By Mirel Sehic
From the June 2019 Issue
Buildings are rapidly embracing digitization, and while the convergence of smart technologies and physical environments has greatly improved business operations and overall capabilities, this digitized method of operating has, in certain respects, led to increased potential vulnerabilities and attack vectors not previously encountered.
For years, this challenge has brought about heightened focus and awareness around securing corporate and more traditional Information Technology (IT) systems—especially as more devices get introduced onto networks due to the proliferation of IoT technology. For example, California recently signed into law SB-327, a bill that will require manufacturers of devices that connect directly or indirectly to the Internet to equip the devices with “reasonable” security features to prevent unauthorized access, modification, or information disclosure.
However, organizations often overlook Operational Technology (OT) environments, which can house sensitive control systems, when devising a cyber security plan. OT environments comprise the machinery, sensors, actuators, and other equipment that help form the backbone of building operations but have not traditionally connected to the Internet—until now. And without the precedent of strict cyber compliance, these environments are often vulnerable, and in certain instances, the weak link in the organization.
Why OT may be a target. In recent years, cyber security measures have often simply focused on protecting traditional IT systems and providing tighter controls on information security in general—often aimed at safeguarding solely personal and corporate data. But with the rise of smart digitization technologies and the ability to extract value out of previously disconnected or air-gapped OT systems, these systems might enter a world they perhaps weren’t originally designed for. As such, they can sometimes become a new target.
The advent of IoT and the increasing demand for smart technology is a major contributor to the increasing threat footprint in the OT space. Traditionally, these systems have been largely out of sight for IT departments and have often not had a high level of monitoring, protections, or oversight put in place. As such, the OT environment may be plagued by misconfiguration, vulnerable hardware and software, poor cyber security practices, outdated network components, and lack of general cyber security awareness.
It may be a big mistake to simply assume that your organization is not at risk of an attack. The reality is that many OT systems are experiencing cyberattacks similar to IT networks. IBM Managed Security Services (MSS) data shows a 110% increase in attacks on industrial control systems since 2016—a threat landscape predicted to grow at a phenomenal rate to 2020 and beyond.
Understanding the threat landscape. The threat landscape is continuously evolving. A first step to building a strong cyber security ecosystem is to have an understanding and awareness of typical attacker motives and common cyber risk scenarios. Various adversaries can carry out attacks, including nation-states, industrial spies, cyber criminals, and curious tinkerers. In addition, negligent or undertrained staff can also inadvertently lead to incidents. While attacker motives shift and change almost as fast as technology evolves, the top three motivations remain, and typically include financial gain, disruption of service, and theft of personally identifiable information or intellectual property.
Within the smart building environment, control systems can present easy targets, with common cyberthreat scenarios including:
- Accessing building control systems
- Disrupting power management functions causing business interruptions and shutdowns
- Tampering with temperature settings on HVAC systems
- Accessing Internet-connected physical security systems
- Improper network segregation using OT systems to potentially gain access to other, more secure, environments
By understanding the cyber security risks in Operational Technology, decision-makers are able to make smarter buying decisions, implement targeted OT security controls, educate personnel in effective procedural measures, and maintain enhanced cyber resilience across their environments.
Creating A Cyber-Smart Strategy
Maintaining a more secure and resilient OT environment often requires a wide-ranging strategy that includes measures such as employee training, the implementation of security governance and process, and investment in the right technology. There is typically no quick fix. However, as a first step, organizations need to establish an understanding of their internal threat landscape and mapped maturity level, and should also assess their appetite for risk. A great place to start is by conducting a cyber security threat and risk assessment, which aims to detect material vulnerabilities.
With a threat and risk assessment, organizations can often determine quick wins and establish the cyber security maturity of an Operational Technology environment. And, these assessments can also occasionally uncover possible infiltrations for immediate remedying.
Steps to conducting the cyber security threat and risk assessment include:
Asset Inventory: Organizations should identify which assets are connected to their networks, and how these assets interconnect between IT and OT, which can help uncover any undocumented devices or the presence of expected assets. Having a clear sense of the full range of assets connected to an organization’s network can help identify and prevent breaches through those devices.
Network Traffic Baselining: Establishing a baseline for network traffic, which includes taking inventory of normal levels of network activity, can help organizations more easily identify existing gaps, as well as have a comparison to determine future anomalous behavior. OT networks are often largely deterministic, making it easier to identify normal operational traffic that can later help with recognizing suspicious activity.
Vulnerability Identification: Organizations can then provide assessors with a list of identified vulnerabilities that the organization is aware of, since risk assessments are often underpinned with current knowledge of weak spots in the Operational Technology environment. Security vulnerabilities tied to the OT environment can then be considered and a risk rating applied to guide organizations on appropriate remediation methods pertaining to the respective risk appetite.
Leveraging Findings: Once completed, assessments can help build the foundation for an overall cyber security strategy, underpinning the processes and procedures for enhanced risk mitigation. Findings of the assessment can also serve as metrics to guide stakeholders in making improved business decisions, including resource allocation.
These strategies will often need support from C-level executives and require clear communication from the top down to all stakeholders and staff. A lack of understanding internally can often lead to a breakdown in cooperation and processes, which can result in an incomplete execution of strategy and contribute to undesirable breaches.
Developing a cyber-smart strategy is a journey, and one that typically involves the ongoing assessment of internal processes and procedures, staff awareness programs, and the adoption of suitable applications—all of which are specific to a set of defined organizational requirements. Although climbing the cyber security maturity ladder will take time, the key is to be informed and take the first step.
Sehic is a digital operations, ICT, and cyber security leader for Honeywell Building Solutions. Seeing an increase in more focused cyber security threats abusing gaps in control systems, Mirel has set his sights on utilizing the skills gained through his various roles across Operational Technology (OT) environments to increase awareness and steer key stakeholders toward industry best practice and increased resilience.
Do you have a comment? Share your thoughts in the Comments section below or send an e-mail to the Editor at firstname.lastname@example.org.