One of the many challenges that can be encountered when setting out to improve Operational Technology (OT) security is determining what good looks like. I'll look at this challenge in three parts:
- gaining a clear understanding of the current situation
- determining how good the design and operations need to become
- justifying, in business terminology, the effort required to get there.
I'll explore this challenge here, as I did verbally earlier this month at NTT's ISW 2019, held in the IET's building on Savoy Place in London.
As a chartered engineer and member of the IET, it was an honor for me to present and host one of the afternoon sessions in the Haslett room of the IET's London home. The session discussed securing businesses through digital transformation, and included excellent presentations from Nozomi Networks, Fortinet and LogRhythm.
As part of my introduction to the session, I tried to link three of my interests into one concept: athletics, instrumentation and control engineering, and OT security. Bear with me!
First of all, earlier this month I watched Mutaz Barshim win a thrilling high jump contest at the 2019 World Athletics Championships, soaring over the bar set at 2.37m in front of a home crowd, just months after sustaining a potentially career-ending ankle injury. An amazing performance. There is no other tenuous link; my first point is simply about the concept of setting the height of a bar, or setting a target, and knowing how high to set it.
Second, with ISW 2019 held in the IET building, I was thinking back over the engineering methodology I used as a safety systems engineer. I used historical data to help estimate reliability and therefore how well to design and maintain a safety system. As a team, we'd gather this data from manufacturers, from independent sources, from our own operating experience and from others via collaboration across the industry. Once that data was validated and trusted, it helped to form the justification for the design and operation: does the system need to be dual or triple redundant, for example, and how often do we need to proof-test it? This process is vastly more complicated if software justification has to be included, but I'll exclude that here for simplicity.
So my second point: the concept of using an ever-expanding data source to help with justification and decision making.
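To make the safety-engineering side of that analogy concrete, here is an added example (my illustration, not part of the original post or any standard's reference code) of the decision it describes: given a dangerous undetected failure rate taken from validated historical data, how much redundancy does the safety function need, and how long can the proof-test interval be, to clear a target Safety Integrity Level? It uses the IEC 61508-6 simplified low-demand PFDavg expressions for 1oo1, 1oo2 and 2oo3 architectures with a beta-factor common-cause term, and assumes all dangerous failures are undetected and repair time is negligible. The failure rate, beta factor and candidate test intervals are constructed values, not data from any real system.

```python
"""Added example (not from the original post): the IEC 61508-6 simplified
low-demand PFDavg formulas used to decide how much redundancy a safety
function needs and how often it must be proof-tested to reach a target SIL.
All failure-rate and interval values below are constructed, not measured."""

# Simplified low-demand average probability of failure on demand (IEC 61508-6,
# Annex B), under these assumptions: every dangerous failure is undetected
# (lambda_DD = 0), repair time is negligible against the proof-test interval,
# and common-cause failure is modelled with a single beta factor.
# lambda_du is the dangerous undetected failure rate per hour and t_hours is
# the proof-test interval in hours.
ARCHITECTURES = ("1oo1", "1oo2", "2oo3")   # ordered from least to most hardware


def pfd_avg(architecture: str, lambda_du: float, t_hours: float, beta: float = 0.1) -> float:
    lt = lambda_du * t_hours            # expected dangerous undetected failures per interval
    if architecture == "1oo1":
        return lt / 2                   # single channel: no common-cause term applies
    ccf = beta * lt / 2                 # common-cause term shared by the redundant forms
    if architecture == "1oo2":
        return (lt ** 2) / 3 + ccf
    if architecture == "2oo3":
        return lt ** 2 + ccf
    raise ValueError(f"unknown architecture {architecture!r}")


def sil_band(pfd: float) -> int:
    """Map a low-demand PFDavg to its IEC 61508 SIL band (0 = below SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4   # 1e-5 <= pfd < 1e-4 is SIL 4; the claim is capped at SIL 4 below that


def choose_design(target_sil: int, lambda_du: float, intervals_hours, beta: float = 0.1):
    """Return the (architecture, proof-test interval) pair that meets target_sil
    with the least hardware and the longest interval; intervals_hours must be
    sorted longest first. Returns None if no candidate clears the target."""
    for arch in ARCHITECTURES:
        for t in intervals_hours:
            if sil_band(pfd_avg(arch, lambda_du, t, beta)) >= target_sil:
                return arch, t
    return None


if __name__ == "__main__":
    # Constructed inputs: a trusted-data estimate of 1e-6 dangerous undetected
    # failures per hour, a 10% beta factor, and test intervals of 3y, 2y, 1y, 6mo.
    lambda_du = 1e-6
    intervals = [3 * 8760, 2 * 8760, 8760, 4380]
    for arch in ARCHITECTURES:
        for t in intervals:
            pfd = pfd_avg(arch, lambda_du, t)
            print(f"{arch}  T={t:>6}h  PFDavg={pfd:.2e}  SIL {sil_band(pfd)}")
    for target in (2, 3, 4):
        print(f"target SIL {target}: {choose_design(target, lambda_du, intervals)}")
```

With these inputs a single channel tested every two years already clears SIL 2, SIL 3 needs a 1oo2 pair tested every two years, and SIL 4 is unreachable at any interval because the common-cause term puts a floor under every redundant architecture. That floor is the practical lesson: beyond a point, more hardware buys nothing, and only better data (a lower beta, or a lower failure rate from diverse or better-maintained equipment) can move the bar, which is exactly why the shared, validated data set matters.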
Third, I've been reading through the excellent book "Solving Cyber Risk: Protecting Your Company and Society", which works through examples of assessing the total impact, in business terms, of a cyber attack on an organization. This ever-increasing body of cyber impact analysis data can help justify the improvements required to reach a target, and also help determine what that target needs to be, i.e. how high to set the bar in the first place.
Targets for OT security, both technical and organizational, are nothing new; IEC 62443 Security Levels, IEC 62645 Security Degree definitions, C2M2 Maturity Indicator Levels, etc. Making the required technical and organisational improvements to reach these targets requires change, almost certainly requiring justification via a business case.
Using this emerging and historical data can make the business case more convincing, and more specific to the organization in its own business context, so as to avoid or minimize the impact of loss of production, loss of revenue, loss of reputation etc. This tied in well with the point made by Daniel Eitler from BMW in ISW's keynote morning session: "Cybersecurity is a priority at BMW, it is what differentiates us from other companies". Even though being secure is good for business, it still requires justification.
Nothing I have written here is new. I'm not taking credit for Barshim's winning jump, for decades of engineering good practice, or for the work of Coburn, Leverett and Woo in "Solving Cyber Risk: Protecting Your Company and Society". However, by simply linking these concepts together, it is my hope that something resonates with you, and is of use in helping to address some known challenges:
- lack of investment for cybersecurity
- difficulty in communicating cyber risk to the board
- difficulty in assessing risk across numerous complex systems performing important business functions.
Finally, linking back to ISW's key theme of smart society and digital transformation, the event covered a range of topics and technologies: cloud, IoT, IT, IIoT and OT. With all these technologies available to businesses, it can be difficult to manage, plan, assess and prioritize all these complex systems in terms of cyber risk.
So my final thought is to use one more concept from safety system engineering practice: focus on functions first, systems second, technology third. Keeping sight of the importance to a business of the functions that OT provides (for example, generating electricity, or protecting workers and the public) can help determine how well the systems need to be designed and operated, and therefore how well they should be secured. In other words: how high to set the bar, how much effort is required to reach it, and how to measure progress in getting there.
If you look through the "What's your security challenge?" tab at the top left of NTT's blog site, you'll see that this is the general approach NTT provides for the development of security programmes; assess the current situation, determine the target state, and develop a roadmap to achieve that target state.
The threat landscape will change, the build-up of historical cyber impact data will (unfortunately) continue, and therefore the setting of the bar may need adjusting. However, once that roadmap is set and understood, at least the delta will be known, and measurable.
By applying risk management principles to cyber security, non-technical leadership gains a greater understanding of the types of threat, the level of threat, and the level of investment needed to fortify the organization against attack.