Until not long ago, cyber-attacks on industrial sectors were quite rare and were unique to states’ level, due to their considerable complexity. However, in recent years, this type of attack has increased in frequency mainly due to the business and environmental damage they can cause and because the OT world is unprepared for them.
A dedicated risk assessment for the operational environment (called in different terms depending on the context, for example, ICS, OT, SCADA) fundamentally differs from a risk assessment survey in the IT world. While the IT world emphasizes information, the OT world emphasizes employee safety. Therefore, the guideline in this type of survey is fundamentally different from a cyber risk assessment in IT systems.
Naturally, the regulation in this environment is also different. The basis today in the field is ISA/IEC 62443, to which NIST joins with its own guidelines – NIST SP 800-82. Moreover, there is a local regulation by the Ministry of Environmental Protection for compliance with threshold conditions in the cyber field to receive poison permits.
The data security strategy in the OT environment will be inspected as part of the survey. In this context, data security architecture will be reviewed according to the Purdue model layers, starting from the communication protocols between the sensors, PLCs, and management interfaces (HMI), through the segmentation and even up to the management software.
Who would be suitable candidates for this survey?
- Industrial companies that wish to evaluate the data security level of their OT systems.
- CISOs interested in managing information security in their organizations’ OT systems and overcoming the challenges of different environments in terms of computing and the nature of the work.
- Factories required by regulations to conduct information security assessments for their industrial systems.
What are the advantages of conducting risk assessments for industrial systems?
- Compliance with regulatory requirements.
- Obtaining an accurate analysis of the OT network regarding information security, leads to professional and practical insights.
What are the highlights of the test?
- Visibility of the controllers and the control software.
- Analysis of the information security architecture according to the Purdue model.
- Evaluating the level of separation between the OT operational network and the IT business network.
- Examining the security level of applied protocols, such as Modbus.
- Checking out the hardening level of terminals and servers that are in the operational network.
- Exploring work methods with external suppliers (supply chain).
- Evaluating the backup policies of the settings and servers.
- Compliance with relevant regulations.
A risk assessment for industrial systems must be performed by a specialist who understands this environment well. These are entirely different systems from the IT world, and one must ensure that the chosen company is well-known in the field and has extensive experience conducting such risk assessments in factories.