonizing the two traditionally separate areas, both the
enterprise and the employee will enjoy the benefits of a
high-performing, cross-functional team.
7 Gilbert, B.; Em(Power)ing the Grid: Top Benefits of Converging IT and OT, Wavelengths, 9 August 2015,
http://wavelengths.freewave.com/industrial-iot/empowering-the-grid-top-benefits-of-converging-it-and-ot/
ISACA
ISACA (isaca.org) helps global
professionals lead, adapt and assure
trust in an evolving digital world by
offering innovative and world-class
knowledge, standards, networking,
credentialing and career development.
Established in 1969, ISACA is a global
nonprofit association of 140,000
professionals in 180 countries. ISACA
also offers the Cybersecurity Nexus
(CSX), a holistic cybersecurity resource,
and COBIT, a business framework to
govern enterprise technology.
Disclaimer
This is an educational resource and is
not inclusive of all information that may
be needed to assure a successful
outcome. Readers should apply their
own professional judgment to their
specific circumstances.
Reservation of Rights
2016 ISACA. All rights reserved.
Provide feedback:
www.isaca.org/CSX-merging-OT
Participate in the ISACA
Knowledge Center:
www.isaca.org/knowledge-center
Follow ISACA on Twitter:
www.twitter.com/ISACANews
Join ISACA on LinkedIn:
www.linkd.in/ISACAOfficial
Like ISACA on Facebook:
www.facebook.com/ISACAHQ
ACKNOWLEDGMENTS
ISACA would like to recognize:
Cybersecurity
Working Group
Eddie Schwartz,
Christos K. Dimitriadis
Niall Casey,
Stacey Halota,
Tammy Moskites,
CISM, Venafi, USA
Lisa OConnor,
Accenture, USA
Ron Ritchey,
Marcus Sachs,
Rosemary M. Amato
Garry J. Barnes
Robert A. Clyde
CISM,
Clyde Consulting LLC, USA, Director
Theresa Grafenstine
Greg Witte,
Leonard Ong
Rogerio Winter,
Andre Pitkowski
Gregory T. Grocholski
CISA,
SABIC, Saudi Arabia,
Past Chair
Tony Hayes
Robert E Stroud
CGEIT, CRISC,
USA, Past Chair
Zubin Chagpar
Matt Loeb
CAE,
ISACA, USA, Director
Jo Stewart-Rattray
Eddie Schwartz