OT Security Risks: How to Assess and Address?

On June 4, 2020 we hosted our "OT Security Risks: How to Assess and Address?" webinar, where our security experts André Slingerland and Mentor Emurlai discussed the landscape of OT (operational technology) security and highlighted the top 10 lessons learned from OT Risk Assessment. The attendees asked good questions, which we have summarized below in a Q&A.

Should you still have any remaining questions, please contact info@secura.com.

Curious to our other webinars? Visit: https://www.secura.com/webinars


Should you still have any remaining questions, please contact info@secura.com.

Our organization has multiple plants, how do you deal with that in performing risk assessments?

Ideally a plant is assessed seperately, but generally speaking if multiple plants are to be assessed this would normally take more time. There are cases were multiple different plants are steered and managed centrally. At all times with the customer the details and specifics are discussed regarding the approach. A part of the OT risk assessment is a walk-down where we look at various part where we visit the process units and areas based on criticality. As example we would like to see firewall rulesets, diagrams, PFDs and PHAs, workstation and configuration etc.

Is Secura using IEC62443 controls for auditing, and is there a mapping to the BIO (baseline informationsecurity overheid) controls?

Risks that are identified during the risk assessment may relate to each of the IEC 62443 foundational requirements and in specific IEC 62443 controls. Similar to the IEC 62443, a mapping can be made to the BIO controls if this is requested by the customer. In addition similar mapping can be made to the NIST Cyber Security Framework controls.

How the proprietary devices are checked to see the status of software update?

In the risk assessment we have a seperate subject area which is ICS visibility and control. There we check whether the asset inventory is fully complete. The asset inventory should specify information elements such as physical asset location, exposed connectivity interfaces, asset criticality, status of software update etc. We also perform several samples to check whether (proprietary) devices are up-to-date and besides if these are vulnerable.

Can you give an estimation how long a risk assessment takes and how it works?

A risk assessment depends largely on the size of the site that is being assessed. A small site may take up to 1-2 days while a larger site may take up 3 to 5 days. How it works is that together with the client the scope is defined inluding how the walk-down will be performed on-site and which key personnel is interviewed. In general the risk assessment zooms in on critical subsystems and networks.

How do you deal with a risk assessment on buildings?

We deal with it the same way we would deal with any other site. The methodology that we follow in conducting risk assessments makes it possible to assess various different types of sites/buildings. There might be some subject areas that are less relevant or more relevant.

Can you give us an interesting example of an unexpected cyber threat?

There are various interesting cyber threats to list as this mostly dependent on the site that is being assessed. To take as an example, there was this large site that was shared between different rival companies.This posed for additional threats that would normally not be there (as much) if the site was not shared. In this case if you have not taken adequate measures the company might be exposed to: third party threats e.g. contractors where it was hard to differentiate who was who, Externally exposed interfaces giving direct access to the network making it easy for infiltration of malware via removable media and external hardware, the possibility of rogue devices which go unnoticed.

Can you give us an interesting example of an unexpected cyber threat?

Input evidence is gathered preferably beforehand from the customer. This can include several documents such as network diagrams, ground plan, list or at least total number of critical assets and processes, a lab copy of critical assets (safety controller) and other relevant information. In general information covering all Purdue levels are wanted. During the OT Risk assessment itself additional input evidence may be gathered e.g. passive network traffic is collected from switches with port mirroring capabilities (by client only). Thereby no active scanning is performed.

If you have any remaining questions, please contact us at info@secura.com