Operational technology (OT), as opposed to information technology (IT), has different challenges from those familiar to many cyber security professionals; historically, industrial systems have existed in silos, not connected to the Internet Protocol (IP) networks also hosting other business systems. The US Department of Homeland Security now talks about the need for “cyber physical security”, and says: “Industrial control systems were traditionally standalone systems used for automation and data acquisition… The security of all systems are jeopardised as legacy components are integrated with networked systems and made more accessible.”
Inexperience of personnel in OT security is a risk, argues John H (not his real name), a senior manager in one of the biggest international cyber security consultants: “One of the issues is, we have been sensitive to the security of IT systems for considerably longer than we have security of OT systems. From a maturity point of view, it certainly lags behind IT – there is a smaller pool of experts.” However, he adds: “There are certain generic principles about assessing cyber risks and assessing the security of systems that can be applied in both domains, whether it’s IT or OT. There’s also a community of people coming in from the safety side, because OT has a very strong safety culture.
“One aspect, which is a little bit different than IT, is introducing changes into industrial systems, especially when they’re often continuous processes. It’s that much more challenging – you may not be able to simply stop an industrial system to patch it.”
Some of the worst cyber-attacks have been caused by nation-states targeting their rivals’ critical national infrastructure (CNI). But these are not always perfectly targeted: in 2017, Danish shipping and logistics firm Maersk was one victim of an apparent ‘ransomware’ attack called NotPetya, which paralysed much of its operations – costing the firm hundreds of millions of dollars. “And that was not created to target Maersk, per se,” says John H. “It was actually part of the cyber campaign that the Russian government was targeting at the Ukrainian economy.” Around the world, law firms, oil companies, pharmaceuticals makers and even a chocolate factory in Australia were affected, at a total cost estimated at $10 billion.
SCHEMES & GUIDANCE
Britain’s National Cybersecurity Centre (NCSC), which is actually a part of GCHQ, runs the Cyber Essentials scheme: this is a way of assessing whether firms or other organisations have a basic level of cyber security in place. The certificate costs around £300, paid to one of a number of third-party certifying bodies, but this is essentially a self-certification process.
For more money, the Cyber Essentials Plus scheme covers the same elements, but the verification of your cyber security is carried out independently by your certification body. Either certificate is required if you want to do business with central government departments.
The NCSC is increasingly concerned with protecting CNI, so it has said that it will put out specific guidance for OT systems. This has yet to appear. However, the Health and Safety Executive (HSE) has published a very detailed and relevant document, ‘OG86 Cyber Security for Industrial Automation and Control Systems (IACS)’ (www.is.gd/azadiz).
The computing profession has many organisations awarding certificates of expertise, from the most general to the most specific – often focusing on a single software package. Cyber security is a relatively common subject, but it is usually related to IT; only recently have some of these bodies started to offer specific qualifications in OT cyber security.
In the US, NIST has published a comprehensive ‘Guide to Industrial Control Systems Security’ (www.is.gd/owuwik). On the subject of building a relevant team, it says: “At a minimum, the information security team should consist of a member of the organisation’s IT staff, a control engineer, a control system operator, security subject matter experts, and a member of the enterprise risk management staff.”
Similarly, the Federal Office for Information Security (BSI) in Germany has published ‘Recommendations for further education and qualification measures in the ICS environment’ (www.is.gd/utuxoy), which emphasises the need for cooperation between experts in different areas, and for tailored training for management, plant staff and office-based staff.
German-based standards organisation TÜV Rheinland recently launched the Certified Operational Technology Cybersecurity Professional Program, “aimed at improving the quality of industrial cybersecurity”. This certificate is a relatively high-level qualification, requiring:
●a minimum of 10 years’ experience in cyber security (including five years in leadership roles)
● a Bachelors degree with honors in engineering or technology
● a Masters degree or Engineering Doctorate (EngD) accredited by a professional engineering institution
● submission of a relevant, structured case study
● an interview and technical examination.
A more achievable option might be TÜV Rheinland’s CySec Specialist certificate. This requires:
● Around three years’ business experience in safety or security of industrial controllers
● A technical education/training or degree (Diploma, Bachelor’s or Master’s) as an engineer, computer scientist, or physicist, for example
● Completion of a four-day training course, with an exam at the end.
A NEW AREA
Alternative qualifications come from the USA-based ISA (International Society of Automation), which developed the globally-recognised ISA/IEC 62443 series of standards, designed “to provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS)”. The ISA provides a series of four training certificates based on these standards, from Cyber Security Fundamentals Specialist to Risk Assessment Specialist, Design Specialist and Maintenance Specialist. Those who gain all four certificates are designated as ISA/IEC 62443 Cyber Security Experts.
Each certificate is skills-based, involving a multi-day classroom course or an online course, followed by a formal exam (there are UK test centres in London and Salford). However, ISA says “it is highly recommended that applicants have at least three to five years of experience in the IT cyber security field with some experience in an industrial setting – specifically with at least two years of experience in a process control engineering setting”.
GIAC is another certifying body with relevant and targeted subject areas, including GICSP (Global Industrial Cyber Security Professional), GRID (GIAC Response and Industrial Defence) and GCIP (GIAC Critical Infrastructure Protection). However, these certificates are awarded after passing a single exam, with no particular requirement for specific training or experience. Finally, ISACA is another international IT certification agency, but it does not offer any specialist qualifications in OT or industrial cybersecurity.
Concludes John H: “Cyber physical remains a relatively new area for security professionals to focus on. It’s a smaller market for the professional, and requires a combination of skills combining IT security knowledge with OT and ICS insight, including safety. It is certainly not the case that all IT or cyber security professionals will be able to effectively define controls for OT.”
BOX OUT: Where do threats to OT come from?
In June, the German Federal Office for Information Security (BSI) identified the top 10 cyber security threats to Industrial Control Systems (www.is.gd/ezanup). Of these, the top four reasons are all on the rise since a similar survey in 2016.
1 Infiltration of malware via removable media and external hardware
2 Malware infection via Internet and Intranet
3 Human error and sabotage
4 Compromising of extranet and cloud components
5 Social engineering and phishing
6 Distributed denial of service attacks
7 Control components connected to the Internet
8 Intrusion via remote access
9 Technical malfunctions and force majeure
10 Compromising of smartphones in the production environment