Solid Cybersecurity Merges IT and OT Aspects

Creating and maintaining a cyber security management system is crucial for hardening operations and unlocking business benefits. Tesco Controls has helped many clients navigate this effort.

Jonathan Shores, Tesco Controls engineering group manager, and Benjamin Salt, the company’s chief systems architect, recently wrote an article titled "Cybersecurity Demands Coordinated Tactics," published in the October 2021 edition of Control Engineering’s Applied Automation magazine. The complete article can also be found online at Plant Engineering. The article discusses how the merging of IT and OT systems creates new security design challenges, and it contrasts some important differences in how security practices and technologies must be applied in each domain.

Top-down cyber security management

Cyberattacks can cause major safety and financial concerns for any public or private institution. In recent years, ISA/IEC 62443 has been developed to define how successful cyber security management systems (CSMSs) can formalize guidelines, policies, and procedures to bring OT security up to IT levels. The CSMS must address how OT and IT systems, roles, and risks are different, and its creation and maintenance must involve all aspects of the organization from top to bottom.

Balancing priorities

Confidentiality, availability, and integrity of data and connectivity are three characteristics of digital security. For IT systems, the top priority is confidentiality, which is at odds with OT systems, which require high availability. While IT systems can often shut everything down if a threat is detected, OT systems require a much more careful approach to keep as much of the system operating as possible.

Detection and update differences

Because IT systems handle so much variable traffic, it can be difficult to create an intrusion detection system (IDS). OT systems, on the other hand, have very predictable traffic and are good candidates for an IDS. Another consideration is patching and updates. While testing must be performed for IT and OT systems alike, it is important to have a plan in place to provide an additional level of scrutiny for OT systems. This is needed to ensure that implementing patches and updates does not compromise system availability through downtime, product quality issues, or safety problems.

Standards framework

In addition to ISA/IEC 62443, there are other frameworks for establishing a CSMS, such as the NIST Framework for Improving Critical Infrastructure Cyber Security. Some industries have additional policies or standards, but in all cases the CSMS should address all levels of the organization.

To create and upgrade automation systems with suitable cybersecurity provisions, the team of designers, engineers, and security professionals must establish a unified management approach that recognizes the differences between OT and IT networks. This approach must cover the entire system lifecycle, from design through system integration to long-term operations and maintenance.

Securing OT systems is far from easy, but Tesco Controls has deep experience in designing and implementing best practices. The OT threat landscape is constantly changing, and Tesco regularly partners with clients to create CSMS plans that provide organizations with secure remote connectivity, cloud-based analytics, alerting capabilities, and other advantages.

Tesco Controls Inc. is a certified member of the Control System Integrators Association (CSIA).

All images Copyright 2021 by Tesco Controls, Inc.

Authors

Jonathan Shores is systems engineering group manager at Tesco Controls, Inc. He is focused on system architecture and security designs. He has more than two decades of experience designing and implementing process control systems for water/wastewater agencies.

Benjamin Salt is chief systems architect at Tesco Controls, Inc. With over 20 years at the company, he is focused on the analysis, design, development, and management of systems, and acts as a cybersecurity advisor internally and externally.