Why securing the OT environment against cyberattacks is vital

During FAT, cybersecurity controls often become less stringent, with emphasis primarily on design specifications over security, unless explicitly included in the scope. Image: Frantzou Fleurine on Unsplash

Qusai AlRabei
This article is part of: Centre for Cybersecurity
  • Despite existing frameworks to secure operational technology (OT) environments, cybersecurity controls often ease or are overlooked during key lifecycle phases.
  • Risks can open up during Factory Acceptance Testing, Site Acceptance Testing, shutdown maintenance and brownfield services.
  • Here, we consider how these risks can be mitigated.

Despite existing frameworks to secure operational technology (OT) environments, cybersecurity controls often ease or are overlooked during key lifecycle phases, such as Factory Acceptance Testing (FAT), Site Acceptance Testing (SAT), shutdown maintenance, and brownfield services, increasing vulnerability to cyber threats. CISA's 2022 report highlights a 30% increase in OT system cyberattacks, with over 800 incidents. ENISA's findings corroborate this, showing that 63% of critical infrastructures faced cyber incidents, 55% targeting OT systems.

The early months of 2023 saw notable cyberattacks: a ransomware strike on a U.S. water plant in January; a European power grid disruption in February; and an Asian transportation company's operational halt in March. These incidents emphasize the importance of stringent cybersecurity throughout the OT system lifecycle, especially in critical stages.

    Risks during the FAT milestone and proposed controls

    During FAT, a pivotal stage in the OT system lifecycle, the system is tested in a controlled environment to confirm adherence to design requirements. During FAT, however, cybersecurity controls often become less stringent, with emphasis primarily on design specifications over security, unless explicitly included in the scope. It's crucial to integrate essential high-level cybersecurity controls at this stage to prevent transferring risks or threats to the site post-FAT. This proactive approach is key to maintaining robust security throughout the system's lifecycle. These controls include, but are not limited to:

    • Security of the staging area

    Staging areas, designated for pre-deployment system testing, require secure measures to prevent unauthorized access, thereby avoiding the introduction of malware or other threats into production environments.

    • People

    People are always the weakest point in any security system. It is important to educate employees about best cybersecurity practices. This includes training on how to identify phishing activities, handling sensitive project information, complying with cybersecurity requirements and identifying and reporting a cybersecurity incident.

    • Asset lists

    An asset list is a comprehensive list of all hardware and software assets used in a specific project. This list is the main pillar to detect and understand if any changes have occurred.

    The asset list contains information about firmware versions, OS, IP addresses, MAC addresses, vulnerabilities, what was patched and what wasn’t, the latest updates to end-point security, etc. The list must be maintained and updated regularly to ensure that all assets are properly secured, as well as to enable effective vulnerability and patch management.

    • Access controls

    Access controls are essential to prevent unauthorized access to sensitive information and systems. This includes implementing strong password policies, multi-factor authentication and other mechanisms to ensure that only authorized personnel can access sensitive areas or functions.

    • Secure configuration

    Secure configuration involves implementing security best practices when configuring hardware and software systems. This includes disabling unnecessary services and ports, using strong encryption and implementing other security measures to reduce the attack surface of a system.

    • Vulnerability and patch management

    Vulnerability and patch management involves regularly scanning systems for vulnerabilities and deploying patches to fix known issues. This is critical to prevent attackers from exploiting known vulnerabilities to gain access to sensitive information or disrupt operations.

    • Incident management

    Incident management involves having a plan in place to respond to cybersecurity incidents when they occur. This includes identifying the scope of the incident, containing it and recovering from it, as well as conducting a post-incident analysis to identify areas for improvement.

    All these controls must be implemented and documented during the FAT milestone to ensure that potential risks are not transferred to the site.

    Risks during the SAT milestone

    Similarly, the SAT/shutdown maintenance window and brownfield services milestones also pose a cybersecurity risk to the OT system. During these milestones, the system is tested in its actual environment and any issues are addressed. These milestones, however, may require taking the system offline, and cybersecurity controls may be relaxed to facilitate maintenance activities. Moreover, third-party contractors may not be familiar with the system's cybersecurity controls, leading to potential cybersecurity problems when maintenance work is completed and the system/plant is brought online again to resume production. This can result in dozens of untraceable changes to the cybersecurity controls, which are either disabled or bypassed.

    Proposed high-level controls

    Apart from the high-level controls mentioned during the FAT milestone, additional controls need to be implemented during the SAT/shutdown maintenance window and brownfield services due to the dynamic SAT environment. These controls include:

    • Environment integration

    During SAT, the system is evaluated for its integration with the surrounding operational systems. This can identify vulnerabilities that might arise due to interactions with other systems or software.

    • Network integration and firewalls

    As the system is now in its intended network environment, SAT can assess how it interacts with firewalls, intrusion detection systems and other network security measures. It can uncover vulnerabilities such as ports that are open but shouldn't be, or the potential for unauthorized network access.

    • Authentication and authorization

    While these might be tested during FAT, during SAT, they're tested in the context of the operational environment. For instance, how the system integrates with the enterprise's identity and access management solutions.

    • Red/blue team testing

    Sometimes, organizations might choose to perform more aggressive penetration testing (red team exercises) during SAT to see how the system holds up against simulated cyberattacks in its actual environment.

    • Incident response integration

    During SAT, you might also test how incidents on the system integrate with the broader organizational incident response plan and tools.

    How to mitigate these risks

    To mitigate these risks, end-users, contractors, vendors and suppliers must establish and adopt a robust change management process that includes proper documentation, approval mechanisms, testing and validation procedures. This process should ensure that all changes, including those made during the critical and gap periods, are properly tracked, assessed for security implications and validated before the system's commissioning. A more advanced and strict approach is to assign a dedicated cybersecurity officer to follow up and document all the changes made at different milestones.
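The asset list described under the FAT controls and the change tracking described above can be combined into one check. The following is an added example, not part of the original article: it compares a FAT asset-list baseline with a snapshot re-collected after SAT or a maintenance window and reports every difference that no approved change record covers. All asset IDs, field names, values and the change-record format are constructed assumptions.

```python
# Added example: constructed data; asset IDs, field names and values are hypothetical.
TRACKED_FIELDS = ("firmware", "os", "ip", "mac", "open_ports")

# Asset list as documented and signed off at FAT.
FAT_BASELINE = {
    "PLC-01": {"firmware": "2.4.1", "os": "vendor-rtos", "ip": "10.10.1.11",
               "mac": "00:11:22:33:44:01", "open_ports": [102]},
    "HMI-01": {"firmware": "1.9.0", "os": "Windows 10 LTSC", "ip": "10.10.1.21",
               "mac": "00:11:22:33:44:02", "open_ports": [443]},
    "EWS-01": {"firmware": "n/a", "os": "Windows 10 LTSC", "ip": "10.10.1.31",
               "mac": "00:11:22:33:44:03", "open_ports": [443]},
}

# Asset list re-collected after SAT / the maintenance window.
POST_SAT = {
    "PLC-01": {**FAT_BASELINE["PLC-01"], "firmware": "2.5.0"},
    "HMI-01": {**FAT_BASELINE["HMI-01"], "open_ports": [443, 3389]},
    "EWS-01": dict(FAT_BASELINE["EWS-01"]),
    "LAPTOP-07": {"firmware": "n/a", "os": "Windows 11", "ip": "10.10.1.99",
                  "mac": "00:11:22:33:44:99", "open_ports": []},
}

# (asset, field) pairs covered by an approved change record.
APPROVED_CHANGES = {("PLC-01", "firmware")}


def diff_assets(baseline, snapshot):
    """Return (asset, field, before, after) for every difference between the lists."""
    changes = []
    for asset in sorted(baseline.keys() | snapshot.keys()):
        old, new = baseline.get(asset), snapshot.get(asset)
        if old is None or new is None:
            # Asset added or removed since FAT.
            changes.append((asset, "presence",
                            "absent" if old is None else "listed",
                            "absent" if new is None else "listed"))
            continue
        for field in TRACKED_FIELDS:
            if old.get(field) != new.get(field):
                changes.append((asset, field, old.get(field), new.get(field)))
    return changes


def untracked_changes(baseline, snapshot, approved):
    """Keep only the differences that no approved change record accounts for."""
    return [c for c in diff_assets(baseline, snapshot) if (c[0], c[1]) not in approved]


if __name__ == "__main__":
    for asset, field, before, after in untracked_changes(FAT_BASELINE, POST_SAT, APPROVED_CHANGES):
        print(f"UNTRACKED {asset}.{field}: {before!r} -> {after!r}")
```

With the sample data, the approved PLC firmware update is filtered out, while the newly opened port on the HMI and the device that was never in the FAT list are reported for review before commissioning.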

    License and Republishing

    World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

    The views expressed in this article are those of the author alone and not the World Economic Forum.
