One of the key highlights of Emerson’s Ovation Users’ Group is the wealth of outside perspectives users are exposed to across the week in Pittsburgh. Tuesday morning’s Cyber-Informed Engineering session was no exception. Virginia Wright, program manager for the Cyber-Informed Engineering program at Idaho National Laboratory shared her expertise with the audience, introducing what, to many, was a new concept in operational technology (OT) engineering.
The concept, cyber-informed engineering, seeks to fill the gaps in the application of modern cybersecurity policy to OT systems. To get everyone started, Virginia shared the cybersecurity and infrastructure security agency’s definition of cybersecurity:
“Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”
That definition is, understandably, focused on data and data integrity. However, when securing OT systems, the concerns span a wider footprint, including safety, availability, and reliability of equipment in the physical world. If an attacker can gain access to an IT system, then pivot to an unsecured or poorly secured OT system, they can cause significantly more serious harm.
The Idaho National Laboratory’s strategy of cyber engineering can help mitigate these risks.
Doing so means bringing more people into the picture when considering cybersecurity strategies. In many cases, Virginia shared, the organization’s engineers know exactly what the cyber team may need to close critical gaps.
What is the threat against OT?
Virigina shared some startling statistics about the scope of attacks against OT:
- Ransomware accounts for 80% of attacks where the threat actor is known.
- In most of the multiple nation state attacks on operational technology that was open to the internet, attackers leveraged weak or default passwords that were well known and leveraged systems that were already vulnerable.
- 50% of the identified incidents this year impacted process and discrete manufacturing, with effects including production shutdowns, work stoppages, and shipping delays.
The results of these attacks can be substantial. According to Virginia, a recent ransomware attack on MKS Instruments had an impact of $450 million—$200 million in direct impacts and recovery, and an additional $250 million in impact to a customer in MKS’s supply chain.
Cyber-informed Engineering where IT meets OT
Cybersecurity is another area where the IT/OT convergence is becoming an ever more critical area of focus. IT is primarily focusing on data integrity and confidentiality whereas OT is concerned with safety, reliability, and integrity. But while those are two different concerns, the only truly effective cybersecurity strategy is one that puts both together, and the Idaho National Laboratory has a plan for that:
“With engineering mitigations, we can impact the results of a cyberattack. We want the engineers to help us prioritize how we put network controls in place. With cyber-informed engineering, we use engineering to eliminate specific harmful consequences.”
Virginia offered an example of cyber-informed engineering with remote monitoring and control of water booster stations, but the theory could apply to any project bringing IT systems to OT.
Using the example, Virginia explained that even if the software vendor can prove their software is cybersecure and has adequate certifications, and the cloud provider can show their strong response and recovery protocols and their certifications, there is more the organization can do to implement a truly cybersecure system.
A key element is working with the organization’s engineers to understand what could happen if those assurances fail. Once the risks are known, solutions can be engineered into the system. In the water booster station example, engineers suggested a time delay relay engineered into the system. With the relay only allowing one command through every 20 minutes, in the time it would take to identify an intrusion, the provider could get a team together to take the equipment offline and fix the problem before attackers could do any substantial damage.
Help is available
Cyber-informed engineering is a great idea for anyone pursuing internet-connected projects, and it isn’t hard to get started. The Idaho National Laboratory provides a cyber-informed engineering guide on their website, as well as analysis tools to help OT teams get started. Pursuing such a vision always requires a cultural shift, but the results are likely to provide significant benefit.