Ten tips for OT security

30/11/2016

As we move forward in industrial automation and Industry 4.0, cybersecurity of industrial control systems becomes ever so important too.

The Stuxnet computer worm, manipulating the feedback data of an Iranian nuclear enrichment facility’s centrifuge units, was in many ways an eye-opener.

Cybercriminals are capable of manipulating your building management systems, your operational equipment for factories, sluices, steel mills, power grids or oil rigs. More and more organizations understand the potential operational, economic and environmental impact of cyber incidents.

In a 2015 survey, 40% of the respondents indicated the breakdown of an industrial system would mainly result in material damage. 30% said it would also contain safety and health risks.

How can you make a difference?

Operational Technology teams understand what’s at stake. Their biggest security objective is preventing unauthorized access. If you only secure your outer perimeter, then cybercriminals have free access to everything once they are in: control rooms, server racks, etcetera. How many organisations leave the key and spare key hanging on the server rack locks?

The most frequent security issues we see are physical security breaches, missing patches and password issues.

[blogkader]

Here are ten tips to take better security measures in ICS environments:

Define a security strategy and include as much people as possible. Understand the risk at every level, and make every management level aware of the need for cybersecurity.
Build a comprehensive inventory of both your IT and OT environment. This allows you to find your network’s weaknesses: rogue access points, wireless routers with free access SSIDs, embedded systems that are still running Windows XP or even NT, old cabling, and so on.
Perform security testing. Penetration tests indicate potential breaches. They aren’t without risk though, so I would advise to start with a vulnerability scan.
Start a bug bounty programme, allowing white hackers to find bugs in your environment.
Organize governance for OT. You still need to foresee back-up and patch management, you still need to draw your responsibility assignment matrix (RACI). There are responsibilities for OT staff too, yet they are often not defined.
Create awareness within your OT teams. Explain why security is important.
Collaborate with IT. Sometimes small IT interventions can help prevent security breaches.
Include vendors. OT hardware is often a black box and the vendors need to give you approval for modifications for patching and maintenance or your SLAs or even warranty can change.
Pay attention to authentication. A lot of vendors use the same standard passwords at multiple sites.
Define network zoning with specific hardware in different zones, different security levels and access matrixes: a standard in IT but not yet in OT.

[/blogkader]

Traditionally organizations focus on malware and cyber-attacks, but these account for only 30 and 20 percent of cyber incidents respectively.

Half of the cyber incidents or breaches are of accidental nature, leading to unauthorized access too. Hence the importance of awareness.

Content gathered during our CIO Speaker’s Café on CYBER SECURITY
– keynote by Dieter Sarrazyn, Toreon

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
swpm_session	session	This cookie is set by the Simple WordPress Membership Plugin. This cookie is used for membership login session and to provide access to the protected content on the website.This cookie keeps the login records so user don't want to authorise each time while moving to next page.
_gat	1 minute	This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.

Cookie	Duration	Description
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.