In recent days, a customer (and friend), managing director and majority shareholder of a medium-sized chemical company with a plant in Italy and another in a country in Eastern Europe, called me.

After the New Year's greetings and the customary pleasantries, we begin an intense conversation in which it emerges that, during the end-of-year break, he happened to see a TV documentary in which a computer incident affecting the control system of a chemical plant causes serious environmental damage.

At one point he asks me point-blank: "I know you've told me about it many times, but now tell me: to secure my system,

what should we do to protect our factory systems?"

I am well aware that business and friendship should not be mixed, and that there are no recipes or magic potions for security that are valid in every context, but this question forced me to think quickly, and here is my short list of things I would do today:

1) Who to contact, and how to find someone who understands? Let's start by looking for a cyber security expert (so far it's easy, there are a lot of them: everyone knows everything about ICT security; whether he is actually good remains to be checked) who also knows at least something about industrial automation (and here it's a little more difficult: everyone knows everything about ICT security, but about OT too?).

And if, finally, you find a "true expert" in OT/ICS cyber security, you have hit the jackpot! (But there are not many on the market…)

2) Once you have found your "true OT/ICS cyber security expert", let him take a "snapshot" of your system: commission an "OT/ICS security/vulnerability assessment" from him. But be careful, please: a) don't ask for it to be done for free or on too small a budget; b) make sure that methodologies and tools suitable for the industrial world are used: the risk could be a blockage of the control system and probably also of the plant; c) identify and delimit the perimeter/scope of the assessment, to prevent it from extending to the corporate network as well (but if you have a single "flat network", without segmentation, then you have one more problem)... (*)

But the "true expert" of OT/ICS Security surely knows this...!

3) Finally, with the assessment report in hand, and bearing in mind how the plant and the control system network are built, we begin to think about what to do. What are the assets to protect? Which are the most important and most critical? What can we afford to "sacrifice" in the event of an incident without causing damage to people, plants and the environment? And definitely, what are the risks: not only IT risks but, above all,

What are the risks for the process controlled by the control system?

4) Having identified the critical points, we find ways to protect them adequately. If the problem relates to the FT/HA (Fault Tolerance/High Availability) of the system, we consider making redundant those system components that could be weak points (**).

We identify single points of failure.

5) If we have to protect against access, intrusions, malware, uncontrolled connections with industrial protocols, and similar threats, we adopt devices specifically designed for these purposes (solutions or appliances not specific to OT may not be adequate! (***)) and above all

IT Firewalls, configured with IT rules, may not be adequate!

6) Let's think about business continuity and the resilience of the plant and the system: how best to survive an adverse event and get back up and running quickly.

We make and manage backups of PC and server software, but also of PLCs!

7) We monitor the state of health of the infrastructure, components, network, connected devices and systems,

with systems that identify "anomalous events".
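Point 5's warning about IT firewalls configured with IT rules, as an added example that is not part of the original post: a port-based rule cannot tell a read from a write on the same industrial-protocol port, while a protocol-aware rule can. Modbus/TCP, the addresses, the policy and the sample frames are assumptions constructed for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Assumption: Modbus/TCP (TCP/502) stands in for the "industrial protocols" of point 5.
OT_SUBNET = ip_network("10.0.10.0/24")   # constructed addressing
READ_CODES = {1, 2, 3, 4}                # read coils / inputs / registers
WRITE_CODES = {5, 6, 15, 16}             # write coils / registers
# Hypothetical policy: function codes each source may send to the PLC.
POLICY = {
    "10.0.10.5": READ_CODES | WRITE_CODES,   # engineering workstation
    "10.0.10.20": READ_CODES,                # HMI, read-only
}

def it_rule(src_ip, dst_port):
    """Port-based rule in IT style: allow TCP/502 from the OT subnet."""
    return ip_address(src_ip) in OT_SUBNET and dst_port == 502

def parse_mbap(payload):
    """Return (unit_id, function_code), or None if not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; the length field counts the bytes after it.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def ot_rule(src_ip, dst_port, payload):
    """Protocol-aware rule: port check plus per-source function-code allowlist."""
    parsed = parse_mbap(payload)
    if not it_rule(src_ip, dst_port) or parsed is None:
        return False                     # malformed frames are dropped
    return parsed[1] in POLICY.get(src_ip, set())

def frame(tid, unit, pdu):
    """Build a Modbus/TCP frame (MBAP header + PDU) for the samples below."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic, not captured from a real plant.
READ_REQ = frame(1, 1, struct.pack(">BHH", 3, 0, 10))     # read 10 holding registers
WRITE_REQ = frame(2, 1, struct.pack(">BHH", 6, 0, 1234))  # write one holding register
SAMPLES = [("10.0.10.20", READ_REQ), ("10.0.10.20", WRITE_REQ), ("10.0.10.5", WRITE_REQ)]

def verdicts():
    return [(it_rule(s, 502), ot_rule(s, 502, p)) for s, p in SAMPLES]  # (IT, OT) per sample

if __name__ == "__main__":
    for (src, _), (it_ok, ot_ok) in zip(SAMPLES, verdicts()):
        print(f"{src}: IT rule allow={it_ok}, OT rule allow={ot_ok}")
```

The IT-style rule allows all three samples, including the write from the read-only HMI; the protocol-aware rule blocks that one frame and still lets the engineering workstation write.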

In conclusion, in order not to make this post too long:

there are tools for OT/ICS Security, just choose the right ones.

And, if you have asked yourself the question, as my client/friend did, then you are already well on your way.

If you want to know more, you can also take a look here.

(*) An excellent, totally passive tool for carrying out a deep and reliable OT/ICS vulnerability assessment is the one developed and offered by CyberX-Labs.

(**) EverRun by Stratus is the most effective and simple solution for making OT/ICS applications fault tolerant, with 99.9999% uptime.

(***) The Opshield solution by Wurldtech is made precisely to block any unauthorized access to the PLC, traffic, connections and commands at the factory network level.