In recent times the concept of “Security-by-Design/Default” is increasingly on the lips of insiders, and “OT Security-by-Design/Default” on those of people who, like us, deal with protecting the plants and machinery used in industry and utilities against IT risks.

The recent EU Cybersecurity Act/Strategy, and certainly the GDPR and NIS directives, have brought attention back to regulation and to the issue of Cyber Security, and they have made management's eyes pop at how much "NON-security" there is in the systems and organizations currently in use in many companies and organizations in every sector.

The concept of Security-by-Design/Default implies that, in addition to functional requirements, the design, engineering, development and maintenance of systems must take security (in this case cyber security) into account throughout the life cycle of the system, from its conception to its disposal.

Security-by-Design/Default can be applied to new systems: those yet to be conceived and/or in the initial design phase.

But what can be done with systems that are already installed and running, which today are active and in production on plants and machines in factories and at Operators of Essential Services (OSE)?

In our work as a supplier of "remediation" methodologies and tools for cyber security, we are often asked what first steps to take for the safety and protection of systems used in production.

STEP 1: system mapping. Are you sure you know your architecture inside out? Maybe you are missing something…

In our experience, a precise census of ALL the systems existing in the Company is indispensable, together with a careful risk analysis for each of them as well as for the systems as a whole and for the organization.

But what is the first requirement?

Certainly the assumption of responsibility by management and the allocation of a BUDGET.

For Security, sorry to say, without money you don't go very far.

And the money is not only a "one-off": it must also be budgeted for the months and years following the initial awareness, to keep the level of security adequate to the risk that we have decided to take on.

But be careful: money, as we know, is always tight. And it's a pity to spend it carelessly, on activities and devices that may prove to be ineffective.

Sometimes we even hear people say: we're already done!

We have already equipped ourselves with everything that was recommended to us to bring our systems and our organization in line with the provisions of the GDPR.

Well! This is a great start: it means that management is sensitive to Cyber Security.

But the GDPR mainly concerns IT infrastructure and systems, Company data and their protection.

And when we look at OT (Operational Technology), the networks and systems that make the production of goods and services work, are we really sure that the safeguards and countermeasures that we have put in place for IT Security are adequate to protect OT systems as well?

Here, then, is a proposal we feel like making: invest some money to try to figure out whether we might have OT Security gaps that have so far escaped our attention and that could jeopardize our Business Continuity and ultimately the Business Continuity of the entire Company.

We therefore recommend that you proceed with an assessment of the OT systems, carried out in an absolutely passive and non-intrusive way, without interfering with production: a POC (Proof-Of-Concept) or a POV (Proof-Of-Value) with a discovery tool specific to the OT world, such as SCADA-Guardian from Nozomi Networks, distributed and supported by ServiTecno.

After a few hours or a few days (depending on the complexity of the network/infrastructure to be evaluated) we'll have a report and a dashboard with a complete map of all participants and communications present on the OT network/infrastructure, with identification of the protocols in use, the ports used, the connections that are present and/or that occur in an impromptu or unexpected way, and the firmware levels and software versions of switches, routers, firewalls, PLCs, PC/SCADA, etc.

With an absolutely innovative method developed specifically for OT systems and networks, we will also have a list of the vulnerabilities detected, mapped to the CERT ICS databases, plus an assessment of any anomalies found which, if aggregated, may highlight further vulnerabilities on the systems.

This report/dashboard can be evaluated with the specialists of Nozomi and ServiTecno and presented to the management for any further actions required.

Interested in talking about it? Call us!
