Operational Technology Cybersecurity and the Risk Assessment Process

March 14, 2022

Prepared By

Leo Staples, Board Member of Mission Critical Global Alliance (MCGA), LinkedIn

Stephen Huffman, Board Member of MCGA, LinkedIn

Steve Mustard, Board Member of MCGA, LinkedIn



Cyberattacks on critical infrastructure segments and industrial automation and control systems has been increasing at an ever-increasing pace for the last two decades. Managers and executives are keenly aware of the problem, but most are not sure how to cope with it within their companies or feel that the perceived high expense cannot be justified. Mission Critical Global Alliance (MCGA), along with other organizations and individuals, has been involved in raising awareness of the risk of a cybersecurity incident to our nation’s critical infrastructure for many years. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats.


Getting Started


The first steps are to recognize that industrial automation and control systems (IACS) are considered operational technologies (OT) with completely opposite security priorities favoring availability, integrity, and confidentiality versus information technology (IT) priorities of confidentiality, integrity and availability in that order. Bad things happen when an OT system must be shut down for a cybersecurity breach. Several OT experts who are now MCGA board members took part in the development of the National Institute of Standards and Technology (NIST) Framework of Cybersecurity Standards in 2014 where it became clear that a different approach to assessing cybersecurity risk was needed for OT systems.



Reducing OT Risk


How do we go about reducing risk in critical infrastructure OT systems? MCGA recommends that OT systems should be reviewed immediately for their response preparedness, from a people, process, and technology perspective:

  • People – Train operators, supervisors, and managers to anticipate a cybersecurity incident and know how to respond.

  • Process – Run regular exercises to ensure that the incident response plan will work when required.

  • Technology – Implement secure architectures, focusing especially on the segregation of systems so that it is possible to isolate parts of an environment without impacting others.

Training and awareness are key to improving cybersecurity posture. Employees should learn about system concepts, standards, technology, operations, safety and physical security, risk management, and emergency response preparedness. With better awareness and knowledge, stakeholders in the plant can prepare its people, update its processes, and manage its technology. There are many examples of cyber events in critical infrastructure plants, such as water plants and pipelines, where basic disciplines, such as password integrity, unsecured remote access, and phishing victims on company computers, etc. are responsible for providing a vector for intrusion. MGCA conducts physical, cybersecurity, and operational risk assessments that evaluate the following protective barriers:

  • Reduced Attack Surface

  • Network Segregation

  • Access Control

  • End Point Protection

  • Portable Media/Device Control

  • Training & Competency

  • Supervision & Communication

  • Detection Systems

  • Incident Response

Using the assessment criteria, the MCGA team identifies gaps associated with these barriers or controls that create an intolerable risk to the organization. Recommendations are provided that, if fully implemented, will minimize this risk to “as low as reasonably practicable” (ALARP). As shown in Figure 1, an organization reaches ALARP when it can demonstrate that the cost involved in reducing risk any further would be grossly disproportionate to the benefit gained. At this point, the cost to lower cyber risk is relatively low, rising exponentially beyond this point of diminishing returns.



In addition, MGCA supplies emergency response training based on information from the assessment and develops a draft Emergency Response Plan (ERP) for the entity. With little effort, the entity can complete the ERP, train employees, and test the ERP. In most cases, this is the first ERP that an entity can actual use when an emergency occurs.


The MCGA assessment team has many years of experience with operational technology. They understand that people are and always will be the best line of defense when it comes to physical and cybersecurity. Entities that have gone through the MCGA physical, cybersecurity, and operational risk assessment report all feel that the recommendations are easily understood and addressed without spending a great deal of money. Our goal is to prevent you from spending a lot of money hiring an expensive IT consultant without the requisite knowledge of OT systems and priorities.


###


Media Contact

Kevin Edwards, (703) 653-0596, media@mcgalliance.org



About MCGA

Business leaders, government, and industry turn to Mission Critical Global Alliance (MCGA) as a trusted resource in dedicated to enhancing the resilience of mission critical infrastructure through our expertise in advocacy, skills standards development, education, research, workforce development, and professional certifications. MCGA is a 501(c)3 nonprofit organization.

42 views