OT Security Assessments

Lessons learned across global cross-industry ICS cybersecurity assessments

How do we navigate cybersecurity assessments in diverse and heterogeneous manufacturing environments?

With increasing digitalization and constantly growing threat landscapes, manufacturing environments are more at risk than ever before.

New studies show a published ICS vulnerabilities increase of more than 10%, mostly high and critical scores, comparing the first six months of 2019 and 2020 affecting all major ICS vendors (Claroty 2020; Biannual ICS Risk & Vulnerability Report: 1 H 2020). These numbers and the growing amount of reported cyber incidents highlight the increasing risks that manufacturers are facing today.

We, at BxC, have supported numerous companies, cross-industry and up to 200 global manufacturing facilities, to assess their environments, build their future ICS security strategy and guide them along the implementation path. In this Point of View, we want to share our lessons learned along these journeys by highlighting, what you should keep in mind when heading out to assess your manufacturing sites.

Adopt an ICS Mindset

ICS environments are rapidly changing and the business demand towards digitalization and industry 4.0 is growing day by day. However, the reality in most manufacturing sites looks different. Runtimes of machinery is 20+ years and changes, as well as upgrades, are commonly both very expensive and complicated.

OT innovation adoption curve

Fig. 1: Common differences between ICS and IT environments

These circumstances often lead to situations, where modern requirements are delivered with legacy systems, creating complex and vulnerable environments. To acknowledge and consider these challenges during security evaluations, it is essential to gain an extensive understanding of ICS environments, daily constraints and the everyday life of automation engineers.

Understand the Business

Cybersecurity requirements and the correct set of measures within ICS environments are highly dependent on industry specifics. In particular, due to emerging regulatory requirements such as KRITIS for critical infrastructure, it is essential to understand the business needs and constraints in order to select an adequate security target level and related security controls.

Considering relevant security-driven standards in the assessment approach, such as IEC 62443 and NIST, and industry-specific policies, such as GxP and TISAX, enables an early validation of potentially certification relevant security measures.

Failing to do so during the strategy and roadmap development might result in unexpected and often costly delays during the implementation phase.

In addition, a close cooperation with the involved business, strengthens the overall acceptance of planned maturity evaluations. This cooperation starts with the alignment of terminology to be used to ensure a wording meaningful in the daily business context, limiting potential misunderstandings and fostering constructive exchange. Besides technical terms, this terminology adaption should also include the naming of the conducted maturity evaluation, as wordings like “assessment” and “audit” are often perceived as intimidating, leading to reduced willingness of sites to support.

Select Representative Manufacturing Sites

With increasing numbers of manufacturing sites and heterogeneous equipment landscapes, the selection of representative sample sites to be assessed, is a key success factor.

Identifying the sweet spot between too limited insights and diminishing returns per assessment is crucial to provide a representative overview while handling limited resources wisely. This sweet spot is highly individual to each companies.

Investing time to identify this sweet spot will provide the best insights and a holistic overview of the overall companies manufacturing security.

Selecting a representative set of manufacturing sites is commonly based on site types including batch or process manufacturing, size, digitalization level, region, currently expected maturity level and the company’s business structure. To validate these selected sites, future M&A or divestiture plans can be leveraged to provide a solid and broad foundation.

Diversifying site assessments across business areas does not commonly reveal major maturity differences. However, including all business areas in the planned assessments, supports the overall business buy-in required for a potential remediation programs.

It is important to keep in mind that these selected sites are the overall baseline to build a sustainable strategy and to plan future remediation programs.

Keep it Simple

Designing a functional and insightful assessment framework for ICS environ-ments in alignment with leading practices such as NIST and ICE62443, without overwhelming the sites, is a substantial part of early site assessments phases.

Especially during the initial ICS assessments, light weight assessment questionnaires allow for an efficient and resource effective assessment approach. This efficient approach should allow to dive deeper into measures already existing in the sites to understand what works and what does not. For measures currently not implemented, the assessment approach should provide potential future scenarios that can be discussed and aligned with the sites to identify future implementation options.

OT innovation adoption curve

By enabling joint discussions with the site on the future architecture in local site assessment, stakeholders get familiarized with potential future scenarios. This familiarization supports their under-standing and encourages their essential participation in the remediation planning and implementation. Fostering these joint discussions supports an early integration of site stakeholders while gathering valuable insights. In addition, a discussion on eye-level supports the establishment of a trust foundation.

Visit Sites

In times of increased Zoom and Teams sessions and limited travel potential as in 2020 and most likely 2021, visiting manufacturing sites sounds like an ancient idea.

This might raise the question: Are onsite assessments still the right approach for overall maturity assessment? Or should focus more on remote assessments.

Having performed both assessment types, we, at BxC, are convinced that onsite visits still provide the biggest information gains. Being able to walk through the manufacturing site and to explain ideas, concepts and current situations in the facility itself provides a big trust benefit, which would be hard to achieve via video calls. This trust benefit also allows for a more open conversation on what is currently working, which processes might need improvement and how new measures will provide the desired maturity improvement.

Conducting onsite assessment at a representative number of sites sets the foundation in terms of maturity understanding and trusted relationships for any future action and should therefore not be neglected. However, conducting additional remote assessments and interviews can help to broaden the assessment reach while validating the collected data with a bigger number of sites.

A hybrid assessment approach, therefore, offers the best out of both worlds providing a deep insight into individual sites, validating findings over a broader range of sites while limiting onsite assessment costs.

Plan for the Future

Maturity evaluations provide detailed insights at a specific point in time. With potential future changes, including changes in the site technology landscape or defined processes, this collected insight might no longer be valid or only valid to a certain extend.

Planning for repeating assessment, including potential self-assessments, is therefore, an important consideration during the initial preparation of the questionnaire. It enables, based on the same initial questionnaire structure, to evolve the depth and the level of detail of the assessment according to the evolution of the maturity and of the challenges in the environment. Communicating this in an early phase of the initial on-site assessment supports the perceived willingness of the assessment responsible to initiate a long-term improvement process contrary to short term compliance evaluation.

A maturity evaluation approach designed in this format furthermore allows future remediation programs and projects to track achieved security improvement progress in a transparent way towards steering committees and sponsors.

Summary

ICS cybersecurity assessments are the foundation for all following activities from strategy to future daily operation. To set this foundation, current assessment approaches need to be adapted to provide valuable insight in mostly heterogeneous ICS assessments. Therefore, understanding ICS and the business is key to gather valuable insights with the conducted assessment as a base for future cybersecurity improvements.

At BxC, we believe, that we need to focus our efforts on assessments and discussions at eye level with the engineering teams and operators to develop solutions and strategies that work in a sustainable fashion in our client environments. Approaching ICS assessment in an inclusive manner enables a trust level between engineering teams and IT departments which sets a crucial foundation for future joined remediation activities.

We, as cybersecurity professionals, need to keep in mind, that site assessments are often the first contact point between manufacturing sites and corporate IT. To work on a successful and secure future, we need to use this first opportunity to reduce prejudices, to enable joint efforts and to kick-off a productive working mode on eye level and with the aim to openly learn from each other.