Why securing the OT environment against cyberattacks is vital

Despite existing frameworks to secure operational technology (OT) environments, cybersecurity controls often ease or are overlooked during key lifecycle phases, such as Factory Acceptance Testing (FAT), Site Acceptance Testing (SAT), shutdown maintenance, and brownfield services, increasing vulnerability to cyber threats. CISA's 2022 report highlights a 30% increase in OT system cyberattacks, with over 800 incidents. ENISA's findings corroborate this, showing that 63% of critical infrastructures faced cyber incidents, 55% targeting OT systems.

The early months of 2023 saw notable cyberattacks: a ransomware strike on a U.S. water plant in January; a European power grid disruption in February; and, an Asian transportation company's operational halt in March. These incidents emphasize the importance of stringent cybersecurity throughout the OT system lifecycle, especially in critical stages

During FAT, a pivotal stage in the OT system lifecycle, the system is tested in a controlled environment to confirm adherence to design requirements. During FAT, however, cybersecurity controls often become less stringent, with emphasis primarily on design specifications over security, unless explicitly included in the scope. It's crucial to integrate essential high-level cybersecurity controls at this stage to prevent transferring risks or threats to the site post-FAT. This proactive approach is key to maintaining robust security throughout the system's lifecycle. These controls include, but are not limited to:

Staging areas, designated for pre-deployment system testing, require secure measures to prevent unauthorized access, thereby avoiding the introduction of malware or other threats into production environments.

People are always the weakest point in any security system. It is important to educate employees about best cybersecurity practices. This includes training on how to identify phishing activities, handling sensitive project information, complying with cybersecurity requirements and identifying and reporting a cybersecurity incident.

An asset list is a comprehensive list of all hardware and software assets used in a specific project. This list is the main pillar to detect and understand if any changes have occurred.

The asset list contains information about firmware versions, OS, IP addresses, MAC addresses, vulnerabilities, what was patched and what wasn’t, the latest updates to end-point security, etc. The list must be maintained and updated regularly to ensure that all assets are properly secured, as well as to enable effective vulnerability and patch management.

Access controls are essential to prevent unauthorized access to sensitive information and systems. This includes implementing strong password policies, multi-factor authentication and other mechanisms to ensure that only authorized personnel can access sensitive areas or functions.

Secure configuration involves implementing security best practices when configuring hardware and software systems. This includes disabling unnecessary services and ports, using strong encryption and implementing other security measures to reduce the attack surface of a system.

Vulnerability and patch management involves regularly scanning systems for vulnerabilities and deploying patches to fix known issues. This is critical to prevent attackers from exploiting known vulnerabilities to gain access to sensitive information or disrupt operations.

Incident management involves having a plan in place to respond to cybersecurity incidents when they occur. This includes identifying the scope of the incident, containing it and recovering from it, as well as conducting a post-incident analysis to identify areas for improvement.

All these controls must be implemented and documented during the FAT milestone to ensure that potential risks are not transferred to the site.

Similarly, the SAT/shutdown maintenance window and brownfield services milestone also pose a cybersecurity risk to the OT system. During this milestone, the system is tested in its actual environment and any issues are addressed. These milestones, however, may require taking the system offline and cybersecurity controls may be relaxed to facilitate maintenance activities. Moreover, third-party contractors may not be familiar with the system's cybersecurity controls, leading to potential cybersecurity problems with the completion of maintenance work and when the system/plant is brought online again to resume production. This can result in dozens of untraceable changes to the cybersecurity controls, which are either disabled or bypassed.

Apart from the high-level controls mentioned during the FAT milestone, additional controls need to be implemented during the SAT/shutdown maintenance window and brownfield services due to the dynamic SAT environment. These controls include:

During SAT, the system is evaluated for its integration with the surrounding operational systems. This can identify vulnerabilities that might arise due to interactions with other systems or software.

As the system is now in its intended network environment, SAT can assess how it interacts with firewalls, intrusion detection systems and other network security measures. It can uncover vulnerabilities, such as open ports, that shouldn't be open or potential for unauthorized network access.

While these might be tested during FAT, during SAT, they're tested in the context of the operational environment. For instance, how the system integrates with the enterprise's identity and access management solutions.

Sometimes, organizations might choose to perform more aggressive penetration testing (red team exercises) during SAT to see how the system holds up against simulated cyberattacks in its actual environment.

During SAT, you might also test how incidents on the system integrate with the broader organizational incident response plan and tools.

To mitigate these risks, end-users, contractors, vendors and suppliers must establish and adopt a robust change management process that includes proper documentation, approval mechanisms, testing and validation procedures. This process should ensure that all changes, including those made during the critical and gap periods, are properly tracked, assessed for security implications and validated before the system's commissioning. A more advanced and strict approach is to assign a dedicated cybersecurity officer to follow up and document all the changes made at different milestones.