IT - OT Cybersecurity-The Great Divide

This document discusses the importance of bridging the divide between operational technology (OT) and information technology (IT) when it comes to cybersecurity. It provides answers to five questions every chief information security officer should ask about OT cybersecurity, including who should be involved in the OT cybersecurity program, where to begin the OT cybersecurity journey, why an OT security program is needed, and what security management actions should be included. The overarching message is that OT cybersecurity requires close collaboration between IT and OT teams.

  • Five questions every CISO should ask about OT cybersecurity: Discusses key considerations for CISOs when addressing OT cybersecurity, including participant roles and essential security measures.
  • Extend IT security to the plant floor: Examines the integration of IT security into the plant floor environment and the challenges associated with it.
  • The IT/OT Divide: Expert Interview Series: Features expert insights on bridging the IT/OT divide, emphasizing external validation of cybersecurity efforts.
  • IT/OT collaboration must drive digitalization: Explores how IT/OT collaboration can advance digitalization efforts and offers strategies for seamless integration.
  • Six reasons why centralized cybersecurity doesn’t deliver value to OT: Analyzes the limitations of centralized cybersecurity approaches in OT environments and proposes alternative solutions.
  • Bridging the IT/OT divide: Interview with Wayne Dorris: An interview exploring strategies for companies to effectively bridge the IT/OT divide with insights from an industry expert.
  • Throwback Attack: Lessons from the Aurora vulnerability: Reviews historical cybersecurity events to provide lessons on enhancing security protocols and preventing future breaches.
  • SolarWinds attack changing nature of cybersecurity for ICSs: Highlights the impact of the SolarWinds cybersecurity breach on ICS security practices and future preventive measures.
  • Content Archive: Concludes the document with acknowledgments and contact information for feedback on the eBook.

IT/OT CYBERSECURITY: THE GREAT DIVIDE

Contents

3 — Five questions every CISO should ask about OT cybersecurity

7 — Extend IT security to the plant floor

12 — The IT/OT Divide: Expert Interview Series

13 — IT/OT collaboration must drive digitalization

21 — Six reasons why centralized cybersecurity doesn’t deliver value to OT

33 — Bridging the IT/OT divide: Interview with Wayne Dorris

34 — Throwback Attack: Lessons from the Aurora vulnerability

44 — SolarWinds attack changing nature of cybersecurity for ICSs

Five questions every CISO should ask about OT cybersecurity

Who should be involved in the OT cybersecurity program?

This is the first question for a reason. In many information technology (IT) organizations, the answer is clear. Security requires networking, endpoint, cloud, regulatory and other IT partners. In operational technology (OT) cybersecurity, however, getting the “who” right is critical and often more complex.

Depending on the organization, the who may include the head of process control technology; the SVP/EVP/VP of operations, manufacturing or supply chain; influential plant managers; or quality or similar regulatory personnel. This is on top of the more typical groups involved in IT security.

We have seen many organizations stall if key operations personnel are not included early in the process to identify bottlenecks or technical challenges. Successful chief information security officers (CISOs) create a steering committee of IT and OT personnel in addition to the operations leaders who understand the technical challenges of the systems.

Without this joint team, organizations struggle to gain buy-in for the necessary technical changes and required support personnel to achieve success. Together, this group forms the right process for deciding aspirations, technical feasibility and more.

Where should you begin your OT cybersecurity journey?

Almost all industrial companies have some level of cybersecurity underway, but often the question is where to focus first to improve the security of the OT systems. Options usually include network protection such as segmentation and separation, endpoint protection, network anomaly detection, asset visibility and inventory for improved vulnerability management, and security event monitoring and analysis.

There is no absolute right answer to this. Some will argue for deploying network protection technology to create a barrier. Others will argue for vulnerability assessment or asset visibility and inventory.

The right answer depends on the organization’s starting point. However, the foundation of all these initiatives is a robust asset inventory with “360-degree” visibility on hardware, software, network connections, users and accounts, vulnerabilities, etc. To make network protection effective, you must know what you are protecting and how it needs to communicate. To make proper vulnerability management decisions, you need clarity of the comprehensive 360-degree risk, because not all assets in OT can be patched or upgraded. Alternative compensating controls may be needed, and prioritization is key. Security event monitoring requires knowledge of the assets to monitor, as well as their operations and asset criticality.

This 360-degree approach provides a comprehensive view of the risks and how they interact. For instance, two devices may have similar vulnerability or patch status, but one has application whitelisting locked down, a robust backup, hardened configuration settings and sits behind a well-configured firewall, whereas another does not. Or one operates critical operational processes, whereas the other does not. Even more so than in IT, these relative priorities are critical in OT given the challenges of taking rapid remediating actions.
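
To make the 360-degree prioritization above concrete, here is an added example (not code from the Verve Industrial article) that scores a small constructed inventory: assets with identical open-vulnerability counts rank differently once application whitelisting, hardened configuration, verified backups, firewall placement and process criticality are taken into account, and an asset that cannot be patched gets a compensating-control recommendation instead of a patch. The dataclass fields, the weights and the sample assets are all assumptions chosen for illustration, not a published scoring model.

```python
"""Compensating-control-aware OT risk prioritisation.

Added example, not from the article. Scores assets so that two devices with
the same unpatched vulnerability count rank differently once whitelisting,
backups, hardened configuration, firewall placement and process criticality
are considered. Weights and inventory are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class Asset:
    name: str
    zone: str
    criticality: int          # 1 (low) .. 5 (safety-relevant / critical process)
    unpatched_cves: int       # count of open vulnerabilities on the device
    patchable: bool           # can this asset be patched or upgraded at all?
    app_whitelisting: bool = False
    hardened_config: bool = False
    backup_verified: bool = False
    behind_firewall: bool = False


# Constructed weights (assumption): share of exposure each control removes.
CONTROL_WEIGHTS = {
    "app_whitelisting": 0.30,
    "hardened_config": 0.15,
    "backup_verified": 0.15,
    "behind_firewall": 0.25,
}


def residual_risk(asset: Asset) -> float:
    """Exposure x criticality, discounted by the compensating controls in place."""
    exposure = min(asset.unpatched_cves, 10) / 10.0   # cap so one noisy host cannot dominate
    reduction = sum(w for ctrl, w in CONTROL_WEIGHTS.items() if getattr(asset, ctrl))
    return round(exposure * (1.0 - reduction) * asset.criticality, 3)


def recommended_action(asset: Asset) -> str:
    """Patch where possible; otherwise name the compensating controls still missing."""
    if asset.unpatched_cves == 0:
        return "monitor"
    if asset.patchable:
        return "patch in next maintenance window"
    missing = [ctrl for ctrl in CONTROL_WEIGHTS if not getattr(asset, ctrl)]
    if missing:
        return "compensate: add " + ", ".join(missing)
    return "compensate: all controls in place; monitor"


def prioritise(assets: Iterable[Asset]) -> List[Tuple[str, float, str]]:
    """Return (asset name, residual risk, action), highest residual risk first."""
    ranked = sorted(assets, key=residual_risk, reverse=True)
    return [(a.name, residual_risk(a), recommended_action(a)) for a in ranked]


# Constructed inventory: HMI-01 and HMI-02 share the same open CVE count but differ in controls.
SAMPLE_INVENTORY = [
    Asset("HMI-01", "cell-1", criticality=5, unpatched_cves=4, patchable=False,
          app_whitelisting=True, hardened_config=True, backup_verified=True, behind_firewall=True),
    Asset("HMI-02", "cell-2", criticality=5, unpatched_cves=4, patchable=False),
    Asset("ENG-WS-07", "l3-ops", criticality=2, unpatched_cves=4, patchable=True),
    Asset("HIST-01", "l3-ops", criticality=3, unpatched_cves=0, patchable=True),
]

if __name__ == "__main__":
    for name, risk, action in prioritise(SAMPLE_INVENTORY):
        print(f"{name:10} risk={risk:5.2f}  {action}")
```

Running it ranks HMI-02 first: same open vulnerabilities as HMI-01, but with none of the compensating controls and a critical process behind it, while the engineering workstation is simply queued for patching. The weights are deliberately exposed as a single dictionary so the IT/OT steering committee can argue about them in one place.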

Why do you need an OT security program?

This is the most obvious question. CISOs have protected IT systems for more than a decade. You likely have dozens of tools at your disposal to address cybersecurity according to Check Point, Gartner and others. So why in the world do you need a specific OT cybersecurity program?

The reality is these systems truly are different but perhaps not in exactly the ways OT folks or original equipment manufacturer (OEM) vendors often say. They are sensitive to change or traditional IT security scanning. They are highly integrated. They do operate many legacy operating systems due to long lifecycles. They include many embedded systems that cannot be scanned or managed in the same way a Windows PC or cloud server can. And the downside risk of acting on a false security alarm can be operationally devastating.

What security management actions should be included in the program?

Many organizations become hamstrung with the actions they can take to secure their OT/ICS environments. In part due to the fear, uncertainty and doubt raised by OEM vendors or some in OT, organizations limit what can be done to secure these systems. Perhaps they limit themselves to segmentation or network monitoring because of the fear of managing these sensitive systems.

Our suggestion is to employ OT systems management. These are the same techniques IT conducts on IT systems (and actually represent more than 70% of all IT security tasks). This includes functions such as patching, vulnerability management, configuration management, user and access management, and more.

This comprehensive set of management actions ensures protection and hardening of these devices in advance, as well as the detection of anomalies from ongoing attacks. They also align IT and OT security into consistent practice areas that can be monitored and tracked.

How should an OT security program be managed?

There is no one perfect way to manage a cybersecurity program. It depends on the way the organization is structured more broadly. Is the culture top-down with a drive for operational consistency, even if it may take longer to align different parts of the organization? Is the culture one where targets are set, but business units are left to determine how best to hit those targets? Is there a close working relationship between IT and OT? These subquestions inform how best to organize your approach.

There are several key elements regardless of the overall structure:

• Establish a target early on that allows for measurement and tracking. We have seen great success leveraging the Center for Internet Security top 20, but there are other targets and models to use. Selecting one is key.

• Gain alignment between IT and OT and leverage each for the strengths they bring.

• Build traction early with visibility into key risks and by addressing key vulnerabilities and risks.

• Create accountability by adding security into balanced scorecards to ensure results have an impact on performance.

This article originally appeared on Verve Industrial’s website. Verve Industrial is a CFE Media content partner.

Extend IT security to the plant floor

The convergence of information technology (IT) and operations technology (OT) can make manufacturing operations more streamlined and efficient. Getting there, though, is a challenge in and of itself. This has become one of the major challenges for manufacturers, and while it isn’t as fraught as it used to be, challenges remain.

Eric Knopp, business manager for Rockwell Automation, said, “The cybersecurity threat is real in manufacturing. And it’s costly not just from a production standpoint, but from a public relations standpoint,” in the presentation “The Next Phase of the IT/OT Integration: Extending IT Security to the Cell/Area Zone of the Plant Architecture,” at Automation Fair at McCormick Place in Chicago.

Security challenges for industrial networks

Knopp said companies need to have an effective cybersecurity plan in place. The problem is what qualifies as a priority for the IT team might not resonate in the same way on the plant floor.

There are many security challenges in industrial environments, but two of the most notable, Knopp said, are a lack of visibility and insecure design.

“In the IT space,” Knopp said, “everything is structured. In the OT space, it’s very common that the networks are thrown together as you go. As a result, the first step many customers have to take is determine what is and isn’t on the network. You can’t move forward if you don’t have an idea of what assets you have.”

With insecure design, it’s about a lack of segmentation. Knopp said that while customers have gotten good with the IT/OT separation with the firewall, there are still problems horizontally on the OT level.

“Do you have your machines segmented in such a way so a bad actor doesn’t have access to the whole breadth of the network when they access one controller or machine?” Knopp said.

Software-defined security strategy

Knopp said software-defined technology is not as familiar to OT as it is to IT, but that is changing. Software-defined technology has been prevalent in IT and it can drive efficiency on the manufacturing floor.

Co-presenter Paul Didier at Cisco added context, saying, “Software-defined is a big concept on the IT and enterprise side and it’s driving efficiencies. A lot of this stuff is available in open application programming interfaces (APIs). It helps automate configuration and operation of the network. For OT, that’s very attractive because it simplifies and avoids the scaling and training issues.”

There is a caveat, however, to software-defined technology when it comes to OT.

“We are not ready to deploy in a manufacturing environment. It’s not mature enough. There’s a lot of work to be done on both sides to bring these things together. Keep it focused on the enterprise. Security is where software-defined concepts will start and that’s appropriate.”

As IT/OT convergence continues, it’s crucial to have an industrial security framework. The framework, Didier said, should have a defense-in-depth approach consisting of five phases:

1. Access, segmentation, and policy

2. Threat detection

3. Behavior analysis

4. Content protection

5. Cloud security and threat intel.

To keep the IT and OT worlds separate and secure, an industrial demilitarized zone (IDMZ) can help. If information or access is needed on one side to the other, the IDMZ acts as a place where both sides can meet and exchange information as needed within a secure context.

Even with that, Didier said, there are challenges. “We see very frequently as these two worlds are colliding there is some friction. Part of that is because there’s things the IT folks understand related to security the OT folks don’t understand. OT understands context related to the devices, etc., and what is needed regarding assets.”

It’s all about context in the end. Give the OT user the context they need in a manner they can understand and provide them with the tools to do their job safely and securely.

Three ways to merge IT and OT insights

IT and OT can help each other, Didier said, in several ways to make the flow of information a little smoother. He cited three use case examples on how they can do that.

1. Monitoring flows and anomaly detection. Didier said this is the first step in the process. IT monitors traffic flows and detects anomalous traffic behavior so the source can be identified. “You need to do this before you implement anything,” Didier said. “This is about discovering the network, and who’s talking to who for context.”

2. Cell/area zone segmentation. This requires visibility of industrial automation and control systems (IACS) in the production environment. From there, companies can segment the industrial network so IACS devices can communicate with each other in the cell/area zone. IT and OT, Didier said, create a policy chart that everyone is onboard with. “It’s relatively easy to manage, but they require previous knowledge of who’s talking to who. Once they’ve been written, it’s easy to implement in a relatively simple matrix,” he said.

3. On-demand remote access. This allows OT to manage access as defined by IT security. A specific asset in the machine being serviced must be accessible to the machine builder over a remote virtual private network (VPN). There’s no dependency on IT to enable access during the maintenance window, which reduces downtime.
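
Steps 1 and 2 above, who-talks-to-who discovery followed by a zone-to-zone policy matrix, as an added example in Python that is not part of the presentation or of this article. It learns a baseline from constructed flow records, expresses the agreed IT/OT policy as a matrix keyed by (source zone, destination zone), and flags every flow the matrix does not permit, whether traffic crossing from one cell into another or an unexpected protocol inside a cell. The asset-to-zone inventory, the policy entries, the protocol names and the sample flows are all constructed for illustration.

```python
"""Who-talks-to-who baseline and cell/area zone policy check.

Added example, not from the article or the Rockwell/Cisco presentation.
Step 1 summarises observed flows per zone pair (discovery); step 2 checks
each flow against a simple zone-to-zone policy matrix. All data constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed asset inventory: IP -> (asset name, cell/area zone).
ASSETS: Dict[str, Tuple[str, str]] = {
    "10.1.1.10": ("PLC-A", "cell-1"),
    "10.1.1.20": ("HMI-A", "cell-1"),
    "10.1.2.10": ("PLC-B", "cell-2"),
    "10.1.2.20": ("HMI-B", "cell-2"),
    "10.3.0.5": ("HIST-01", "l3-ops"),
    "10.9.0.99": ("ENG-LAPTOP", "enterprise"),
}

# Constructed policy matrix agreed by IT and OT: (src zone, dst zone) -> allowed protocols.
# Intra-cell traffic is permitted and the site historian may poll each cell; nothing else.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("cell-1", "cell-1"): {"cip", "modbus"},
    ("cell-2", "cell-2"): {"cip", "modbus"},
    ("l3-ops", "cell-1"): {"opc-ua"},
    ("l3-ops", "cell-2"): {"opc-ua"},
}

Flow = Tuple[str, str, str]  # (source ip, destination ip, protocol)


def zone_of(ip: str) -> str:
    """Zone from the inventory; unknown devices get their own zone so they always stand out."""
    return ASSETS.get(ip, ("UNKNOWN", "unknown"))[1]


def learn_baseline(flows: Iterable[Flow]) -> Dict[Tuple[str, str], Set[str]]:
    """Step 1: summarise observed traffic as zone pair -> protocols seen."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for src, dst, proto in flows:
        seen[(zone_of(src), zone_of(dst))].add(proto)
    return dict(seen)


def check_against_policy(flows: Iterable[Flow]) -> List[str]:
    """Step 2: one finding per flow that the policy matrix does not allow."""
    findings: List[str] = []
    for src, dst, proto in flows:
        pair = (zone_of(src), zone_of(dst))
        allowed = POLICY.get(pair, set())
        if proto in allowed:
            continue
        src_name = ASSETS.get(src, ("UNKNOWN", "unknown"))[0]
        dst_name = ASSETS.get(dst, ("UNKNOWN", "unknown"))[0]
        reason = "zone pair not in policy" if not allowed else f"protocol {proto} not allowed for zone pair"
        findings.append(f"{src_name}({pair[0]}) -> {dst_name}({pair[1]}) {proto}: {reason}")
    return findings


# Constructed flow records from one monitoring window.
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.1.20", "10.1.1.10", "cip"),     # HMI-A -> PLC-A inside cell-1: expected
    ("10.3.0.5", "10.1.1.10", "opc-ua"),   # historian polling cell-1: expected
    ("10.1.2.20", "10.1.1.10", "cip"),     # HMI-B reaching into cell-1: crosses the cell boundary
    ("10.1.1.20", "10.1.1.10", "ssh"),     # unexpected protocol inside cell-1
    ("10.9.0.99", "10.1.2.10", "modbus"),  # enterprise laptop talking directly to a PLC
]

if __name__ == "__main__":
    for pair, protos in sorted(learn_baseline(SAMPLE_FLOWS).items()):
        print(f"{pair[0]:>10} -> {pair[1]:<10} {sorted(protos)}")
    for finding in check_against_policy(SAMPLE_FLOWS):
        print("FLAG", finding)
```

The baseline from step 1 is what IT and OT review together before the matrix is written; once the matrix exists, the same flow records are checked against it, and the three flagged flows are exactly the ones a segmented cell/area zone design would have blocked.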

While a full convergence might not be happening anytime soon, there are many steps manufacturers can take to make the process easier.

Chris Vavra
Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@[Link].

The IT/OT Divide: Expert Interview Series

Bryan Bennett of ESDGlobal offers thoughts on why it’s important to have an outside source validate your efforts.

IT/OT collaboration must drive digitalization

Industry talk about the convergence of operations technology (OT) and information technology (IT) assumes the two sides will merge into some common domain using IT methodologies, devices, tools, and team expertise — with all of it being as applicable to a plant floor as to front- and back-office operations.

That notion, however, can be seriously misleading.

By itself, IT/OT convergence does little to actually move end-to-end digitalization forward. While it might provide short-term cost savings through more technology sharing and consolidated IT and OT teams, the performance gains will be incremental, at best, and not the quantum gains digitalization can unleash. Shop-floor applications of IT-oriented hardware, software, connectivity, and services always will need to be far more robust, precise and reliable than those needed in offices.

Instead of IT/OT convergence, industrial enterprises require a deep, cross-functional, and proactive collaborative approach that combines the respective intellectual power, know-how, and experience of IT and OT teams to make today’s industrial operations fully digital enterprises. The goal would be to collectively understand the unique terminology and design requirements for all network environments, especially in context of the network as the strategic backbone of a fully digital industrial enterprise.

Roots of the IT/OT convergence myth

The idea of IT/OT convergence is understandable. After all, IT and telephones were once separate functions and networks in most large companies, but they converged years ago thanks to packetized voice-over-IP (VoIP) technology. What’s more, OT engineers have adapted many enterprise IT technologies to address the needs of a diverse industrial landscape that spans factories, warehouses, logistics facilities, plus power, marine, mining, and oil and gas industries.

Among those technologies are Ethernet-enabled wired and wireless local area networks (WLANs) as well as industrial PCs, switches and routers. Industrial operators continue to adapt emergent enterprise IT technologies, such as the cloud, Big Data, and advanced analytics, compelled by the economic advantages and competitive imperatives of the Industrial Internet of Things (IIoT).

The benefits of these IT adaptations have included big reductions in costs, latencies, cycle times and data collection errors. Industrial communications — the digital thread — also has helped interconnect what were once islands of activities and data, while helping to break down operational silos. Greater transparency and operational visibility also enable far better decision support for optimizing asset utilization as well as production quality, flexibility and costs.

Adapting enterprise IT for complex OT applications

Adapting IT solutions for complex OT applications goes far beyond putting a veneer of ruggedization on devices.

For example, OT automation systems consisting of hundreds or even thousands of field-level devices — sensors, actuators, valves and instrumentation — need precise, millisecond synchronizations of activities. Supporting networks must be deterministic. Data commands must arrive when they are supposed to and not on a best-effort basis. A network hiccup that delays an outbound email by a half-second might not be noticed by a user, but a similar delay in a controller command arriving at its destination could disrupt a production line.

The consequences could be missed customer commitments, costly restarts, or, worst of all, worker injuries. Many leading industrial enterprises are not converging IT and OT technologies because they know doing it is beside the point.

The real point of IT/OT collaboration is to establish vibrant digital threads of data running transparently, seamlessly, and securely through businesses from the factory floor to the boardroom and everywhere in between.

Facilitating IT/OT collaboration for end-to-end digital enterprises

Rather than pushing their IT and OT teams to force even a blending of two necessarily distinct technology environments, these companies prefer them collaborating to make an end-to-end digital enterprise a reality for their companies. To do so, each team needs to understand the other’s expertise and points of view, which includes their chief concerns.

Three concerns for IT and factory digitalization

1. Environmental, health, and safety impacts. While technology failures or security incidents can certainly disrupt enterprise operations, similar incidents in an industrial environment can cause disruptions and consequences on a different scale, even threatening lives and the environment.

2. Asset availability and utilization. Networked industrial systems can create business risks most IT teams may not yet have had to consider, such as the damage or loss of expensive equipment or the production of faulty goods. Production disruptions also can cause industrial enterprises to miss customer commitments. Poor asset availability and utilization also can lower investment returns.

3. Outdated or custom systems. IT is used to applying frequent and consistent software patches and upgrades, while industrial environments tend to be more systemic: one small change in one component or subsystem can trigger changes or disruptions elsewhere. Many legacy plant and factory control systems, as a result, may be running outdated operating systems that cannot easily be swapped out or a custom configuration that isn’t compatible with the standard enterprise IT security packages.

Four concerns for OT with enterprise connectivity

1. Physical risks and safety. Threats to life safety are still a concern, but OT teams now face threats that are potentially outside of their control. Connecting machines, equipment and control systems to more open enterprise networks can leave them vulnerable to hacking. Hacks can override valve controls and emergency shut-offs, exposing employees to danger and production to costly disruptions.

2. Productivity and quality control. Losing control of the manufacturing process or any related devices is an OT team’s worst nightmare. What if some malicious party was able to reprogram an assembly process to skip a few steps or halt production entirely — resulting in a faulty product that could potentially injure a customer user?

3. Data leaks. While data breaches have long been a top concern for traditional IT teams, they are somewhat new to OT teams used to working with closed systems. However, given the types of industrial systems coming online, securing transmitted data is critical.

4. Industrial security. While OT teams can see the benefits of moving from closed systems to open networks, they worry about a seeming lack of IT experience and potential solutions for rigorous OT needs, including real-time communications and cybersecurity traditional office solutions can’t provide.

Common IT/OT objectives for securing a fully digitalized industrial enterprise

Identifying and authenticating all devices and machines within a system, manufacturing plant and in the field, to ensure only approved devices and systems are communicating with each other.

Encrypting all communications between the devices ensures privacy of the transmitted data and the integrity of the data generated from these systems.

Three ways to collaborate on industrial digitalization

Full end-to-end digitalization of industrial enterprises requires a comprehensive networking strategy developed by IT and OT teams working together. The industrial network must be designed as the strategic backbone of production systems, not as a component. It involves deploying industrial-grade networking technologies based on proven standards. Here are three ways companies can facilitate the needed collaborative process.

1. Bring all stakeholders to the table

All relevant stakeholders to the digitalization of a company’s industrial and enterprise operations must have a voice in building a consensus about which metrics are most critical to the organization and which metrics need improvement. They should focus on the unique requirements of production operations while managing risks of downtime and security. Together, they should consider these questions to identify key goals for success:

• What critical assets are likely to fail, when and why?

• How could an asset’s failure impact personnel, operations, or production costs and downtime?

IT/OT collaboration must drive digitalization

• How can data-driven decisions be integrated within the constraints of existing Five questions every CISO
should ask about OT
practices? cybersecurity

Extend IT security to the


• Which production operations are performing below standard in terms of quality plant floor
output or in-process defect rates?
The IT/OT Divide: Expert
Interview Series
• Where are large amounts of human intervention occurring to control quality that
IT/OT collaboration
could be otherwise automated?
must drive
digitalization
Where could data be used to monitor real-time performance to reduce variability in
Six reasons why centralized
output quality? cybersecurity doesn’t
deliver value to OT
2. Provide education on industrial networks

IT teams may need education in the real-time requirements of industrial OT networks and the issues with traditional IT security solutions. That's why OT teams must share the principles, protocols and architectural details about how to operate, maintain, and troubleshoot existing and planned industrial networks, including:

• Switching and routing

• Wireless communications

• Security requirements.

3. Find an experienced partner to facilitate first steps

Only through an active IT/OT collaboration — with a mutual understanding of each other's respective roles and backgrounds — can data flows be optimized over a company's core network, the backbone of a fully digitalized industrial enterprise.

By understanding the full potential of modern industrial communications, IT and OT can work together to ensure more operational efficiency, visibility, flexibility and security in production. This can help companies fully realize the promise of digitalization to gain greater competitiveness and profitability in the short term and for the long term.

Michael Bingaman is director of vertical sales, Siemens Industry Inc.
Six reasons why centralized cybersecurity doesn't deliver value to OT

Many industrial leaders operate their businesses with a false sense of security. Ransomware events such as the ones faced by Norsk Hydro, Hexion, and Momentive in 2019, which caused considerable operational disruption, serve as a warning to all industrial organizations. According to IBM, the cyberattacks against industrial targets doubled in 2019. They not only bring down information technology (IT) infrastructure, where the average cost of downtime reached $5 million per hour according to ITIC for nine critical verticals including manufacturing, utilities and healthcare, but also affect operational technology (OT) networks with even costlier impact. Ponemon Institute surveys conducted in 2018 and 2019 involving utilities and manufacturing companies reveal:

• 56% of respondents reported at least one shutdown or operational data loss per year, with many reporting outages, damage, injury, and even environmental consequences from incidents involving OT

• Insider threats represented the majority of attacks in OT

• 45% of organizations experienced attacks involving IoT/OT assets.

While cyber attacks continue to rise, many companies feel ill-prepared to manage OT cybersecurity risk. The same Ponemon Institute surveys highlighted a lack of alignment between OT and IT security, difficulties in finding and building industrial cyber skills in employees, and an incorrect belief that protections designed for IT are effective for OT as some of the key challenges facing the organizations. The reasons include:

• The IT or information system (IS) teams' insufficient knowledge of OT systems, operation and environment

• A lack of cybersecurity expertise in OT teams

• A lack of adequate engagement from operations leadership in cybersecurity

• Occupational biases in IT/IS teams.

The combination of rapidly expanding OT connectivity in Industry 4.0, the increasing rate and sophistication of cyber-attacks, and uncertainty on how to effectively manage OT cybersecurity leaves many industrial companies exposed to significant financial and operational risk.
Centralized cybersecurity approaches – high cost, low effectiveness for OT

The IT/IS team is often requested to lead OT cybersecurity efforts to exploit potential cost synergies and their knowledge of cybersecurity. It is natural for them to explore and strongly advocate for opportunities to apply IT security practices to OT. These IT security practices mostly depend on centralization, early detection, and standardization to achieve economy of scale. In theory, extending them to OT should deliver cost efficiency at scale by using existing network security tools such as segmentation, centralized cybersecurity operations to monitor and respond when an intrusion is detected, and applying standardized endpoint security tools to edge devices and systems. It also minimizes the need for change management and cross-functional engagement as it is largely managed by the central IS team using the latest and greatest technical tools.

Figure: Example of a centralized cybersecurity approach extended to OT with the latest technologies. Courtesy: Resiliant

There are, however, fundamental differences in the intended use of these two networks. On the IT side, devices are mostly general-purpose computing devices (e.g. computers, phones, servers, etc.), network performance variation is more of a nuisance than a real disruption to core operations, and standardized endpoint security tools (e.g. anti-virus) are easily applied and maintained over time. On the contrary, cyber-physical systems connected to OT networks are special purpose devices (e.g. an anesthesia machine, computer numerical control [CNC] machine, etc.) installed to function in a specific manner and support specific processes in operations. Therefore, standardized endpoint security tools cannot be applied to these special purpose devices without ensuring the integrity of their functional performance in the given environment. Further, OT network performance degradation due to security tools can be operationally disruptive.

Figure: Level of segmentation, trade-offs and OT applicability. Courtesy: Resiliant

Six reasons why centralized cybersecurity doesn't deliver value to OT

As illustrated in the figure above, extending centralized IT security practices to OT environments can be both ineffective and costly. Worse yet, the approach may create a false sense of security in the organization. Even the advanced technical tools such as artificial intelligence (AI) based intrusion detection system (IDS), advanced threat detection (ATD), micro-segmentation (i.e. software defined network), etc. may fail to deliver much value to OT cybersecurity in most cases. The key reasons are:

1. Benefits are limited mostly to managing broad network-based attacks.

The approach is heavily geared towards managing risk of broad network-based attacks. In this case, attackers cast a broad net by injecting malware into a network and hoping that the malware reaches a device that fits the target profile. Granular segmentation, in theory, can reduce the risk of an end device being infected by restricting and managing traffic to the device through various network-based policies. Segmentation, however, may not help if an attack was targeted, for example, to a cyber-physical system by using already compromised access credentials. Targeted attacks account for 86% of attacks in the manufacturing sector where attackers use knowledge of an organization's vulnerabilities, operating environment, compromised user credentials, etc. In fact, in 70% of the cases, publicly known vulnerabilities are exploited.

Figure: The level of inaccuracy for an intrusion detection system (IDS) can be very high. Courtesy: Resiliant

This approach also falls short in managing the risk of insider attacks, which are on the rise. According to a Nucleus Cyber report, 60% of companies experienced insider attacks in 2019. Ill-intending, unskilled or misled insiders can pose big risks to organizations.

2. Granular segmentation may not actually be feasible

Granular segmentation often comes at the expense of network performance. Further, OT environments present considerable diversity in device types, intended functions, and associated processes. Hence, deploying and managing policies for a multitude of scenarios adds significant cost in terms of policy management using a highly skilled workforce. Unmanaged policies, at the same time, can either lead to operational disruptions or security vulnerabilities. When a Midwest-based hospital failed to manage policies and parameters for their medical devices with needed operational changes, the network started to reject genuine medical devices and caused disruptions in patient care. Granular segmentation, therefore, may not be applicable for many OT applications.
3. IDS in OT environments can be very expensive.

There is value in detecting intrusions early before any of the OT devices are affected. An infection of an OT device could lead to malfunction or downtime resulting in operational disruption. Trade-offs involving placement of IDS include network performance, accuracy of detection, and cost. Similar to network segmentation, bringing IDS capability closer to the OT devices, and eventually onto a device (i.e. host-based IDS), would increase detection accuracy. This action, however, can add significant data load onto the network and impact network performance. It also adds large sums of cost for adding IDS sensors onto or closer to the installed OT devices, ensuring functional as well as network performance for the systems, and managing integrity of the sensors over time. On the other hand, network-based IDS, typically placed further away from the end devices, does not affect network performance as much. It, however, leads to lower detection accuracy. As a result, full-time monitoring (i.e. analyst-in-the-loop) resources would be required. There is considerable cost associated with triaging the alerts generated by the IDS to find the ones deemed reliable, as shown in the adjacent figure. The diversity of OT devices on a network makes the situation worse at scale than shown in the figure. They generate more alerts, and often require field personnel with knowledge of the OT device functionality and an operational break (i.e. downtime) to evaluate the alerts. False positives can create organizational fatigue and a lack of trust in the system. Even the most advanced IDS with AI could lead to significant incremental costs in OT applications with questionable return.
4. Many OT devices and the associated risks can remain unmanaged.

The centralized cybersecurity approach also primarily relies on active and/or passive scanning operations to discover devices and identify associated product-level vulnerabilities. In many instances, active scanning shuts down or reboots OT/IoT devices. In such cases, advanced passive scanning along with other analytical methods are used. There are many devices, such as the one shown in the preceding figure where a motor vibration tester is in peer-to-peer connection with the motor/drive, that are usually not identified with such scanning operations. Further, many intermittently-connected OT devices can remain misidentified. It is hard to manage risk relating to the devices that are not identified, tracked and managed. In general, about 15 to 40% of devices may remain unmanaged in this approach, leaving substantial unaccounted risk.
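To make the discovery gap concrete, here is an added example (not from the original article or Resiliant) that reconciles what a passive sensor on a cell switch's span port actually saw against an authoritative asset register, so that never-seen and rarely-seen devices are reported rather than silently dropped. The asset names, IP addresses, protocols and flow records are constructed, and the 50% intermittency threshold is an assumed value.

```python
from collections import defaultdict

# Constructed asset register: what operations says is installed in one cell.
# "link" records how the device reaches the network; a peer-to-peer device
# (the vibration tester on drive M7) never crosses the monitored switch.
ASSET_REGISTER = {
    "plc-line1":        {"ip": "10.10.1.10", "link": "switched"},
    "hmi-line1":        {"ip": "10.10.1.20", "link": "switched"},
    "drive-m7":         {"ip": "10.10.1.31", "link": "switched"},
    "vibe-tester-m7":   {"ip": None,         "link": "peer-to-peer"},
    "portable-cal-kit": {"ip": "10.10.1.77", "link": "switched"},
    "historian":        {"ip": "10.10.2.5",  "link": "switched"},
}

# Constructed flow summaries from a passive sensor on the cell switch's span
# port: (observation window, source IP, destination IP, protocol). Five daily
# windows were captured; the calibration kit is plugged in only on day 3, and
# 10.10.1.99 is a device on the wire that nobody put in the register.
FLOW_OBSERVATIONS = [
    (w, "10.10.1.20", "10.10.1.10", "modbus/tcp") for w in range(1, 6)
] + [
    (w, "10.10.1.10", "10.10.1.31", "profinet") for w in range(1, 6)
] + [
    (w, "10.10.1.10", "10.10.2.5", "opc-ua") for w in range(1, 6)
] + [
    (3, "10.10.1.77", "10.10.1.31", "modbus/tcp"),
    (4, "10.10.1.99", "10.10.1.10", "s7comm"),
]


def passive_inventory(flows):
    """Map each IP seen on the wire to the set of windows in which it appeared."""
    seen = defaultdict(set)
    for window, src, dst, _proto in flows:
        seen[src].add(window)
        seen[dst].add(window)
    return seen


def coverage_report(register, flows, windows, intermittent_below=0.5):
    """Compare passive discovery against the asset register.

    Returns which registered devices discovery never saw (unmanaged), which it
    saw in fewer than `intermittent_below` of the windows (likely to be
    misidentified or aged out of a tool's inventory), and which IPs were seen
    but are not registered at all.
    """
    seen = passive_inventory(flows)
    discovered, unmanaged, intermittent = [], [], []
    for name, asset in register.items():
        ip = asset["ip"]
        if ip is None or ip not in seen:
            # Serial/peer-to-peer links, or simply silent during the capture:
            # the device exists, but no scan-based inventory will list it.
            unmanaged.append(name)
            continue
        discovered.append(name)
        if len(seen[ip]) / windows < intermittent_below:
            intermittent.append(name)
    registered_ips = {a["ip"] for a in register.values() if a["ip"]}
    unknown_ips = sorted(set(seen) - registered_ips)
    return {
        "discovered": discovered,
        "unmanaged": unmanaged,
        "intermittent": intermittent,
        "unknown_ips": unknown_ips,
        "unmanaged_pct": round(100.0 * len(unmanaged) / len(register), 1),
    }


if __name__ == "__main__":
    report = coverage_report(ASSET_REGISTER, FLOW_OBSERVATIONS, windows=5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The register, not the discovery tool, is the source of truth here: the unmanaged list is what a cross-functional team has to go and verify on the floor.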
5. Many critical vulnerabilities including human factors go unaddressed.

The centralized cybersecurity approach is often limited to identifying product-level vulnerabilities. Various studies, however, indicate that up to 95% of breaches are human-enabled. For example, misconfigurations such as missing isolation, weak passwords, delayed updates, disabled QoS, incorrect permissions, inconsistent system integration, and missing authentication are frequently exploited in cyber-attacks. The given approach doesn't adequately address such human factors in cybersecurity, and leaves the organization with a false sense of security. Semiconductor giant TSMC was faced with a virus outbreak, which brought three of its plants down, because of mis-operation during the software installation process for a new tool, which caused a virus to spread once the tool was connected to the network.
6. Ineffective incident response.

Figure: The optimal OT security approach is multi-faceted and requires many different aspects to come together. Courtesy: Resiliant

The centralized cybersecurity approach assumes relatively more standardized response mechanisms. An incident response involving an OT network often requires coordination across many domains. In most cases, isolating just an infected device without bringing the whole network and associated processes down may not be as feasible in OT as it would be in IT. In other words, it is difficult to have standardized responses in the case of OT devices. Extending IT security practices based on centralization, early detection and standardization onto the OT side can result in high costs and large unmanaged risk. Applied generally, without consideration of the OT devices and environment, it certainly leads to low ROI while providing a false sense of security to the organization.

Optimal risk-based approach to OT cybersecurity

To be efficient, cybersecurity needs to be risk-based to prioritize the areas of greatest impact. Cybersecurity of OT needs more of an operational approach through which all vulnerabilities impacting a device are proactively identified and risk is managed by a cross-functional team. As discussed in the preceding sections, cyber-risk associated with a device includes not only technology but also people, policies and process considerations. A security control implementation may every so often come at an expense of operational flexibility or other operational values. Hence, operational risk-return trade-offs have to be part of risk management decisions involving cyber-physical systems. In this way, the most effective security tools are applied to the biggest risks to the business. An example of how the risk-based approach can be optimally applied to OT cybersecurity is illustrated in the following figure.

An optimal solution may include perimeter controls, IDS at the enterprise level to detect any unusual activities before the OT network is infected, datalink (VLAN) or network layer segmentation, demilitarized zones (DMZ) where data and services can be shared, cybersecurity training for all personnel, and active device-level risk management using relevant controls. It would ensure effectiveness, efficiency and adaptability in cybersecurity risk management over time.
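As an added illustration of the risk-return trade-off described above (example code, not Resiliant's method), the following ranks candidate controls by the risk they remove per hour of planned downtime they cost, under a downtime budget that operations sets. The devices, findings, likelihood and impact scores, controls and their effectiveness figures are all constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    device: str
    issue: str
    kind: str            # technology | people | policy | process
    likelihood: float    # 1 (rare) .. 5 (expected), scored by the security team
    impact: float        # 1 (nuisance) .. 5 (plant down / safety), scored by operations

    def risk(self):
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    addresses: frozenset          # issues this control mitigates
    likelihood_cut: float         # fraction of likelihood removed for those issues
    downtime_hours: float         # operational cost: planned outage to deploy and re-validate


# Constructed device-level findings for one plant. Most are human-factor
# issues of the kind listed under reason 5, not product CVEs.
FINDINGS = [
    Finding("cnc-7",        "missing isolation",      "process",    4, 5),
    Finding("cnc-7",        "default password",       "people",     5, 5),
    Finding("anesthesia-3", "delayed updates",        "policy",     3, 5),
    Finding("historian",    "missing authentication", "technology", 4, 3),
    Finding("hmi-line1",    "incorrect permissions",  "process",    3, 2),
]

# Constructed candidate controls with their operational price tags.
CONTROLS = [
    Control("credential hygiene", frozenset({"default password", "incorrect permissions"}), 0.8, 0.5),
    Control("cell segmentation (VLAN + DMZ)", frozenset({"missing isolation", "missing authentication"}), 0.6, 8.0),
    Control("vendor-validated patch window", frozenset({"delayed updates"}), 0.7, 4.0),
    Control("host AV agent on anesthesia machine", frozenset({"delayed updates"}), 0.5, 12.0),
]


def residual_risk(findings, controls):
    """Sum of likelihood x impact after the chosen controls. Controls that
    overlap on the same issue compound multiplicatively, not additively."""
    total = 0.0
    for f in findings:
        remaining = f.likelihood
        for c in controls:
            if f.issue in c.addresses:
                remaining *= (1.0 - c.likelihood_cut)
        total += remaining * f.impact
    return total


def plan_controls(findings, candidates, downtime_budget_hours):
    """Greedy risk-return selection: at each step take the control that buys the
    most risk reduction per hour of downtime and still fits the remaining
    budget. Returns the ordered plan and the residual risk it leaves."""
    chosen, remaining_budget = [], downtime_budget_hours
    pool = list(candidates)
    while True:
        current = residual_risk(findings, chosen)
        best, best_rate = None, 0.0
        for c in pool:
            if c.downtime_hours > remaining_budget:
                continue
            reduction = current - residual_risk(findings, chosen + [c])
            rate = reduction / c.downtime_hours
            if rate > best_rate:
                best, best_rate = c, rate
        if best is None:  # nothing affordable still reduces risk
            return chosen, residual_risk(findings, chosen)
        chosen.append(best)
        pool.remove(best)
        remaining_budget -= best.downtime_hours


if __name__ == "__main__":
    plan, left = plan_controls(FINDINGS, CONTROLS, downtime_budget_hours=16.0)
    print("initial risk:", residual_risk(FINDINGS, []))
    for c in plan:
        print(f"  deploy: {c.name} ({c.downtime_hours} h downtime)")
    print("residual risk:", round(left, 2))
```

With a 16-hour budget the cheap credential fix goes first and the host agent on the anesthesia machine is never chosen; tighten the budget to 12 hours and segmentation drops out too, which is exactly the trade-off the cross-functional team has to own.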
Successful execution of the suggested strategy, however, requires a considerable level of change management. Hence, industrial organizations must make OT cybersecurity a top business priority, link it to the board of directors' risk oversight process, and operationalize a robust cybersecurity program via cross-functional engagement. The program needs to be championed by an operating executive who is also accountable for operational excellence. Doing this ensures the right stakeholders are involved and the right trade-offs are made around operational performance, cost, and security. More importantly, it helps institutionalize a culture of security – the best defense mechanism! This is analogous to Toyota's approach to quality.

Overall, cyber-physical systems together with the Internet of Things (IoT), Big Data and cloud computing in Industry 4.0 can deliver improved productivity, quality and compliance. According to some experts, increased interconnectedness and digital collaboration across the full supply chain can further reduce operational costs by at least 30% and reduce inventory requirements by as much as 70%. The exponentially increasing connectivity, however, also raises concerns around centralized cybersecurity. Hence, organizations will have to make OT cybersecurity a core competency to win in today's digitally connected environment.

This article originally appeared in Resiliant's Knowledge Center. Resiliant is a CFE Media content partner.
Bridging the IT/OT divide: Interview with Wayne Dorris

Cybersecurity is no longer solely the purview of the information technology (IT) department. Companies now need to enlist the operational technology (OT) side in threat management. Wayne Dorris of Axis Communications discusses ways to bridge the IT/OT divide.

Throwback Attack: Lessons from the Aurora vulnerability

Lessons can be learned from prior cybersecurity efforts, even older ones, as this 2007 demonstration showed. Are you aware of the eight ways to mitigate the Aurora vulnerability?

In 2007, the Department of Homeland Security, working with the Idaho National Laboratory, undertook to demonstrate that a cyberattack could, in fact, cause real-world physical damage. It had already been known that cyberattacks could destroy computer equipment by creating anomalous behavior in hard drives and by overclocking microprocessors; the goal of this test was to determine if the manipulation of various control components could damage or destroy large infrastructure, in this case a 2.25 MW, 27-ton diesel generator. The test was a success as it proved it could be done. However, it also determined the vulnerability it revealed could be difficult to mitigate. The test was code named "Aurora" and is known as the "Aurora vulnerability".
Cybersecurity implications of power generation 101

Power generation is a complex, yet routine operation. A typical generator rotates powerful magnets through heavy copper coils to induce current; the rotating force that turns the armature or the field, as the case may be, can be an internal combustion engine, a steam turbine or a water wheel. The power is then distributed through the power grid to homes and businesses. At either end of the distribution system are circuit breakers. The purpose of these circuit breakers is to protect the wiring and equipment connected to the grid and to protect the grid.

Generators for large installations use circuit breakers controlled by a system of protective relays. Protective relays are a science unto themselves; they monitor what is happening on the wiring connected to the generator and protect it from damage from anomalous conditions on the grid or in the generator.

Among those conditions are overcurrent, undercurrent, undervoltage, phase imbalance, loss of synchronism and ground fault. Each relay has an American National Standards Institute (ANSI) designated device number and must be periodically checked and calibrated to avoid damage to the generator or to the distribution system. When a protective relay senses a condition it is designed to monitor, the relay trips the circuit breaker and disconnects the generator or connected equipment from the line.

The point of these protective systems is to keep the power grid stable and operating by detaching faulted devices from the system, leaving as much of the distribution system operating as possible. In the United States and the rest of North America, the power grid operates at 60 Hz. For any power grid to function properly, all the generating plants connected to it must be synchronized by voltage, phase and frequency.

If any of the generators are out of synchronization, there will be an imbalance in the system, which could damage a generator, the distribution system or other connected equipment. If a generator were to fall out of synchronization, the phase imbalance protective (synchronism) relays would trip and disconnect the generator from the line. If this did not happen, then the tremendous force of the system would attempt to resynchronize the machine.

The generator's electrical and physical characteristics would naturally resist this, and large torques would be exerted on the driving shaft and high currents produced in the generator windings. These current spikes can and will damage other equipment, such as transformers and motors.

Cybersecurity throwback: The Aurora generator test description
Connecting an unsynchronized generator to a working power grid is dangerous and will lead to a damaged, if not destroyed, generator. What if a threat actor with knowledge of the workings of generating systems were to gain access to protective systems, either physically or virtually? This was the basis for a proof-of-concept test done at the sprawling Idaho National Laboratories, which is run by the Department of Energy.

The lab has its own large power grid and generating capacity it uses to test small nuclear power systems used in submarines, ships and spacecraft. A large diesel generator was acquired from surplus, and a facility was built to house it. A new substation was built, replicating those seen in common practice and including the protective relay systems often used in this type of installation.
To facilitate the main goal of the test, vibration monitoring, overspeed and synchronism trips were disabled. The goal was to produce what is called out-of-phase synchronization (OOPS) by opening and closing the generator’s circuit breaker while it was running and connected to the grid. Protective systems are designed to isolate a malfunctioning generator. For the test, the synchronism and phase imbalance protective relays were reprogrammed to randomly open and close the generator breaker.

Prior to initiating the test, the generator was synchronized to the grid and operating as expected. Upon commencement of the test, the protective systems first checked for synchronism; then they disconnected the generator from the grid. Being unloaded, the generator naturally accelerated. Then, the circuit breaker was closed again, tying the generator back into the grid. The generator was violently thrown back into synchronization by the overwhelming force of the grid; the force of the other connected generators and devices pulled the small mass of the test generator back to synchronism with the 60 Hz grid frequency.

The malicious code that had corrupted the protective system’s functions was less than 130 kb, which is about 30 lines of code. The opening and closing of the generator breaker had lasted for only a few microseconds, or about 15 cycles. The code was executed three more times. Each time, the generator was observed to violently jolt and shake; after the second hit, pieces of the machine began to fly off. The large rubber connector that joins the generator to the engine was rapidly deteriorating from the extreme torque exerted on the machine. The generator began to smoke. Its windings had begun to fuse and melt from the high current spikes that accompanied the OOPS.

On the third and fourth execution of the code, the engine and generator essentially tore themselves apart. A postmortem revealed the generator windings were melted and burned. The engine shaft had twisted and struck the inside of the crankcase – the generator was scrap metal. The test lasted three minutes, and the generator was destroyed in under a minute.

The test video is available here: [Link]/watch?v=bAWU5aMyAAo

Methods of cyberattack
Connecting a generating source to the electric grid requires frequency, voltage and phase rotation to be matched for a proper and safe connection to the grid. Protective relays monitor each of these parameters to ensure a successful connection; if any of these parameters exceed tolerance, the machine is disconnected to prevent damage to the machine or the grid.

To compromise these systems, an attacker would have to breach several layers of security and have a good working knowledge of the system to target the correct breaker. The attacker would also need physical access to the substation or to have compromised the communications systems connecting the protective relays to the supervisory control and data acquisition (SCADA) system. The various alarms would also need to be disabled so as not to alert operators to the problem. The several layers of security that need to be breached would ideally be password-protected at each level. Password protection is a common oversight and vulnerability.

The root cause of the Aurora vulnerability is poor physical security and poor cybersecurity. Designers and operators must consider cybersecurity at the outset and plan for all possible modes of attack, including physical attacks on the facility. The Aurora vulnerability, if not mitigated, can extensively damage much of the equipment connected to the grid, and could cause extended power outages. The attack does not have to happen at the generator or the substation; it can be initiated from anywhere.

As higher-value targets harden their defenses, critical infrastructure and industrial control systems (ICSs) are becoming prime targets. Most attacks are conducted remotely. However, poorly secured facilities also can provide opportunity for on-the-ground physical attacks.

Direct hacking is a mode of attack that physically accesses protective relay systems and reprograms the devices to effect the anomaly – directly hacking the protective relay. This requires physical access and both power system and hacking knowledge. This attack implies it could be performed by an insider or someone who has breached the physical security of the facility.
Anyone with physical access to the substation could open and close the breaker manually and achieve the same result – manual switching bypasses any automatic control or protective systems. This attack falls under the “disgruntled employee” or malicious vandalism category.
Compromised communication channels are a common access method for remotely attacking a wide variety of control systems. In fact, it is the most common attack vector given the physical location of most threat actors is offshore. As with any other attack, the chief culprits for allowing a successful breach are poor cyberhygiene, poor password policy and poor network architecture and protection. The human element also plays a large part in the mitigation of this risk and should not be ignored.
A third, and increasingly common, attack vector is infiltrating the supply chain. If an attacker can access the protective systems during manufacturing or at any point prior to installation, embedded code can be injected into the device that will trigger on a specific date or event. This attack has been seen in recent events where software integrity has been compromised while in the supply chain between vendor and end users (SolarWinds, for example).

Eight ways to mitigate the Aurora vulnerability
This will sound like a common refrain, but mitigating this vulnerability is similar, if not identical, to protecting any other ICS. These measures require an investment in time and money. If executed properly, they can make a facility practically impregnable. Layers of defensive measures, referred to as defense in depth, frustrate determined attackers by physically blocking their efforts or by obfuscating and misdirecting them. Eventually, these bad actors will give up and move on to easier targets.
By following proper security measures, the Aurora vulnerability can be mitigated. These eight measures are a good baseline.
deliver value to OT
1. Audit communication systems. It is important to know how the control network is set up and where any possible breaches can occur. Think like a hacker – they operate like burglars who walk down the street and check doorknobs – and shut down any unused ports or extraneous communication channels. The point of the audit is to determine which systems and which staff have access to critical systems communication networks, including SCADA. Know what communication channels are actually in use and which can be eliminated.

2. Institute algorithms that monitor and supervise protective relay and breaker operation. Unusual opening and closing of the relays or breaker may follow a recognizable pattern and be detected and mitigated before an attack is executed.

3. Encrypt and protect communication channels. Use a firewall with virtual private network (VPN) capability for any outside access requirements. Institute a secure and encrypted (and unadvertised) backup communications channel for use if the primary channel is compromised.

4. Eliminate any cross connections with office or corporate networks. There should be no connection between SCADA or energy management system networks and the facility’s office network, which is likely connected to the internet. This is a grave vulnerability because of attacks that start with a “phishing” email; 85% of all attacks start with a phishing email. Also, attacks can be “inside jobs” by malicious or disgruntled employees.
5. Password policies should be established and enforced. Change the default passwords on the protective relays. Use long and strong passwords and hierarchical access controls. Require periodic password changes. Use multifactor authentication (MFA) for critical system access. Treat each system as a unique security domain, and do not use the same password for all systems.
6. Institute a policy of least privilege for all staff to limit access to critical systems. Consider schematics, product manuals, diagrams, flowcharts and any other detailed system information as confidential and limit access to those staff on a need-to-know basis. Compartmentalize system knowledge and the security methods used to secure each domain.

7. Check incoming equipment against the vendor’s specifications. This helps users determine if a supply chain attack has occurred. Work with the vendor to institute methods that can determine if the device or software was tampered with between the factory and the customer.
8. Audit and strengthen physical security. Threat actors who can infiltrate a facility and physically access equipment can perpetrate an enormous amount of damage.
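Measure 2 calls for algorithms that supervise breaker operation. The following is an added example, not code from the article or from any relay vendor: a detector that scans constructed breaker-state events from a relay event log and flags the signature the Aurora test produced, a reclose a fraction of a second after the open and a close issued without the synchronism-check permissive. The event fields, the `sync_ok` flag and the one-second threshold are assumptions.

```python
"""Added example, not code from the article or from any relay vendor: a
log-side detector for Aurora-style breaker cycling (measure 2). It flags
recloses that complete far faster than a legitimate resynchronization and
closes issued without the synchronism-check permissive. Event fields and
thresholds are assumptions; the sample events are constructed."""
from dataclasses import dataclass
from typing import Iterable

NOMINAL_HZ = 60.0  # grid frequency named in the article


@dataclass(frozen=True)
class BreakerEvent:
    t: float        # seconds (constructed timestamp)
    breaker: str    # breaker identifier (constructed)
    state: str      # "OPEN" or "CLOSED"
    sync_ok: bool   # synchronism-check permissive asserted (assumed field)


@dataclass(frozen=True)
class Alert:
    breaker: str
    t_open: float
    t_close: float
    reasons: tuple


def interval_cycles(seconds: float, hz: float = NOMINAL_HZ) -> float:
    """Express an interval in grid cycles (0.25 s at 60 Hz is 15 cycles)."""
    return seconds * hz


def detect_breaker_cycling(events: Iterable[BreakerEvent],
                           max_reclose_s: float = 1.0) -> list:
    """Return one Alert per suspicious CLOSED event.

    Rule 1: the breaker closed within max_reclose_s of opening. The Aurora
            test's open/close lasted about 15 cycles; an operator resyncing a
            tripped unit takes minutes, not a fraction of a second.
    Rule 2: the close happened with the synchronism check not asserted,
            which is what the reprogrammed relays in the test did.
    """
    last_open = {}  # breaker -> time of its most recent OPEN
    alerts = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.state == "OPEN":
            last_open[ev.breaker] = ev.t
            continue
        if ev.state != "CLOSED":
            continue
        reasons = []
        t_open = last_open.pop(ev.breaker, None)  # each OPEN pairs with one CLOSE
        if t_open is not None and ev.t - t_open <= max_reclose_s:
            dt = ev.t - t_open
            reasons.append("reclosed after %.2f s (~%.0f cycles)"
                           % (dt, interval_cycles(dt)))
        if not ev.sync_ok:
            reasons.append("closed without sync-check permissive")
        if reasons:
            alerts.append(Alert(ev.breaker, t_open if t_open is not None
                                else ev.t, ev.t, tuple(reasons)))
    return alerts


# Constructed sample log: a normal trip-and-resync, then two Aurora-like cycles.
SAMPLE_EVENTS = [
    BreakerEvent(0.0,     "CB-G1", "CLOSED", True),   # unit synced and online
    BreakerEvent(3600.0,  "CB-G1", "OPEN",   True),   # planned trip
    BreakerEvent(3900.0,  "CB-G1", "CLOSED", True),   # resync five minutes later
    BreakerEvent(7200.0,  "CB-G1", "OPEN",   False),
    BreakerEvent(7200.25, "CB-G1", "CLOSED", False),  # 15 cycles later, no sync
    BreakerEvent(7201.0,  "CB-G1", "OPEN",   False),
    BreakerEvent(7201.25, "CB-G1", "CLOSED", False),
]
```

Running `detect_breaker_cycling(SAMPLE_EVENTS)` yields two alerts, both for the rapid, unsynchronized recloses; the planned trip and five-minute resync produce none.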

The weakest link in any cybersecurity scheme is the human element. Automate as much of the process as possible: the starting, synching and connecting of generating equipment can easily be automated, and the initiation of these processes can be substantially automated. Modern protective systems perform their functions with reliability levels exceeding a human’s – they are not distracted, annoyed or aggrieved, and they work 24/7 without complaint.
Cautionary tales of cybersecurity breaches
In 2009, the first purpose-built digital weapon was used to destroy a third of the uranium enrichment centrifuges at the air-gapped Natanz laboratory in Iran. The Stuxnet worm, developed by the NSA and Israeli cyber warriors, was smuggled into the facility on a contractor’s laptop. The worm infected the centrifuge control systems by specifically targeting the programmable logic controllers (PLCs) that controlled them. This was the first known use of a digital weapon to destroy physical equipment in the real world.

In 2016, Russia’s GRU military intelligence agency perpetrated an attack on the Ukrainian power grid. That attack started with a phishing email, which unleashed a script that quickly compromised the grid, mostly through unsecured or poorly secured communications channels. The attack caused widespread outages and collateral damage. One often-overlooked item was the destruction caused by the attack: The worm targeted key pieces of equipment such as PLCs and PCs used for process control and power generation. Several generators were damaged or destroyed using Aurora-type attacks; transformers and substations were damaged using similar techniques.
Learn from cybersecurity mistakes, demonstrations
The Aurora vulnerability sent shockwaves throughout the cybersecurity and power industries when it was first inadvertently revealed in 2009 in a Freedom of Information Act (FOIA) request regarding a different program that happened to be called Project Aurora.
The vulnerability can be mitigated, and much progress has been made since 2007 in the protection of critical systems. However, many legacy systems still exist, and operators succumb to the belief that this is a solution in search of a problem. The problem exists, and the means and methods for preventing it also exist. With the chaos that a large and prolonged blackout would produce, the issue requires a sober examination of the facts and for responsible parties to act.

Daniel E. Capano
Daniel E. Capano is senior project manager, Gannett Fleming Engineers and Architects, a CFE Media content partner and is on the Control Engineering Editorial Advisory Board.

SolarWinds attack changing nature of cybersecurity for ICSs

The SolarWinds attack has been in the news a lot lately due to the widespread scope of the attack, which went beyond one company or one specific target industry. The SolarWinds attack affected more than four-fifths of the Fortune 500 companies and hit virtually every major sector in the U.S. government and military.

This was more than a one-off cyberattack, and it’s only going to increase, according to Eric Byres, CEO for aDolus, in his presentation: “After the SolarWinds attack: What the SolarWinds fiasco tells us about the changing security landscape” at the ARC Advisory Group Forum, which was presented remotely via Zoom.

Nation-state-backed, multi-stage SolarWinds attack
The actors behind the SolarWinds attack, Byres said, were very professional and very well-organized in their attack. It was likely financed and backed by a nation-state, and they played the long game, initiating a multi-stage attack that lasted more than 18 months.

This kind of attack might seem like the kind of thing manufacturers might not have to worry about. It’s all information technology (IT), right? Not so, according to Byres. Operational technology (OT) has just as much, if not more, to worry about.

Industrial control systems (ICSs) and the supply chain, Byres said, are the next wave of
cybersecurity threats. Supply chain attacks in these areas in 2020 were up 430% com-
pared to 2019. This is not going to stop. Why? Because they’re effective.

Figure: The SolarWinds attack was likely financed and backed by a nation-state, initiating a multi-stage attack that lasted more than 18 months, according to Eric J. Byres of aDolus. Courtesy: aDolus, ARC Advisory Group

Cybersecurity attacks that take advantage of trust
“They’re taking advantage of the trust we [industrial companies] have with our vendors,” Byres said.

Industrial control systems supply chains are easy targets. Many supply chains are a mix
of different programs, codes and standards. Finding an exploitable weakness isn’t that
hard because there are many potential gaps in the networks.

And like companies, the actors behind these attacks seek a good return on investment (ROI). Given the level of sophistication of the SolarWinds attack and the depth of the infiltration, it’s safe to say they got their money’s worth. Hitting a company’s supply chain and stealing information is no different.

It’s not like ICSs and the supply chain haven’t been a target before. Stuxnet was all about the supply chain and exploiting a particular weakness. In that case, it was stolen digital certificates, which underline the broader problem, according to Byres.

“There’s nothing wrong with digital certificates,” Byres said, “but they are being misused and misunderstood and being exploited. There’s more malware now than regular software. They’re not enough, and they need to be cleaned up.”
Cybersecurity cleanup: 3 software bill of materials needs
How can companies make their supply chain safer and help OT follow best practices? After all, this isn’t their field of expertise. They need all the help they can get. Byres likened it to a rich stew full of different ingredients. If the user doesn’t know what’s inside the stew, they won’t know how everything works together. This can be very confusing and overwhelming and may lead to mistakes. Clarity is needed in these cases.

Byres advocated a software bill of materials (SBOM), which is a nested inventory and a
list of ingredients that make up software components. An SBOM, like a regular BOM,
identifies and lists components, information about the components and the relation-
ships between them.

Byres listed three things that are needed for SBOMs to work:
1. Cloud-based aggregation.

2. Machine learning for correlating multiple databases.

3. Graph database technology for component association and tracking.

Figure: For a software bill of materials (SBOMs) to work, they need cloud-based aggregation, machine learning and graph database technology. Courtesy: aDolus, ARC Advisory Group

Software bill of materials benefits for cybersecurity
All that aside, why do manufacturers need software bills of materials to improve cybersecurity? What benefits can they provide to people on the OT side? Byres highlighted several points:
• For ICS vendors, they help track dependencies and component-based issues. They also help vendors track and detect evolving third-party security issues.

• For asset owners, they help create vulnerability and risk priority lists for deployed software.

• For security analysts, they provide critical threat-hunting info and give them information needed for malware hunting.
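The SBOM definition above describes components and the relationships between them, and the asset-owner benefit is a risk priority list for deployed software. As an added example (not code from the article or from aDolus), the following walks a CycloneDX-style SBOM's dependency graph to answer that question: which deployed applications transitively contain a flagged component, and which carry the most. The SBOM contents, the `pkg:generic/...` refs and the flagged components are constructed for this example.

```python
"""Added example, not code from the article or from aDolus: walk a
CycloneDX-style SBOM's dependency graph to find which deployed applications
transitively contain a flagged component. BOM contents and refs are
constructed; the JSON follows the CycloneDX components/dependencies shape."""
import json
from collections import deque

# Constructed SBOM for a small plant-floor software set (not a real product).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "hmi-server", "version": "4.2.0",
     "bom-ref": "pkg:generic/hmi-server@4.2.0"},
    {"type": "application", "name": "historian", "version": "2.1.3",
     "bom-ref": "pkg:generic/historian@2.1.3"},
    {"type": "library", "name": "netlib", "version": "1.9.0",
     "bom-ref": "pkg:generic/netlib@1.9.0"},
    {"type": "library", "name": "tlslib", "version": "3.0.1",
     "bom-ref": "pkg:generic/tlslib@3.0.1"},
    {"type": "library", "name": "loglib", "version": "0.8.0",
     "bom-ref": "pkg:generic/loglib@0.8.0"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/hmi-server@4.2.0",
     "dependsOn": ["pkg:generic/netlib@1.9.0", "pkg:generic/loglib@0.8.0"]},
    {"ref": "pkg:generic/historian@2.1.3",
     "dependsOn": ["pkg:generic/loglib@0.8.0"]},
    {"ref": "pkg:generic/netlib@1.9.0",
     "dependsOn": ["pkg:generic/tlslib@3.0.1"]}
  ]
}"""


def load_sbom(text: str) -> dict:
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def reverse_graph(sbom: dict) -> dict:
    """Map each component ref to the set of refs that depend on it."""
    parents = {c["bom-ref"]: set() for c in sbom["components"]}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, set()).add(dep["ref"])
    return parents


def affected_products(sbom: dict, flagged_ref: str) -> dict:
    """BFS upward from the flagged component; return {application ref: path},
    where path runs from the application down to the flagged component."""
    kinds = {c["bom-ref"]: c["type"] for c in sbom["components"]}
    parents = reverse_graph(sbom)
    hits, seen = {}, {flagged_ref}
    queue = deque([(flagged_ref, [flagged_ref])])
    while queue:
        ref, path = queue.popleft()
        if kinds.get(ref) == "application":
            hits[ref] = list(reversed(path))
        for parent in parents.get(ref, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, path + [parent]))
    return hits


def priority_list(sbom: dict, flagged_refs: list) -> list:
    """Rank deployed applications by how many flagged components they carry."""
    counts = {}
    for ref in flagged_refs:
        for app in affected_products(sbom, ref):
            counts[app] = counts.get(app, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

With `tlslib` and `loglib` flagged, `priority_list` puts `hmi-server` (two flagged components, one reached only through `netlib`) ahead of `historian` (one).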

“We are going to see supply chain attacks as a regular problem,” Byres said. “For us to be on the road to a secure supply chain, we need vendors.”

Like so many other changes in the world, it’s a question of adapting and taking the preventive steps now rather than becoming the latest victim that ends up in the news.

Chris Vavra
Chris Vavra, web content manager, CFE Media and Technology, cvavra@cfemedia.com.

IT/OT Cybersecurity: The Great Divide
Thank you for visiting the IT/OT Cybersecurity: The Great Divide eBook!

If you have any questions or feedback about the contents in this eBook, please contact CFE Media at customerservice@[Link]

We would love to hear from you!