Improving the security of Operations Systems is a large, complex, and open-ended task. Although it shares many characteristics with more general information security responses, there are additional constraints and problems inherent in this domain.
Addressing these requires the experience and skills of a wide range of contributors and stakeholders. Much of the typical response focuses on roles such as security expert, system designer and engineer, and network engineer. While contributions from these disciplines are certainly essential, they are unfortunately not sufficient. There is one very important role that must also be involved. A comprehensive operations cybersecurity program must be based on a full appreciation of the dynamics, constraints, and potential consequences of the process under control. Gaining such understanding requires engagement with and involvement from the plant or operating engineer or technician. This role is generally referred to as the process operator.
It is the people in this role who arguably have the deepest appreciation of the connection between security mitigation and safe and reliable operation of the process or equipment under control. Unfortunately, this contribution has often been overlooked in favor of an emphasis on the more traditional areas of network integrity and information protection.
The Realities of Operations Cybersecurity
There have been countless discussions and debates about the extent to which operations systems are different from business information systems concerning what is required to protect them from cyber risks. Many of these discussions occur between members of the information security and engineering disciplines and often center around the questions of which organization should be responsible, what skills are required, and the technologies and methods used.
These debates are only important and useful to the degree to which they lead to decisions about what is required in an effective program that protects operations systems from compromise that can lead to serious consequences. Many characteristics are shared between the two domains, such as the use of common products and technology, and the need for authentication and access control. However, there are some very important differences that lead to the need for an extended response, regardless of the organizational models and associated processes used to achieve it.
The Physical Connection
Operations systems integrate components and subsystems from more common information management systems with sensors and actuators that connect directly to equipment for data collection and changing process conditions. Decisions made and actions taken by the applications in these systems have an immediate impact on the process under control. Valves move, material moves, reactions occur, and temperatures, pressures, and other conditions change.
Operations systems do not operate in a sealed or isolated environment. It is common or even prevalent for such systems to be connected to upper-level information systems for purposes such as order management or production reporting. The practical implication of this is that control systems become a channel through which decisions made in business systems can also have physical consequences.
The Cybersecurity Response
Although we may be tempted to bemoan the fact that there has not been any progress in securing operations systems, this is an overly pessimistic view. It is common for people to focus on the challenges in front of them, but we should also pause occasionally to reflect on what we have already accomplished. There has been an increase in the recognition and understanding of the problem, and standards, practices, and tools are now increasingly available.
However, we must continue to improve how we address the challenge of securing operations systems. The traditional response is often based on an implicit assumption that the primary imperatives are the protection of information and access control. While these are certainly relevant, there are many other potential consequences of compromise that can be far worse. These range from loss of view of the process conditions to loss of primary containment, equipment damage, environmental damage, or fire and explosion.
While the list of specific threats is constantly evolving as new vulnerabilities and motives are identified, it is possible to view those that are most likely as belonging to several broad categories.
- System penetration – This is perhaps the most basic threat, consisting of any type of access – interactive or programmed – that is not authorized or legitimate.
- Remote access – Although there are legitimate business needs for remote access to operations systems, this method can also present a serious threat. It is critical that appropriate processes and technologies be applied to ensure that only those authorized can access systems and that their actions are monitored appropriately.
- Data loss or compromise – Loss of or compromise to the integrity of vital data in the system is also a general class of threat. Although data loss is often a major area of focus, it is equally important to ensure that data is not modified, leading to wrong decisions by automated systems.
- Lack of system availability – Operations systems must have a high level of availability and accessibility, combined with very short response times. If they fail to operate or if access is not possible, there can be serious consequences for the process under control. This includes loss of view of the process conditions.
Keywords: Assets, Consequences, Process Operator, Remote Access, SOC, Threats, ARC Advisory Group.
 The general term Operations Systems includes industrial control systems, safety systems, and associated devices and systems employed to maintain the safe and reliable operation of an industrial or manufacturing process.