Feedback from CRITIS 2021
The convergence of two worlds, OT and IT, makes the news. More and more, industrial systems are interconnected with other systems, which can be inside or outside an enterprise’s network. These new interconnections are like new doors and windows in networks and have obvious consequences. Unfortunately, reality is catching up with fiction: here, a hospital unable to take patients into care; there, planes forced to stay on the ground because of a pipeline shutdown; elsewhere, shops closed due to a cash register breakdown. Even space isn’t cybersafe!
OT - What does it mean?
For some, OT is unique and more sensitive than IT. The two most commonly cited aspects are:
OT and IT networks are more and more interconnected, linking two incompatible worlds. Really?
- The principal vulnerability of OT equipment is software obsolescence. The software or operating systems of health monitoring systems, water pump controllers or air sensors are neither up to date nor configured with system hardening. A lot of OT machines are still running on Windows XP or ME… This is due to both manufacturers and users. The former don’t offer patches, while the latter, too afraid of breaking something that works or of breaking the warranty, don’t deploy patches when they exist. This is similar to the situation in IT a few years ago…
OT networks are more critical than IT ones: shutdown, even temporarily, is not an option. Really?
- If a piece of infrastructure is essential for the functioning of a society and economy, then it qualifies as critical. For instance, it is clear that water supply, hospitals and electricity networks are crucial. If operations stop, even for a short time, lives can be affected. However, banks, financial institutions, insurers and governmental services are also concerned. Can you imagine not being able to withdraw cash or receive your social security payment?
OT is a set of multiple technologies, sometimes less standardised than IT, which often impact safety and security. However, structural similarities between OT and IT exist. Those should be used as a base to secure the whole OT and IT architecture. OT is evolving as IT did a few years ago. This evolution is rapid and is taking place in a world highly dependent on technology. It is changing the risk landscape of companies.
Interconnecting OT systems with IT increases the attack surface, just as the opening of IT networks did in the past. In other words, the number of entry points into companies is growing. The variety of technologies makes the networks more complex to supervise and control.
The devices are becoming more and more knowledgeable: your watch can transmit where you were and when, send a report to your insurance, who will use these data to adjust, in almost real-time, your insurance policy. Ensuring that customers’ connected items don’t contaminate the company’s network is one consequence while protecting the collected data is another.
As an example, the automation of cars is generating further changes in the risk landscape of vehicle manufacturers: an autonomous car is likely to make decisions, good or bad, on its own. Everyone's responsibilities must be clarified and formalised. Imagine a car being hacked and weaponised to drive into a crowd, injuring or even killing people.
These examples, far from being exhaustive, demonstrate that the most trivial objects can modify the risk landscape for companies, whether suppliers or users of technological solutions.
To conclude, IT security best practices such as those from NIST can also be applied to OT. Here is a selection of solutions to improve OT’s security level and enhance critical infrastructure’s resilience.
The first thing for the company to do is to learn from its ecosystem to understand what it needs to protect, and from whom and what.
Know the company’s value: what is valuable to the company? What makes the company valuable? The answers to these questions are specific to each organisation. It can be production line configurations, product recipes, prototypes, data, know-how, etc.
Knowing what is valuable allows us to know what needs to be protected, the conditions of defence and the most appropriate technologies.
Know the adversaries and threats: the number of hackers is increasing. They have a wide range of motivations. Know who you are up against and estimate their capacity and motivation to adapt your protection, defence, and reaction strategy.
Knowing the adversaries, how they work and what motivates them allows you to adapt your defence strategy adequately.
At the same time, a security culture must be built within the company and outside, involving everyone in security and making them accountable. It is essential for the survival of any organisation.
Promote a security culture that encompasses all safety stakeholders, whether they are active or passive. This is the airport security model, which relies on everyone to raise the alert in case of doubt or non-compliance with security rules. Continuously educate and raise awareness of the risks of revealing company information, carelessly clicking on a link, or sharing a user account.
Promote a security culture based on clear rules and principles to build up a detection and reaction force in case of attack.
Build a win-win relationship with third parties: work with manufacturers, providers, constructors to ensure that products have a good level of security and compliance from the moment they are delivered (security by design and by default). Establish a long-term relationship to ensure that these devices are maintained in security conditions by being transparent and sharing any anomalies detected and all relevant information with the third party.
Build a win-win relationship with third parties to ensure products are in excellent security conditions and aligned with needs and requirements during their life cycle.
All actions, no matter how relevant, are only efficient with an appropriate and established governance. Good governance implies clear roles and responsibilities.
Assign responsibilities: knowing and understanding the environment will make it possible to identify what falls under the responsibility of IT and OT and explain the attack paths that may cross the company's different environments. Tangible visibility of the risks of attack will enable everyone to apply appropriate security controls. With the stakeholders’ input, these controls can be suited to the technology, the organisation and the business needs.
Assign roles and responsibilities that allow everyone to feel accountable and act effectively.
Establish and promote a cross-functional organisation that views critical infrastructure as an integrated part of the business rather than an isolated and detached element. Indeed, organisational borders don’t stop hackers. The two environments can’t work smoothly without clear responsibilities between OT and IT and established and adapted communication channels. This is the recipe to reach the shared goal of security.
Establish and promote an organisation that fosters collaborative work between OT and IT teams to aim for a single, shared goal of an appropriate security level.
All these actions will contribute to improving the resilience of the company. It is only possible to react when we know we are under attack. It is only possible to adequately respond when we have prepared and practiced. All these actions have one goal: to be able to detect, understand, react, and respond to an attack.
Eraneos, as well as many OT professionals, recommends that:
- Security should be considered at the earliest phase of the project from the design of products and solutions – regardless of their nature and function. Collaborative work between experts, users and suppliers would increase flexibility and improve the average security level of companies and administrations.
- Security should no longer be an afterthought in a risk map, but a subject that makes sense to the Boards and a topic dealt with at the highest level in a way that is adapted to the company’s context to enable everyone to progress.
Eraneos supports you with its five core competencies from strategy to implementation:
- Digital Strategy & Innovation: Together with you, we develop a suitable strategy and data-based business models.
- Data Analytics & Artificial Intelligence: With Robotic Process Automation and Artificial Intelligence, we digitize and automate administrative processes.
- Project Management & Transformation: Program and project management as well as business process engineering support successful project implementations.
- IT Advisory: As experts in new technologies and platforms, we help identify how to add value to your business.
- Cyber Security & Privacy: Our cyber security specialists ensure that your data is optimally protected and secure at all times.
CRITIS 2021 aims to bring together researchers, professionals from academia, critical (information) infrastructure operators, industry, defence and governmental organisations working in the field of security of critical (information) infrastructure systems. Thus, CRITIS 2021 aims to encourage and inspire early stage and open-minded researchers in this demanding multi-disciplinary field of research.