Cyber Maturity in OT/ICS environments
The UAE is already racing towards a future where smart cities will bring enormous benefits to our lives. Simultaneously, this hyper-connected and constantly evolving digital world increases our threat surface by introducing blind-spots against emerging cyber threats.
In the next three years, every organisation and government entity in the UAE must ensure they are ready to meet this moment and use cybersecurity as the enabler to protect, transform and nurture our complex digital ecosystems. As we advance, CEOs and boardroom discussions must include the business risks involved beyond the typical IT/IS security posture. Decision-makers should prepare to step into understanding the bigger picture from cyber-threats that target OT environments, which most of the time are part of the nation's critical infrastructure. Established experience and expertise are crucial for performing deep-dive security assessments capable of assessing IT and OT environments against UAE IA Standards comprehensively. Digital14 is the leading company in the UAE when executing such complete, evidence-based security assessments across the spectrum of management and technical controls. Visibility-in-depth against cyber risks through the use of a measurable cybersecurity maturity scorecard becomes the 'driving force' for decision-makers towards excellence. Quote by: Joshua Knight (CyberDefence at Digital14)
Operational Technology (OT) assessments are very different and require a more tailored skillset. If the assessment is planned with an "IT-centric" approach instead of an IT/IS security mindset, it can cause a great deal of confusion, and the results may be highly ineffective. It is, therefore, necessary to understand the Industrial Control Systems (ICS) infrastructure and the supporting OT devices implemented in the environment before assessing the OT network/infrastructure.
Figure 1 – A quick and immediate gauge of an OT organisation's readiness for cybersecurity
Digital 14 has introduced the OT Security Readiness Assessment to help organisations assess the security controls in place that safeguard OT environments from cyber-attacks. The key focus areas to consider are:
- Accountability - Assist the organisation to identify who is accountable for security in the OT environment.
- Risk - Assist the organisation to identify its risk exposure and acceptable threat levels.
- Architecture - Assist the organisation to verify its OT/ICS environment is air-gapped from the internet.
- Access - Assist the organisation to protect and monitor vulnerable remote access.
- Compromise - Assist the organisation to know the potential impact of a compromise and identify if the organisation is well prepared for a cybersecurity breach.
- Best Practices - Assist the organisation to perform in-depth assessments and apply best practices/controls.
Understanding critical OT devices
Industrial Control Systems are composed of a wide range of heterogeneous devices and components, each of which plays a specific role. To familiarise the reader, the most commonly seen devices within ICS environments are listed below, with some clarity about their role and purpose.
- HMI: A Human-Machine Interface (HMI) is defined as a feature or component of a particular device or software application that enables humans to engage and interact with machines. The term is also used for software installed on desktop computers, tablets, smartphones, or dedicated flat panel screens that permits operators to check and monitor the automation processes. An HMI can monitor multiple process networks and several devices. An operator can use the HMI to send manual commands to controllers, for instance, to change some values in the production chain. Generally, the HMI shows a diagram or plant process model with status information to facilitate such a job.
- RTU: A Remote Terminal Unit (sometimes referred to as a remote telemetry unit), as the title implies, is a standalone data acquisition and control unit, generally microprocessor-based, which monitors and controls equipment at some remote location from the central station. An RTU is also known as a microprocessor-controlled electronic device. Like a PLC, it is designed for harsh environments and is generally located far from the control centre, for instance, in voltage switchgear. There are two types of RTUs: station and field RTUs. A field RTU receives input signals from field devices and sensors and then executes programmed logic with these inputs. It gathers data by polling the field devices/sensors at a predefined interval. It is an interface between field devices/sensors and the station RTU, which receives data from field RTUs and orders from supervisory controllers. The station RTU then generates outputs used to control physical devices like actuators. Both field and station RTUs have a power supply, CPU, and digital/analogue I/O modules.
- PLC: Programmable Logic Controllers (PLCs) are commonly defined as miniature industrial computers containing hardware and software used to perform control functions. PLCs have two sections: a central processing unit (CPU) and an Input/Output (I/O) interface system, and they are designed for multiple arrangements of digital and analogue inputs and outputs. A PLC is a microprocessor-controlled electronic device that reads input signals from sensors, executes programmed instructions using these inputs and orders from supervisory controllers, and creates output signals that may change switch settings or move actuators. The PLC is generally the boundary between the OT network and the physical process. It is often ruggedised to operate in critical environmental conditions such as very high or low temperature, vibration, or in the presence of strong electromagnetic fields. As with most ICS components, PLCs are designed to last more than 10-15 years in continuous operation.
- IED: An Intelligent Electronic Device (IED) is a device containing one or more processors that can receive or send data from an external source. An IED can be used for protection functions like detecting faults at a substation or for control functions such as local and remote control of switching objects, and it can provide a visual display and operator controls on the device front panel. Other functions can be related to monitoring (for instance, a circuit breaker condition), metering (e.g., tracking three-phase currents), and communications with supervisory components.
- SCADA: A SCADA display unit shows the process under management in a graphic display, with status messages and alarms shown at the appropriate place on the screen. Operators can typically use the SCADA system to enter controls to modify the operation in real time. SCADA devices are placed on the higher level of the ICS hierarchy and are used to monitor and control centralised data acquired from different field sites. Furthermore, they manage the communication between the various devices and represent the remote connection point for remote operators into the OT network. Over the years, SCADA protocols moved from proprietary standards towards open international standards, so attackers now know these protocols precisely. That is why there is growing interest in reinforcing industrial control systems security.
Different challenges between IT and OT
Understanding the OT environment in comparison to IT is not easy. Each OT environment has different set-ups and different devices suitable for the body of work intended. For that reason, there appears to be a gap in the knowledge base that is usually needed to secure OT environments when it comes to OT Security. Recent studies and on-the-ground security assessments have highlighted gaps in the security of OT environments which tend to originate from:
- Lack of fundamental security controls awareness on the audit client side,
- Lack of specialisation on the assessor's side,
- Lack of an adequate transition process to fully grasp the nature of the co-existence of IT and OT environments and their symbiotic interdependent relationship.
It is necessary to fully understand the ICS environment before starting with an assessment, to have prior experience in both environments, and to prepare to work closely with the audit client to fully capture the current holistic security posture. Not every security flaw can be a finding or an issue in an OT assessment. The operating details of a given OT environment may depend upon specific business dependencies, challenges and limitations of isolated (air-gapped) environments.
It is not uncommon to see an absence of critical boundary protection devices on an OT network. As a best practice, it is good to familiarise yourself with the Purdue Model for Control Hierarchy logical framework, developed by the International Society of Automation (ISA99) Committee for Manufacturing and Control Systems Security, that forms the baseline for the ICS reference architecture.
In the 1990s, Theodore J. Williams, along with the Purdue University Consortium members for computer integrated manufacturing, developed the Purdue Enterprise Reference Architecture (PERA) as a model for enterprise architectures. The Purdue model does an excellent job of defining the different levels of critical infrastructure used in production lines and how to secure them. PERA was ahead of its time when it was introduced and, when implemented correctly, can achieve the "air gap" between Industrial Control Systems (ICS) or Operational Technology (OT) and IT systems.
Figure 1 – Different levels as per the Purdue model for Industrial Control Systems.
OT environments tend to use flat networks with production equipment from multiple vendors working together. While microsegmentation at the network level seems like a good idea, it is logistically challenging to implement physical devices inline in production environments. Device installation requires significant planned downtime and can also cause unplanned downtime due to factors like the age of the ICS systems and the proprietary protocols in use. Any security devices deployed inline in the communication path of ICS systems have to prove their reliability and are always subject to regulatory compliance. Above all, OT plant operations teams are not typically aware of IT best practices, let alone advanced network security concepts. An OT plant's goal is production, efficiency and uptime, and cybersecurity is a lesser priority, especially if it is complex and involves downtime.
High-level information for the different Purdue model levels is provided below:
Level 0: This layer contains fundamental OT devices that convert the analogue signals into digital, such as sensors, BCPU (Bay control protection unit) devices etc.
Level 1: This layer contains basic controlling devices containing configuration details such as the destination IP address and information routing details. It includes intelligent devices such as PLC, Intelligent Electronic Device (IED) and Remote Terminal Units (RTU).
Level 2: This layer manages the connectivity, transferring information from the RTU station towards the telecom control centre. This layer manages the integrity of information and controls related to the telecom team, such as ethernet switch, communication protocol, network monitoring system etc.
Level 3: This layer is all about the management of operational controls from the control centre. This layer ensures sufficient operational alarms are configured, fault logs are captured and monitored, availability issues due to communication breakdown are resolved, etc. Level 3.5 is a recent addition over the last decade; this level includes security systems, such as firewalls and proxies, to separate or air gap the IT and OT worlds. This is where the IT and OT worlds "converge," increasing the OT systems' attack surface. Many plants either do not have this layer or have minimal capabilities. The rise of automation leading to higher efficiencies has created an increased need for bidirectional data flows between OT and IT systems. This OT-IT convergence is ultimately creating a formidable competitive advantage for companies that are accelerating digital transformation.
Level 4 and 5: These layers are about the perimeter security controls. Level 4 emphasises establishing a DMZ (demilitarised zone) with relevant remote monitoring controls, patch management and SCADA application-related services. Level 5 is where the actual boundary protection devices are placed: the perimeter firewall, IDS (Intrusion Detection System), IPS (Intrusion Prevention System) etc.
UAE IA Standards applicability on OT assessments
The UAE IA Standard is recognised as one of the most comprehensive standards. Besides being a regulatory mandate for the region, primarily for government entities, the UAE IA standard has a detailed list of controls that can also be used to protect ICS (Industrial Control System) infrastructure. The table below provides a brief description to familiarise the reader with the different OT standards such as NIST 800-82, NERC and ISA 62443:
Figure 2 – Brief description of different OT standards which are recognized globally.
The following bar chart maps international OT standards such as ISA 62443, NERC CIP and NIST 800-82 against UAE IA individually. Each standard has been compared with the UAE IA controls. In the diagram, one can see that UAE IA can be considered more adequate, as it contains a holistic set of OT controls to protect the ICS environment.
Figure 3 – Comparison of UAE IA Standards number of controls against other OT standards.
UAE IA provides a few critical controls that are not present in any other international OT standard. These are:
- Process for internal and external communication
- Statement of Applicability
- Internal Audit
- Information sharing
When approaching an OT assessment using UAE IA, one needs to ensure that the following key differences between IT and OT networks are understood and taken care of:
- Uptime and Services Availability: Continuous uptime is not always required in IT. However, with OT networks, unscheduled downtime must be avoided, as it can be safety-critical. So the processes that they run need to be able to run 24/7, particularly when it comes to the safety systems.
- Software Updates: Software updates for OT networks happen very rarely, and automatic updates are disabled. Every enhancement or update goes through multiple checks and testing, as any change in an ICS environment impacts the overall operations and will require re-certification of the devices.
- Distributed Network: OT systems are distributed across vast geographical distances, with the expectation to function flawlessly without human support or intervention for years or even decades.
- Process over Data: Unlike IT, OT systems will prioritise running the process over saving most things. If data is lost or not saved properly, not logged, not backed up anywhere or even updated, it is considered less critical, so long as the system does not stop running.
Challenges with OT Assessments
The most significant challenge in OT assessments is the lack of understanding from the power station engineers on the ground. In addition, a few persistent myths around ICS environments can cause significant gaps during assessments if not demystified properly.
Myth #1: OT devices are not Windows™ devices and hence they are secure.
Truth: Firstly, non-Windows operating systems are also vulnerable, as they can be used to relay malware to Windows hosts. Secondly, several past incidents/attacks on OT networks involved Unix and Linux variants.
Myth #2: We are Isolated.
Truth: It is imperative to understand the various connections that are active in the OT network. The on-ground engineers, operators etc. will claim that their environment is isolated. However, the assessor needs to check critical points such as how OT devices are troubleshot, how SCADA applications are managed, how enhancements/upgrades are delivered, etc. Also, check if there is a VPN connection with the ICS vendor, or if the internet is enabled in the control centre. Unless these parameters are thoroughly reviewed, the ICS environment cannot be stated as isolated.
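The Purdue levels described earlier and the "we are isolated" claim above can both be checked with the same evidence: an asset inventory tagged by level and a set of observed flows (from a firewall log or a span-port capture). The script below is an added illustration written for this article, not Digital14's tooling: it flags IT-to-OT traffic that does not pass through Level 3.5, and any OT asset talking to an address that is not in the inventory. The asset names, IP addresses and flow records are constructed sample data.

```python
"""Purdue-level flow audit (added example; not Digital14's tooling).

Classifies constructed flow records against a constructed asset
inventory to flag two conditions discussed in the text: IT<->OT
traffic that bypasses the Level 3.5 DMZ, and OT assets reaching
addresses outside the inventory (the "we are isolated" myth).
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed inventory: asset -> (IP address, Purdue level).
# 3.5 is the IT/OT DMZ; any IP not listed is treated as external.
INVENTORY: Dict[str, Tuple[str, float]] = {
    "plc-01":        ("10.10.1.10", 1),
    "rtu-north":     ("10.10.1.20", 1),
    "hmi-ops":       ("10.10.2.10", 2),
    "scada-srv":     ("10.10.3.10", 3),
    "historian-dmz": ("10.10.35.10", 3.5),
    "erp-app":       ("10.20.4.10", 4),
    "corp-ws-77":    ("10.20.5.77", 5),
}

OT_LEVELS = {0, 1, 2, 3}
DMZ_LEVEL = 3.5
IT_LEVELS = {4, 5}

# Constructed flow records, one per line: "src_ip dst_ip dst_port proto".
SAMPLE_FLOWS = """\
10.10.2.10 10.10.1.10 502 tcp
10.10.3.10 10.10.35.10 1433 tcp
10.20.4.10 10.10.35.10 443 tcp
10.20.5.77 10.10.1.10 502 tcp
10.10.3.10 203.0.113.5 443 tcp
10.10.1.20 10.10.3.10 20000 tcp
"""

_IP_TO_LEVEL = {ip: lvl for ip, lvl in INVENTORY.values()}


def level_of(ip: str) -> Optional[float]:
    """Purdue level of an inventoried IP, or None if the address is unknown."""
    return _IP_TO_LEVEL.get(ip)


def classify_flow(src: str, dst: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow.

    VIOLATION: IT<->OT traffic not passing through the DMZ, or an OT asset
               talking directly to a non-inventoried (assumed external) address.
    REVIEW:    flow between non-adjacent OT levels, or an unknown address
               on the IT side.
    OK:        everything else.
    """
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        known = s if s is not None else d
        if known in OT_LEVELS:
            return "VIOLATION", "OT asset communicates directly with a non-inventoried address"
        return "REVIEW", "flow involves a non-inventoried address"
    if (s in IT_LEVELS and d in OT_LEVELS) or (s in OT_LEVELS and d in IT_LEVELS):
        return "VIOLATION", "IT/OT traffic bypasses the Level 3.5 DMZ"
    if abs(s - d) > 1 and DMZ_LEVEL not in (s, d):
        return "REVIEW", "flow skips an intermediate Purdue level"
    return "OK", "adjacent levels or via the DMZ"


def audit_flows(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse flow lines and return (src, dst, verdict, reason) for each flow."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        src, dst = fields[0], fields[1]
        verdict, reason = classify_flow(src, dst)
        results.append((src, dst, verdict, reason))
    return results


def summarize(results: List[Tuple[str, str, str, str]]) -> Dict[str, int]:
    """Count verdicts; the VIOLATION count is what belongs on the scorecard."""
    return dict(Counter(r[2] for r in results))


if __name__ == "__main__":
    findings = audit_flows(SAMPLE_FLOWS)
    for src, dst, verdict, reason in findings:
        print(f"{verdict:9} {src:>14} -> {dst:<14} {reason}")
    print(summarize(findings))
```

On the sample data the corporate workstation reaching the PLC over port 502 and the SCADA server reaching an address outside the inventory are the two violations; the RTU-to-SCADA flow that skips Level 2 is marked for review rather than failed, since such a flow may be a legitimate design choice that the assessor confirms with the plant team.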
Myth #3: Vendors are safe
Truth: Another claim that OT personnel will make is that they have a contractual agreement with their vendor, and the vendor is renowned in the industry; hence there is no risk related to vendor management. Lack of vendor review is very evident in OT networks; it has been proven that many OT networks provide point-to-point VPN connectivity to vendors, which is mostly not monitored due to the absence of monitoring solutions. In addition, authentication and accountability are also poorly managed.
Myth #4: Physical security is not relevant
Truth: The lack of emphasis on physical security is evident in OT environments: absent or inadequate CCTV at critical locations, poor management or lack of implementation of a building management system, lack of monitoring and review of physical access control rights, and inadequate controls related to fire and equipment safety.
Myth #5: Governance, Risk and Compliance (GRC) is not required in OT environment
Truth: We all understand the importance of a good Governance, Risk and Compliance framework. The complacency of OT personnel towards GRC is again a cause for worry: lack of policies, procedures and supporting documents, no processes to ensure compliance with local regulatory and applicable OT standards, and lack of risk management activities. All these issues are prevalent and need immediate focus.
Importance and future considerations
From digitisation to digital transformation, leading to a 'Smart Cities' vision for the not-that-distant future, highly complex digital ecosystems will become the norm. The constant introduction of new technologies, the overwhelming need for interconnectivity, and the excessive use of IoT and IIoT, along with autonomous AI-based endpoints, provide only a glance of what the future will look like.
"Security by Obfuscation" is a skeleton of the past in the closet of Technology. "Security through Visibility" is the only way to allow IT and OT environments to operate securely in the future. Proper Security Architecture and Asset Management are of paramount importance, now more than ever. Quote by: Dimitrios Sarris (Director CyberDefence at Digital14)
In parallel, this "technological interconnectivity-boom", offers a considerably expanded attack surface for cyber adversaries of all kinds. The report, Smart Cities: the Power, the Risks, the Response, which Digital14 recently released, takes a look into the UAE's digital transformation and cyber resilience standpoint and suggests cyberattacks are expected to rise as the government and organisations adopt the benefits of smart city technologies.
The legacy of EXPO 2020 Dubai which opens its doors in October 2021 (after being postponed for one year due to the pandemic), is called District 2020. It will be a smart and sustainable urban environment with cutting-edge physical and digital infrastructure. EXPO will stretch at new levels the collaboration of previously heterogeneous networks and endpoints into a new era of co-existence, which requires operating under a unified umbrella of cyber resilience.
Our digital ecosystems are constantly evolving towards highly complex and dynamically scalable hybrid environments, composed of different technologies that include, but not limited to, ICS, IIoT, smart IoT, Cloud-based solutions, sensors, autonomous systems, and a variety of automations. The cybersecurity resilience of such interconnecting digital ecosystems is not a trivial task, especially when these are the fundamental components for building the smart cities of the future. Quote by: Dr. Grigorios Fragkos (vCISO EXPO 2020 Dubai and Director CyberDefence at Digital14)
The ICS environment's evolution has already started. This will only increase with time, as unsupported, legacy and outdated devices are replaced with updated ones that come with advanced features and enhanced interconnectivity (IIoT). Ensure a well-thought-out OT governance model is defined, applicable regulatory and legislative requirements are adhered to, monitoring and review solutions are implemented, and, most importantly, vendor management controls are effectively implemented.
In recent years, the systemic blend between IT and OT networks has opened up modern ICSs to new risks, expanding the threat surface. Autonomous propagating malware that targets critical infrastructures through ICS vulnerabilities is already happening at scale.
It is of utmost importance to understand the current status and any inherent gaps by performing a thorough evidence-based security assessment. Digital14 can help to safeguard complex OT environments by clearing up the chaos and increasing visibility, setting the stepping stones for a cyber-resilient future.