THE frequency and sophistication of cyber threats have increased consistently every year.
The impact on cybersecurity in every industry is significant and this is evident from the well published attacks on operational technology (OT), especially on industrial control systems (ICS).
During the last 18 months, we have seen well published ransomware attacks in the food manufacturing, oil and gas, and water utility industries.
The mandate from almost every board is to do more with less. As cybersecurity professionals we cannot “do it all” but we must choose wisely where our focus goes.
New approaches to cybersecurity in OT environments are often avoided due to the fear of additional overheads and the need for organisations to rebuild their legacy infrastructure.
It is a well-known fact that OT systems are built to be resilient by design.
This means that a hierarchy of engineering controls has been designed and implemented to mitigate any hazards that may have an impact on the availability or the safety operating parameters of the OT system, especially when long-lead-time-to-replace equipment is damaged resulting in a production, generation, transformation or distribution outage.
A common internal challenge I often see is the difference in opinion between engineering, information technology (IT) and cybersecurity teams on the importance and approach to cybersecurity in OT environments.
Each of the disciplines bring a unique insight to the situation and instead of being a hurdle for progress it must be used as an accelerator.
The key question is, how can an organisation achieve this?
There are different methods to achieve this, and one approach is the ”fairly” new concept of CCE (Consequence-driven, Cyber-informed Engineering).
The model turns the traditional method of designing and operating controls based on a form of OT cybersecurity risk assessment process (risk is the cumulation of threat, vulnerabilities and consequence) upside down.
It uniquely focuses on consequence prevention without guestimating the likelihood of a thread materialising.
> Identify and prioritise high-consequence events
The first step is to understand, identify and prioritise high-consequence events that can significantly harm your organisation or even your operating assets.
A high-consequence event is the key function or process that is integral to keep your organisation operating every day.
Generally, these are the events that have already been evaluated and considered within business continuity plans or crisis management plans.
> Understand your critical systems
The second step is to understand and prioritise the systems (also known as “crown jewels”) your organisation or operating asset is dependent on to achieve its purpose. We are all familiar with the concept that ”if you do not know what you have, you cannot protect it”.
Asset visibility is key but for OT, you need to have a very good understanding of how the OT system functions and what the dependencies are on other systems, individual components and processes.
Now the most interesting part starts with the identified high-consequence events that would harm the organisation or operating asset, along with the crown jewels with the various dependencies.
This is where the different disciplines come together to bring their unique views, skills and experiences to the table.
The focus here is to place the team in the shoes of an adversary (the assumption here is that you are dealing with a very skilled and well-versed adversary with in-depth knowledge across engineering, IT and cybersecurity) and challenge them on how they would go about to achieve all the high-consequence events.
> Think like an adversary
The third step here is for the team to identify all the possible attack vectors that can be used to achieve the identified high-consequence events.
The team must see vulnerabilities, not as a hygiene problem that requires fixing, but as an opportunity for an adversary to create an unwanted high-consequence event.
> Eliminate and protect
Now that the attack vectors have been identified, the fourth step is about the process of elimination.
The team needs to identify the key choking points where the attack vector can be halted, and vulnerabilities can be eliminated using engineering, IT and cybersecurity controls.
The primary focus should be to eliminate; then protect followed by detect, response and recover, which is very similar to the hierarchy of engineering controls.
Cyber hygiene practices are now part of a defence-in-depth strategy and not a reactive and unachievable maintenance process.
With one of EY clients, EY teams successfully used this approach to bring the various disciplines – engineering, IT and cybersecurity – together to work as one; identifying the key areas where an adversary can be stopped before real high-consequence events can materialise.
EY professionals helped in implementing a unified defense-in-depth strategy and established a strong collaboration between disciplines that historically did not see eye-to-eye in the approach to safeguarding the organisation or operating asset.
Jaco Benadie is a partner at Ernst & Young Consulting Sdn Bhd. The views expressed here are the writer’s own.