2023 ARC Forum Secure Cloud Edge Workshop

By Eric Cosman

Overview

The first day of the 2023 ARC Forum in Orlando, Florida, included a variety of cybersecurity workshops and case study presentations. One of the workshops was titled Secure Cloud and Edge OT Architectures. While it is not possible to describe all topics discussed in this workshop in a brief report, the following provides a summary.

The purpose of the workshop was to help asset owners and other stakeholders understand the approaches that companies are adopting so that architectural changes preserve the security of existing and new OT systems. It took the form of a moderated discussion among several major asset owners about their companies' approaches to OT cloud and edge deployments and the lessons they have learned, followed by questions from the audience.

Describing the Challenge

ARC moderator Eric Cosman opened the workshop with a summary of recent research in this area. Although the scope of the workshop included both cloud and edge configurations, these are distinctly different. The first of these involves devices providing raw data to cloud-based applications that analyze this data and return directions to those devices. In the second scenario, some combination of storage, computation, and analytics reside in an edge device that takes action and reports information to cloud applications.

Secure Cloud Edge

The essential task is the design and implementation of security measures for OT systems and other connected devices that are either connected to the cloud or operate at the edge of a network. Such configurations are still relatively new and may present challenges that differ from those encountered in securing more traditional, on-premises configurations.

Design Considerations

Just as with more traditional OT systems, there are several factors to be considered during design. In some cases, the details may vary somewhat for edge- and cloud-based configurations.

  • Device security – OT systems include a variety of intelligent devices. The inherent security-related capabilities of these devices must be carefully considered.
  • Identity and access management – For distributed systems, it may be difficult to address this subject if multiple authentication domains are used.
  • Data encryption – Almost all distributed systems include a strong reliance on ensuring the integrity of communications over various networks. For this reason, data encryption is usually a basic requirement.
  • Network security – In addition to encryption of data there are other security considerations associated with the use of networks. These include limiting access to network devices and control of network configurations.
  • Incident management – Even in the absence of directed attacks there will almost certainly be security-related incidents. Examples include accidental misconfigurations or the entry of inaccurate or incorrect data. It is essential to have a robust incident management process in place before these occur.
  • Protection from compromise or failure – In addressing security for OT systems, the fundamental goal is to protect them from unauthorized access, manipulation, or disruption while still allowing them to perform their intended functions. As is the case when securing virtually any system, the process begins with a detailed risk assessment. This may be conducted during the design phase or for existing systems, as the first step in an improvement effort.

Potential Consequences

Risk is generally defined as a function of threat, vulnerability, and consequence. There are several potential consequences of a security-related failure, including disruptions to production, equipment damage, financial loss, compromises to safety, exposure to hazardous materials, and environmental impact. These are largely the same regardless of architecture or deployment model.

Possible Measures

There are many measures available during the design of a system. For the most part, these are not specific to cloud- or edge-based configurations but may be applied somewhat differently in such situations.

  • Network segmentation – This is a recommended practice for automation systems that are wholly contained on the premises. It is even more important for more distributed systems because of the variety of network types used.
  • Secure communication protocols – As mentioned above, the increased use of network communications across potentially long distances makes it imperative that the protocols used provide adequate security, including data encryption.
  • Secure software development practices – This is an essential practice in the design of any computing and communications systems. OT systems using edge or cloud-based configurations are no exception.
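The "Data encryption" and "Secure communication protocols" points above both come down to how an edge device authenticates and encrypts its connection to a cloud endpoint. The following is an added example, not code from the workshop or from ARC Advisory Group: a weak TLS client context of the kind an unreviewed edge agent often ships with, beside a hardened one, and a small audit function that flags the settings a design review should reject. The CA bundle and client certificate paths are assumed parameters; with none supplied, the hardened context uses the operating system's trust store.

```python
"""Edge-to-cloud TLS client settings: a weak context beside a hardened one,
with an audit that flags the settings a design review should reject.
Added example; not code from the workshop or from ARC Advisory Group."""
import ssl
from typing import List, Optional


def weak_context() -> ssl.SSLContext:
    """Constructed 'before' example: the shortcuts taken to make a cloud
    endpoint 'just connect'. Traffic is encrypted, but the peer is never
    authenticated, so the integrity guarantee the design relies on is absent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # any server name is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx


def hardened_context(ca_bundle: Optional[str] = None,
                     client_cert: Optional[str] = None,
                     client_key: Optional[str] = None) -> ssl.SSLContext:
    """'After' example. ca_bundle is the plant's own CA (assumed path; None
    uses the OS trust store). client_cert/client_key enable mutual TLS so the
    cloud side can authenticate the device as well as the reverse."""
    # create_default_context gives CERT_REQUIRED plus hostname checking.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the names of weak settings found; an empty list passes review."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname_check_disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer_certificate_not_required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy_tls_allowed")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```

The audit is the part worth keeping: run it against the context every edge agent actually constructs, in a unit test or at start-up, so that a "temporary" `CERT_NONE` added during commissioning cannot reach production unnoticed.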


ARC Advisory Group clients can view the complete report at the ARC Client Portal.


Keywords: Architecture, Cloud, Consequence, Cybersecurity, Edge, OT, Risk, Security, ARC Advisory Group.
