Why securing the OT environment against cyberattacks is vital
- Despite existing frameworks to secure operational technology (OT) environments, cybersecurity controls often ease or are overlooked during key lifecycle phases.
- Risks can open up during Factory Acceptance Testing, Site Acceptance Testing, shutdown maintenance and brownfield services.
- Here, we consider how these risks can be mitigated.
Despite existing frameworks to secure operational technology (OT) environments, cybersecurity controls often ease or are overlooked during key lifecycle phases, such as Factory Acceptance Testing (FAT), Site Acceptance Testing (SAT), shutdown maintenance, and brownfield services, increasing vulnerability to cyber threats. CISA's 2022 report highlights a 30% increase in OT system cyberattacks, with over 800 incidents. ENISA's findings corroborate this, showing that 63% of critical infrastructures faced cyber incidents, 55% targeting OT systems.
The early months of 2023 saw notable cyberattacks: a ransomware strike on a U.S. water plant in January; a European power grid disruption in February; and an Asian transportation company's operational halt in March. These incidents emphasize the importance of stringent cybersecurity throughout the OT system lifecycle, especially in critical stages.
Risks during the FAT milestone and proposed controls
During FAT, a pivotal stage in the OT system lifecycle, the system is tested in a controlled environment to confirm adherence to design requirements. During FAT, however, cybersecurity controls often become less stringent, with emphasis primarily on design specifications over security, unless explicitly included in the scope. It's crucial to integrate essential high-level cybersecurity controls at this stage to prevent transferring risks or threats to the site post-FAT. This proactive approach is key to maintaining robust security throughout the system's lifecycle. These controls include, but are not limited to:
• Security of the staging area
Staging areas, designated for pre-deployment system testing, require secure measures to prevent unauthorized access, thereby avoiding the introduction of malware or other threats into production environments.
• People
People are always the weakest point in any security system. It is important to educate employees about best cybersecurity practices. This includes training on how to identify phishing activities, handling sensitive project information, complying with cybersecurity requirements and identifying and reporting a cybersecurity incident.
• Asset lists
An asset list is a comprehensive list of all hardware and software assets used in a specific project. This list is the main pillar to detect and understand if any changes have occurred.
The asset list contains information about firmware versions, OS, IP addresses, MAC addresses, vulnerabilities, what was patched and what wasn’t, the latest updates to end-point security, etc. The list must be maintained and updated regularly to ensure that all assets are properly secured, as well as to enable effective vulnerability and patch management.
• Access controls
Access controls are essential to prevent unauthorized access to sensitive information and systems. This includes implementing strong password policies, multi-factor authentication and other mechanisms to ensure that only authorized personnel can access sensitive areas or functions.
• Secure configuration
Secure configuration involves implementing security best practices when configuring hardware and software systems. This includes disabling unnecessary services and ports, using strong encryption and implementing other security measures to reduce the attack surface of a system.
• Vulnerability and patch management
Vulnerability and patch management involves regularly scanning systems for vulnerabilities and deploying patches to fix known issues. This is critical to prevent attackers from exploiting known vulnerabilities to gain access to sensitive information or disrupt operations.
• Incident management
Incident management involves having a plan in place to respond to cybersecurity incidents when they occur. This includes identifying the scope of the incident, containing it and recovering from it, as well as conducting a post-incident analysis to identify areas for improvement.
All these controls must be implemented and documented during the FAT milestone to ensure that potential risks are not transferred to the site.
Risks during the SAT milestone
Similarly, the SAT/shutdown maintenance window and brownfield services milestones also pose a cybersecurity risk to the OT system. During these milestones, the system is tested in its actual environment and any issues are addressed. These milestones, however, may require taking the system offline, and cybersecurity controls may be relaxed to facilitate maintenance activities. Moreover, third-party contractors may not be familiar with the system's cybersecurity controls, leading to potential cybersecurity problems when maintenance work is completed and the system/plant is brought online again to resume production. This can result in dozens of untraceable changes to the cybersecurity controls, which are either disabled or bypassed.
Proposed high-level controls
Apart from the high-level controls mentioned during the FAT milestone, additional controls need to be implemented during the SAT/shutdown maintenance window and brownfield services due to the dynamic SAT environment. These controls include:
• Environment integration
During SAT, the system is evaluated for its integration with the surrounding operational systems. This can identify vulnerabilities that might arise due to interactions with other systems or software.
• Network integration and firewalls
As the system is now in its intended network environment, SAT can assess how it interacts with firewalls, intrusion detection systems and other network security measures. It can uncover vulnerabilities such as ports that are open but shouldn't be, or the potential for unauthorized network access.
• Authentication and authorization
While these might be tested during FAT, during SAT they're tested in the context of the operational environment: for instance, how the system integrates with the enterprise's identity and access management solutions.
• Red/blue team testing
Sometimes, organizations might choose to perform more aggressive penetration testing (red team exercises) during SAT to see how the system holds up against simulated cyberattacks in its actual environment.
• Incident response integration
During SAT, you might also test how incidents on the system integrate with the broader organizational incident response plan and tools.
How to mitigate these risks
To mitigate these risks, end-users, contractors, vendors and suppliers must establish and adopt a robust change management process that includes proper documentation, approval mechanisms, testing and validation procedures. This process should ensure that all changes, including those made during the critical and gap periods, are properly tracked, assessed for security implications and validated before the system's commissioning. A more advanced and strict approach is to assign a dedicated cybersecurity officer to follow up and document all the changes made at different milestones.
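One way to make the asset list and the change management process described above checkable is to freeze the asset list at FAT sign-off, collect it again before the plant is brought back online, and flag every difference that no approved change record covers. The sketch below is an added example, not part of the original article; the asset names, field names, addresses and the (asset, field) change-record format are all constructed for illustration.

```python
# Added example: all asset names, fields and values below are constructed.
FIELDS = ("mac", "ip", "firmware", "os", "open_ports", "endpoint_protection")

# Asset list frozen at FAT sign-off.
FAT_BASELINE = {
    "plc-01": {"mac": "00:00:5e:00:53:01", "ip": "10.10.1.11",
               "firmware": "2.8.3", "open_ports": [102]},
    "hmi-01": {"mac": "00:00:5e:00:53:02", "ip": "10.10.1.21",
               "os": "Windows 10 LTSC", "open_ports": [],
               "endpoint_protection": "enabled"},
}

# Asset list re-collected before the plant is brought back online.
POST_MAINTENANCE = {
    "plc-01": {**FAT_BASELINE["plc-01"], "firmware": "2.9.1"},
    "hmi-01": {**FAT_BASELINE["hmi-01"], "open_ports": [3389],
               "endpoint_protection": "disabled"},
    "eng-laptop-07": {"mac": "00:00:5e:00:53:99", "ip": "10.10.1.250"},
}

# (asset, field) pairs covered by an approved change record.
APPROVED_CHANGES = {("plc-01", "firmware")}

def diff_assets(baseline, snapshot, approved):
    """Return (asset, field, before, after, status) for every difference."""
    findings = []
    def record(asset, field, before, after):
        status = "approved" if (asset, field) in approved else "UNTRACKED"
        findings.append((asset, field, before, after, status))

    for asset in sorted(set(baseline) | set(snapshot)):
        old, new = baseline.get(asset), snapshot.get(asset)
        if old is None:
            record(asset, "asset_added", None, new.get("mac"))
        elif new is None:
            record(asset, "asset_removed", old.get("mac"), None)
        else:
            for field in FIELDS:
                if old.get(field) != new.get(field):
                    record(asset, field, old.get(field), new.get(field))
    return findings

def untracked(findings):
    """Changes that must be reviewed before commissioning."""
    return [f for f in findings if f[4] == "UNTRACKED"]

if __name__ == "__main__":
    for finding in diff_assets(FAT_BASELINE, POST_MAINTENANCE, APPROVED_CHANGES):
        print(*finding, sep=" | ")
```

In this constructed data the firmware update on plc-01 is covered by a change record, while the newly opened port and disabled endpoint protection on hmi-01 and the unknown engineering laptop are reported as untracked.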
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.