Energy and utility service providers around the world are constantly exploring new methods to improve the security of their operations.
For many, current security efforts are revolving around the recent convergence of OT and IT operations. This convergence of OT and IT is providing better control over operational processes and helping managers make better decisions to improve operational reliability, safety and profitability. However, there are many cybersecurity risks resulting from OT/IT convergence that are threatening the newly connected operational infrastructure of energy and utility service providers.
For others, especially in the US and EU, the driver to improve security is a growing range of regulatory and compliance requirements.
Mitigating the risks of a cyberattack is an involved process that entails obtaining full visibility of all distributed assets, securely connecting every asset and protecting each with current patches and antivirus signatures, while remaining able to identify vulnerabilities and policy violations. This ongoing process involves hardening the security controls around the IT, ICS and SCADA platforms and requires close cooperation between the IT and OT departments as well as between the corporate office and remote facilities.
This long process starts with creating full visibility and conducting a complete inventory of the assets on the operational network. In order to create an effective OT security strategy, a baseline understanding of all equipment and devices along with the knowledge of how they are configured and connected is required.
On a compliance level, for utilities in the North American bulk electric system market, NERC-CIP v5 requires covered entities to identify and categorize critical cyber-assets and regularly perform a risk analysis of those assets. Furthermore, regulated entities must implement a policy and process for monitoring and changing the configuration of critical assets and for documenting the changes as an audit trail.
Baselining the operational network
Mapping all the assets is the first step towards end-to-end visibility, but getting this complete inventory is far easier said than done. Collecting an accurate accounting of hardware and software configurations, services and applications that are running, status of device patches and antivirus software, inventory of open ports and more, is required as part of this baseline. What's more, the organization needs to gain a consolidated view of all assets across the entire enterprise, including each and every distributed and remote facility.
If done manually, creating a complete asset map is a time-consuming and repetitive process that is prone to mistakes. Also, a manually created inventory map will likely be out of date as soon as it is finished. Operational networks are dynamic environments in which new devices are constantly being added. Accordingly, asset discovery and mapping, with every change from the baseline documented and incorporated into a revised inventory, is a process that should be automated.
Asset inventory challenges
There are many challenges in conducting asset discovery in an OT environment.
For example, the older equipment still used by energy and utility service providers was not designed to communicate with network probes. As a result, these assets must be discovered with non-obtrusive techniques in order to avoid disrupting their availability.
Today, most plants connect their industrial controllers to host machines that operate on either a Windows or a Linux operating system. For such assets, an active scan can be used to ping an IP address to determine if a device is actually there. If the device responds, a scanner can connect to the host device to collect the necessary information, including the machine type, its operating system version, configuration details of the hardware and software, status of the antivirus software and so on.
The host machines that control the ICS controllers are typically stable enough for an active scan. These devices are often the source of malware infections, which can spread to the controllers and industrial machines. This is why it is essential to always know what vulnerabilities might exist on the host machines and to establish an ongoing security routine to patch and protect these devices.
The PLCs on the ICS side of the network are highly sensitive to pings, probes and network traffic, which precludes using active scanning methods. Therefore, a passive approach is required to not only detect and identify the devices, but also to understand what they communicate with and how. Even this is a challenge because the decentralized nature of ICS traffic flows, alongside the lack of capability of legacy network equipment, make the use of standard passive scanning technologies difficult. However, less intrusive technology involving traffic analysis can help to fully discover and identify these sensitive devices.
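The two discovery modes described above (active scans for Windows/Linux hosts, passive traffic analysis for PLCs) and the automated baseline comparison called for earlier can be illustrated together. The following is an added example, not NextNine's product code. It assumes flow summaries of the form (source IP, destination IP, destination port) as a SPAN-port collector might produce; the flow records and the baseline are constructed for the example, and the port-to-protocol mapping uses the standard server ports for Modbus/TCP, S7comm, EtherNet/IP and DNP3. The code classifies each device from the protocols it answers on, marks controllers as passive-only so an inventory job never probes them, builds a map of who talks to whom, and reports what has changed since the last baseline.

```python
"""Passive OT asset discovery with scan-method tagging and baseline diff.

Added example (not from the original article or from NextNine). Flow records
and the baseline below are constructed sample data.
"""
from collections import defaultdict

# Standard server ports for common industrial protocols.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}
# Ports that indicate a general-purpose Windows/Linux host rather than a PLC.
HOST_PORTS = {22: "SSH", 135: "MS-RPC", 445: "SMB", 3389: "RDP"}

# Constructed flow summaries: (source_ip, destination_ip, destination_port).
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.20.1.50", 502),    # HMI host polling a PLC over Modbus
    ("10.20.1.10", "10.20.1.51", 102),    # same host talking S7comm to a second PLC
    ("10.20.1.11", "10.20.1.50", 502),    # engineering workstation polling the PLC
    ("10.0.5.7",   "10.20.1.10", 3389),   # corporate jump host RDP into the HMI
    ("10.0.5.7",   "10.20.1.11", 445),    # file share access to the workstation
    ("10.20.1.12", "10.20.1.52", 44818),  # host and PLC that are absent from the baseline
]

# Constructed baseline from a previous discovery run (one asset has since vanished).
BASELINE = {
    "assets": {"10.20.1.10", "10.20.1.11", "10.20.1.50", "10.20.1.51", "10.0.5.7", "10.20.1.60"},
    "conversations": {
        ("10.20.1.10", "10.20.1.50", "Modbus/TCP"),
        ("10.20.1.10", "10.20.1.51", "S7comm"),
        ("10.20.1.11", "10.20.1.50", "Modbus/TCP"),
        ("10.0.5.7", "10.20.1.10", "RDP"),
        ("10.0.5.7", "10.20.1.11", "SMB"),
    },
}


def discover(flows):
    """Build an asset inventory and a communication map from flow records.

    Returns (assets, conversations) where assets maps an IP to its class
    ("controller", "host" or "unknown") and the protocols it answers on, and
    conversations is a set of (src, dst, protocol) triples.
    """
    assets = defaultdict(lambda: {"class": "unknown", "protocols": set()})
    conversations = set()
    for src, dst, dport in flows:
        if dport in ICS_PORTS:
            proto = ICS_PORTS[dport]
            # A device answering an industrial protocol port is a controller.
            assets[dst]["class"] = "controller"
            assets[dst]["protocols"].add(proto)
        elif dport in HOST_PORTS:
            proto = HOST_PORTS[dport]
            # Never downgrade a known controller on the strength of one flow.
            if assets[dst]["class"] != "controller":
                assets[dst]["class"] = "host"
            assets[dst]["protocols"].add(proto)
        else:
            proto = f"tcp/{dport}"
        # Anything initiating a connection is at least a host until proven otherwise.
        if assets[src]["class"] == "unknown":
            assets[src]["class"] = "host"
        conversations.add((src, dst, proto))
    return dict(assets), conversations


def scan_plan(assets):
    """Decide the discovery method per asset: only hosts may be actively scanned."""
    plan = {"active-ok": [], "passive-only": []}
    for ip, info in sorted(assets.items()):
        key = "active-ok" if info["class"] == "host" else "passive-only"
        plan[key].append(ip)
    return plan


def diff_baseline(baseline, assets, conversations):
    """Report new and missing assets and new conversations relative to the baseline."""
    current_ips = set(assets)
    return {
        "new_assets": sorted(current_ips - baseline["assets"]),
        "missing_assets": sorted(baseline["assets"] - current_ips),
        "new_conversations": sorted(conversations - baseline["conversations"]),
    }


if __name__ == "__main__":
    inventory, convs = discover(SAMPLE_FLOWS)
    for ip, info in sorted(inventory.items()):
        print(ip, info["class"], sorted(info["protocols"]))
    print(scan_plan(inventory))
    print(diff_baseline(BASELINE, inventory, convs))
```

Unknown devices deliberately land in the passive-only bucket: in a plant network the safe default for anything not positively identified as a Windows/Linux host is to leave it alone. The baseline diff is what turns a one-off map into the continuous, documented change record the article argues for; run on each new collection window, its output is the list of assets and conversations that need review.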
An OT security strategy, and the efforts that follow from it, must be based on a complete inventory of assets in order to effectively protect the operational infrastructure from ongoing cyber-security risks. A baseline understanding of the devices and equipment connected to the network, how they are configured and how they communicate is an absolute must for creating a strategy and executing a plan to mitigate cyber-security risks. This is an essential process that should be automated and managed by cyber-experts at the corporate office.
Only once the energy or utility service provider has established a complete baseline understanding of its assets can it develop its OT security plan and implement hardening processes to secure its operational environment.
Shmulik Aran is CEO of NextNine, a provider of security management solutions for connected industrial control system environments.
This article is the second in a series of four articles on OT security management in the energy supply industry. The first article presented an overview of the OT security challenges faced by energy suppliers connecting their IT and OT operations and offered three recommendations for improving the security posture of connected operational infrastructure. This article and the following two take an in-depth look at each of these recommendations. The next article will provide an analysis of options for establishing secure connectivity among connected operational assets.