Operations Cybersecurity Addressed by Engaging Engineering Disciplines

By Eric Cosman

ARC Report Abstract


In recent years, the term “operations technology,” or “OT,” has emerged to describe technology used to manage and control manufacturing processes and other industrial operations. Unfortunately, the precise definition of this term is often ambiguous. OT systems collect, store and process information and execute complex control algorithms to operate these facilities safely and reliably. Their components are typically tightly connected using both internal and external networks. The imperative to protect these networks from cybersecurity-related risks further complicates the situation and demands operations cybersecurity.

Information security has long been an established discipline within most IT (information technology) organizations. As OT systems have grown in number and complexity there have been attempts to apply elements of this discipline in operations, but this does not address the full range of potential risks. Controllers, actuators, and instruments also perform vital functions and have potential vulnerabilities.  Addressing the full range of risks requires expertise from various engineering disciplines that understand the process or system under control.

It is important to view improved security as a means to an end (i.e., stability, availability, resilience) rather than an end in itself. The ultimate goal is to ensure the reliability, stability, and availability of the underlying industrial process.

Defining Operations Technology

Ensuring the reliability and integrity of industrial operations has been a concern since the earliest days of automation. As process and manufacturing facilities have grown in both size and complexity the systems and technology used to automate them have become commensurately more sophisticated. Many of the larger industrial facilities have reached the point where they simply cannot be operated manually.

Modern operations systems collect, store, and process information and execute complex control algorithms to operate these facilities safely and reliably. Their components are typically tightly connected using both internal and external networks.  While these systems use much of the same technology as IT-based business systems, there are significant differences in how the technologies are employed. The term, ”operations technology” describes the plant-floor related technology used to manage and control industrial processes.  In addition to real-time measurement and control, OT also typically encompasses real-time information at the field and plant floor levels.  

Information Security

Ensuring the security of information has long been an established discipline within most IT organizations. Traditionally focused in controlling access to information and business systems, this discipline is challenged to respond to the risk associated with increased digitization. The number of vulnerabilities seems endless, and new threats emerge on a regular basis. In addition to external threats such as ransomware, there are also internal threats such as inappropriate application of systems or information theft.

With today’s increased dependence on commercial-off-the-shelf (COTS) technologies, automation and other systems used in operations face very similar challenges. Even if not the focus of targeted attacks, they are often affected by non-targeted attacks distributed through the Internet.

Operations Cybersecurity

As those responsible for process and manufacturing systems have become more familiar with these risks, operations cybersecurity operations%20cybersecurity.jpgoperations cybersecurity has emerged as a specific area of focus.  Although similar to traditional IT cybersecurity, there are important differences.  Perhaps the most significant of these is the emphasis on system availability and integrity over the traditional focus on protecting information. This is commonly described as a reordering of the confidentiality/integrity/availability (CIA) triad. This is an oversimplification, since each of these three imperatives are critical to both business and operations systems.

However, it is true that availability and integrity are typically the primary focus for automation systems. The computers and systems used in operations often do not contain a large amount of sensitive or personally identifiable information. Much of the data in these systems is related to the process under control and may be difficult to interpret when taken out of this context.

Although there are real differences between business and operations systems, improved security is a common imperative.

Possible Approaches

End users often struggle to determine the best approach to address operations cybersecurity. Some have suggested that there should be a separate discipline or skill set within the engineering or operations groups. This approach has definite advantages, but also inefficiencies.  Certain skills may be duplicated in two separate organizations and the response to common challenges may vary unnecessarily. Others have chosen to assign operations cybersecurity to the existing IT security group, but this approach also has limitations since IT security experts may lack a detailed understanding of the nature of the operations environment. A balanced response is to have IT network and security experts contribute their expertise to operations cybersecurity programs.  Unfortunately, this does not address the questions related to organizational alignment and how such programs are managed.

Not Just Computers and Networks

Each of the above responses to the need for improved security of operations systems places the most emphasis on hardening and protecting workstations, servers, and connected networks. While these measures are certainly necessary, they may not be sufficient and may overlook some of the more critical components of those systems.

Controllers, actuators, and instruments also perform vital functions, and have potential vulnerabilities. Unfortunately, these vulnerabilities and the associated risks are easily overlooked in many analyses, particularly if the scope of the assessment is implicitly or explicitly limited to systems at levels 2 and 3 of the general reference model.  Even if sensors and similar devices at level 1 are included, those conducting these analyses may not have experience with these technologies.

For example, recent research has demonstrated that it is possible to compromise sensors at the field level, causing them to deliver erroneous data to automation systems. Even without deliberate attacks, the failure of these components can compromise the safety and security of the automation system. If the sensors cannot be trusted, subsequent control decisions may also be wrong, leading to potentially unsafe conditions. Vulnerabilities at the device level could increase further with increased adoption of the Internet of Things (IoT).

ARC Advisory Group clients can view the complete report at ARC Client Portal

If you would like to buy this report or obtain information about how to become a client please Contact Us

Keywords: Automation, Operational Technology (OT), Collaboration, Operations Cybersecurity, Engineering, Integrity, Safety, Resilience, ARC Advisory Group.



Engage with ARC Advisory Group