Cyber security isn’t a business outcome. It’s a business enabler. Security by reducing risk allows business to achieve outcomes. A lot of attention is being paid to the problem of enhancing cyber security for Industrial Controls Systems (ICS) and automation. It’s a fairly simple problem: because of trends such as digitization and IT/OT convergence, ICS environments are now facing exposures to cyber risk they were never designed to handle.
This results in well-justified concerns that cyber threats can and will disrupt business processes and even result in safety and environmental problems. But it’s important to recognize that cyber security is a system property, not a business outcome. It’s not the thing that companies invest in. Rather, companies should be investing in processes such as asset and risk management, with the goal of minimizing business disruptions and safety problems.
OT Risks Are Different
Asset and risk management are mature disciplines in all phases of business, except in industrial automation, which has always managed process risk by isolation. The isolation breaks down in the face of IT/OT convergence, and this is the key gap that many companies have chosen to address.
A good approach to the problem is to recognize that IT has become expert in managing cyber risks to IT assets and creating holistic risk management programs, so let’s use those processes to manage OT risk.
But there’s an issue.
Everyone is familiar with risk as a function of threat, vulnerability, and impact. For systems, this can be thought of mathematically as a product; for organizations, as an integral. In IT-centric risk management, there are two schools of thought:
1. The first is traditional risk management where the usual path is to manage IT vulnerabilities. You patch your computers, rotate your passwords, and train your people not to click on links in emails. 2. The second is Enterprise Risk Management where vulnerabilities are expanded to include other types of “Incidents” that could have major disruption to the organization as a whole.
For OT, vulnerability management is generally less effective because systems often can’t be patched. Even worse, vulnerability analysis in often-proprietary control systems is far more difficult to do than it is for general-purpose computers and operating systems used by hundreds of millions of people.
Contain the Damage
That leaves you with impact management. And this has turned out to be the path taken by organizations that are farther ahead on the maturity curve and have decided to invest in cyber protection strategies for OT.
In IT-centric processes when we talk about impact management, this is really Incident Response. To be clear, an Incident (regardless of how you classify an incident) is going to happen. It is the “response” or, in the case of OT, the “impact management” that will determine success or failure.
A basic idea in impact management for network-connected control systems is, very simply, to contain the damage. It’s probably too much to try to prevent infiltration against relatively soft ICS environments, much less to track obscure vulnerabilities. It makes a lot more sense to recognize that breaches will occur, and instead to manage their impact and spread.
Consider a Risk Assessment
The first-line approach to this is firewalling and network segmentation (a very traditional approach). A second-line approach is adopting a Zero Trust methodology. But what is really needed is a proper Risk Assessment that helps define critical assets, define incidents and how said incidents impact those critical assets and create a proper impact management process to respond to incidents and reduce overall risk.
After proper risk and asset management processes have been implemented, companies can follow up by implementing OT protection strategies that, while simple, have the virtue of cost-effectiveness and manageability. Those are the points along the maturity curve.