Industrial control systems (ICS) and operations technology (OT) are vulnerable to cyberthreats and vulnerabilities that target crucial industrial processes. The effects go far beyond data breaches and have the power to upend entire industries, jeopardize security and even put lives in danger. When identifying risks and factors to consider for OT/ICS environments, the following are often noted as being most critical:
- Operational downtime and productivity loss: Any successful cyberattack on OT/ICS technologies could cause system downtime and significantly reduce productivity. Delivery of goods and services to customers may be delayed because of stalled production lines. As a result, financial impacts can be significant, with losses in market reputation and investor confidence in addition to revenue losses.
- Compromised safety systems: Accidents that are extremely serious can result from a breach that jeopardizes OT/ICS safety systems. For instance, a cyberattack on the control systems of a power plant could cause power outages that would impact not only businesses but also homes, hospitals and other vital services that depend on electricity.
- Physical harm and safety Risks: Accidents and fatalities can result from a successful attack on transportation infrastructure, such as rail networks or traffic control systems. Patient safety in the healthcare industry could be put at risk by malfunctions of medical equipment controlled by OT/ICS systems.
- Environmental impact: Pipeline or chemical plant control system breaches can cause spills, leaks and other environmental catastrophes with long-term ecological and financial repercussions.
As this list shows, OT/ICS cybersecurity risks are not limited to the digital sphere. That’s why strong cybersecurity measures are increasingly necessary to reduce these risks as industries place a greater reliance on connected systems. Businesses need to understand that cybersecurity is a key component of their overall risk management strategy, not just an IT issue.
Fundamentals of risk
Following industry best practices is essential if you want to begin a journey toward proficient OT/ICS risk management (see reference links list at the end of this article to access key best practice information for further reading). But first, it’s important to understand fundamental terminology terms in the realm of OT/ICS cybersecurity, such as:
- Asset—PLCs, sensors, firmware, network switches and other interconnected parts are examples of OT system assets.
- Vulnerability—any flaw that a threat source could exploit in an information system, security protocols, internal controls or implementation process.
- Threat—any situation or occurrence that has the potential to have a negative impact on the operations, assets or personnel of an organization
Focused approach to OT/ICS risk assessment
An OT/ICS risk assessment should be overseen by a third party to ensure impartiality and draw upon the experience of industry experts. The outcomes of such assessments can vary, but they usually include:
- Asset inventory and classification: This covers connections and communication protocols in addition to hardware and software. Prioritizing risk mitigation efforts is made easier by classifying assets according to their importance, functionality and potential impact if compromised.
- Data flow mapping: The paths that information travels through in an OT/ICS environment are revealed by detailed data flow mapping. Finding potential vulnerabilities and entry points for cyberattacks is made easier by identifying the ingress and egress points of data.
- Network topology identification: This involves identifying device placements, connections, communication paths and connections to external networks. Understanding potential attack vectors is facilitated by awareness of network segments, demilitarized zones (DMZs) and external connections.
- Vulnerability assessment: This analysis identifies weak points, out-of-date software and unpatched systems. It offers perceptions into potential weak points that threats could exploit.
- Stakeholder engagement: Diverse expertise should be gathered through collaboration between various departments, including management, IT, security and OT/ICS operations. People with extensive system and process knowledge provide perspectives that enhance the risk assessment process.
By executing these initial steps, you lay a sturdy foundation for effective OT/ICS risk management. This process should be dynamic as it requires periodic re-evaluation to stay aligned with evolving threats and changes in the OT/ICS environment.
Responding to OT risks
Following an OT risk assessment, it's imperative to apply the findings to mitigate the identified risks. Maintaining the assessment as a reference point and updating it regularly ensures that risk-based decisions are consistently made and risk factors are accurately accounted for. Ongoing activities here could include:
- Systematic recordkeeping and documentation, including detailed records of identified risks, risk magnitudes and suggested mitigating actions.
- Creating security plans for operational and information systems environments, including specific security measures, IT hardware, software and service providers.
- Implementation and upkeep of security solutions, including regular authorizations and strategies for ongoing monitoring.
- Consistent risk assessment to evaluate the likelihood and potential impact of various cybersecurity risks, allowing for well-informed prioritization.
- The development of specialized threat models that address the difficulties faced by OT/ICS environments and describe potential threats and attack methods that are particular to industrial systems.
- Creation of tools and procedures for ongoing monitoring to spot changes, anomalies and security incidents while remaining vigilant in the face of changing threat landscapes.
- Enlisting an impartial third party, such as cybersecurity companies or industry experts, to supervise the risk assessment can improve objectivity.
- NIST Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments
- NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
Matt Smith is an IT/ICS network architect at E Tech Group. E Technologies Group is a certified member of the Control System Integrators Association (CSIA). For more information about E Technologies Group, visit its profile on the Industrial Automation Exchange.