Glossary
OT: Operational Technology
IT: Information Technology
Air gap / air gapping: Computers or networks that are not connected directly to the internet or to any other computers connected to the internet.
It is not difficult to see why the situation has changed. The digital
transformation of industry and adoption of ‘open’ technology facilitates
interoperability, unlocks unprecedented insights and the flow of
information across logical boundaries. This revolution is unequivocally
a good thing as it allows organisations to become more adaptive to
demand. Yet it has also unlocked a door that was once kept firmly shut.
Today’s hackers recognise this and are actively looking for ways to
compromise modern industrial control systems.
Keeping one step ahead is difficult, not least because cyber threats are
constantly evolving. Regulation rightly looks to maintain the pace but has
also made plant security a daunting challenge for most organisations.
This report simplifies that problem, bringing together all the information
necessary to develop effective plant security.
Introduction
Cyber attacks are no longer a rare occurrence. They threaten a world that is now defined
by, and reliant on, ease of access and connectivity. Statistics restate the need for action.
According to research from the Centre for Strategic & International Studies, the rate of
‘significant’ cyber incidents rose by 63% between 2016 and 2019.1
Often these attacks will target IT networks with the aim of stealing sensitive company data.
Others will look to disrupt by disabling servers and other digital assets necessary for day-to-day activity. There are also attacks that extort targets by encrypting information and holding it to ransom; the 2017 ‘WannaCry’ ransomware worm that temporarily disrupted parts of the NHS is a notable example of this.2 While breaches of this type are clearly undesirable, they still figure at the ‘lower end’ of severity when malware infiltrates an organisation.
Attacks directed at operational technology (OT) networks give far greater cause for
concern. OT is hardware and software that monitors and controls industrial equipment and
processes. It is found in facilities that manage energy generation, chemical processing, as
well as automated manufacturing, pharmaceutical processing, and defence networks.3
OT is innately tied to production environments and therefore breaches in this space can
be profoundly dangerous. When an industrial control system (ICS) is successfully targeted,
serious damage to critical infrastructure and the environment are very real possibilities, as
is threat to life.
There are a growing number of incidents that demonstrate the impact of unauthorised
access to an ICS. In 2014, for example, a blast furnace at a German steel mill suffered
“massive damage” following an attack on the plant’s control system. It is believed those
responsible gained access by tricking staff via a phishing email.4 This type of attack typifies
how successful breaches now not only cause production downtime but physical, material
losses on the plant floor.
The stakes can be much higher. In December 2015, part of Ukraine’s power grid was taken
offline for up to six hours when hackers were able to remotely access the supervisory control and
data acquisition (SCADA) system of a regional electricity company. Thirty substations were
switched off during the attack, leaving some 230,000 people without electricity or heating.5
1. https://www.linklaters.com/en/insights/publications/2019/january/global-cyber-incidents-soar-by-63pc-in-the-last-three-years--linklaters-report
2. https://www.kaspersky.co.uk/resource-center/threats/ransomware-wannacry
3. https://ics.sans.org/media/IT-OT-Convergence-NexDefense-Whitepaper.pdf
4. https://www.bbc.co.uk/news/technology-30575104
5. https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
This incident is considered to be the first known successful cyber attack on a power grid.
More recent events, however, have revealed vulnerabilities in other parts of
key national infrastructure. In November 2019, the Nuclear Power Corporation of India
confirmed an attack at the Kudankulam nuclear facility in Tamil Nadu. Investigation by
India’s Department of Atomic Energy found one user had caused the incident by connecting
a malware-infected personal computer to the plant’s administrative network. While no
critical damage was recorded in the production environment, some speculated that this first
breach could have laid the foundations for a more serious future incident. In the weeks that
followed, analysts reported that large amounts of data had been stolen from Kudankulam’s
servers. If true, it would be possible for bad actors to target the plant’s ‘air gapped’ ICS
more effectively at a later date. As the Washington Post reports, isolating production
networks can be effective against unsophisticated cyber threats but not against targeted
attacks that leverage witting or unwitting people in large, difficult-to-defend supply chains.6
Even with technical advances, risk remains high. In 2019, Kaspersky Lab released a report
on the state of ICS, confirming it had detected and prevented activity by malicious objects
on almost half of the systems it analysed. Contrary to the Washington Post’s assessment,
security researcher Kirill Kruglov believes that the main threat does not come from targeted
attacks but rather “mass-distributed malware that gets into industrial systems by accident,
over the internet, through removable media such as USB sticks, or emails.” However, as
Kruglov adds, the fact that attacks are successful because of a casual attitude to ‘cyber security
hygiene’ means they can potentially be prevented through staff training and awareness.7
Developing robust plant security is difficult for several reasons. First, cyber weaponry
is becoming more sophisticated, exploiting both technical vulnerabilities and human
fallibility. Secondly, security of OT is relatively immature when compared to IT. Twenty
years ago, for example, it was not possible to ‘see’ or monitor a physical asset on the plant
floor in the way it is today, so OT security has only risen up the security agenda in recent
years, as cyber threats have developed effects that rival, or even surpass, physical attacks.
Thirdly, new problems are emerging as IT/OT convergence gathers pace.
Finally, IT cyber security strategies cannot be copied and applied in the OT domain. OT
is principally concerned with safety and availability, while IT is focused on information
confidentiality. The security management principles required are therefore different.
Organisations can no longer rely on existing processes. Kaspersky’s latest report The
State of Industrial Cyber Security highlights the need for action. Less than 40 per cent
of businesses that took part said they had not experienced any cyber incidents in the
last 12 months, while 52 per cent were “aware of the need to provide more resource
for OT/ICS cyber security”.8 The last decade has shown the damage of a complacent
approach to security in industrial environments. While no facility can completely
eliminate risk, measures can be put in place to limit the extent of exposure.
6. https://www.washingtonpost.com/politics/2019/11/04/an-indian-nuclear-power-plant-suffered-cyberattack-heres-what-you-need-know/
7. https://www.silicon.co.uk/e-regulation/industrial-control-systems-cyberattacks-242897
Distinguishing IT and OT
9. https://hitcon.org/2017/pacific/0composition/pdf/Day2/R1/R1-1.12.8.pdf
IT/OT Convergence
Until recently, IT and OT have remained separate silos with their own priorities and
structures. IT is overseen by CIOs and IT network specialists principally concerned with
access and integrity of data, while OT is the domain of plant managers and engineers who
will be looking to minimise injury, damage and downtime. Commercial pressure and wider
economic challenges, however, are now causing these two areas to integrate for better
responsiveness to changing market conditions.
10. https://searchitoperations.techtarget.com/definition/IT-OT-convergence
11. https://radiflow.com/wp-content/uploads/2019/06/Survey_ICS-2019_Radiflow.pdf
12. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-ics-white-paper.pdf
13. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
Figure: categories of ICS threat, from least to most targeted (Petya shown as the opportunistic example):
• ICS Opportunistic (General Purpose), e.g. Petya
• ICS Themed (Delivery Techniques)
• ICS Tailored-Access (Exploits & Modules)
• ICS Tailored-Effects (Payloads/Manipulation)
It is important to note that risk exceeds what is reported in the media. High-profile incidents
like Stuxnet will occasionally make headlines but organisations are known to face a persistent
‘silent’ threat. Confidentiality and reputational damage mean these incidents are often not
publicly disclosed. This is worrying when research shows 70% of organisations believe an attack
on their OT/ICS is ‘likely’ and just 31% have an appropriate incident response plan in place.14
Stuxnet is a malicious worm that targeted vulnerabilities in the Windows OS and is the first
malware known to have been built to attack SCADA systems. It was discovered in 2010 but thought to have been in
development since 2005, or possibly earlier. Stuxnet is believed to have ruined one-fifth of
Iran’s nuclear centrifuges, its primary target, yet it went on to infect over 200,000 computers
and caused 1,000 machines to physically degrade.15
The malware’s sophistication took computer experts by surprise. It exploited four ‘zero-day’
vulnerabilities that had yet to be discovered and patched by developers or antivirus vendors.
Researchers initially believed the worm was developed for surveillance purposes but soon
discovered it was designed to sabotage centrifuges at the uranium enrichment facility at Natanz, Iran. The
malware has three parts that work in concert: a worm that carries out the payload, a .LNK shortcut
file that automatically executes the copies the worm propagates, and a rootkit that hides its files
and processes. Working together, these three components allow Stuxnet to execute its payload, spread to other
machines and hide all malicious files and processes from detection systems.
Stuxnet specifically targets programmable logic controllers (PLCs) made by Siemens that are
commonly used to automate processes in the production environment. It is believed to have been introduced to its
target via an infected USB stick, thus breaching the facility’s air gap. Once inside, it collected
information and then altered the speed of the fast-spinning centrifuges, driving them to damage themselves.
As David Kushner writes: “Stuxnet could spread stealthily between computers running
Windows – even those not connected to the Internet. If a worker stuck a USB thumb drive
into an infected machine, Stuxnet could, well, worm its way onto it, then spread onto the next
machine that read that USB drive. Because someone could unsuspectingly infect a machine
this way, letting the worm proliferate over local area networks, experts feared that the
malware had perhaps gone wild across the world”.16
15. https://www.mac-solutions.net/en/news/129-sheep-dip-your-removable-storage-devices-to-reduce-the-threat-of-cyber-attacks
16. https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
Lessons learned
• ICS are subject to human nature. Defences can be bypassed, particularly in facilities with poor security awareness, and lack of effective policies and procedures.
• All the necessary resources exist today to successfully engineer a specialised attack against an ICS.
• Stuxnet was believed to be knowingly introduced by a plant worker via an infected USB stick, highlighting the ‘insider threat’ that can only be combatted with a holistic approach to plant security.
Frameworks, Regulations and Standards
Cyber security is governed by different frameworks and standards. This section details key
guidance, which is seen as best practice for supporting regulatory compliance in ICS.
The NIST cyber security framework provides private sector organisations with a structure
to prevent, detect and respond to cyber incidents. It uses business drivers to guide cyber
security activities and considers robust digital protections as central to an organisation’s risk
management process. NIST’s framework consists of three main parts:
• Implementation tiers – The tiers describe how well an organisation’s cyber security risk
management decisions exhibit characteristics defined in the framework. Tiers range from
partial (1) to adaptive (4). Higher tiers reflect the degree of rigor and integration of cyber
security practices as part of wider risk management.
• Framework core – The framework core is a set of desired cyber security activities and outcomes.
• Profiles – Profiles reflect the alignment of an organisation’s requirements and objectives, its risk
appetite and resources available to achieve desired outcomes listed in the framework core.
Figure: the five NIST framework core functions (Identify, Protect, Detect, Respond, Recover).
IEC 62443 security levels (from the figure):
• Security Level 0: No security
• Security Level 1: Protect against accidental errors
• Security Level 2: Protect against intentional attacks with simple means and low resources and knowledge
• Security Level 3: Protect against intentional attacks with sophisticated means and moderate resources and knowledge
• Security Level 4: Protect against intentional attacks with sophisticated means and high resources and knowledge
IEC 62443
IEC 62443 is seen as best practice for the security of industrial networks. It helps organisations
to limit the exposure of an ICS to cyber threats. The standard is published by the International
Electrotechnical Commission and much of the document has been developed by industry. The
standard provides best practice for every aspect of the ICS cyber security lifecycle, from product
development, risk assessment through to operations, and is applicable to many different sectors.
The standard acknowledges that not every system is equally critical. IEC 62443 thus defines five
security levels (SL) to reflect the level of security required for a particular organisation. These range
from SL 0 (no security) to SL 4 (resistant to nation-state attacks).
Due to the changing nature of cyber threats, IEC 62443 treats security as an ongoing process rather
than a final goal. It caters to the development of ICS components that are “secure by design” and
successful integration has to be governed by defence-in-depth policies and practices.17
17. https://www.tripwire.com/state-of-security/regulatory-compliance/isa-iec-62443-framework/
• Offers proportionate risk reduction and a means to demonstrate ALARP, which other
guidance does not cover.
Notable attacks on ICS demonstrate the human dimension of the problem. Major breaches are often initiated when someone in the
corporate domain innocently opens a phishing email. This foothold provides hackers with access to
corporate networks and then the ability to move laterally into control systems.
The 2017 TRISIS attack on a petrochemical plant in Saudi Arabia is a typical example of this. Human errors of this kind, even when not
maliciously intended, open a window to critical assets in the OT domain.
It is difficult to stop bad actors gaining access, particularly as IT/OT convergence gathers pace, but there
are measures that can stifle the opportunity to cause harm. However, this can only be achieved when an
organisation takes a holistic approach to cyber security, incorporating people and processes alongside
technology. A resilient culture, in other words, is essential for an organisation looking to combat today’s
evolving cyber threats.
1. DEFINING THE PROBLEM
2. TRAINING
3. RISK ASSESSMENT
Three risk assessments are recommended to determine current level of risk. Yokogawa consultants with OT and cyber security knowledge conduct these assessments based on industry best practice as outlined in IEC 62443.
• Operational risk assessment, which will assess the security management system for risk mitigation and security assurance.
• Business risk assessment, which determines the value of information types between the IT and OT domain, and the business continuity impact of a security breach in the production environment.
• Technical risk assessment, which will detect vulnerabilities for individual assets and determine the risks in the OT domain.
These three risk assessments are the cyber security baseline and mark the start of an OT cyber security program development.
4. POLICY, PROCEDURES AND DESIGN PRINCIPLES
Once assessments are complete, and the baseline is determined, policy, procedure and design principles then need to be defined. Policies and procedures are the crucial link between people and technology, and the processes described serve as the foundation of security assurance.
Policies are high-level statements translating company targets and objectives into clear guidelines. The procedures define how the policies are achieved and the different roles and responsibilities found across an organisation. Procedures may also refer to other existing policies or standards adopted by the organisation.
5. BUSINESS CASE
The business case will document the justification for undertaking an OT security programme. It will rationalise the required investment and define the plan and scope of work.
6. DESIGN PRINCIPLES
8. MANAGED SERVICES
Without proper managed services, the complete cyber security program will gradually deteriorate. Yokogawa’s managed services package provides ongoing support to maintain security of industrial assets. It is tailored to each customer’s needs, either as a single or enterprise-wide solution.
Services:
• Endpoint security, for secure and controlled access to critical data at any time and from any location
• Emergency recovery
• Asset inventory and monitoring, for preventative and predictive maintenance
• Remote operation from a centralised control room
• Expert threat intelligence
• Remote security update, which automates and standardises delivery and management of vendor-approved Windows operating system patches and antivirus signature updates
• Help desk for incident response, available at all times
• Compliance and reliability monitoring
Benefits:
• Minimised risk of unplanned downtime and production losses
• Audit trails for compliance
• Business continuity in the event of a security breach
Figure: TRISIS attack path (internet → IT network and RDP station → IT DMZ → OT DMZ → PCS engineering workstation)
1. WWW: Although not confirmed, a phishing attack is suspected as a possible infection vector which provided attackers access to the IT network.
2. IT: The attacker further penetrated the IT network using well-documented and easily-detected attack methods.
3. DMZ: The attackers moved to the OT (Operational Technology) network through custom backdoors in the IT and OT DMZ, right before gaining access to the PCS engineering workstation.
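The attack path above, and the earlier point that a phishing foothold in the corporate domain becomes lateral movement into control systems, both come down to traffic crossing the IT / DMZ / OT boundaries in ways the segmentation design does not permit. The following is an added example, not code from the Yokogawa paper or its managed service: a small zone-crossing check run over constructed connection records. The addressing of the four zones, the flow-log format (timestamp, source, destination, destination port, protocol) and the allow-list of jump hosts are all assumptions made for the illustration; a real deployment would take them from the plant’s zone and conduit model.

```python
"""Zone-crossing detector for IT / IT DMZ / OT DMZ / OT connection logs.

Added illustration, not from the Yokogawa paper. The addressing, the
log format and the allow-list below are assumptions made for the example.
"""
import ipaddress
from typing import List, Optional, Tuple

# Assumed network zones, ordered from the corporate side to the plant floor.
# A flow whose endpoints are more than one step apart has bypassed a DMZ.
ZONES = [
    ("IT", ipaddress.ip_network("10.10.0.0/16")),
    ("IT_DMZ", ipaddress.ip_network("10.20.0.0/24")),
    ("OT_DMZ", ipaddress.ip_network("10.30.0.0/24")),
    ("OT", ipaddress.ip_network("192.168.100.0/24")),
]
ZONE_INDEX = {name: i for i, (name, _) in enumerate(ZONES)}

# Assumed allow-list: the only permitted zone crossings, each restricted to a
# named jump host and a single destination port. Any other boundary crossing,
# in either direction, is reported as a finding.
ALLOWED = {
    ("IT", "IT_DMZ"): {("10.10.5.20", 3389)},      # RDP station -> IT DMZ jump host
    ("IT_DMZ", "OT_DMZ"): {("10.20.0.10", 3389)},  # jump host -> OT DMZ relay
    ("OT_DMZ", "OT"): {("10.30.0.10", 3389)},      # relay -> engineering workstation
}


def zone_of(ip: str) -> Optional[str]:
    """Name of the zone containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return None


def check_flow(line: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one record of the form 'ts src dst dport proto'."""
    _ts, src, dst, dport, _proto = line.split()
    dport = int(dport)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False, "address outside every known zone"
    if src_zone == dst_zone:
        return True, "intra-zone"
    hops = abs(ZONE_INDEX[dst_zone] - ZONE_INDEX[src_zone])
    if hops > 1:
        return False, f"{src_zone} -> {dst_zone} skips an intermediate zone"
    if (src, dport) in ALLOWED.get((src_zone, dst_zone), set()):
        return True, f"allow-listed {src_zone} -> {dst_zone}"
    return False, f"{src_zone} -> {dst_zone} from non-approved host or port"


def analyse(lines: List[str]) -> List[Tuple[str, str]]:
    """Return the flows that violate the zone policy, paired with the reason."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ok, reason = check_flow(line)
        if not ok:
            findings.append((line, reason))
    return findings


# Constructed sample flow records (not real data): timestamp src dst dport proto
SAMPLE_FLOWS = [
    "2017-06-04T02:13:11Z 10.10.5.20 10.20.0.10 3389 tcp",      # RDP station -> jump host: allowed
    "2017-06-04T02:14:02Z 10.20.0.10 10.30.0.10 3389 tcp",      # jump host -> OT DMZ relay: allowed
    "2017-06-04T02:15:40Z 10.10.7.33 10.30.0.10 445 tcp",       # IT host straight into OT DMZ: skips IT DMZ
    "2017-06-04T02:16:05Z 10.20.0.10 192.168.100.50 3389 tcp",  # jump host straight to OT: skips OT DMZ
    "2017-06-04T02:17:30Z 10.30.0.10 192.168.100.50 3389 tcp",  # relay -> engineering workstation: allowed
    "2017-06-04T02:18:12Z 10.30.0.44 192.168.100.50 3389 tcp",  # unlisted OT DMZ host -> workstation: not approved
    "2017-06-04T02:19:00Z 10.10.7.33 10.10.9.1 445 tcp",        # ordinary IT-to-IT traffic: intra-zone
]

if __name__ == "__main__":
    for flow, why in analyse(SAMPLE_FLOWS):
        print(f"FLAG {flow}  ({why})")
```

Run against the sample records, the three flagged flows are the two that jump over a DMZ and the one that reaches the engineering workstation from a host that is not the approved relay; the legitimate RDP chain through both DMZs passes. The point of the check is that a correctly segmented plant should produce no findings at all, so each one is either a firewall rule that is broader than the design, or the kind of backdoor path described in step 3 of the figure.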
18. https://www.cyberscoop.com/trisis-ics-malware-saudi-arabia/
19. https://tech.newstatesman.com/security/xenotime-triton-power
Lessons learned
YOKOGAWA UK LIMITED
Stuart Road, Manor Park, Runcorn, Cheshire, WA7 1TR, UK
Tel: +44 (0) 1928 597100
Email: uk-marketing@uk.yokogawa.com
YOKOGAWA UK LIMITED
Unit 33 Abercrombie Court, Arnhill Business Park, Westhill, Aberdeen, AB32 6FE, UK
Tel: +44 (0)1224 914777
Email: uk-marketing@uk.yokogawa.com
YOKOGAWA IRELAND
Unit 411 Grants Park, Greenogue Business Park, Rathcoole, Dublin 24, Ireland
Tel: +353 (0) 1 4577454
Email: info@ie.yokogawa.com
Trademarks
All brand or product names of Yokogawa Electric Corporation in the white paper are trademarks or registered trademarks
of Yokogawa Electric Corporation. All other company brand or product names in this report are trademarks or registered
trademarks of their respective holders.