Emerging Best Practice Amid Rising Requirements in OT Cyber Security Assessment

Additional Contributors

• Abhijeet Naik, Managing Director, Black & Veatch Management Consulting
• Kayleigh Moss, Senior Analyst, Black & Veatch Management Consulting

Article

The emergence of the digital economy and applications across the electric utility and related services sectors has substantially increased both the value of Operating Technology (“OT”) services and its attendant risks of cyber security exposure. In turn, the need to effectively manage OT, IT: OT “edge” and internet connectivity (IP and IoT) risk exposures under a structured approach is rising with the increasing use of digitally – backed technology across the full supply and value chain.  As the value proposition of such OT and linked IoT and IT services increases, so does the need to need to proactively monitor, measure and inform and protect OT CyberSecurity (CS) investment decisions with a best practice, dynamic approach to OT CS risk management.

Energy infrastructure is among the top three sectors facing targeted cyber security attacks according to many industry assessments.  OT risk represents a particularly critical and growing exposure for both external and internal malicious actors seeking to disrupt and potentially profit from the high service value loss represented by a compromised grid.  This exposure affects generation, transmission, distribution, and fuels infrastructure, as well as downstream, customer and smart gird-based digital asset management tools.  These downstream applications are increasingly focused on enhancing the reliability of utility OT assets and customers services, but also create additional OT exposures. 

Risk exposure elements from OT CS incident include, for example:

• Service Loss, including both direct costs to the supplier and often high multiplier costs to the consumer and the economy given dependent services impacted;
• Remediation costs (labor and technology);
• Regulatory cost recovery and compliance penalties;
• Health, Safety & Environmental impact costs;
• Insurance and other corporate direct and indirect costs.

The likelihood of successful attacks is also increased if new OT applications, and in particular their network linkage via IT and IoT linked paths, is not fully assessed and risk – mitigated.  An emerging best practice representation is shown in Figure 1, below.      

Figure 1: Best Practice OT Cyber Security Risk Assessment and Mitigation Response Methodology

* For example, the MS Threat Modeling Tool utilized IT/OT network diagrams to define and visualize system components, data flows, and security boundaries with OT/IT infrastructure.

The architecture and process framed in this Best Practice approach includes, sequentially:

• Representative site and application walk-downs, including review of network configurations highlighting OT:IT, serial and IP communications connectivity, external direct and IoT interfaces;
• An assessment of company CS practices focused on comparable Industrial Control Systems (ICS) utilizing the NIST Cyber Security Framework and Evaluation Tool (CSET) and other applicable industry standards for evaluating OT CS exposure management capability;
• An OT Asset Inventory, Governance Documentation and Network Diagram Review;
• A resulting capability maturity model (CMM) to identify points of vulnerability across Hardware, Software, Firmware, Information Security Architecture (ISA), Internal Controls, Security Procedures and other NIST CSF categories;
• A technical threat vector analysis including external threat actor capability. path and internal vulnerability assessment, converted to specific mitigation strategies.

The mapping of specific Threat Vector to Mitigation Strategies provides the foundation for an OT CS prioritized investment program.  The OT Risk Assessment Program (OTRAP), based on vulnerability risk assessment, utilizes established cost exposure categories, as identified above, and associated avoided cost metrics, along with industry – based sector attack incidence records from established industry sources[1]. The resulting indicative cross-mapping of threat vector to representative mitigation strategies in Figure 2.

Figure 2: Illustrative Threat Sources and Mitigation Response Mapping

The resulting Cost of Exposure x Probability of Exposure is compared to the Mitigation Costs required to achieve an effective preventative cost mitigation investment.  Resource investments are generally characterized as People, Processes and Technologies, including both hardware and software applications. The investments are then linked and sequenced in prioritized order by payback period.  Sequencing across asset classes is based on payback rates across asset classes and synergies captured across OT CS Threats via the Mitigation Strategy investments capable of addressing multiple threats.  For example, patch management and access control mitigation strategies are applicable to multiple Threats, as shown in Figure 2.  In emerging best practice these metrics and associated risk exposure levels and probabilities will move from occasional towards real-time frequency, with both costs and probabilities updated by field devices and updated exposure metrics. The resulting AI-backed system will serve as an OT CS asset management system, with a consistent design but more dynamic metrics in comparison to longer-term investment planning applications.  

An emerging challenge in OT CS risk management is being driven by utility and multi-sector digital transformation. The intersection of digital technologies with distributed usage represents an emerging area of OT cyber risk while enabling significant value creation.  Digital device applications serve multiple customers and IP connectivity boundaries.  These include IoT platforms, data analytics, which provide multiple points of application value, while creating both internal and external network edge exposures that present new challenges in the evolution of best practice OT CS.

These emerging downstream (IP – based and customer – focused) and upstream (IT backed and centralized) digital OT cyber security exposures demand a deeper level of OT CS structuring and evaluation.  Upstream, the establishment and active boundary management of Cyber Security Operations (“CSOCs”) is vital in managing the multiple OT boundaries and gateways of CS vulnerability, both internal and external to the organization.  Many CSOCs are already challenged to establish clear line-of-sight and automated threat monitoring programs, reporting Mean Time to Resolution (“MTTR”) of more often months rather than days or hours. As a result, efforts to automate and apply software and AI - backed detection and response capabilities at the SOC are likely to yield positive risk mitigation paybacks, particularly where high threat risk detection to response times can be substantially reduced.  

The integration of digital technologies and applications both at the gird level of application, and behind the meter customer applications starts with effective asset management integration into protected systems, whether islanded or connected to the CSOC, Cloud or internal IT networks.  Because field devices will likely have IP connectivity, security systems need to establish, protect, and distinguish data access and multi-purpose analysis applications from specific device access and direct asset management applications.  Moreover, grid applications are increasingly moving from electro-mechanical device signals to microprocessor – based. The latter require an IT interface, IP communications, and network boundary management on a higher scale of data management and asset applications.  Collectively, OT CS focused on emerging digital requirements will need to utilize a combination of:

1. Cloud and internal IT solutions,
2. Segmented, OT solutions; and  
3. An additional IoT envelope, where applicable in order to be effectively managed.

Downstream, customer and service contractor – focused data applications and IoT linkages demand a higher level of detection and response across People, Process and Technology – based capabilities.  For example, automated field detection technology and  response management protocols represent key components of an emerging best practice OT CS operation for rapidly detecting, isolating and responding to system breaches.

Traditional views of serial vs. IP connectivity must be revisited with IP connectivity exposures.  The latter can create both intentional and un-intended breaches. These can be addressed via redundancy, training, more stringent internal process controls, and air-gapping equipment and multi-staging clearance paths.  Training and realistic desktop exercises replicating viable attack scenarios are part of the solution, as are system-based monitoring and the capability enhancement across the full spectrum of detection to remediation. The common objective is to reduce occurrences and minimize impact costs of system breaches. 

A well-designed risk mitigation OT CS strategy should be anchored on a clearly documented and dynamic risk – based Cost: Benefit analysis. As OT technology application value and breadth grow, so do the benefit streams, but the inverse of benefits stream is a lost service attendant direct and multiplier cost exposure.  Managing this dynamic will require a real-time application of best practice via the effective application of people, process and technology resources under a program that integrates and protects emerging digital – backed services with real-time protection technologies and business processes.  

References

[1] For example, The Verizon 2019 Data Breach Investigations Report; The ICS Threat Landscape, Dragos, 2019; NERC State of Reliability Report, 2018, 2019; The Ponemon Institute 2019 Security Operations Center Cost Study; Forrester Total Economic Impact Study, May 2019: "The Total Economic Impact of Alert Logic SIEMless Threat Management"; U.S. Congress report: "Cyberspace Solarium Commission" March 2020; SANS “State of OT/ICS CS Security Survey”, 2019

[2] See “Improving the Effectiveness of Cyber Security Operating Centers”, June 2019, Sponsored by Devo Technology, independently conducted by Ponemon Institute, LLC.