Leading regulations and standards, such as the Safety Case requirement in Singapore, emphasize that Major Hazard Installation (MHI) operators should take into account all likely risks, and these must surely include those relating to cybersecurity.
The number of cybersecurity-related incidents in industrial control networks has risen in every region in recent years, and there have been well-publicized reports of sophisticated malware and threat actors disrupting safety instrumented systems.
Organizations operating industrial facilities have a responsibility to monitor, detect, and mitigate cybersecurity attacks in order to maintain the safety, integrity and availability of their plant which, if compromised, may have a severe and detrimental impact on society.
The trend toward digitization and system inter-connectivity means that operational technology engineering and operating personnel may not realize the full extent of the cybersecurity vulnerabilities they face and are thus inadequately prepared to deal with potential attacks.
Industrial systems can no longer rely on an ‘air gap’ to provide security, as it has been demonstrated time and again that such a measure can be overcome easily. Conventional IT security risk models also fail to capture the specialized nature of operational technology and industrial control systems, which can differ markedly from the systems used in an office or commercial environment.
The challenge for industry today is to address the requirements of functional safety and security to effectively manage the risks related to digital technology. Organizations and their production facilities – especially those operating in support of critical infrastructure – need to be secured in a way that enables a business to still continue to drive innovation. Issues include how to monitor and assess components, systems and networks for technical vulnerabilities, as well as how to define and implement effective control measures.
Why assess your Industrial and Operational Technology Cybersecurity Risks?
• There is a regulatory or legal requirement to understand this risk as you operate in a safety critical or hazardous industry.
• Business executives are concerned how cybersecurity issues can impact their business.
• Investors and shareholders need reassurance that systems are robust and capable of managing likely cybersecurity issues and that new investments will be protected.
• Customers are demanding that their intellectual property and process information are protected on your network.
How are Industrial and Operational Technology Risks Assessed?
The TÜV Rheinland team will engage with you to help you understand how mature your OT cybersecurity posture is. Engagements are adaptable, using either the IEC 62443 or the NIST CSF industry standard depending on what best fits your situation.
An assessment can be undertaken in a relatively short period of time to give quick feedback to the business so that any remedial steps can be started as soon as possible. Our experts take a collaborative workshop approach enabling findings to be discussed in a friendly, informed way with internal teams to maximize the learning opportunity and ensure that key parts of the business and operations are engaged in the process.
During the engagement the team can work with you to install a passive network monitoring and situational awareness platform to provide visibility across your industrial control system (ICS) and SCADA networks. This gives the team detailed information on your OT network assets, builds a network map, and monitors for ongoing ICS-specific threat indicators.
This is a summary of a presentation by Nigel Stanley, Chief Technology Officer – Global Industrial and Operational Technology Cybersecurity CoE.