
OT cyber security needs more attention in many companies - ABB

Monday, January 6, 2020

Operational cyber security needs more attention in many companies, say ABB's cyber security specialists Ben Dickinson and Gavin Doyle. Companies sit on quite a wide spectrum in terms of how 'mature' they are with it.

Recent studies have shown that many control systems are directly connected to the internet - which would indicate that many industrial control system operators must address the basics of cybersecurity, says Gavin Doyle, Telecoms and Cyber Specialist - Projects, Energy Industries UK, with ABB.

Even if you're not connecting a control system to the internet, 'an operator cannot afford to do nothing [on cybersecurity],' he says.

And the bigger the company is, the larger its 'estate' is, which it needs to protect.

Many companies still see cyber security as an 'IT issue', says Ben Dickinson, Digital Operations Manager, Cyber Security with ABB.

The fundamental principles of cybersecurity are the same for both information technology and operational technology, Mr Doyle says. One difference, though, is that IT tends to focus more on information security, while OT tends to focus more on operational integrity.

Operators with overall safety responsibilities on offshore platforms are increasingly being asked about cyber security and may have to include it as part of their safety management systems, he says.

Companies are being pushed harder to focus on cyber security, as it is now a major focus of many enterprise risk management practices, as well as new regulation.

Putting in barriers

The general approach is 'we put as many barriers in place as we possibly can,' says Mr Doyle.

The barriers need to be proportional to the target and the level of the threat - just like in the physical world, where valuable things are kept under stronger locks.

Where necessary, devices can be 'hardened' - equivalent to adding another fence in the physical security world - such as locking down more interfaces, controlling what specific people can do, adding firewalls, and adding more advanced tools such as intrusion detection and continuous monitoring of the baseline network.

In areas of high threat, companies can tightly control the links between the various networks.

A key technique is network segregation, where you create a 'demilitarized zone' or DMZ between networks - then carefully control what communications can travel between these 'zones'. The result is a number of zones with different security levels that have different levels of security controls implemented within them, according to their designated Security Level and criticality to operations.

If you have a high-risk system being targeted by sophisticated hackers, you need a sophisticated intrusion detection system in place.

Many attacks take place over a long period of time. For example, some nation state threat actors can spend several months penetrating one system, learning as they go whilst remaining undetected. During this time, it may be possible to spot that someone is in there, before they have an impact on your system, says Mr Dickinson.

However, companies should not believe that just investing in a 'one box solution' will solve all their problems, Mr Dickinson says. 'Cyber security is a journey and requires a defense-in-depth approach.'

Risk assessment and validation certification

You can see cybersecurity as a discipline about understanding different scenarios where something could be targeted, and thinking it through, Mr Dickinson says, just like in the physical security world.

It is a similar process to the 'HAZOP' studies oil companies do in safety management, with a structured process to work out the various ways that something can go wrong, and what is a sensible method to mitigate the risks.

Companies can identify if any change they are considering making will also impact cybersecurity.

It is possible to certify or validate cybersecurity.

One route is to work with third-party penetration testing companies to certify that they could not break into a system.

You can also follow one of the cybersecurity standards and ask someone to validate that the standard has been followed. The standards can look very onerous, but the basics are fairly straightforward, and reflect tasks everybody should do, Mr Dickinson says.

Technology changes

One technology change which can lead to an adverse impact on security is the movement of systems to the cloud, including sending equipment sensor data. This leads to cyber concerns about what is sent to the cloud and who owns the data which is there.

Companies are getting a lot more data-centric in general, with more applications and analytics in use, which raises further potential security vulnerabilities, Mr Doyle says.

On the positive side, standards and technologies are evolving to meet these challenges. For example, the movement to 5G communications can increase security, because this standard has been designed with security in mind and features many enhancements to existing standards, Mr Doyle says.
